<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>iptables — Bcfg2 1.3.0 documentation</title> <link rel="stylesheet" href="../../../../../_static/default.css" type="text/css" /> <link rel="stylesheet" href="../../../../../_static/pygments.css" type="text/css" /> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT: '../../../../../', VERSION: '1.3.0', COLLAPSE_INDEX: false, FILE_SUFFIX: '.html', HAS_SOURCE: true }; </script> <script type="text/javascript" src="../../../../../_static/jquery.js"></script> <script type="text/javascript" src="../../../../../_static/underscore.js"></script> <script type="text/javascript" src="../../../../../_static/doctools.js"></script> <script type="text/javascript" src="../../../../../_static/sidebar.js"></script> <link rel="shortcut icon" href="../../../../../_static/favicon.ico"/> <link rel="top" title="Bcfg2 1.3.0 documentation" href="../../../../../index.html" /> <link rel="up" title="TGenshi" href="../../tgenshi.html" /> <link rel="next" title="motd" href="motd.html" /> <link rel="prev" title="hosts" href="hosts.html" /> <link rel="stylesheet" href="../../../../../_static/bcfg2.css" type=""/> </head> <body> <div style="text-align: left; padding: 10px 10px 15px 15px"> <a href="../../../../../index.html"><img src="../../../../../_static/bcfg2_logo.png" border="0" alt="sampledoc"/></a> </div> <div class="related"> <h3>Navigation</h3> <ul> <li class="right" style="margin-right: 10px"> <a href="../../../../../genindex.html" title="General Index" accesskey="I">index</a></li> <li class="right" > <a href="../../../../../py-modindex.html" title="Python Module Index" >modules</a> |</li> <li class="right" > <a href="motd.html" title="motd" accesskey="N">next</a> |</li> <li class="right" > <a href="hosts.html" title="hosts" 
accesskey="P">previous</a> |</li>
<li><a href="../../../../../index.html">home</a> | </li>
<!--<li><a href="../../../../../search.html">search</a> | </li>-->
<li><a href="../../../../../help/index.html">help</a> | </li>
<li><a href="../../../../../contents.html">documentation </a> »</li>
<li><a href="../../../../../contents.html" >Bcfg2 documentation 1.3.0</a> »</li>
<li><a href="../../../../index.html" >The Bcfg2 Server</a> »</li>
<li><a href="../../../index.html" >Plugins</a> »</li>
<li><a href="../../tgenshi.html" accesskey="U">TGenshi</a> »</li>
</ul>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body">
<div class="section" id="iptables">
<h1>iptables<a class="headerlink" href="#iptables" title="Permalink to this headline">¶</a></h1>
<ul class="simple">
<li>Set up a Genshi base iptables file that contains the basic rules you want every host to have.</li>
<li>To be safe, you should have a client-side IptablesDeadmanScript if you intend to have bcfg2 bounce iptables on rule updates, so that a broken ruleset that cuts off remote access is rolled back.</li>
</ul>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">When you update files in the <tt class="docutils literal"><span class="pre">includes</span></tt> directory, you need to <cite>touch</cite> the Genshi template so that the template contents are regenerated.</p>
</div>
<div class="section" id="repository-cfg-etc-sysconfig-iptables-iptables-genshi">
<h2>/repository/Cfg/etc/sysconfig/iptables/iptables.genshi<a class="headerlink" href="#repository-cfg-etc-sysconfig-iptables-iptables-genshi" title="Permalink to this headline">¶</a></h2>
<div class="highlight-none"><div class="highlight"><pre>{% python
    from genshi.builder import tag
    import os, sys
    import Bcfg2.Options
    opts = { 'repo': Bcfg2.Options.SERVER_REPOSITORY }
    setup = Bcfg2.Options.OptionParser(opts)
    setup.parse('--')
    repo = setup['repo']
    basedir = '%s' % (repo)
    # for instance:
    bcfg2BaseDir = basedir + name + '/'

    # Host-specific include: &lt;type&gt;.H_&lt;hostname&gt; in the template directory
    def checkHostFile(hostName, type):
        fileName = bcfg2BaseDir + type + '.H_' + hostName
        if os.path.isfile(fileName):
            return fileName
        else:
            return fileName

    # Group-specific include: &lt;type&gt;.G_&lt;group&gt; in the template directory
    def checkGroupFile(groupName, type):
        fileName = bcfg2BaseDir + type + '.G_' + groupName
        if os.path.isfile(fileName):
            return fileName
        else:
            return fileName
%}\
# BCFG2 GENERATED IPTABLES
# DO NOT CHANGE THIS
# $$Id$$
# Templates live in ${bcfg2BaseDir}
# Manual customization of this file will get reverted.
# ----------------------------- FILTER --------------------------------- #
# Default CHAINS for FILTER:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NO-SMTP - [0:0]
#Default rules
#discard malicious packets
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#Allow incoming ICMP
-A INPUT -p icmp -m icmp -j ACCEPT
#Accept localhost traffic
-A INPUT -i lo -j ACCEPT
# Allow already established sessions to remain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Deny inbound SMTP delivery (still allows outbound connections)
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP
-A NO-SMTP -j LOG --log-prefix " Incoming SMTP (denied) "
-A NO-SMTP -j DROP
# Allow SSH Access
:SSH - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH
-A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT
# Allow Ganglia Access
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
# Gmetad access to gmond
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
# Gmond UDP multicast
-A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT
{% if metadata.groups %}\
# group custom FILTER rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'custom-filter')} %}\
{% end %}\
{% end %}\
# host-specific FILTER rules:
{% include ${checkHostFile(metadata.hostname, 'custom-filter')} %}\
COMMIT
# ------------------------------- NAT ---------------------------------- #
*nat
# Default CHAINS for NAT:
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if metadata.groups %}\
# group NAT for PREROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'nat-prerouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group NAT for OUTPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'nat-output')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group NAT for POSTROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'nat-postrouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group custom NAT rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'custom-nat')} %}\
{% end %}\
{% end %}\
# host-specific NAT rules:
{% include ${checkHostFile(metadata.hostname, 'custom-nat')} %}\
COMMIT
# ----------------------------- MANGLE -------------------------------- #
*mangle
# Default CHAINS for MANGLE:
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if metadata.groups %}\
# group MANGLE for PREROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-prerouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for INPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-input')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for FORWARD:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-forward')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for OUTPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-output')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for POSTROUTING rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-postrouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group custom MANGLE rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'custom-mangle')} %}\
{% end %}\
{% end %}\
# host-specific MANGLE rules:
{% include ${checkHostFile(metadata.hostname, 'custom-mangle')} %}\
COMMIT
</pre></div>
</div>
<div class="section" id="cfg-etc-sysconfig-iptables-custom-filter-g-mysql-server">
<h3>Cfg/etc/sysconfig/iptables/custom-filter.G_mysql-server<a class="headerlink" href="#cfg-etc-sysconfig-iptables-custom-filter-g-mysql-server" title="Permalink to this headline">¶</a></h3>
<div class="highlight-none"><div class="highlight"><pre>:MYSQL - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL
-A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT
</pre></div>
</div>
<p>For a host that is in the mysql-server group, you get an iptables file that looks like the following:</p>
<div class="highlight-python"><pre># BCFG2 GENERATED IPTABLES
# DO NOT CHANGE THIS
# $Id: template.newtxt 5402 2009-08-19 22:50:06Z unixmouse$
# Templates live in /var/lib/bcfg2/Cfg/etc/sysconfig/iptables/
# Manual customization of this file will get reverted.
# ----------------------------- FILTER --------------------------------- #
# Default CHAINS for FILTER:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NO-SMTP - [0:0]
#Default rules
#discard malicious packets
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Allow incoming ICMP
-A INPUT -p icmp -m icmp -j ACCEPT
# Accept localhost traffic
-A INPUT -i lo -j ACCEPT
# Allow already established sessions to remain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Deny inbound SMTP delivery (still allows outbound connections)
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP
-A NO-SMTP -j LOG --log-prefix " Incoming SMTP (denied) "
-A NO-SMTP -j DROP
# Allow SSH Access
:SSH - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH
-A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT
# Allow Ganglia Access
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
#Gmetad access to gmond
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
#Gmond UDP multicast
-A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT
# group custom FILTER rules:
:MYSQL - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL
-A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT
# host-specific FILTER rules:
COMMIT
# ------------------------------- NAT ---------------------------------- #
*nat
# Default CHAINS for NAT:
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# group NAT for PREROUTING:
# group NAT for OUTPUT:
# group NAT for POSTROUTING:
# group custom NAT rules:
# host-specific NAT rules:
COMMIT
# ----------------------------- MANGLE -------------------------------- #
*mangle
# Default CHAINS for MANGLE:
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# group MANGLE for PREROUTING:
# group MANGLE for INPUT:
# group MANGLE for FORWARD:
# group MANGLE for OUTPUT:
# group MANGLE for POSTROUTING rules:
# group custom MANGLE rules:
# host-specific MANGLE rules:
COMMIT</pre>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sphinxsidebar">
<div class="sphinxsidebarwrapper">
<h3><a href="../../../../../index.html">Table Of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">iptables</a><ul>
<li><a class="reference internal" href="#repository-cfg-etc-sysconfig-iptables-iptables-genshi">/repository/Cfg/etc/sysconfig/iptables/iptables.genshi</a><ul>
<li><a class="reference internal" href="#cfg-etc-sysconfig-iptables-custom-filter-g-mysql-server">Cfg/etc/sysconfig/iptables/custom-filter.G_mysql-server</a></li>
</ul>
</li>
</ul>
</li>
</ul>
<h4>Previous topic</h4>
<p class="topless"><a href="hosts.html" title="previous chapter">hosts</a></p>
<h4>Next topic</h4>
<p class="topless"><a href="motd.html" title="next chapter">motd</a></p>
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../../../../../_sources/server/plugins/generators/examples/genshi/iptables.txt" rel="nofollow">Show Source</a></li>
</ul>
<div id="searchbox" style="display: none">
<h3>Quick search</h3>
<form class="search" action="../../../../../search.html" method="get">
<input type="text" name="q" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
<p class="searchtip" style="font-size: 90%">
Enter search terms or a module, class or function name.
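<p>As an added example (not part of the Bcfg2 documentation or code base), a small Python check that parses a rendered file in the iptables-restore format the template above produces and lists which inbound ports and sources the filter table's INPUT chain accepts, following the template's pattern of one dispatch rule into a user chain (SSH, MYSQL) that holds the per-source ACCEPT. The embedded ruleset is a constructed excerpt of the mysql-server output shown above; running it against the real rendered file is a quick way to confirm a group include did not open more than intended.</p>

```python
import shlex
# Constructed excerpt of the rendered filter table shown above (a mysql-server host).
SAMPLE = """*filter
:INPUT DROP [0:0]
:NO-SMTP - [0:0]
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP
-A NO-SMTP -j LOG --log-prefix " Incoming SMTP (denied) "
-A NO-SMTP -j DROP
:SSH - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH
-A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT
:MYSQL - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL
-A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT
COMMIT"""

def parse_restore(text):
    # returns {table: ({chain: policy}, [(chain, {option: value})])}; --tcp-flags takes two values
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('*'):
            table = line[1:]
            tables[table] = ({}, [])
        elif line.startswith(':'):
            chain, policy = line[1:].split()[:2]
            tables[table][0][chain] = policy
        elif line.startswith('-A '):
            tok = shlex.split(line)[1:]   # shlex keeps the quoted --log-prefix as one value
            chain, opts, i = tok[0], {}, 1
            while i < len(tok):
                n = 2 if tok[i] == '--tcp-flags' else 1
                opts[tok[i]] = ' '.join(tok[i + 1:i + 1 + n])
                i += 1 + n
            tables[table][1].append((chain, opts))
    return tables

def accepted_inbound(tables):
    # (proto, dport, source) INPUT accepts for new connections; follows one jump into a
    # user chain (the SSH/MYSQL pattern), so a chain that only logs and drops adds nothing
    by_chain = {}
    for chain, opts in tables['filter'][1]:
        by_chain.setdefault(chain, []).append(opts)
    found = []
    for opts in [o for o in by_chain.get('INPUT', []) if '--dport' in o]:
        src = opts.get('--src') or opts.get('-s') or 'any'
        hits = [opts] if opts['-j'] == 'ACCEPT' else by_chain.get(opts['-j'], [])
        found += [(opts['-p'], opts['--dport'], s.get('-s', src)) for s in hits if s.get('-j') == 'ACCEPT']
    return found
```

For the sample above the result is SSH and MySQL from 192.168.0.0/16 plus UDP 8649 from anywhere, and port 25 does not appear because NO-SMTP never accepts.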
</p>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="footer">
© Copyright 2009-2013, Narayan Desai. Last updated on Mar 20, 2013. Created using <a href="http://sphinx.pocoo.org/">Sphinx</a> 1.1.3.
</div>
</body>
</html>