linux – 使用Puppet管理iptables

前端之家收集整理的这篇文章主要介绍了linux – 使用Puppet管理iptables前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
已经提出了用Puppet管理我们的iptables规则的想法.我看到augeas有一个iptables镜头但它目前是实验性的.

有没有人对如何处理这个有任何建议?理想情况下,我想基于服务器类构建链.

解决方法

这就是我在使用Red Hat Enterprise(RHEL)时所做的.

RHEL有一个iptables服务,它从/ etc / sysconfig / iptables加载规则,我正在修改文件并重新启动iptables服务.许多人喜欢将片段放入iptables.d目录并构建一个iptables(通过make或类似的东西)规则集.我包含了用于重建默认规则集的内容,但通常从不执行任何操作.如果您的需求很简单,您只需将iptables文件复制到系统即可.

尽管看起来有多丑,但它在RHEL4,RHEL5和RHEL6上进行了彻底的测试.

在augeas支持傀儡之前,我已经做到了这一点.如果我今天再次写它,我会先看看augeas iptables镜头,然后再使用exec {“perl …”:}.

一些全局定义用于编辑文件

基于最初来自http://reductivelabs.com/trac/puppet/wiki/SimpleTextRecipes的东西

# Ensure that the line "line" exists in "file":
# Usage: 
# append_if_no_such_line { dummy_modules:
#        file => "/etc/modules",#        line => dummy 
# }
# 
define append_if_no_such_line($file,$line,$refreshonly = 'false') {
   exec { "/bin/echo '$line' >> '$file'":
      unless => "/bin/grep -Fxqe '$line' '$file'",refreshonly => $refreshonly,}
}

# Ensure that the line "line" exists in "file":
# Usage: 
# prepend_if_no_such_line { dummy_modules:
#        file => "/etc/modules",#        line => dummy 
# }
# 
define prepend_if_no_such_line($file,$refreshonly = 'false') {
   $line_no_slashes = slash_escape($line)
   exec { "/usr/bin/perl -p0i -e 's/^/$line_no_slashes\n/;' '$file'":
      unless => "/bin/grep -Fxqe '$line' '$file'",}
}

define insert_line_after_if_no_such_line($file,$after) {
    $line_no_slashes = slash_escape($line)
    $after_no_slashes = slash_escape($after)

    exec { "/usr/bin/perl -p0i -e 's/^($after_no_slashes)\$/\$1\n$line_no_slashes/m' '$file'":
        onlyif => "/usr/bin/perl -ne 'BEGIN { \$ret = 0; } \$ret = 1 if /^$line_no_slashes/; END { exit \$ret; }' '$file'",}
}

define insert_line_before_if_no_such_line($file,$beforeline) {
    $line_no_slashes = slash_escape($line)
    $before_no_slashes = slash_escape($beforeline)

    exec { "/usr/bin/perl -p0i -e 's/^($before_no_slashes)\$/$line_no_slashes\n\$1/m' '$file'":
        onlyif => "/usr/bin/perl -ne 'BEGIN { \$ret = 0; } \$ret = 1 if /^$line_no_slashes/; END { exit \$ret; }' '$file'",}
}

我的iptables类:

class iptables {
   if $lsbmajdistrelease >= '6' {
     $primarychain = 'INPUT'
   } else {
     $primarychain = 'RH-Firewall-1-INPUT'
   }

   package {
      iptables: 
         ensure => installed   # "latest" would be too much
   }

   service { 
     iptables:
        enable    => true,# default on
        ensure    => running,# start it up if it's stopped
        hasstatus => true,# since there's no daemon
  }


   file {
     "/etc/sysconfig/iptables":
       ensure => present;
   }

   ##
   # Build up a config if it's missing components we expect; should
   # automatically repair a config if it's broken for really simple reasons
   ##

   # Very first thing: a comment at the top warning about our evil; add even if
   # we're not touching anything else...
   prepend_if_no_such_line { 
      "/etc/sysconfig/iptables comment":
         file => "/etc/sysconfig/iptables",line => "# This file partially managed by puppet; attempts to edit will result in magic reappearances"
   }

   # start
   # *filter
   insert_line_after_if_no_such_line {
      "/etc/sysconfig/iptables *filter":
         file    => "/etc/sysconfig/iptables",line    => "\\*filter",after   => "#.*",notify => Service[iptables],}

   # first default chain
   # :INPUT ACCEPT [0:0]
   insert_line_after_if_no_such_line {
      "/etc/sysconfig/iptables:INPUT":
         file   => "/etc/sysconfig/iptables",line   => ":INPUT ACCEPT \\[0:0\\]",after  => "\\*filter",}

   # second default chain
   # :FORWARD ACCEPT [0:0]
   insert_line_after_if_no_such_line {
      "/etc/sysconfig/iptables:FORWARD":
         file   => "/etc/sysconfig/iptables",line   => ":FORWARD ACCEPT \\[0:0\\]",after  => ":INPUT ACCEPT \\[\\d+:\\d+\\]",}


   # third default chain
   # :OUTPUT ACCEPT [0:0]
   insert_line_after_if_no_such_line {
      "/etc/sysconfig/iptables:OUTPUT":
         file   => "/etc/sysconfig/iptables",line   => ":OUTPUT ACCEPT \\[0:0\\]",after  => ":FORWARD ACCEPT \\[\\d+:\\d+\\]",}

   if $lsbmajdistrelease <= 5 {

      # Finally,the RH special chain
      # :RH-Firewall-1-INPUT - [0:0]
      insert_line_after_if_no_such_line {
         "/etc/sysconfig/iptables:RH-Firewall-1-INPUT":
            file   => "/etc/sysconfig/iptables",line   => ":RH-Firewall-1-INPUT - \\[0:0\\]",after  => ":OUTPUT ACCEPT \\[\\d+:\\d+\\]",}

      # redirect INPUT to RH chain
      # -A INPUT -j RH-Firewall-1-INPUT
      insert_line_after_if_no_such_line {
         "/etc/sysconfig/iptables:INPUT:RH-Firewall-1-INPUT":
            file   => "/etc/sysconfig/iptables",line   => "-A INPUT -j RH-Firewall-1-INPUT",after  => ":RH-Firewall-1-INPUT - \\[\\d+:\\d+\\]",}

      # redirect FORWARD to RH chain
      # -A FORWARD -j RH-Firewall-1-INPUT
      insert_line_after_if_no_such_line { 
         "/etc/sysconfig/iptables:FORWARD:RH-Firewall-1-INPUT":
            file   => "/etc/sysconfig/iptables",line   => "-A FORWARD -j RH-Firewall-1-INPUT",after  => "-A INPUT -j RH-Firewall-1-INPUT",}

   }

   # Let anything on localhost work...
   # -A $primarychain -i lo -j ACCEPT
   insert_line_after_if_no_such_line {
      "/etc/sysconfig/iptables:$primarychain lo":
         file    => "/etc/sysconfig/iptables",line   => "-A $primarychain -i lo -j ACCEPT",after  => "-A FORWARD -j $primarychain",}

   # And let through all the ICMP stuff:
   # -A $primarychain -p icmp --icmp-type any -j ACCEPT
   if $lsbmajdistrelease >= '6' {
     insert_line_after_if_no_such_line {
        "/etc/sysconfig/iptables:$primarychain icmp":
           file   => "/etc/sysconfig/iptables",line   => "-A $primarychain -p icmp -j ACCEPT",after  => "-A $primarychain -i lo -j ACCEPT",}
   } else {
     insert_line_after_if_no_such_line {
        "/etc/sysconfig/iptables:$primarychain icmp":
           file   => "/etc/sysconfig/iptables",line   => "-A $primarychain -p icmp --icmp-type any -j ACCEPT",}
   }

   # Finally,let anything that's part of an exisiting connection through:
   # -A $primarychain -m state --state ESTABLISHED,RELATED -j ACCEPT
   insert_line_after_if_no_such_line {
      "/etc/sysconfig/iptables:ESTABLISHED":
         file   => "/etc/sysconfig/iptables",line   => "-A $primarychain -m state --state ESTABLISHED,RELATED -j ACCEPT",after  => "-A $primarychain -p icmp --icmp-type any -j ACCEPT",}

   # Very last thing:
   # COMMIT
   append_if_no_such_line {
      "/etc/sysconfig/iptables:COMMIT":
         file   => "/etc/sysconfig/iptables",line   => "COMMIT",}

   # Next to last thing: reject!
   # -A $primarychain -j REJECT --reject-with icmp-host-prohibited
   insert_line_before_if_no_such_line {
      "/etc/sysconfig/iptables:final reject":
         file       => "/etc/sysconfig/iptables",line       => "-A $primarychain -j REJECT --reject-with icmp-host-prohibited",beforeline => "COMMIT",notify     => Service[iptables],}
}

# example:
# iptable_rule { "iptable:ssh":
#   rule => "-m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT"
# }
# change your mind about a rule,do this:
# iptable_rule { "iptable:ssh":
#   rule   => "-m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT",#   ensure => "absent",# }
define iptable_rule($rule,$ensure = 'present') {
   if $lsbmajdistrelease >= '6' {
     $primarychain = 'INPUT'
   } else {
     $primarychain = 'RH-Firewall-1-INPUT'
   }
   $iptablesline = "-A $primarychain $rule"
   case $ensure {
      default: { err ( "unknown ensure value $ensure" ) }
      present: {
         insert_line_before_if_no_such_line {
            "/etc/sysconfig/iptables:add $rule":
               file       => "/etc/sysconfig/iptables",line       => $iptablesline,beforeline => "-A $primarychain -j REJECT --reject-with icmp-host-prohibited",}
      }
      absent: {
         delete_lines {
            "/etc/sysconfig/iptables:remove $rule":
               file    => "/etc/sysconfig/iptables",pattern => $iptablesline,notify  => Service[iptables],}
      }
   }
}

# Example:
# iptable_tcp_port { "iptable:ssh":
#    port => "22",# }
# Example:
# iptable_tcp_port { "iptable:oracle:130.157.5.0/24":
#    port    => "1521",#    source => "130.157.5.0/24",# }
# (add ensure => "absent" to remove)
define iptable_tcp_port($port,$ensure = 'present',$source = 'ANY') {
   case $source {
      "ANY": {
         iptable_rule {
            "iptable_tcp_port:$port":
               rule   => "-m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT",ensure => $ensure,}
      }
      default: {
         iptable_rule {
            "iptable_tcp_port:$port:$source":
               rule   => "-m state --state NEW -m tcp -p tcp --source $source --dport $port -j ACCEPT",}
      }
   }
}

# Example:
# iptable_udp_port { "iptable:ntp":
#    port => "123",# }
# (again,ensure => "absent" if needed)
define iptable_udp_port($port,$source = 'ANY') {
   case $source {
      "ANY": {
         iptable_rule {
            "iptable_udp_port:$port":
               rule   => "-p udp -m udp --dport $port -j ACCEPT",}
      }
      default: {
         iptable_rule {
            "iptable_udp_port:$port":
               rule   => "-p udp -m udp --source $source --dport $port -j ACCEPT",}
      }
   }
}

其他类中的一些使用示例:

class ssh {
  include iptables
  iptable_tcp_port {
    "iptables:ssh":
      port   => "22",ensure => "present"
   }
}
class ssh_restricted inherits ssh {
  Iptable_tcp_port["iptables:ssh"]{ensure => "absent"}
  iptable_tcp_port {
    "ssh:RESTRICTED":
      port   => "22",source => "X.Y.0.0/16",ensure => "present";
   }
}

class apache {
  iptable_tcp_port {
    "iptables:http":
      require => Service["httpd"],port => "80";
  }
}

class apache::secure {
  iptable_tcp_port {
    "iptables:https":
      require => Service["httpd"],port => "443";
  }
}

class snmp {
  iptable_udp_port { "iptables:snmp": port => "161" }
}

猜你在找的Linux相关文章