2013-09-02 17:47:56 +00:00

[[!meta title="Linux distribution independent iptables setup powered by cdist sponsored by panter"]]

## Introduction

As a sysadmin, you may have encountered several different Linux distributions in your life. You may also have found out that configuring [[!iptables]] permanently differs from distribution to distribution.

Fortunately you can stop caring about this problem: in the [[cdist|software/cdist]] source tree you find two new types that handle it universally, independent of the Linux distribution.

These types are a result of work done at [[!ungleich]] for our customer [[!panter]]. Panter not only allows us to publish the code freely, but also encourages us to do so - many thanks!

## How to use it

First of all, ensure you have cdist installed on your source host. Then create the directory ~/.cdist/manifest and the file ~/.cdist/manifest/init with the following content:

    case "$__target_host" in
        insert-your-target-host-name-here)
            # chain policies: drop everything that is not explicitly allowed
            __iptables_rule policy-in --rule "-P INPUT DROP"
            __iptables_rule policy-out --rule "-P OUTPUT ACCEPT"
            __iptables_rule policy-fwd --rule "-P FORWARD DROP"

            # accept packets belonging to connections that are already established
            __iptables_rule established --rule "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
            # services reachable from outside: HTTP and SSH
            __iptables_rule http --rule "-A INPUT -p tcp --dport 80 -j ACCEPT"
            __iptables_rule ssh --rule "-A INPUT -p tcp --dport 22 -j ACCEPT"
        ;;
    esac

Running

    % cdist config insert-your-target-host-name-here

applies the configuration. That's it, really! Log on to your server and do ***iptables -L -n*** to see the result!

## What did cdist do?

The cdist types \_\_iptables\_rule and \_\_iptables\_apply take care of the necessary steps. In detail they

* create the necessary files and directories
* create and set up an init script that loads / unloads the rules
* apply the rules
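
To make these three points concrete, here is an added example; it is not cdist's own implementation and not code from the original post. It assumes that each \_\_iptables\_rule object leaves its `--rule` string in one file of a rules directory named after the object id; `build_ruleset` turns that directory into the ordered loader script an init script would run on start, `unload_ruleset` is the matching stop action, and `check_ruleset` lints the generated set for the one mistake that locks an administrator out of a remote host: an INPUT policy of DROP without an accept for established connections and for the SSH port. The directory layout, the file names, the admin port 22 and the sample fragments are all constructed for this example.

```shell
#!/bin/sh
# Added example, not cdist's own code: assemble per-rule fragments into an
# ordered iptables loader, provide the unload counterpart, and lint the
# result before it is applied. File layout and names are assumptions.
set -eu

# Constructed sample fragments: one file per rule, named after the object
# id, each holding exactly the --rule string from the manifest above.
make_sample_rules() {
    sdir=$(mktemp -d)
    printf '%s\n' '-P INPUT DROP'    > "$sdir/policy-in"
    printf '%s\n' '-P OUTPUT ACCEPT' > "$sdir/policy-out"
    printf '%s\n' '-P FORWARD DROP'  > "$sdir/policy-fwd"
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' > "$sdir/established"
    printf '%s\n' '-A INPUT -p tcp --dport 80 -j ACCEPT' > "$sdir/http"
    printf '%s\n' '-A INPUT -p tcp --dport 22 -j ACCEPT' > "$sdir/ssh"
    printf '%s\n' "$sdir"
}

# Emit the fragments in $1 as iptables invocations: flush first, then the
# chain policies, then the ordinary rules. The shell glob sorts file names,
# so the generated script is identical on every run and every distribution.
build_ruleset() {
    rdir=$1
    echo 'iptables -F'
    echo 'iptables -X'
    for f in "$rdir"/*; do
        rule=$(cat "$f")
        case $rule in
            -P*) echo "iptables $rule" ;;
        esac
    done
    for f in "$rdir"/*; do
        rule=$(cat "$f")
        case $rule in
            -P*) ;;
            *)   echo "iptables $rule" ;;
        esac
    done
}

# Unload: fall back to ACCEPT policies and flush every chain, which is what
# the init script's stop action amounts to.
unload_ruleset() {
    echo 'iptables -P INPUT ACCEPT'
    echo 'iptables -P OUTPUT ACCEPT'
    echo 'iptables -P FORWARD ACCEPT'
    echo 'iptables -F'
    echo 'iptables -X'
}

# Lint: when INPUT defaults to DROP, the set must keep established
# connections and accept the admin port (22 assumed), otherwise applying it
# remotely cuts off the very session that applied it. Prints the problem
# and returns 1; returns 0 silently when the set is safe.
check_ruleset() {
    ruleset=$1
    admin_port=${2:-22}
    if printf '%s\n' "$ruleset" | grep -q '^iptables -P INPUT DROP$'; then
        if ! printf '%s\n' "$ruleset" | grep -q -- '--state RELATED,ESTABLISHED -j ACCEPT'; then
            echo 'missing RELATED,ESTABLISHED accept on INPUT'
            return 1
        fi
        if ! printf '%s\n' "$ruleset" | grep -q -- "--dport $admin_port -j ACCEPT"; then
            echo "INPUT policy is DROP but no rule accepts port $admin_port"
            return 1
        fi
    fi
    return 0
}

# Usage: generate the loader, lint it, and only print it when it is safe.
sample_dir=$(make_sample_rules)
rules=$(build_ruleset "$sample_dir")
if check_ruleset "$rules"; then
    printf '%s\n' "$rules"
fi
rm -rf "$sample_dir"
```

The ordering relies on the alphabetical sort of the glob, so rules that must precede others need names that sort first; the lint deliberately fails for the manifest typo that gives the `ssh` object port 80, because a set like that passes `iptables -L -n` without complaint and only shows its problem when the next SSH login is refused.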
[[!tag net unix foss ungleich panter]]