iptables¶
- Setup a Genshi base iptables file that contains the basic rules you want every host to have
- To be safe you should have a client side IptablesDeadmanScript if you intend on having bcfg2 bounce iptables upon rule updates
Note
When updating files in the includes
directory, you will
need to touch the Genshi template to regenerate the
template contents.
/repository/Cfg/etc/sysconfig/iptables/iptables.genshi¶
{% python
from genshi.builder import tag
import os,sys
import Bcfg2.Options
opts = { 'repo': Bcfg2.Options.SERVER_REPOSITORY }
setup = Bcfg2.Options.OptionParser(opts)
setup.parse('--')
repo = setup['repo']
basedir = '%s' % (repo)
# for instance:
bcfg2BaseDir = basedir + name + '/'
def checkHostFile(hostName, type):
fileName = bcfg2BaseDir + type + '.H_' + hostName
if os.path.isfile(fileName)==True :
return fileName
else:
return fileName
def checkGroupFile(groupName, type):
fileName = bcfg2BaseDir + type + '.G_' + groupName
if os.path.isfile(fileName)==True :
return fileName
else:
return fileName
%}\
# BCFG2 GENERATED IPTABLES
# DO NOT CHANGE THIS
# $$Id$$
# Templates live in ${bcfg2BaseDir}
# Manual customization of this file will get reverted.
# ----------------------------- FILTER --------------------------------- #
# Default CHAINS for FILTER:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NO-SMTP - [0:0]
#Default rules
#discard malicious packets
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
#Allow incoming ICMP
-A INPUT -p icmp -m icmp -j ACCEPT
#Accept localhost traffic
-A INPUT -i lo -j ACCEPT
# Allow already established sessions to remain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Deny inbound SMTP delivery (still allows outbound connections)
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP
-A NO-SMTP -j LOG --log-prefix " Incoming SMTP (denied) "
-A NO-SMTP -j DROP
# Allow SSH Access
:SSH - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH
-A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT
# Allow Ganglia Access
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
# Gmetad access to gmond
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
# Gmond UDP multicast
-A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT
{% if metadata.groups %}\
# group custom FILTER rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'custom-filter')} %}\
{% end %}\
{% end %}\
# host-specific FILTER rules:
{% include ${checkHostFile(metadata.hostname, 'custom-filter')} %}\
COMMIT
# ------------------------------- NAT ---------------------------------- #
*nat
# Default CHAINS for NAT:
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if metadata.groups %}\
# group NAT for PREROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'nat-prerouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group NAT for OUTPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'nat-output')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group NAT for POSTROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'nat-postrouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group custom NAT rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'custom-nat')} %}\
{% end %}\
{% end %}\
# host-specific NAT ruls:
{% include ${checkHostFile(metadata.hostname, 'custom-nat')} %}\
COMMIT
# ----------------------------- MANGLE -------------------------------- #
*mangle
# Default CHAINS for MANGLE:
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
{% if metadata.groups %}\
# group MANGLE for PREROUTING:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-prerouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for INPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-input')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for FORWARD:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-forward')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for OUTPUT:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-output')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group MANGLE for POSTROUTING rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'mangle-postrouting')} %}\
{% end %}\
{% end %}\
{% if metadata.groups %}\
# group custom MANGLE rules:
{% for group in metadata.groups %}\
{% include ${checkGroupFile(group,'custom-mangle')} %}\
{% end %}\
{% end %}\
# host-specific MANGLE rules:
{% include ${checkHostFile(metadata.hostname, 'custom-mangle')} %}\
COMMIT
Cfg/etc/sysconfig/iptables/custom-filter.G_mysql-server¶
:MYSQL - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL
-A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT
For a host that is in the mysql-server group you get an iptables file that looks like the following:
# BCFG2 GENERATED IPTABLES
# DO NOT CHANGE THIS
# $Id: template.newtxt 5402 2009-08-19 22:50:06Z unixmouse$
# Templates live in /var/lib/bcfg2/Cfg/etc/sysconfig/iptables/
# Manual customization of this file will get reverted.
# ----------------------------- FILTER --------------------------------- #
# Default CHAINS for FILTER:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NO-SMTP - [0:0]
#Default rules
#discard malicious packets
-A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Allow incoming ICMP
-A INPUT -p icmp -m icmp -j ACCEPT
# Accept localhost traffic
-A INPUT -i lo -j ACCEPT
# Allow already established sessions to remain
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Deny inbound SMTP delivery (still allows outbound connections)
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP
-A NO-SMTP -j LOG --log-prefix " Incoming SMTP (denied) "
-A NO-SMTP -j DROP
# Allow SSH Access
:SSH - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH
-A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT
# Allow Ganglia Access
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
#Gmetad access to gmond
-A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT
#Gmond UDP multicast
-A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT
# group custom FILTER rules:
:MYSQL - [0:0]
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL
-A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT
# host-specific FILTER rules:
COMMIT
# ------------------------------- NAT ---------------------------------- #
*nat
# Default CHAINS for NAT:
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# group NAT for PREROUTING:
# group NAT for OUTPUT:
# group NAT for POSTROUTING:
# group custom NAT rules:
# host-specific NAT rules:
COMMIT
# ----------------------------- MANGLE -------------------------------- #
*mangle
# Default CHAINS for MANGLE:
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# group MANGLE for PREROUTING:
# group MANGLE for INPUT:
# group MANGLE for FORWARD:
# group MANGLE for OUTPUT:
# group MANGLE for POSTROUTING rules:
# group custom MANGLE rules:
# host-specific MANGLE rules:
COMMIT