Skip to content

Nat rules for iptables #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
nwesoccer wants to merge 23 commits into
base: refork-nov-2017
Choose a base branch
from
Open

Nat rules for iptables #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
7171935
Temporary fix for windows firewall.
nwesoccer Dec 3, 2015
8323095
Update helpers.rb
nwesoccer Dec 6, 2015
9d7ebac
Update helpers.rb
nwesoccer Dec 6, 2015
2030a98
fixing to allow icmpv4 correctly as there are no ports in icmpv4
Dec 15, 2015
67d9efc
adding rudimentary support for nat in iptables
Jan 22, 2016
04e27a2
another test
Jan 22, 2016
32c0510
ordering
Jan 22, 2016
6aa4cff
more order
Jan 22, 2016
a9ffe7a
fixing COMMIT lines
Jan 22, 2016
a51fe18
ugly syntax error
Jan 22, 2016
68b476a
wont need the -t nat options anymore
Jan 22, 2016
63666bf
version
Jan 22, 2016
c064349
Version Bump
nwesoccer Jan 18, 2017
9c6cc43
Adding support for amazon ami linux which is centos/rhel 6, but platf…
Feb 3, 2017
1828852
Added for amazon
Feb 3, 2017
f270bba
One more amazon commit for good measure
Feb 3, 2017
77c5764
More firewall amazon stuff
Feb 3, 2017
e845e12
Firewall fun
Feb 3, 2017
88a3efb
Eureka! Firewall amazon
Feb 3, 2017
c68b2ef
fixed amazon. Setting default input back to drop
Feb 3, 2017
22530b7
Set chef-sugar max version because 3.6.0 depends on newwer ruby
nwesoccer Nov 21, 2017
1369fba
Update metadata.rb
nwesoccer Nov 21, 2017
78f0580
Bump
nwesoccer Nov 21, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions libraries/helpers.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
module FirewallCookbook
module Helpers

def dport_calc(new_resource)
new_resource.dest_port || new_resource.port
end
Expand All @@ -9,6 +10,8 @@ def port_to_s(p)
p.to_s
elsif p && p.is_a?(Array)
p.sort.join(',')
elsif p && p.is_a?(Range) && node['platform_family'] == 'windows'
"#{p.first}-#{p.last}"
elsif p && p.is_a?(Range)
"#{p.first}:#{p.last}"
end
Expand Down Expand Up @@ -71,6 +74,9 @@ def build_rule_file(rules)
contents << "# position #{sorted_value}"
rules.each do |k, v|
next unless v == sorted_value
if k.include?("COMMIT_")
k = "COMMIT"
end
contents << k
end
end
Expand Down
38 changes: 25 additions & 13 deletions libraries/helpers_iptables.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,24 +5,27 @@ module Iptables
include Chef::Mixin::ShellOut

CHAIN = { in: 'INPUT', out: 'OUTPUT', pre: 'PREROUTING', post: 'POSTROUTING' } unless defined? CHAIN # , nil => "FORWARD"}
TARGET = { allow: 'ACCEPT', reject: 'REJECT', deny: 'DROP', masquerade: 'MASQUERADE', redirect: 'REDIRECT', log: 'LOG --log-prefix "iptables: " --log-level 7' } unless defined? TARGET
TARGET = { allow: 'ACCEPT', reject: 'REJECT', deny: 'DROP', masquerade: 'MASQUERADE', redirect: 'REDIRECT', log: 'LOG --log-prefix "iptables: " --log-level 7', snat: 'SNAT' } unless defined? TARGET

def build_firewall_rule(current_node, rule_resource, ipv6 = false)
el5 = (current_node['platform'] == 'rhel' || current_node['platform'] == 'centos') && Gem::Dependency.new('', '~> 5.0').match?('', current_node['platform_version'])
el5 = (current_node['platform'] == 'rhel' || current_node['platform'] == 'centos' || current_node['platform'] == 'amazon') && Gem::Dependency.new('', '~> 5.0').match?('', current_node['platform_version'])

if rule_resource.raw
firewall_rule = rule_resource.raw.strip
else
firewall_rule = '-A '
firewall_rule = ' '

#if [:pre, :post].include?(rule_resource.direction)
# firewall_rule << '-t nat '
#end

if rule_resource.direction
firewall_rule << "#{CHAIN[rule_resource.direction.to_sym]} "
firewall_rule << "-A #{CHAIN[rule_resource.direction.to_sym]} "
else
firewall_rule << 'FORWARD '
firewall_rule << '-A FORWARD '
end

if [:pre, :post].include?(rule_resource.direction)
firewall_rule << '-t nat '
end
# iptables -t nat -A POSTROUTING -o eth0 -p tcp -d 10.200.110.21 -j SNAT --to-source 10.200.110.6

# Iptables order of prameters is important here see example output below:
# -A INPUT -s 1.2.3.4/32 -d 5.6.7.8/32 -i lo -p tcp -m tcp -m state --state NEW -m comment --comment "hello" -j DROP
Expand All @@ -46,6 +49,10 @@ def build_firewall_rule(current_node, rule_resource, ipv6 = false)
end

firewall_rule << "-j #{TARGET[rule_resource.command.to_sym]} "

# Adding to-source for iptables -t nat type of rules
firewall_rule << "--to-source #{rule_resource.to_source} " if rule_resource.command == :snat

firewall_rule << "--to-ports #{rule_resource.redirect_port} " if rule_resource.action == :redirect
firewall_rule.strip!

Expand Down Expand Up @@ -93,11 +100,16 @@ def iptables_default_allow!(new_resource)

def default_ruleset(current_node)
{
'*filter' => 1,
":INPUT #{current_node['firewall']['iptables']['defaults'][:policy][:input]}" => 2,
":FORWARD #{current_node['firewall']['iptables']['defaults'][:policy][:forward]}" => 3,
":OUTPUT #{current_node['firewall']['iptables']['defaults'][:policy][:output]}" => 4,
'COMMIT' => 100
'*nat' => 1,
':PREROUTING ACCEPT' => 2,
':POSTROUTING ACCEPT' => 3,
':OUTPUT ACCEPT' => 4,
'COMMIT_NAT' => 100,
'*filter' => 101,
":INPUT #{current_node['firewall']['iptables']['defaults'][:policy][:input]}" => 102,
":FORWARD #{current_node['firewall']['iptables']['defaults'][:policy][:forward]}" => 103,
":OUTPUT #{current_node['firewall']['iptables']['defaults'][:policy][:output]}" => 104,
'COMMIT_FILTER' => 200
}
end

Expand Down
8 changes: 4 additions & 4 deletions libraries/helpers_windows.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,16 +65,16 @@ def build_rule(new_resource)

if new_resource.direction.to_sym == :out
parameters['localip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any'
parameters['localport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
parameters['localport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any' unless new_resource.protocol == 'icmpv4'
parameters['interfacetype'] = new_resource.source_interface ? new_resource.source_interface : 'any'
parameters['remoteip'] = new_resource.destination ? fixup_cidr(new_resource.destination) : 'any'
parameters['remoteport'] = port_to_s(new_resource.dest_port) ? new_resource.dest_port : 'any'
parameters['remoteport'] = port_to_s(new_resource.dest_port) ? new_resource.dest_port : 'any' unless new_resource.protocol == 'icmpv4'
else
parameters['localip'] = new_resource.destination ? new_resource.destination : 'any'
parameters['localport'] = dport_calc(new_resource) ? port_to_s(dport_calc(new_resource)) : 'any'
parameters['localport'] = dport_calc(new_resource) ? port_to_s(dport_calc(new_resource)) : 'any' unless new_resource.protocol == 'icmpv4'
parameters['interfacetype'] = new_resource.dest_interface ? new_resource.dest_interface : 'any'
parameters['remoteip'] = new_resource.source ? fixup_cidr(new_resource.source) : 'any'
parameters['remoteport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any'
parameters['remoteport'] = new_resource.source_port ? port_to_s(new_resource.source_port) : 'any' unless new_resource.protocol == 'icmpv4'
end

parameters['action'] = type.to_s
Expand Down
2 changes: 1 addition & 1 deletion libraries/provider_firewall_firewalld.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ class Provider::FirewallFirewalld < Chef::Provider::LWRPBase
include FirewallCookbook::Helpers::Firewalld

provides :firewall, os: 'linux', platform_family: %w(rhel fedora) do |node|
node['platform_version'].to_f >= 7.0 && !node['firewall']['redhat7_iptables']
node['platform_version'].to_f >= 7.0 && !node['firewall']['redhat7_iptables'] && !(node['platform'] == 'amazon')
end

def whyrun_supported?
Expand Down
2 changes: 1 addition & 1 deletion libraries/provider_firewall_iptables.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ class Provider::FirewallIptables < Chef::Provider::LWRPBase
include FirewallCookbook::Helpers::Iptables

provides :firewall, os: 'linux', platform_family: %w(rhel fedora) do |node|
node['platform_version'].to_f < 7.0 || node['firewall']['redhat7_iptables']
node['platform_version'].to_f < 7.0 || node['platform'] == 'amazon' || node['firewall']['redhat7_iptables']
end

def whyrun_supported?
Expand Down
2 changes: 1 addition & 1 deletion libraries/provider_firewall_rule_firewalld.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ class Provider::FirewallRuleFirewalld < Chef::Provider::LWRPBase
include FirewallCookbook::Helpers::Firewalld

provides :firewall_rule, os: 'linux', platform_family: %w(rhel fedora) do |node|
node['platform_version'].to_f >= 7.0 && !node['firewall']['redhat7_iptables']
node['platform_version'].to_f >= 7.0 && !node['firewall']['redhat7_iptables'] && !(node['platform'] == 'amazon')
end

action :create do
Expand Down
10 changes: 7 additions & 3 deletions libraries/provider_firewall_rule_iptables.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ class Provider::FirewallRuleIptables < Chef::Provider::LWRPBase
include FirewallCookbook::Helpers::Iptables

provides :firewall_rule, os: 'linux', platform_family: %w(rhel fedora) do |node|
node['platform_version'].to_f < 7.0 || node['firewall']['redhat7_iptables']
node['platform_version'].to_f < 7.0 || node['platform'] == 'amazon' || node['firewall']['redhat7_iptables']
end

action :create do
Expand All @@ -44,8 +44,12 @@ class Provider::FirewallRuleIptables < Chef::Provider::LWRPBase
types.each do |iptables_type|
# build rules to apply with weight
k = build_firewall_rule(node, new_resource, iptables_type == 'ip6tables')
v = new_resource.position

unless k.include?("SNAT")
v = new_resource.position
else
v = new_resource.nat_position
end

# unless we're adding them for the first time.... bail out.
next if firewall.rules[iptables_type].key?(k) && firewall.rules[iptables_type][k] == v

Expand Down
9 changes: 7 additions & 2 deletions libraries/resource_firewall_rule.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ class Resource::FirewallRule < Chef::Resource::LWRPBase

attribute(:firewall_name, kind_of: String, default: 'default')

attribute(:command, kind_of: Symbol, equal_to: [:reject, :allow, :deny, :masquerade, :redirect, :log], default: :allow)
attribute(:command, kind_of: Symbol, equal_to: [:reject, :allow, :deny, :masquerade, :redirect, :log, :snat], default: :allow)

attribute(:protocol, kind_of: [Integer, Symbol], default: :tcp,
callbacks: { 'must be either :tcp, :udp, :icmp, :\'ipv6-icmp\', :icmpv6, :none, or a valid IP protocol number' => lambda do |p|
Expand All @@ -31,7 +31,9 @@ class Resource::FirewallRule < Chef::Resource::LWRPBase
attribute(:dest_port, kind_of: [Integer, Array, Range])
attribute(:dest_interface, kind_of: String)

attribute(:position, kind_of: Integer, default: 50)

attribute(:nat_position, kind_of: Integer, default: 50)
attribute(:position, kind_of: Integer, default: 150)
attribute(:stateful, kind_of: [Symbol, Array])
attribute(:redirect_port, kind_of: Integer)
attribute(:description, kind_of: String, name_attribute: true)
Expand All @@ -43,6 +45,9 @@ class Resource::FirewallRule < Chef::Resource::LWRPBase
attribute(:program, kind_of: String)
attribute(:service, kind_of: String)

# --to-source option for nat in iptables
attribute(:to_source, kind_of: String)

# for when you just want to pass a raw rule
attribute(:raw, kind_of: String)
end
Expand Down
4 changes: 2 additions & 2 deletions metadata.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
license 'Apache 2.0'
description 'Provides a set of primitives for managing firewalls and associated rules.'
long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
version '2.2.0'
version '2.2.9008'

supports 'amazon'
supports 'centos'
Expand All @@ -15,7 +15,7 @@
supports 'scientific'
supports 'ubuntu'

depends 'chef-sugar'
depends 'chef-sugar', '<=3.5.0'

source_url 'https://github.com/chef-cookbooks/firewall' if respond_to?(:source_url)
issues_url 'https://github.com/chef-cookbooks/firewall/issues' if respond_to?(:issues_url)
2 changes: 1 addition & 1 deletion recipes/default.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@
end

# create a variable to use as a condition on some rules that follow
iptables_firewall = rhel? || node['firewall']['ubuntu_iptables']
iptables_firewall = rhel? || node['firewall']['ubuntu_iptables'] || (node['platform'] == 'amazon')

firewall_rule 'allow world to ssh' do
port 22
Expand Down