.. -*- mode: rst -*- ========== iptables ========== * Setup a Genshi base iptables file that contains the basic rules you want every host to have * To be safe you should have a client side IptablesDeadmanScript if you intend on having bcfg2 bounce iptables upon rule updates .. note:: When updating files in the ``includes`` directory, you will need to `touch` the Genshi template to regenerate the template contents. /repository/Cfg/etc/sysconfig/iptables/iptables.genshi ====================================================== .. code-block:: none {% python from genshi.builder import tag import os,sys import Bcfg2.Options opts = { 'repo': Bcfg2.Options.SERVER_REPOSITORY } setup = Bcfg2.Options.OptionParser(opts) setup.parse('--') repo = setup['repo'] basedir = '%s' % (repo) # for instance: bcfg2BaseDir = basedir + name + '/' def checkHostFile(hostName, type): fileName = bcfg2BaseDir + type + '.H_' + hostName if os.path.isfile(fileName)==True : return fileName else: return fileName def checkGroupFile(groupName, type): fileName = bcfg2BaseDir + type + '.G_' + groupName if os.path.isfile(fileName)==True : return fileName else: return fileName %}\ # BCFG2 GENERATED IPTABLES # DO NOT CHANGE THIS # $$Id$$ # Templates live in ${bcfg2BaseDir} # Manual customization of this file will get reverted. # ----------------------------- FILTER --------------------------------- # # Default CHAINS for FILTER: *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :NO-SMTP - [0:0] #Default rules #discard malicious packets -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #Allow incoming ICMP -A INPUT -p icmp -m icmp -j ACCEPT #Accept localhost traffic -A INPUT -i lo -j ACCEPT # Allow already established sessions to remain -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # Deny inbound SMTP delivery (still allows outbound connections) -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP -A NO-SMTP -j LOG --log-prefix " Incoming SMTP (denied) " -A NO-SMTP -j DROP # Allow SSH Access :SSH - [0:0] -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH -A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT # Allow Ganglia Access -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT # Gmetad access to gmond -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT # Gmond UDP multicast -A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT {% if metadata.groups %}\ # group custom FILTER rules: {% for group in metadata.groups %}\ {% include ${checkGroupFile(group,'custom-filter')} %}\ {% end %}\ {% end %}\ # host-specific FILTER rules: {% include ${checkHostFile(metadata.hostname, 'custom-filter')} %}\ COMMIT # ------------------------------- NAT ---------------------------------- # *nat # Default CHAINS for NAT: :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] {% if metadata.groups %}\ # group NAT for PREROUTING: {% for group in metadata.groups %}\ {% include ${checkGroupFile(group,'nat-prerouting')} %}\ {% end %}\ {% end %}\ {% if metadata.groups %}\ # group NAT for OUTPUT: {% for group in metadata.groups %}\ {% include ${checkGroupFile(group,'nat-output')} %}\ {% end %}\ {% end %}\ {% if metadata.groups %}\ # group NAT for POSTROUTING: {% for group in metadata.groups %}\ {% include ${checkGroupFile(group,'nat-postrouting')} %}\ {% end %}\ {% end %}\ {% if metadata.groups %}\ # group custom NAT rules: {% for group in metadata.groups %}\ {% include ${checkGroupFile(group,'custom-nat')} %}\ {% end %}\ {% end %}\ # host-specific NAT ruls: {% include ${checkHostFile(metadata.hostname, 'custom-nat')} %}\ COMMIT # ----------------------------- MANGLE -------------------------------- # *mangle # Default CHAINS for MANGLE: :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] {% if metadata.groups %}\ # group MANGLE for PREROUTING: {% for group in metadata.groups %}\ {% include ${checkGroupFile(group,'mangle-prerouting')} %}\ {% end %}\ {% end %}\ {% if metadata.groups %}\ # group MANGLE for INPUT: {% for group in metadata.groups %}\ {% include ${checkGroupFile(group,'mangle-input')} %}\ {% end %}\ {% end %}\ {% if metadata.groups %}\ # group MANGLE for FORWARD: {% for group in metadata.groups %}\ {% include ${checkGroupFile(group,'mangle-forward')} %}\ {% end %}\ {% end %}\ {% if metadata.groups %}\ # group MANGLE for OUTPUT: {% for group in metadata.groups %}\ {% include ${checkGroupFile(group,'mangle-output')} %}\ {% end %}\ {% end %}\ {% if metadata.groups %}\ # group MANGLE for POSTROUTING rules: {% for group in metadata.groups %}\ {% include ${checkGroupFile(group,'mangle-postrouting')} %}\ {% end %}\ {% end %}\ {% if metadata.groups %}\ # group custom MANGLE rules: {% for group in metadata.groups %}\ {% include ${checkGroupFile(group,'custom-mangle')} %}\ {% end %}\ {% end %}\ # host-specific MANGLE rules: {% include ${checkHostFile(metadata.hostname, 'custom-mangle')} %}\ COMMIT Cfg/etc/sysconfig/iptables/custom-filter.G_mysql-server ------------------------------------------------------- .. code-block:: none :MYSQL - [0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL -A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT For a host that is in the mysql-server group you get an iptables file that looks like the following:: # BCFG2 GENERATED IPTABLES # DO NOT CHANGE THIS # $Id: template.newtxt 5402 2009-08-19 22:50:06Z unixmouse$ # Templates live in /var/lib/bcfg2/Cfg/etc/sysconfig/iptables/ # Manual customization of this file will get reverted. # ----------------------------- FILTER --------------------------------- # # Default CHAINS for FILTER: *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] :NO-SMTP - [0:0] #Default rules #discard malicious packets -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP # Allow incoming ICMP -A INPUT -p icmp -m icmp -j ACCEPT # Accept localhost traffic -A INPUT -i lo -j ACCEPT # Allow already established sessions to remain -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # Deny inbound SMTP delivery (still allows outbound connections) -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP -A NO-SMTP -j LOG --log-prefix " Incoming SMTP (denied) " -A NO-SMTP -j DROP # Allow SSH Access :SSH - [0:0] -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH -A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT # Allow Ganglia Access -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT #Gmetad access to gmond -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT #Gmond UDP multicast -A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT # group custom FILTER rules: :MYSQL - [0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL -A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT # host-specific FILTER rules: COMMIT # ------------------------------- NAT ---------------------------------- # *nat # Default CHAINS for NAT: :PREROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] # group NAT for PREROUTING: # group NAT for OUTPUT: # group NAT for POSTROUTING: # group custom NAT rules: # host-specific NAT rules: COMMIT # ----------------------------- MANGLE -------------------------------- # *mangle # Default CHAINS for MANGLE: :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] # group MANGLE for PREROUTING: # group MANGLE for INPUT: # group MANGLE for FORWARD: # group MANGLE for OUTPUT: # group MANGLE for POSTROUTING rules: # group custom MANGLE rules: # host-specific MANGLE rules: COMMIT