Puppet Class: iptables
Defined in: manifests/init.pp
Overview
Add management of iptables with default rule optimization and a failsafe fallback mode.

This class detects conflicts with the SIMP option simp_options::firewall and, if a conflict is found, ceases management of IPTables.

In particular, this means that if simp_options::firewall is false but you have included this class, it will refuse to manage IPTables and will instead raise a warning.

If the simp_options::firewall variable is not present, the module will manage IPTables as expected.
```puppet
# File 'manifests/init.pp', line 70
class iptables (
  Variant[Enum['ignore'],Boolean] $enable                     = simplib::lookup('simp_options::firewall', { 'default_value' => true }),
  String                          $ensure                     = 'latest',
  Boolean                         $ipv6                       = true,
  Boolean                         $class_debug                = false,
  Boolean                         $optimize_rules             = true,
  Array[String]                   $ignore                     = [],
  Boolean                         $default_rules              = true,
  Boolean                         $scanblock                  = false,
  Boolean                         $prevent_localhost_spoofing = true
) {
  # 'ignore' skips everything below: nothing is installed, started or optimized.
  if $enable != 'ignore' {
    contain '::iptables::install'
    contain '::iptables::service'

    if $default_rules { contain '::iptables::rules::base' }
    if $scanblock { contain '::iptables::rules::scanblock' }
    if $prevent_localhost_spoofing { contain '::iptables::rules::prevent_localhost_spoofing' }

    Class['iptables::install'] -> Class['iptables::service']

    # These are required to run if you are managing iptables with the custom
    # types at all. Inside this branch $enable is a Boolean, so a false value
    # (the simp_options::firewall conflict case) sets disable => true.
    iptables_optimize { '/etc/sysconfig/iptables':
      optimize => $optimize_rules,
      ignore   => $ignore,
      disable  => !$enable
    }

    if $ipv6 and $facts['ipv6_enabled'] {
      ip6tables_optimize { '/etc/sysconfig/ip6tables':
        optimize => $optimize_rules,
        ignore   => $ignore,
        disable  => !$enable
      }
    }
  }
}
```
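As an added example (not part of the module or its documentation), a site profile that resolves the simp_options::firewall conflict explicitly in code rather than relying on the class's runtime failsafe; the profile name and the $extra_ignore parameter are assumptions.

```puppet
# Added example, not from the module. profile::firewall and $extra_ignore
# are assumed names; everything else uses the class parameters shown above.
class profile::firewall (
  Array[String] $extra_ignore = [],
) {
  # Same lookup the class uses for its $enable default: an absent key
  # resolves to true, so iptables is managed as expected.
  $firewall_opt = simplib::lookup('simp_options::firewall', { 'default_value' => true })

  case $firewall_opt {
    true: {
      # Normal path: install -> service, the base rules, and optimization of
      # /etc/sysconfig/iptables (and ip6tables when the ipv6_enabled fact is set).
      class { 'iptables':
        enable                     => true,
        ignore                     => $extra_ignore,  # passed through to iptables_optimize
        ipv6                       => true,
        default_rules              => true,
        scanblock                  => false,
        prevent_localhost_spoofing => true,
      }
    }
    false: {
      # simp_options::firewall is false: with the default $enable the class
      # would refuse management and warn on every run. Declaring it with
      # 'ignore' skips the whole `if $enable != 'ignore'` block, so the
      # decision not to manage iptables is visible here, in reviewed code,
      # instead of surfacing only as an agent warning.
      class { 'iptables':
        enable => 'ignore',
      }
    }
    default: {
      # Already 'ignore' (the only other value the Variant admits): pass it through.
      class { 'iptables':
        enable => $firewall_opt,
      }
    }
  }
}
```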