Puppet Class: iptables::install

Defined in:
manifests/install.pp

Overview

NOTE: THIS IS A PRIVATE CLASS

Install the IPTables and IP6Tables components

This also installs fallback startup scripts that come into play should the regular processes fail to start due to a race condition with DNS.



# File 'manifests/install.pp', line 8

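class iptables::install {
  # Installs the iptables (and, when enabled, ip6tables) packages, the init
  # scripts shipped by this module and the permissions of the rules files.
  # Private: only the public iptables class may declare it.
  assert_private()

  # IPV4-only stuff
  package { 'iptables': ensure => $::iptables::ensure }

  file { '/etc/init.d/iptables':
    ensure  => 'file',
    owner   => 'root',
    group   => 'root',
    mode    => '0744',
    content => file("${module_name}/iptables"),
    seltype => 'iptables_initrc_exec_t'
  }

  # --------------------------------------------------
  # Set the iptables startup script to fail safe.
  #
  # The *-retry script is the fallback that takes over if the regular
  # startup fails (e.g. a DNS race at boot), so the ruleset still loads.
  file { '/etc/init.d/iptables-retry':
    ensure  => 'file',
    owner   => 'root',
    group   => 'root',
    mode    => '0744',
    content => file("${module_name}/iptables-retry"),
    seltype => 'iptables_initrc_exec_t'
  }

  # Rules file: only ownership and mode are managed here (no ensure/content),
  # so an existing ruleset is not overwritten. 0640 keeps the rules
  # readable by root only, since they describe the host's filtering policy.
  file { '/etc/sysconfig/iptables':
    owner => 'root',
    group => 'root',
    mode  => '0640'
  }

  # The package must be present before its scripts/config are laid down.
  Package['iptables'] -> File['/etc/init.d/iptables']
  Package['iptables'] -> File['/etc/init.d/iptables-retry']
  Package['iptables'] -> File['/etc/sysconfig/iptables']

  # NOTE(review): 'ipv6_enabled' is not a core fact; confirm which module
  # provides it.
  if $::iptables::ipv6 and $facts['ipv6_enabled'] {
    # IPV6-only stuff
    file { '/etc/init.d/ip6tables':
      ensure  => 'file',
      owner   => 'root',
      group   => 'root',
      mode    => '0744',
      seltype => 'iptables_initrc_exec_t',
      content => file("${module_name}/ip6tables")
    }

    file { '/etc/init.d/ip6tables-retry':
      ensure  => 'file',
      owner   => 'root',
      group   => 'root',
      mode    => '0744',
      seltype => 'iptables_initrc_exec_t',
      content => file("${module_name}/ip6tables-retry")
    }

    file { '/etc/sysconfig/ip6tables':
      owner => 'root',
      group => 'root',
      mode  => '0640'
    }

    case $facts['os']['name'] {
      'RedHat','CentOS': {
        # Compare as a version, not as a string: a plain `> '6'` is a lexical
        # comparison and would misorder a two-digit major release ('10' < '6'),
        # silently sending newer systems down the iptables-ipv6 branch.
        if versioncmp($facts['os']['release']['major'], '6') > 0 {
          # Major release 7 and later: the main package provides ip6tables.
          Package['iptables'] -> File['/etc/init.d/ip6tables']
          Package['iptables'] -> File['/etc/init.d/ip6tables-retry']
          Package['iptables'] -> File['/etc/sysconfig/ip6tables']
        }
        else {
          # Major release 6 and earlier: IPv6 tooling is a separate package.
          package { 'iptables-ipv6': ensure => $::iptables::ensure }
          Package['iptables-ipv6'] -> File['/etc/init.d/ip6tables']
          Package['iptables-ipv6'] -> File['/etc/init.d/ip6tables-retry']
          Package['iptables-ipv6'] -> File['/etc/sysconfig/ip6tables']
        }
      }
      default: {
        # Same structured fact as the case selector above, for consistency.
        fail("${facts['os']['name']} is not yet supported by ${module_name}")
      }
    }
  }
}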