<h1>Linux distribution independent iptables setup powered by cdist sponsored by panter</h1>
<p>Nico Schottelius, <a href="https://www.nico.schottelius.org//blog/iptables-distribution-independent-powered-by-cdist-sponsored-by-panter/">nico.schottelius.org</a>. Published 2015-02-03, updated 2016-02-25. Tagged: panter.</p>
<h2>Introduction</h2>
<p>As a sysadmin, you have probably encountered several different
Linux distributions in your life. You may also have found
out that making <a href="http://www.netfilter.org/">iptables</a> rules
persistent across reboots differs from distribution to distribution.</p>
<p>Fortunately you can stop caring about this problem:
the <a href="https://www.nico.schottelius.org//software/cdist/">cdist</a> source tree now contains
two new types that handle it universally, independent
of the Linux distribution.</p>
<p>These types are a result of work done at <a href="http://www.ungleich.ch">ungleich</a>
for our customer <a href="http://www.panter.ch">panter</a>. Panter not only
allows us to publish the code freely, but also encourages
us to do so - many thanks!</p>
<h2>How to use it</h2>
<p>First of all, ensure you have cdist installed on your source host.
Then create the directory ~/.cdist/manifest and the file
~/.cdist/manifest/init with the following content:</p>
<pre><code># cdist manifest: ~/.cdist/manifest/init
case "$__target_host" in
insert-your-target-host-name-here)
    # Default policies: drop unsolicited incoming and forwarded traffic,
    # allow all outgoing traffic.
    __iptables_rule policy-in --rule "-P INPUT DROP"
    __iptables_rule policy-out --rule "-P OUTPUT ACCEPT"
    __iptables_rule policy-fwd --rule "-P FORWARD DROP"
    # Accept packets belonging to connections that are already established
    __iptables_rule established --rule "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Services reachable from the outside: HTTP and SSH
    __iptables_rule http --rule "-A INPUT -p tcp --dport 80 -j ACCEPT"
    __iptables_rule ssh --rule "-A INPUT -p tcp --dport 22 -j ACCEPT"
    ;;
esac
</code></pre>
<p>Running</p>
<pre><code>% cdist config insert-your-target-host-name-here
</code></pre>
<p>applies the configuration. That's it, really! Log on to your
server and do <strong><em>iptables -L -n</em></strong> to see the result!</p>
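<p>Because the manifest above sets the INPUT policy to DROP, a typo that drops the ESTABLISHED or the SSH rule would cut off the very SSH session cdist uses. The following pre-flight check is an added example, not part of the original post or of cdist: it extracts the <code>--rule</code> arguments from a manifest and refuses one that drops INPUT without keeping those two rules. The sample manifests it checks are constructed inline.</p>

```shell
#!/bin/sh
# Added example (not part of the original post or of cdist): sanity-check a
# cdist manifest that uses __iptables_rule before running "cdist config".
# A manifest with "-P INPUT DROP" must still accept RELATED,ESTABLISHED
# traffic and tcp/22, otherwise applying it over SSH locks you out.

# Print the --rule argument of every __iptables_rule call in a manifest.
extract_rules() {
    # Keep only __iptables_rule lines, then keep the quoted text after --rule.
    sed -n 's/^[[:space:]]*__iptables_rule .*--rule[[:space:]]*"\([^"]*\)".*$/\1/p' "$1"
}

# Return 0 if the manifest is safe to apply over SSH, 1 otherwise.
check_manifest() {
    rules=$(extract_rules "$1")
    # Without a DROP policy on INPUT there is nothing to guard against.
    printf '%s\n' "$rules" | grep -q '^-P INPUT DROP$' || return 0
    printf '%s\n' "$rules" | grep -q -- '-A INPUT .*--state RELATED,ESTABLISHED .*-j ACCEPT' || {
        echo "$1: INPUT DROP without a RELATED,ESTABLISHED accept rule" >&2; return 1; }
    printf '%s\n' "$rules" | grep -q -- '-A INPUT -p tcp --dport 22 -j ACCEPT' || {
        echo "$1: INPUT DROP without an SSH (tcp/22) accept rule" >&2; return 1; }
    return 0
}

# Constructed sample manifests written to temporary files for the demo.
write_samples() {
    GOOD_MANIFEST=$(mktemp); BAD_MANIFEST=$(mktemp)
    trap 'rm -f "$GOOD_MANIFEST" "$BAD_MANIFEST"' EXIT
    printf '%s\n' \
        'case "$__target_host" in' \
        'insert-your-target-host-name-here)' \
        '    __iptables_rule policy-in --rule "-P INPUT DROP"' \
        '    __iptables_rule established --rule "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"' \
        '    __iptables_rule ssh --rule "-A INPUT -p tcp --dport 22 -j ACCEPT"' \
        '    ;;' 'esac' > "$GOOD_MANIFEST"
    # Same manifest with the SSH rule left out: the classic lockout mistake.
    grep -v '__iptables_rule ssh' "$GOOD_MANIFEST" > "$BAD_MANIFEST"
}

write_samples
check_manifest "$GOOD_MANIFEST" && echo "complete manifest: safe to apply"
check_manifest "$BAD_MANIFEST" || echo "manifest without ssh rule: refused"
```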
<h2>What did cdist do?</h2>
<p>The cdist types __iptables_rule and __iptables_apply
take care of the necessary steps. In detail they</p>
<ul>
<li>create the necessary files and directory</li>
<li>create and set up an init script that loads / unloads the rules</li>
<li>apply the rules</li>
</ul>