Wednesday, March 19, 2014

Salt minions lose connection with salt master after restarting iptables

So you want to manage iptables firewall rules with Salt. If you write a state file like the one below, it will work as expected… sorta. Existing connections appear to be dropped, and subsequent commands from the Salt master never make it to the minion; your separate SSH session to the minion loses connectivity as well:


iptables:
  pkg.installed

/etc/sysconfig/iptables:
  file.managed:
    - source: salt://eocprdev/files/iptables
    - user: root
    - group: root
    - mode: 600

restart-iptables-service:
  cmd.wait:
    - name: service iptables restart
    - watch:
      - file: /etc/sysconfig/iptables


If you’re logged in to the minion and run a “service iptables restart” by hand, things seem fine, so the command in the “name:” section above looks like it should be fine too.


Here’s how you need to do it, though. Note the “iptables-restore” method of reloading the iptables rules:


iptables:
  pkg.installed

/etc/sysconfig/iptables:
  file.managed:
    - source: salt://eocprdev/files/iptables
    - user: root
    - group: root
    - mode: 600

restart-iptables-service:
  cmd.wait:
    - name: iptables-restore < /etc/sysconfig/iptables
    - watch:
      - file: /etc/sysconfig/iptables


This second way works repeatedly, and existing connections to the minion remain intact.
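As an added example (not from the original post), here is a small reload helper that does what the corrected state’s cmd.wait does, with a pre-flight check in front of it: it verifies the file is well-formed iptables-save output that still carries a RELATED,ESTABLISHED accept (so the minion’s live sessions stay matched after the swap), asks iptables-restore --test to parse it, and only then replaces the running ruleset atomically. It assumes the RHEL/CentOS path /etc/sysconfig/iptables and an iptables-restore that accepts --test; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: check a rules file in iptables-save
# format, then reload it atomically with iptables-restore instead of
# "service iptables restart". Assumes /etc/sysconfig/iptables (RHEL/CentOS)
# and an iptables-restore that supports --test (iptables 1.4.x and later).

RULES_FILE="${RULES_FILE:-/etc/sysconfig/iptables}"

# Pure-shell sanity checks before the file is handed to the kernel:
#  - every table header (*filter, *nat, ...) is closed by a COMMIT line
#  - a stateful RELATED,ESTABLISHED accept exists, so the minion's existing
#    sessions (SSH, the connection to the master) are still matched afterwards
# Returns 0 when the file looks sane, 1 otherwise.
validate_rules_file() {
    f="$1"
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT' "$f" || true)
    if [ "$tables" -eq 0 ] || [ "$tables" -ne "$commits" ]; then
        echo "$f: $tables table header(s) but $commits COMMIT line(s)" >&2
        return 1
    fi
    if ! grep -Eq -- '--state[[:space:]]+(RELATED,ESTABLISHED|ESTABLISHED,RELATED)' "$f" \
       && ! grep -Eq -- '--ctstate[[:space:]]+(RELATED,ESTABLISHED|ESTABLISHED,RELATED)' "$f"; then
        echo "$f: no RELATED,ESTABLISHED accept rule; a reload would orphan live sessions" >&2
        return 1
    fi
    return 0
}

# Apply the ruleset atomically. "iptables-restore --test" parses the file
# without committing it, so a syntax error is caught before anything in the
# running ruleset changes; only a file that passes both checks is loaded.
reload_rules() {
    f="$1"
    validate_rules_file "$f" || return 1
    iptables-restore --test < "$f" || { echo "$f: rejected by iptables-restore --test" >&2; return 1; }
    iptables-restore < "$f"
}

# Usage (as root): reload_rules "$RULES_FILE"
```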


Here’s a mention of someone else having the problem: http://ift.tt/1j5DemF




