The iptables state would be freakin awesome to be able to use. http://ift.tt/1isIDgB
The only iptables state stuff I can get to work is the iptables.append, and even then it, well, always appends, even if the rule is already there. It doesn’t seem there is any way to tell it to only append the rule if that exact rule is not already in there.
Ideally, the iptables states would let you define very readable iptables rules. Each time you run state.highstate for a machine, it would enforce your defined state rules. This would be fantastic for me, since I want to by default deny all traffic. Then I want to allow some globally-applicable inbound rules, say, for SSH from the salt master. Then, I want to allow 80 and 443 for only web servers (define those particular rules in the init.sls for the web servers group). Then, I want to allow 9200:9300 for just the elasticsearch machines.
Oh well. I have to continue to use static iptables files for each group of machines. It’s kinda lame having to add some inbound SSH rule, but I suppose it’s a good step or two better than logging in to each machine and adding it that way. Besides, doing it through salt implicitly documents your iptables configs in a central location.
The docs seem to be either wrong or out of date.
iptables.flush doesn’t work (example from an init.sls file):
flush-iptables:
iptables.flush
Here’s the error after running a state.highstate:
———-
ID: flush-iptables
Function: iptables.flush
Result: False
Comment: An exception occurred in this state: Traceback (most recent call last):
File “/usr/lib/python2.6/site-packages/salt/state.py”, line 1372, in call
self.verify_ret(ret)
File “/usr/lib64/python2.6/contextlib.py”, line 34, in __exit__
self.gen.throw(type, value, traceback)
File “/usr/lib/python2.6/site-packages/salt/utils/context.py”, line 43, in func_globals_inject
yield
File “/usr/lib/python2.6/site-packages/salt/state.py”, line 1371, in call
**cdata['kwargs'])
File “/usr/lib/python2.6/site-packages/salt/states/iptables.py”, line 487, in flush
if not __salt__['iptables.flush'](kwargs['table'], kwargs['chain'], family):
KeyError: ‘table’
Here’s a sample of an iptables.append block that works, but note, if you run “salt ‘*’ state.highstate” you will end up with 2 of the same rule in your iptables rules. Run it 32 times? Yup, you will have 32 iptables rules, each identical:
ssh-from-managementserver:
iptables.append:
– chain: INPUT
– proto: tcp
– connstate: NEW
– jump: ACCEPT
– source: 8.8.8.8 #put in a real IP here
– dport: 22
– table: filter
– match: state
– save: True
here’s a sample of an iptables.append block that does NOT work (taken from docs page). The problem seems to be when you try to add a comment:
httpd2:
iptables.append:
– table: filter
– chain: INPUT
– jump: ACCEPT
– match:
– state
– comment
– comment: “Allow HTTP”
– connstate: NEW
– source: ‘! 127.0.0.1′
– dport: 80
– proto: tcp
– sport: 1025:65535
– save: True
Here’s the error:
———-
ID: httpd2
Function: iptables.append
Result: False
Comment: An exception occurred in this state: Traceback (most recent call last):
File “/usr/lib/python2.6/site-packages/salt/state.py”, line 1372, in call
self.verify_ret(ret)
File “/usr/lib64/python2.6/contextlib.py”, line 34, in __exit__
self.gen.throw(type, value, traceback)
File “/usr/lib/python2.6/site-packages/salt/utils/context.py”, line 43, in func_globals_inject
yield
File “/usr/lib/python2.6/site-packages/salt/state.py”, line 1371, in call
**cdata['kwargs'])
File “/usr/lib/python2.6/site-packages/salt/states/iptables.py”, line 233, in append
rule = __salt__['iptables.build_rule'](family=family, **kwargs)
File “/usr/lib/python2.6/site-packages/salt/modules/iptables.py”, line 135, in build_rule
kwargs['match'].replace(‘ ‘, ”)
AttributeError: ‘list’ object has no attribute ‘replace’
No comments:
Post a Comment