Sunday, April 27, 2014

SaltStack iptables states just don’t seem to work (at least in CentOS 6.5)

The iptables state would be freakin awesome to be able to use. http://ift.tt/1isIDgB


The only iptables state stuff I can get to work is the iptables.append, and even then it, well, always appends, even if the rule is already there. It doesn’t seem there is any way to tell it to only append the rule if that exact rule is not already in there.


Ideally, the iptables states would let you define very readable iptables rules. Each time you run state.highstate for a machine, it would enforce your defined state rules. This would be fantastic for me, since I want to by default deny all traffic. Then I want to allow some globally-applicable inbound rules, say, for SSH from the salt master. Then, I want to allow 80 and 443 for only web servers (define those particular rules in the init.sls for the web servers group). Then, I want to allow 9200:9300 for just the elasticsearch machines.


Oh well. I have to continue to use static iptables files for each group of machines. It’s kinda lame having to add some inbound SSH rule, but I suppose it’s a good step or two better than logging in to each machine and adding it that way. Besides, doing it through salt implicitly documents your iptables configs in a central location.


The docs seem to be either wrong or out of date.


iptables.flush doesn’t work (example from an init.sls file):


flush-iptables:
  iptables.flush


Here’s the error after running a state.highstate:

----------
          ID: flush-iptables
    Function: iptables.flush
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/usr/lib/python2.6/site-packages/salt/state.py", line 1372, in call
                  self.verify_ret(ret)
                File "/usr/lib64/python2.6/contextlib.py", line 34, in __exit__
                  self.gen.throw(type, value, traceback)
                File "/usr/lib/python2.6/site-packages/salt/utils/context.py", line 43, in func_globals_inject
                  yield
                File "/usr/lib/python2.6/site-packages/salt/state.py", line 1371, in call
                  **cdata['kwargs'])
                File "/usr/lib/python2.6/site-packages/salt/states/iptables.py", line 487, in flush
                  if not __salt__['iptables.flush'](kwargs['table'], kwargs['chain'], family):
              KeyError: 'table'


Here’s a sample of an iptables.append block that works, but note, if you run salt '*' state.highstate you will end up with 2 of the same rule in your iptables rules. Run it 32 times? Yup, you will have 32 iptables rules, each identical:


ssh-from-managementserver:
  iptables.append:
    - chain: INPUT
    - proto: tcp
    - connstate: NEW
    - jump: ACCEPT
    - source: 8.8.8.8  # put in a real IP here
    - dport: 22
    - table: filter
    - match: state
    - save: True
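As an added illustration (not from the original post, and not Salt code): a small Python 3 script that parses iptables-save output and reports any rule that appears more than once in the same table, which is exactly the symptom of repeated highstate runs described above. The sample output is constructed for this example: a default-deny INPUT chain, SSH allowed only from a salt master address (192.0.2.10, a documentation-range placeholder), 80 and 443 open, and the SSH rule appended a second time. The dedupe() helper writes out the same file with the repeats dropped, so the accumulated rules can be reviewed and collapsed with iptables-restore.

```python
"""Find duplicate rules in iptables-save output (illustration, not Salt code)."""
from collections import Counter

# Constructed sample of `iptables-save` output for one web-server host:
# default-deny INPUT, SSH allowed only from the salt master (192.0.2.10 is a
# documentation-range placeholder), 80/443 open, and the SSH rule appended a
# second time by a second state.highstate run.
SAMPLE_IPTABLES_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.0.2.10/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def parse_rules(save_output):
    """Return [(table, rule), ...] for every -A line, in file order.

    '*name' lines select the current table; ':CHAIN POLICY [pkts:bytes]'
    lines, COMMIT and comments carry no rules and are skipped.  Whitespace is
    normalised so that cosmetic spacing differences cannot hide a duplicate.
    """
    table = None
    rules = []
    for raw in save_output.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('*'):
            table = line[1:]
        elif line.startswith('-A '):
            rules.append((table, ' '.join(line.split())))
    return rules


def find_duplicates(save_output):
    """Return {(table, rule): count} for rules present more than once."""
    counts = Counter(parse_rules(save_output))
    return {key: n for key, n in counts.items() if n > 1}


def dedupe(save_output):
    """Return the save file with repeated -A lines dropped (first copy kept).

    The result is still valid iptables-restore input, so it can be reviewed
    and then loaded to collapse the accumulated duplicates.
    """
    table = None
    seen = set()
    kept = []
    for raw in save_output.splitlines():
        line = raw.strip()
        if line.startswith('*'):
            table = line[1:]
        elif line.startswith('-A '):
            key = (table, ' '.join(line.split()))
            if key in seen:
                continue
            seen.add(key)
        kept.append(raw)
    return '\n'.join(kept) + '\n'


if __name__ == '__main__':
    for (table, rule), n in sorted(find_duplicates(SAMPLE_IPTABLES_SAVE).items()):
        print('%s: %d copies of: %s' % (table, n, rule))
```

On a real host the input would be the output of iptables-save; the comparison is on the normalised rule text, so two rules that differ only in spacing still count as the same rule.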


Here’s a sample of an iptables.append block that does NOT work (taken from the docs page). The problem seems to be when you try to add a comment:


httpd2:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match:
        - state
        - comment
    - comment: "Allow HTTP"
    - connstate: NEW
    - source: '! 127.0.0.1'
    - dport: 80
    - proto: tcp
    - sport: 1025:65535
    - save: True


Here’s the error:

----------
          ID: httpd2
    Function: iptables.append
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/usr/lib/python2.6/site-packages/salt/state.py", line 1372, in call
                  self.verify_ret(ret)
                File "/usr/lib64/python2.6/contextlib.py", line 34, in __exit__
                  self.gen.throw(type, value, traceback)
                File "/usr/lib/python2.6/site-packages/salt/utils/context.py", line 43, in func_globals_inject
                  yield
                File "/usr/lib/python2.6/site-packages/salt/state.py", line 1371, in call
                  **cdata['kwargs'])
                File "/usr/lib/python2.6/site-packages/salt/states/iptables.py", line 233, in append
                  rule = __salt__['iptables.build_rule'](family=family, **kwargs)
                File "/usr/lib/python2.6/site-packages/salt/modules/iptables.py", line 135, in build_rule
                  kwargs['match'].replace(' ', '')
              AttributeError: 'list' object has no attribute 'replace'
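An added illustration, not Salt's code and not from the original post: a Python 3 rule builder that takes the same keys as the state blocks above (table, chain, match, connstate, comment, source, dport, sport, proto, jump) and accepts match as either a string or a list. The traceback shows str.replace() being called on a list, which is the case this example handles. The key-to-flag mapping is a hypothetical one written for this example, and table defaults to filter so a block that omits it still yields a complete command.

```python
"""Build an iptables command from state-style keyword arguments (illustration, not Salt code)."""
import shlex


def normalise_match(match):
    """Return match extension names from either 'state' or ['state', 'comment'].

    The traceback above shows str.replace() being called on a list when
    `match` is written as a YAML list; accepting both shapes here avoids that.
    """
    if match is None:
        return []
    if isinstance(match, str):
        # 'state,comment' or 'state comment' -> ['state', 'comment']
        return match.replace(',', ' ').split()
    if isinstance(match, (list, tuple)):
        return [str(m) for m in match]
    raise TypeError('match must be a string or list of strings, not %s'
                    % type(match).__name__)


def build_rule_args(table='filter', chain='INPUT', **kwargs):
    """Translate the keys used in the state blocks above into iptables arguments.

    Hypothetical mapping written for this example: source, proto, match,
    connstate, comment, sport, dport and jump are the only keys handled.
    """
    args = ['-t', table, '-A', chain]
    source = kwargs.get('source')
    if source is not None:
        source = str(source).strip()
        if source.startswith('!'):
            # "! 127.0.0.1" -> a negated source, written with the '!' before -s
            args += ['!', '-s', source[1:].strip()]
        else:
            args += ['-s', source]
    if 'proto' in kwargs:
        args += ['-p', str(kwargs['proto'])]
    matches = normalise_match(kwargs.get('match'))
    # --state and --comment are options of the state and comment extensions,
    # which must be loaded with -m before their options appear.
    if 'connstate' in kwargs and 'state' not in matches:
        matches.append('state')
    if 'comment' in kwargs and 'comment' not in matches:
        matches.append('comment')
    for name in matches:
        args += ['-m', name]
        if name == 'state' and 'connstate' in kwargs:
            args += ['--state', str(kwargs['connstate'])]
        elif name == 'comment' and 'comment' in kwargs:
            args += ['--comment', str(kwargs['comment'])]
    if 'sport' in kwargs:
        args += ['--sport', str(kwargs['sport'])]
    if 'dport' in kwargs:
        args += ['--dport', str(kwargs['dport'])]
    if 'jump' in kwargs:
        args += ['-j', str(kwargs['jump'])]
    return args


def build_rule_command(**kwargs):
    """Shell-quoted command line, for review or for passing to subprocess."""
    return ' '.join(shlex.quote(a) for a in ['iptables'] + build_rule_args(**kwargs))


if __name__ == '__main__':
    # The httpd2 block from above, with match given as a list.
    print(build_rule_command(table='filter', chain='INPUT', jump='ACCEPT',
                             match=['state', 'comment'], comment='Allow HTTP',
                             connstate='NEW', source='! 127.0.0.1', dport=80,
                             proto='tcp', sport='1025:65535'))
```

Returning a token list rather than a single string keeps the comment text and the negated source intact when the command is handed to subprocess without a shell; build_rule_command() only quotes it for display.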




