outlawostinato/my_firewall

my_firewall Cookbook

The purpose of this cookbook is to provide an attribute-driven interface to the IPTables cookbook (and, later, possibly the firewalld/nftables cookbook or resource).

Requirements

Platforms

  • Debian/Ubuntu (tested)
  • RHEL (targeted, untested)

Cookbooks

  • iptables

Attributes

  • default['my_iptables']['ip_versions'] - Array of IP versions. Acceptable inputs: %i(ipv4 ipv6). Defaults to %i(ipv4).
  • default['my_iptables']['iptables'] - Configuration of IPTables; refer to Usage below for a detailed explanation.
  • default['my_iptables']['iptables'][<CHAIN NAME>] - Name of the chain to manage.
  • default['my_iptables']['iptables'][<CHAIN NAME>]['chain'] - Chain configuration options. A 'value' is required.
  • default['my_iptables']['iptables'][<CHAIN NAME>]['rules'] - Rule configuration options. Refer to the iptables_rule documentation for the full list of acceptable options.

Recipes

default

The Default recipe dynamically creates iptables_service, iptables_chain, and iptables_rule resources based on the attributes set.

Usage

The top-most level is the chain name; you can use the default chains or create your own. By default, this cookbook manages the INPUT, FORWARD, and OUTPUT chains.

Therefore, all of the INPUT rules are managed under: default['my_iptables']['iptables']['INPUT'] = {}

All chain options are collected under default['my_iptables']['iptables'][<CHAIN NAME>]['chain'], and a 'value' is always required. This sets the chain's default policy (ACCEPT or DROP) and generally follows the form below (refer to the iptables man page for specifics):

Allow All

default['my_firewall']['iptables']['INPUT']['chain'] = {
  'value': 'ACCEPT [0:0]',
}

Deny All

default['my_firewall']['iptables']['INPUT']['chain'] = {
  'value': 'DROP [0:0]',
}

Rules are arranged in the default['my_iptables']['iptables'][<CHAIN NAME>]['rules'] hash and follow the form:

<Rule Name>: {
  **<Rule Options>
}

For example, an "Allow SSH" rule, might be written as:

  'Allow SSH': {
    'protocol': 'tcp',
    'dport': '22',
    'state': 'NEW,ESTABLISHED',
    'jump': 'ACCEPT',
  }

Note that the name will be added as a comment if no comment parameter is specified.
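As an added illustration (not the cookbook's own recipe code), the plain Ruby function below performs the attribute-to-resource translation that the default recipe is described as doing: it walks the chain/rule hash, requires a chain 'value', applies the rule name as the comment when none is given, and expands each entry over the configured IP versions. It emits plain hashes rather than Chef resources so it runs outside a Chef run; the function name, the sample attribute hash, and the treatment of a rule-level 'ip_version' that is not listed in 'ip_versions' (the rule is skipped) are assumptions.

```ruby
# Constructed sample attributes in the shape this cookbook documents.
IPTABLES_ATTRS = {
  'ip_versions' => %i(ipv4 ipv6),
  'iptables' => {
    'INPUT' => {
      'chain' => { 'value' => 'DROP [0:0]' },            # default policy
      'rules' => {
        'Allow Loopback' => { 'ip_version' => 'ipv4', 'in_interface' => 'lo', 'jump' => 'ACCEPT' },
        'Allow SSH' => { 'protocol' => 'tcp', 'dport' => '22', 'state' => 'NEW,ESTABLISHED',
                         'jump' => 'ACCEPT', 'comment' => 'ssh' },
      },
    },
  },
}

# Translate the attribute hash into a flat list of resource descriptions
# (hypothetical helper; a real recipe would declare iptables_chain /
# iptables_rule resources instead of collecting hashes).
def build_resources(attrs)
  ip_versions = attrs.fetch('ip_versions', %i(ipv4)).map(&:to_sym)
  resources = []
  attrs.fetch('iptables', {}).each do |chain_name, cfg|
    chain = cfg.fetch('chain') { raise ArgumentError, "chain #{chain_name}: 'chain' config missing" }
    value = chain['value'] || raise(ArgumentError, "chain #{chain_name}: 'value' is required")
    # one chain resource per enabled IP version
    ip_versions.each do |v|
      resources << { type: :iptables_chain, name: chain_name, ip_version: v, value: value }
    end
    cfg.fetch('rules', {}).each do |rule_name, opts|
      # A rule pinned to one ip_version is emitted only for that version,
      # and only if that version is enabled; otherwise it applies to all.
      versions = opts.key?('ip_version') ? [opts['ip_version'].to_sym] & ip_versions : ip_versions
      versions.each do |v|
        props = opts.reject { |k, _| k == 'ip_version' }
        props['comment'] ||= rule_name   # rule name becomes the comment if none given
        resources << { type: :iptables_rule, name: "#{rule_name} (#{v})",
                       chain: chain_name, ip_version: v }.merge(props.transform_keys(&:to_sym))
      end
    end
  end
  resources
end
```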

Example

Refer to the attributes/default.rb for extended usage.

default['firewall'] = {
  'iptables': {
    'INPUT': {                        # Name of the chain
      'chain': {
        'value': 'DROP [0:0]',        # Default drop all policy
      },
      'rules': {
        # Rule definition
        'Allow Loopback': {           # Rule Name/Description
          'ip_version': 'ipv4',       # ipv4 or ipv6, default both
          'in_interface': 'lo',       # Interface rule applies to
          'jump': 'ACCEPT',           # what to do with the packet
        },
      },
    },
  },
}
