forked from rtkwlf/cookbook-simple-iptables
metadata.json
{
"name": "simple_iptables",
"description": "Simple LWRP and recipe for managing iptables rules",
"long_description": "[![Build Status](https://travis-ci.org/rtkwlf/cookbook-simple-iptables.png?branch=master)](https://travis-ci.org/rtkwlf/cookbook-simple-iptables)\n\nDescription\n===========\n\nSimple cookbook with LWRPs for managing iptables rules and policies.\n\nThis is a fork from the original, which is no longer maintained.\n\nRequirements\n============\n\nNone, other than a system that supports iptables.\n\n\nPlatforms\n=========\n\nThe following platforms are supported and known to work:\n\n* Debian (6.0 and later)\n* RedHat (5.8 and later)\n* CentOS (5.8 and later)\n* Ubuntu (10.04 and later)\n\nOther platforms that support `iptables` and the `iptables-restore` script\nare likely to work as well; if you use one, please let me know so that I can\nupdate the supported platforms list.\n\nAttributes\n==========\n\nThis cookbook uses node attributes to track internal state when generating\nthe iptables rules and policies. These attributes _should not_ be overridden\nby roles, other recipes, etc.\n\nUsage\n=====\n\nInclude the recipe `simple_iptables` somewhere in your run list, then use\nthe LWRPs `simple_iptables_rule` and `simple_iptables_policy` in your\nrecipes.\n\n`simple_iptables_rule` Resource\n-------------------------------\n\nDefines a single iptables rule, composed of a rule string (passed as-is to\niptables), and a jump target. The name attribute defines an iptables chain\nthat this rule will live in (and, thus, that other rules can jump to). For\ninstance:\n\n # Allow SSH\n simple_iptables_rule \"ssh\" do\n rule \"--proto tcp --dport 22\"\n jump \"ACCEPT\"\n end\n\nFor convenience, you may also specify an array of rule strings in a single\nLWRP invocation:\n\n # Allow HTTP, HTTPS\n simple_iptables_rule \"http\" do\n rule [ \"--proto tcp --dport 80\",\n \"--proto tcp --dport 443\" ]\n jump \"ACCEPT\"\n end\n\nAdditionally, if you want to declare a module (such as log) you can define jump as false:\n\n # Log\n simple_iptables_rule \"system\" do\n rule \"--match limit --limit 5/min --jump LOG --log-prefix \\\"iptables denied: \\\" --log-level 7\"\n jump false\n end\n\nBy default rules are added to the filter table, but the nat and mangle tables are also supported. For example:\n\n # Tomcat redirects\n simple_iptables_rule \"tomcat\" do\n table \"nat\"\n direction \"PREROUTING\"\n rule [ \"--protocol tcp --dport 80 --jump REDIRECT --to-port 8080\",\n \"--protocol tcp --dport 443 --jump REDIRECT --to-port 8443\" ]\n jump false\n end\n\n # mangle example\n # NOTE: set jump to false since iptables expects the -j MARK --set-mark in that order\n simple_iptables_rule \"mangle\" do\n table \"mangle\"\n direction \"PREROUTING\"\n jump false\n rule \"-i eth0 -j MARK --set-mark 0x6\"\n end\n\n # reject all outbound connection attempts to 10/8 on a dual-homed host\n simple_iptables_rule \"reset_10slash8_outbound\" do\n direction \"OUTPUT\"\n jump false\n rule \"-p tcp -o eth0 -d 10/8 --jump REJECT --reject-with tcp-reset\"\n end\n\n`simple_iptables_policy` Resource\n---------------------------------\n\nDefines a default action for a given iptables chain. This is usually used to\nswitch from a default-accept policy to a default-reject policy. For\ninstance:\n\n # Reject packets other than those explicitly allowed\n simple_iptables_policy \"INPUT\" do\n policy \"DROP\"\n end\n\nAs with the `simple_iptables_rule` resource, policies are applied to the filter table\nby default. You may change the target table to nat as follows:\n\n # Reject packets other than those explicitly allowed\n simple_iptables_policy \"INPUT\" do\n table \"nat\"\n policy \"DROP\"\n end\n\nExample\n=======\n\nSuppose you had the following `simple_iptables` configuration:\n\n # Reject packets other than those explicitly allowed\n simple_iptables_policy \"INPUT\" do\n policy \"DROP\"\n end\n \n # The following rules define a \"system\" chain; chains\n # are used as a convenient way of grouping rules together,\n # for logical organization.\n \n # Allow all traffic on the loopback device\n simple_iptables_rule \"loopback\" do\n chain \"system\"\n rule \"--in-interface lo\"\n jump \"ACCEPT\"\n end\n \n # Allow any established connections to continue, even\n # if they would be in violation of other rules.\n simple_iptables_rule \"established\" do\n chain \"system\"\n rule \"-m conntrack --ctstate ESTABLISHED,RELATED\"\n jump \"ACCEPT\"\n end\n \n # Allow SSH\n simple_iptables_rule \"ssh\" do\n chain \"system\"\n rule \"--proto tcp --dport 22\"\n jump \"ACCEPT\"\n end\n \n # Allow HTTP, HTTPS\n simple_iptables_rule \"http\" do\n rule [ \"--proto tcp --dport 80\",\n \"--proto tcp --dport 443\" ]\n jump \"ACCEPT\"\n end\n \n # Tomcat redirects\n simple_iptables_rule \"tomcat\" do\n table \"nat\"\n direction \"PREROUTING\"\n rule [ \"--protocol tcp --dport 80 --jump REDIRECT --to-port 8080\",\n \"--protocol tcp --dport 443 --jump REDIRECT --to-port 8443\" ]\n jump false\n end\n\nThis would generate a file `/etc/iptables-rules` with the contents:\n\n # This file generated by Chef. Changes will be overwritten.\n *nat\n :PREROUTING ACCEPT [0:0]\n :INPUT ACCEPT [0:0]\n :OUTPUT ACCEPT [0:0]\n :POSTROUTING ACCEPT [0:0]\n :tomcat - [0:0]\n -A PREROUTING --jump tomcat\n -A tomcat --protocol tcp --dport 80 --jump REDIRECT --to-port 8080\n -A tomcat --protocol tcp --dport 443 --jump REDIRECT --to-port 8443\n COMMIT\n # Completed\n # This file generated by Chef. Changes will be overwritten.\n :PREROUTING ACCEPT [0:0]\n :INPUT ACCEPT [0:0]\n :FORWARD ACCEPT [0:0]\n :OUTPUT ACCEPT [0:0]\n :POSTROUTING ACCEPT [0:0]\n COMMIT\n # Completed\n # This file generated by Chef. Changes will be overwritten.\n *filter\n :INPUT DROP [0:0]\n :FORWARD ACCEPT [0:0]\n :OUTPUT ACCEPT [0:0]\n :system - [0:0]\n :http - [0:0]\n -A INPUT --jump system\n -A system --in-interface lo --jump ACCEPT\n -A system -m conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT\n -A system --proto tcp --dport 22 --jump ACCEPT\n -A INPUT --jump http\n -A http --proto tcp --dport 80 --jump ACCEPT\n -A http --proto tcp --dport 443 --jump ACCEPT\n COMMIT\n # Completed\n # This file generated by Chef. Changes will be overwritten.\n *raw\n :PREROUTING ACCEPT [0:0]\n :OUTPUT ACCEPT [0:0]\n COMMIT\n # Completed\n\nWhich results in the following iptables configuration:\n\n # iptables -L\n Chain INPUT (policy DROP)\n target prot opt source destination \n system all -- anywhere anywhere \n http all -- anywhere anywhere \n \n Chain FORWARD (policy ACCEPT)\n target prot opt source destination \n \n Chain OUTPUT (policy ACCEPT)\n target prot opt source destination \n \n Chain http (1 references)\n target prot opt source destination \n ACCEPT tcp -- anywhere anywhere tcp dpt:http\n ACCEPT tcp -- anywhere anywhere tcp dpt:https\n \n Chain system (1 references)\n target prot opt source destination \n ACCEPT all -- anywhere anywhere \n ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED\n ACCEPT tcp -- anywhere anywhere tcp dpt:ssh\n\n # iptables -L -t nat\n Chain PREROUTING (policy ACCEPT)\n target prot opt source destination \n tomcat all -- anywhere anywhere \n \n Chain INPUT (policy ACCEPT)\n target prot opt source destination \n \n Chain OUTPUT (policy ACCEPT)\n target prot opt source destination \n \n Chain POSTROUTING (policy ACCEPT)\n target prot opt source destination \n \n Chain tomcat (1 references)\n target prot opt source destination \n REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 8080\n REDIRECT tcp -- anywhere anywhere tcp dpt:https redir ports 8443\n\nChanges\n=======\n\n* 0.6.0 (March 19, 2014)\n * Add support for the raw table (#33 - Ray Ruvinskiy)\n * Add :delete semantics to iptables rules (#34 - Michael Parrott)\n* 0.5.2 (March 19, 2014)\n * Fix #21, error parsing node\\['kernel'\\]\\['release'\\] (#30 - Michael Parrott)\n* 0.5.1 (March 18, 2014)\n * Update README example so Chef doesn't warn about duplicate resources (#32 - Michael Parrott)\n* 0.5.0 (March 18, 2014)\n * Extend cleanup and test code (#31 - Sander van Harmelen)\n * Disallow adding built-in chains multiple times (#31 - Sander van Harmelen)\n* 0.4.0 (May 9, 2013)\n * Update foodcritic version used in Travis-CI (#29 - Michael Parrott)\n * Added support for mangle table (#18 - Michael Hart)\n * Updated Gemfile to 11.4.4 (#18 - Michael Hart)\n* 0.3.0 (March 5, 2013)\n * Added support for nat table (#10 - Nathan Mische)\n * Updated Gemfile for Travis-CI integration (#10 - Nathan Mische)\n* 0.2.4 (Feb 13, 2013)\n * Fixed attribute precedence issues in Chef 11 (#9 - Warwick Poole)\n * Added `name` to metadata to satisfy recent foodcritic versions\n* 0.2.3 (Nov 10, 2012)\n * Fixed a warning in Chef 11+ (#7 - Hector Castro)\n* 0.2.2 (Oct 13, 2012)\n * Added support for logging module and other non-jump rules (#6 - phoolish)\n* 0.2.1 (Aug 5, 2012)\n * Fixed a bug using `simple_iptables` with chef-solo (#5)\n* 0.2.0 (Aug 1, 2012)\n * Allow an array of rules in `simple_iptables_rule` LWRP (Johannes Becker)\n * RedHat/CentOS compatibility (David Stainton)\n * Failing `simple_iptables_rule`s now fail with a more helpful error message\n* 0.1.2 (July 24, 2012)\n * Fixed examples in README (SchraderMJ11)\n* 0.1.1 (May 22, 2012)\n * Added Travis-CI integration (Nathen Harvey)\n * Fixed foodcritic warnings (Nathen Harvey)\n* 0.1.0 (May 12, 2012)\n * Initial release\n\n",
"maintainer": "Arctic Wolf Networks",
"maintainer_email": "[email protected]",
"license": "BSD",
"platforms": {
"debian": ">= 6.0",
"centos": ">= 5.8",
"redhat": ">= 5.8",
"ubuntu": ">= 10.04"
},
"dependencies": {
},
"recommendations": {
},
"suggestions": {
},
"conflicting": {
},
"providing": {
},
"replacing": {
},
"attributes": {
},
"groupings": {
},
"recipes": {
},
"version": "0.8.0"
}