diff options
Diffstat (limited to 'doc/server/plugins/generators/examples/genshi/iptables.txt')
-rw-r--r-- | doc/server/plugins/generators/examples/genshi/iptables.txt | 300 |
1 files changed, 300 insertions, 0 deletions
diff --git a/doc/server/plugins/generators/examples/genshi/iptables.txt b/doc/server/plugins/generators/examples/genshi/iptables.txt new file mode 100644 index 000000000..b9b3f6904 --- /dev/null +++ b/doc/server/plugins/generators/examples/genshi/iptables.txt @@ -0,0 +1,300 @@ +.. -*- mode: rst -*- + +========== + iptables +========== + +* Setup a Genshi base iptables file that contains the basic rules you + want every host to have +* To be safe you should have a client side IptablesDeadmanScript if you + intend on having bcfg2 bounce iptables upon rule updates + +.. note:: When updating files in the ``includes`` directory, you will + need to `touch` the Genshi template to regenerate the + template contents. + +/repository/Cfg/etc/sysconfig/iptables/iptables.genshi +====================================================== + +.. code-block:: none + + {% python + from genshi.builder import tag + import os,sys + import Bcfg2.Options + + opts = { 'repo': Bcfg2.Options.SERVER_REPOSITORY } + setup = Bcfg2.Options.OptionParser(opts) + setup.parse('--') + repo = setup['repo'] + basedir = '%s' % (repo) + + # for instance: + bcfg2BaseDir = basedir + name + '/' + + def checkHostFile(hostName, type): + fileName = bcfg2BaseDir + type + '.H_' + hostName + if os.path.isfile(fileName)==True : + return fileName + else: + return fileName + + def checkGroupFile(groupName, type): + fileName = bcfg2BaseDir + type + '.G_' + groupName + if os.path.isfile(fileName)==True : + return fileName + else: + return fileName + + %}\ + # BCFG2 GENERATED IPTABLES + # DO NOT CHANGE THIS + # $$Id$$ + # Templates live in ${bcfg2BaseDir} + # Manual customization of this file will get reverted. + # ----------------------------- FILTER --------------------------------- # + # Default CHAINS for FILTER: + *filter + :INPUT DROP [0:0] + :FORWARD DROP [0:0] + :OUTPUT ACCEPT [0:0] + :NO-SMTP - [0:0] + + #Default rules + #discard malicious packets + -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + #Allow incoming ICMP + -A INPUT -p icmp -m icmp -j ACCEPT + #Accept localhost traffic + -A INPUT -i lo -j ACCEPT + # Allow already established sessions to remain + -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + + # Deny inbound SMTP delivery (still allows outbound connections) + -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP + -A NO-SMTP -j LOG --log-prefix " Incoming SMTP (denied) " + -A NO-SMTP -j DROP + + # Allow SSH Access + :SSH - [0:0] + -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH + -A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT + + # Allow Ganglia Access + -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT + # Gmetad access to gmond + -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT + # Gmond UDP multicast + -A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT + + {% if metadata.groups %}\ + # group custom FILTER rules: + {% for group in metadata.groups %}\ + {% include ${checkGroupFile(group,'custom-filter')} %}\ + {% end %}\ + {% end %}\ + + # host-specific FILTER rules: + {% include ${checkHostFile(metadata.hostname, 'custom-filter')} %}\ + + COMMIT + # ------------------------------- NAT ---------------------------------- # + *nat + + # Default CHAINS for NAT: + :PREROUTING ACCEPT [0:0] + :OUTPUT ACCEPT [0:0] + :POSTROUTING ACCEPT [0:0] + + {% if metadata.groups %}\ + # group NAT for PREROUTING: + {% for group in metadata.groups %}\ + {% include ${checkGroupFile(group,'nat-prerouting')} %}\ + {% end %}\ + {% end %}\ + + {% if metadata.groups %}\ + # group NAT for OUTPUT: + {% for group in metadata.groups %}\ + {% include ${checkGroupFile(group,'nat-output')} %}\ + {% end %}\ + {% end %}\ + + {% if metadata.groups %}\ + # group NAT for POSTROUTING: + {% for group in metadata.groups %}\ + {% include ${checkGroupFile(group,'nat-postrouting')} %}\ + {% end %}\ + {% end %}\ + + {% if metadata.groups %}\ + # group custom NAT rules: + {% for group in metadata.groups %}\ + {% include ${checkGroupFile(group,'custom-nat')} %}\ + {% end %}\ + {% end %}\ + + # host-specific NAT ruls: + {% include ${checkHostFile(metadata.hostname, 'custom-nat')} %}\ + COMMIT + # ----------------------------- MANGLE -------------------------------- # + *mangle + + # Default CHAINS for MANGLE: + :PREROUTING ACCEPT [0:0] + :INPUT ACCEPT [0:0] + :FORWARD ACCEPT [0:0] + :OUTPUT ACCEPT [0:0] + :POSTROUTING ACCEPT [0:0] + + {% if metadata.groups %}\ + # group MANGLE for PREROUTING: + {% for group in metadata.groups %}\ + {% include ${checkGroupFile(group,'mangle-prerouting')} %}\ + {% end %}\ + {% end %}\ + + {% if metadata.groups %}\ + # group MANGLE for INPUT: + {% for group in metadata.groups %}\ + {% include ${checkGroupFile(group,'mangle-input')} %}\ + {% end %}\ + {% end %}\ + + {% if metadata.groups %}\ + # group MANGLE for FORWARD: + {% for group in metadata.groups %}\ + {% include ${checkGroupFile(group,'mangle-forward')} %}\ + {% end %}\ + {% end %}\ + + {% if metadata.groups %}\ + # group MANGLE for OUTPUT: + {% for group in metadata.groups %}\ + {% include ${checkGroupFile(group,'mangle-output')} %}\ + {% end %}\ + {% end %}\ + + {% if metadata.groups %}\ + # group MANGLE for POSTROUTING rules: + {% for group in metadata.groups %}\ + {% include ${checkGroupFile(group,'mangle-postrouting')} %}\ + {% end %}\ + {% end %}\ + + {% if metadata.groups %}\ + # group custom MANGLE rules: + {% for group in metadata.groups %}\ + {% include ${checkGroupFile(group,'custom-mangle')} %}\ + {% end %}\ + {% end %}\ + + # host-specific MANGLE rules: + {% include ${checkHostFile(metadata.hostname, 'custom-mangle')} %}\ + COMMIT + +Cfg/etc/sysconfig/iptables/custom-filter.G_mysql-server +------------------------------------------------------- + +.. code-block:: none + + :MYSQL - [0:0] + -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL + -A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT + +For a host that is in the mysql-server group you get an iptables file +that looks like the following:: + + # BCFG2 GENERATED IPTABLES + # DO NOT CHANGE THIS + # $Id: template.newtxt 5402 2009-08-19 22:50:06Z unixmouse$ + # Templates live in /var/lib/bcfg2/Cfg/etc/sysconfig/iptables/ + # Manual customization of this file will get reverted. + # ----------------------------- FILTER --------------------------------- # + # Default CHAINS for FILTER: + *filter + :INPUT DROP [0:0] + :FORWARD DROP [0:0] + :OUTPUT ACCEPT [0:0] + :NO-SMTP - [0:0] + + #Default rules + #discard malicious packets + -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP + -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP + -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP + # Allow incoming ICMP + -A INPUT -p icmp -m icmp -j ACCEPT + # Accept localhost traffic + -A INPUT -i lo -j ACCEPT + # Allow already established sessions to remain + -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + + # Deny inbound SMTP delivery (still allows outbound connections) + -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 25 -j NO-SMTP + -A NO-SMTP -j LOG --log-prefix " Incoming SMTP (denied) " + -A NO-SMTP -j DROP + + # Allow SSH Access + :SSH - [0:0] + -A INPUT -p tcp -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 22 -j SSH + -A SSH -s 192.168.0.0/255.255.0.0 -j ACCEPT + + # Allow Ganglia Access + -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT + #Gmetad access to gmond + -A INPUT -m state --state NEW -m tcp -p tcp --tcp-flags FIN,SYN,RST,ACK SYN --src 192.168.1.1 --dport 8649 -j ACCEPT + #Gmond UDP multicast + -A INPUT -m state --state NEW -m udp -p udp --dport 8649 -j ACCEPT + + # group custom FILTER rules: + :MYSQL - [0:0] + -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 --tcp-flags FIN,SYN,RST,ACK SYN -j MYSQL + -A MYSQL -s 192.168.0.0/255.255.0.0 -j ACCEPT + + # host-specific FILTER rules: + + COMMIT + # ------------------------------- NAT ---------------------------------- # + *nat + + # Default CHAINS for NAT: + :PREROUTING ACCEPT [0:0] + :OUTPUT ACCEPT [0:0] + :POSTROUTING ACCEPT [0:0] + + # group NAT for PREROUTING: + + # group NAT for OUTPUT: + + # group NAT for POSTROUTING: + + # group custom NAT rules: + + # host-specific NAT rules: + COMMIT + # ----------------------------- MANGLE -------------------------------- # + *mangle + + # Default CHAINS for MANGLE: + :PREROUTING ACCEPT [0:0] + :INPUT ACCEPT [0:0] + :FORWARD ACCEPT [0:0] + :OUTPUT ACCEPT [0:0] + :POSTROUTING ACCEPT [0:0] + + # group MANGLE for PREROUTING: + + # group MANGLE for INPUT: + # group MANGLE for FORWARD: + + # group MANGLE for OUTPUT: + + # group MANGLE for POSTROUTING rules: + + # group custom MANGLE rules: + + # host-specific MANGLE rules: + COMMIT |