Re: iptables management

To: debian-firewall@lists.debian.org
Subject: Re: iptables management
From: Matthew Palmer <mpalmer@debian.org>
Date: Wed, 24 May 2006 07:41:29 +1000
Message-id: <[🔎] 20060523214129.GE17956@hezmatt.org>
Mail-followup-to: debian-firewall@lists.debian.org
In-reply-to: <[🔎] 1148388722.5702.4.camel@localhost.localdomain>
References: <[🔎] 1148388722.5702.4.camel@localhost.localdomain>

On Tue, May 23, 2006 at 02:52:02PM +0200, Ilin Petkovski wrote:
> Hello, 
> I have few servers in my company configured with different iptables
> rules. As the number of servers rise, the complexity for managing all
> those rules is getting pretty hard. So, I was wondering.. is there any
> tool that can offer centralised management of all those rules from one
> place, or just to keep track of any changes made to those rules. 

The centralised management aspect, and the tracking of changes, can be
achieved using a combination of a automated administration tool like
Puppet[1] and a revision control system like Subversion or Bazaar[2].
Actually building the rules for each server is the really interesting part. 
You could go with a very simple structure, such as a text file per-host
which listed what services should be open, and then have a post-processing
step where you turn that into IPTables rules.

I'd probably use Puppet's classes concept, as part of a larger configuration
management system, to put together a set of shorewall rules fragments which
would be assembled on the server to make the rules file.  For example:

# All servers need SSH
node base {
	sshserver{}
}

# foo and bar are webservers
node foo, bar inherits base {
	webserver{}
}

# But baz is a webserver *and* the DNS server *and* the backup server
node baz inherits base {
	webserver{}
	dnsserver{}
	backupserver{}
}

And then, the configurations for each of those classes would ensure that the
appropriate fragment for that class got copied (into, say,
/etc/shorewall/rules.d) and then a post-process script would turn that into
/etc/shorewall/rules by the advanced technology of 'cat'.

As a basic example:

class webserver {
	package { apache2:
		ensure => installed
	}

	file { "/etc/shorewall/rules.d/webserver":
		source => "puppet://puppet/config/classes/webserver/firewall"
	}
}

You'd repeat that for each server type, then a simple one-liner like so:

#!/bin/sh -e

cat /etc/shorewall/rules.d/* > /etc/shorewall/rules

Will create your rules file, which you just run after everything else has
done it's thing.

But, Puppet can do more for you.  There's a feature in the latest version,
(which I haven't actually played with yet, but I fully intend to) where you
can collect the objects from all of your hosts, and have them apply to your
CPE firewall.  For example, your webserver class might have something like
(and I'm fudging the syntax here because I don't have the puppet reference
manual to hand, and I'm on the train):

class webserver {
	@firewallrule { open_port_80:
		protocol => tcp,
		port => 80,
		destaddr => $host_address
	}
}

Then on the firewall host itself, you just do:

firewallrule <||>

Which pulls all of those firewallrule objects into the firewall, and it
proceeds to write your shorewall rules file for you.

Note that there's no firewallrule class yet that actually writes out a
shorewall rules file, but there will be fairly shortly after I start playing
with Puppet's object collection feature.

- Matt

[1] http://reductivelabs.com/projects/puppet
[2] http://bazaar-ng.org/

Reply to:

References:
- iptables management
  - From: Ilin Petkovski <ilin@on.net.mk>

Prev by Date: Re: Port 65535
Next by Date: Re: iptables management
Previous by thread: Re: iptables management
Next by thread: Re: iptables management
Index(es):
- Date
- Thread