rtkwlf / cookbook-simple-iptables
Simple Chef iptables cookbook
The readme specifies the following examples:
# Allow all traffic on the loopback device
simple_iptables_rule 'system' do
rule '--in-interface lo'
jump 'ACCEPT'
end
# Allow any established connections to continue, even
# if they would be in violation of other rules.
simple_iptables_rule 'system' do
rule '-m conntrack --ctstate ESTABLISHED,RELATED'
jump 'ACCEPT'
end
However, if I use this example, Chef sends a warning about duplicate names:
[2013-03-25T12:17:08+00:00] WARN: Previous simple_iptables_rule[system]:
/tmp/vagrant-chef-1/chef-solo-1/cookbooks/firewall-rules/recipes/default.rb:10:in `from_file'
[2013-03-25T12:17:08+00:00] WARN: Current simple_iptables_rule[system]:
/tmp/vagrant-chef-1/chef-solo-1/cookbooks/firewall-rules/recipes/default.rb:17:in `from_file'
Things still work as expected, just wanted to notify you about this.
I have an error in file simple_iptables/templates/default/iptables-rules.erb, line 3, because node["kernel"]["release"] contains "3.6-trunk-amd64".
This StackOverflow question, iptables redirect 80 to 8080 but block public 8080 access, and its top answer, is spot on for what I'm trying to do:
One way I've found to accomplish this is to use the MARK target in the mangle table's PREROUTING chain.
Add a rule to tag the packets you want to block:
iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j MARK --set-mark 1
Then, before you allow port 8080 add this to DROP marked packets:
iptables -A INPUT -m mark --mark 1 -j DROP
Based on a quick read of policy.rb, it looks like the mangle table is not currently allowed in this cookbook:
attribute :table,
:equal_to => ["filter", "nat"],
:default => "filter"
I'm planning on simply adding "mangle" to the above. I'm going to give this a shot in a fork. Sound ok?
Hi,
I was wondering if the version listed at http://community.opscode.com/cookbooks/simple_iptables is intentionally older? It's currently at 0.6.0 when the repo is at 0.6.4. This means the older one is picked up by Berkshelf.
Thanks!
Andrew
AWS AMIs report as the rhel platform, but their platform versioning is totally different and based on year/month rather than release number.
include_recipe 'simple_iptables::redhat'
simple_iptables_rule 'https' do
rule '--proto tcp --dport 443'
jump 'ACCEPT'
end
simple_iptables_rule 'https' do
rule '--proto tcp --dport 443'
jump 'ACCEPT'
end
Produces the following rule set with chef 11.16.2; note the two -A https --jump ACCEPT --proto tcp --dport 443 rules:
# This file generated by Chef. Changes will be overwritten.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# This file generated by Chef. Changes will be overwritten.
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# This file generated by Chef. Changes will be overwritten.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:https - [0:0]
-A INPUT --jump ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
-A INPUT --jump ACCEPT --proto icmp
-A INPUT --jump ACCEPT --in-interface lo
-A https --jump ACCEPT --proto tcp --dport 443
-A INPUT --jump https
-A https --jump ACCEPT --proto tcp --dport 443
-A INPUT --jump ACCEPT --proto tcp --dport 22 -m conntrack --ctstate NEW
-A INPUT --jump REJECT --reject-with icmp-host-prohibited
-A FORWARD --jump REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed
# This file generated by Chef. Changes will be overwritten.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed
This is caused by reading the merged node attribute while writing the attributes with node.set.
I got this error message when I was provisioning.
I used ruby 2.2.0 and chef 11.12.4
$ sudo head /var/chef/cache/chef-stacktrace.out
Generated at 2015-06-24 14:13:14 +0000
NoMethodError: undefined method `lazy' for #<Class:0x00000002acebb0>
/tmp/vagrant-chef/24908995bd1fac04ad7e673dc8bbe2b2/cookbooks/simple_iptables/resources/rule.rb:10:in `class_from_file'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.2/lib/chef/mixin/from_file.rb:42:in `class_eval'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.2/lib/chef/mixin/from_file.rb:42:in `class_from_file'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.2/lib/chef/resource/lwrp_base.rb:54:in `build_from_file'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.2/lib/chef/run_context/cookbook_compiler.rb:220:in `load_lwrp_resource'
Maybe this line is wrong...?
https://github.com/rtkwlf/cookbook-simple-iptables/blob/master/resources/rule.rb
attribute :comment, :kind_of => String, :default => lazy { |r| r.name }
Undefined node attribute or method '<<' on 'node'. To set an attribute, use `<<=value' instead.
/root/chef/cookbooks/simple-iptables/providers/rule.rb:16:in `block in class_from_file'
Running git bisect, it seems the first bad commit is:
ff467b7 is the first bad commit
commit ff467b7
Author: Cory Stegelmeier [email protected]
Date: Wed Jun 10 16:26:00 2015 -0400
fixed foodcritic error
about not always calling new_resource.updated_by_last_action
:100644 100644 63e49a3c00c52475e8637fd60a0209014ff3c8ca 3defc347e3081ef31d12741cd87e0babf1ef5a79 M README.md
:040000 040000 5fda79e664608f96f971c57f35b3cce0d4f8f4b2 1b8f7606a4f1b6ad491aad9c8647ecb6ccc274c2 M providers
This might not be an issue with the cookbook, as I'm a noob with chef-solo and iptables too... but I used the recipe given in the Readme example and got the expected config but not the expected behaviour.
My changes in recipe
Generated conf
iptables -l
is similar to given example and so is for -t nat
Behaviour
And if I manually change iptables to remove the first drop-all rule, HTTP connections work on both port 80 and 3000, showing that the nat forward is at least partially working and my web server is working.
Any idea about it ? Thanks
This code:
simple_iptables_rule "forward-reject" do
chain "FORWARD"
rule ""
jump "REJECT"
weight 10000
end
generates the following iptables rule, which is wrong, and fails:
-A INPUT --jump FORWARD
However, I would expect that it generated this rule:
-A FORWARD --jump REJECT
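To make the behaviour discussed in the posts above concrete (the README's two 'system' declarations sharing one chain, the duplicated 'https' rule in the generated file, the "forward-reject" declaration on the built-in FORWARD chain, and the proposal to allow the mangle table), here is a small model of how such declarations become an iptables-restore file. This is an added example, not code from the cookbook: RuleSet, RuleDecl, BUILTIN_CHAINS and to_restore_file are assumed names, and the rendering order is a simplification of the cookbook's. It also goes beyond the posts by handling a nat declaration with jump false.

```ruby
# Added example, not the cookbook's code: a model of how simple_iptables_rule
# declarations become an iptables-restore file. RuleSet/RuleDecl and their
# attribute names are assumptions modelled on the compiled resources shown in
# the issue logs (table "filter", direction "INPUT", chain = resource name).

BUILTIN_CHAINS = {
  'filter' => %w[INPUT FORWARD OUTPUT],
  'nat'    => %w[PREROUTING INPUT OUTPUT POSTROUTING],
  'mangle' => %w[PREROUTING INPUT FORWARD OUTPUT POSTROUTING],
  'raw'    => %w[PREROUTING OUTPUT],
}.freeze

# Captures one declaration; the block given to simple_iptables_rule is
# evaluated against an instance of this class.
class RuleDecl
  attr_reader :attrs
  def initialize(name)
    @attrs = { chain: name, table: 'filter', direction: 'INPUT',
               rule: '', jump: 'ACCEPT', weight: 0 }
  end
  %i[chain table direction rule jump weight].each do |a|
    define_method(a) { |v| @attrs[a] = v }
  end
end

class RuleSet
  def initialize; @rules = []; end

  def simple_iptables_rule(name, &blk)
    d = RuleDecl.new(name)
    d.instance_eval(&blk)
    # Table whitelist in the spirit of policy.rb's :equal_to, with mangle and raw allowed.
    table = d.attrs[:table]
    raise ArgumentError, "table must be one of #{BUILTIN_CHAINS.keys}" unless BUILTIN_CHAINS.key?(table)
    @rules << d.attrs
  end

  # Renders every table, built only from the declarations of this run.
  def to_restore_file
    BUILTIN_CHAINS.keys.map { |t| render_table(t, @rules.select { |r| r[:table] == t }) }.join("\n")
  end

  private

  def rule_line(r)
    parts = ["-A #{r[:chain]}"]
    parts << "--jump #{r[:jump]}" if r[:jump]          # jump false: the rule spec carries its own target
    parts << r[:rule].strip unless r[:rule].strip.empty?
    parts.join(' ')
  end

  def render_table(table, rules)
    builtins = BUILTIN_CHAINS.fetch(table)
    custom = rules.map { |r| r[:chain] }.uniq - builtins
    lines = ["*#{table}"]
    lines += builtins.map { |c| ":#{c} ACCEPT [0:0]" }
    lines += custom.map { |c| ":#{c} - [0:0]" }
    # Entries are [weight, declaration index, lines]; the index keeps equal
    # weights in declaration order. A declaration on a built-in chain is
    # appended to that chain directly, never as a jump from INPUT.
    entries = []
    rules.each_with_index do |r, i|
      entries << [r[:weight], i, [rule_line(r)]] if builtins.include?(r[:chain])
    end
    custom.each do |c|
      members = rules.each_with_index.select { |r, _| r[:chain] == c }
                     .sort_by { |r, i| [r[:weight], i] }
      first, idx = members.first
      block = ["-A #{first[:direction]} --jump #{c}"] + members.map { |r, _| rule_line(r) }
      entries << [first[:weight], idx, block]
    end
    entries.sort_by { |w, i, _| [w, i] }.each { |_, _, b| lines.concat(b) }
    # Identical lines are emitted once, so declaring the same rule twice does not duplicate it.
    (lines.uniq << 'COMMIT').join("\n")
  end
end

# Constructed declarations mirroring the ones quoted in the issues above.
def example_rules
  rs = RuleSet.new
  rs.simple_iptables_rule('system') { rule '--in-interface lo' }
  rs.simple_iptables_rule('system') { rule '-m conntrack --ctstate ESTABLISHED,RELATED' }
  rs.simple_iptables_rule('https') { rule '--proto tcp --dport 443' }
  rs.simple_iptables_rule('https') { rule '--proto tcp --dport 443' }   # duplicate declaration
  rs.simple_iptables_rule('forward-reject') { chain 'FORWARD'; rule ''; jump 'REJECT'; weight 10_000 }
  rs.simple_iptables_rule('mark-8080') { table 'mangle'; chain 'PREROUTING'; rule '-p tcp --dport 8080'; jump 'MARK --set-mark 1' }
  rs.simple_iptables_rule('redirect') { table 'nat'; direction 'PREROUTING'; rule '--protocol tcp --dport 80 --jump REDIRECT --to-port 8080'; jump false }
  rs
end

puts example_rules.to_restore_file if $PROGRAM_NAME == __FILE__
```

Because the file is rendered from the declarations of the current run only, a rule that disappears from a recipe disappears from the next render; it is persisting rules in node attributes between runs that lets stale rules survive.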
Hi,
I get the following error when doing a kitchen converge using chef 12.5.1:
================================================================================
Recipe Compile Error in /tmp/kitchen/cache/cookbooks/simple_iptables/resources/policy.rb
================================================================================
NameError
---------
undefined method `log_deprecation' for class `Class'
Cookbook Trace:
---------------
/tmp/kitchen/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef.rb:6:in `method'
/tmp/kitchen/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef.rb:6:in `log_deprecation'
/tmp/kitchen/cache/cookbooks/simple_iptables/resources/policy.rb:3:in `class_from_file'
/tmp/kitchen/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/resource/lwrp_base.rb:50:in `build_from_file'
Relevant File Content:
----------------------
/tmp/kitchen/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef.rb:
1: class Chef
2: NOT_PASSED = Object.new if !defined?(NOT_PASSED)
3: # Earlier versions of Chef didn't have this message
4: module ChefCompatDeprecation
5: def log_deprecation(message, location=nil)
6>> if superclass.method(:log_deprecation).owner != ChefCompatDeprecation
7: if !location
8: # Pick the first caller that is *not* part of the Chef or ChefCompat gem,
9: # that's the thing the user wrote.
10: chef_compat_gem_path = File.expand_path("../../..", __FILE__)
11: chef_gem_path = File.expand_path("../..",::Chef::Resource.instance_method(:initialize).source_location[0])
12: caller(0..10).each do |c|
13: if !c.start_with?(chef_gem_path) && !c.start_with?(chef_compat_gem_path)
14: location = c
15: break
Running handlers:
[2015-11-02T10:53:24+00:00] ERROR: Running exception handlers
Running handlers complete
[2015-11-02T10:53:24+00:00] ERROR: Exception handlers complete
Chef Client failed. 0 resources updated in 12 seconds
[2015-11-02T10:53:24+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
[2015-11-02T10:53:24+00:00] ERROR: undefined method `log_deprecation' for class `Class'
[2015-11-02T10:53:26+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
Converge failed on instance .
Please see .kitchen/logs/default-centos-66.log for more details
------Exception-------
Class: Kitchen::ActionFailed
Message: SSH exited (1) for command: [sh -c '
sudo -E /opt/chef/bin/chef-client --local-mode --config /tmp/kitchen/client.rb --log_level auto --force-formatter --no-color --json-attributes /tmp/kitchen/dna.json --chef-zero-port 8889
']
Ran into painful issue today and wanted to throw down the details, offer up a potential alternative and get input before embarking on implementation.
I configured an LWRP to write a rule, the first version of which iptables didn't like because the chain name violated the length policy. No problem, I thought: I just went into the recipe, shortened the name and re-pushed the code. Unfortunately, when I ran Chef, no matter what I did the old/bad rules kept getting written back to /etc/sysconfig/iptables. I purged all the iptables config data, blew away the chef cache, re-pushed my cookbooks and even rebooted, but nothing worked.
It finally dawned on me to look into node attributes, and that's when I noticed that the old rules persisted as normal attributes in the node object. The challenge, IMHO, with normal attributes is that they don't get reset/rewritten with each Chef run, so if there are bad values from a previous run the only way to resolve it is to manually edit the node object (e.g. knife node edit or nodes.transform), purge the bad data and save.
Would it be possible to achieve persistence via node.run_state rather than relying on normal attributes so as to avoid this sort of problem? Or is there a better way to solve this problem? I honestly don't have a working alternative at this point, but I'd be willing to take a shot at it. Figured I'd throw out for comment first though.
Absolutely love this cookbook, by the way. Really appreciate the fine work.
Cheers!
Todd Michael
9:
10: simple_iptables_rule "established" do
11: chain "INPUT"
12: rule "-m conntrack --ctstate ESTABLISHED,RELATED"
13: jump "ACCEPT"
14>> weight 1
15: end
16:
17: simple_iptables_rule "icmp" do
18: chain "INPUT"
19: rule "--proto icmp"
20: jump "ACCEPT"
21: weight 2
22: end
23:
[2014-05-22T15:05:13+00:00] ERROR: Running exception handlers
[2014-05-22T15:05:13+00:00] ERROR: Exception handlers complete
[2014-05-22T15:05:13+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2014-05-22T15:05:13+00:00] ERROR: undefined method `weight' for Chef::Resource::SimpleIptablesRule
Experimenting with the examples provided in the docs I stumbled upon this error... is "weight" deprecated?
Is this branch dead? Do you want someone else to take it over?
Hello. On cookbook version 0.8.0 I get the following error at the end of the converge:
[2016-11-25T18:02:59+03:00] ERROR: Exception handlers complete
Chef Client failed. 180 resources updated in 05 minutes 13 seconds
[2016-11-25T18:02:59+03:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
[2016-11-25T18:02:59+03:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-11-25T18:02:59+03:00] ERROR: ruby_block[test-iptables] (simple_iptables::default line 67) had an error: RuntimeError: iptables-restore exited with code 2 while testing new rules
STDOUT:
STDERR:
iptables-restore v1.4.7: iptables-restore: unable to initialize table 'nat'
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Line 2: *nat
[2016-11-25T18:02:59+03:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
Same converge but with version 0.7.5 succeeds. I can't understand why.
There are lots of nice improvements since the last upload to the SuperMarket. Namely, the comment feature is what I'm looking for. Can you please upload a new version?
Hi Guys,
I originally built this to meet a need I had for my personal servers, which it did nicely. Since then it seems a lot of people have found it and found that it meets some of their needs as well. That's awesome! I'd love for simple-iptables to live on, and grow to meet new needs, but I simply don't have the time, energy, or familiarity with iptables itself to be very involved in that growth. So, I'd like to open a call to contributors, watchers, or any other interested parties to take a more active role in maintaining the project.
Now, if you'll forgive the spam, I'd like to CC everyone who's sent a pull request, in case any of you are interested: @nathenharvey @SchraderMJ11 @david415 @gwik @phoolish @hecastro @nmische @warwickp @tmatilai @jblaine @svanharmelen @rtkmhart @pimpin @blackstar257. Please also feel free to nominate anyone else who you think might be interested.
I've never done this before, but I'm hoping that one or a few people will step up. If that happens, I'll turn over commit bit on the repository (or assist in moving it to a new home -- perhaps https://github.com/chef-community? CC @miketheman) and publish rights on the community site.
Commit 9fbe398 broke initial cook of a new host in the following way. Subsequent runs do not throw this error. Ubuntu 12.04/14.04 running knife solo/chef-solo.
Recipe: simple_iptables::default
* ruby_block[test-iptables] action create
================================================================================
Error executing action `create` on resource 'ruby_block[test-iptables]'
================================================================================
NoMethodError
-------------
undefined method `error?' for #<Mixlib::ShellOut:0x00000004bf2fa8>
Cookbook Trace:
---------------
/root/chef-solo/cookbooks-1/simple_iptables/recipes/default.rb:70:in `block (2 levels) in from_file'
Resource Declaration:
---------------------
# In /root/chef-solo/cookbooks-1/simple_iptables/recipes/default.rb
65: ruby_block "test-iptables" do
66: block do
67: cmd = Mixlib::ShellOut.new("iptables-restore --test < #{iptable_rules}",
68: :user => "root")
69: cmd.run_command
70: if cmd.error?
71: msg = <<-eos
72: iptables-restore exited with code #{cmd.exitstatus} while testing new rules
73: STDOUT:
74: #{cmd.stdout}
75: STDERR:
76: #{cmd.stderr}
77: eos
78: match = cmd.stderr.match /Error occurred at line: (\d+)/
79: if match
80: line_no = match[1].to_i
81: msg << "Line #{line_no}: #{IO.readlines(iptable_rules)[line_no-1]}"
82: end
83: # Delete the file so that the next Chef run is forced to recreate it
84: # and retest it. Otherwise, if the rules remain unchanged, the template
85: # resource won't recreate the file, won't notify the test resource,
86: # and the Chef run will be allowed to complete successfully despite
87: # and invalid rule being present.
88: File.delete(iptable_rules)
89: raise msg
90: end
[2014-06-27T19:39:50+00:00] ERROR: Exception handlers complete
[2014-06-27T19:39:50+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 86 resources updated in 156.488429846 seconds
[2014-06-27T19:39:50+00:00] ERROR: ruby_block[test-iptables] (simple_iptables::default line 65) had an error: NoMethodError: undefined method `error?' for #<Mixlib::ShellOut:0x00000004bf2fa8>
[2014-06-27T19:39:50+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
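Both failures above come from the ruby_block[test-iptables] check: the 0.8.0 converge reports an iptables-restore error (its "unable to initialize table 'nat'" message means the kernel could not provide that table when the rules were loaded), and the 9fbe398 report is a NoMethodError because older Mixlib::ShellOut releases have no error? method. The following is an added example, not the cookbook's code: a version of that check that decides failure from exitstatus, reads the rules file before deleting it, and keeps the message building in its own function so it can be exercised without root or iptables. restore_failure_message and test_iptables_rules are assumed names; the sample rules and stderr are constructed from the 0.8.0 output quoted above.

```ruby
# Added example, not the cookbook's code: a portable form of the
# ruby_block[test-iptables] check built on Mixlib::ShellOut#exitstatus,
# #stdout and #stderr only.

# Build the failure report from what iptables-restore --test returned.
def restore_failure_message(exitstatus, stdout, stderr, rules_text)
  msg = ["iptables-restore exited with code #{exitstatus} while testing new rules",
         'STDOUT:', stdout.chomp, 'STDERR:', stderr.chomp].join("\n") + "\n"
  # iptables-restore names the 1-based line of the file it could not load.
  if (m = stderr.match(/Error occurred at line: (\d+)/))
    line_no = m[1].to_i
    offending = rules_text.lines[line_no - 1]
    msg << (offending ? "Line #{line_no}: #{offending.chomp}\n" : "Line #{line_no}: (past end of file)\n")
  end
  msg
end

# Runs the real check against a rules file. Returns nil on success, or the
# report after deleting the file so the next run regenerates and retests it.
def test_iptables_rules(path)
  require 'mixlib/shellout'
  cmd = Mixlib::ShellOut.new("iptables-restore --test < #{path}", user: 'root')
  cmd.run_command
  return nil if cmd.exitstatus == 0
  rules_text = File.read(path)   # read before deleting, or the report has nothing to quote
  File.delete(path)
  restore_failure_message(cmd.exitstatus, cmd.stdout, cmd.stderr, rules_text)
end

# Constructed input reproducing the 0.8.0 failure quoted above.
SAMPLE_RULES = "# This file generated by Chef. Changes will be overwritten.\n*nat\n:PREROUTING ACCEPT [0:0]\nCOMMIT\n"
SAMPLE_STDERR = "iptables-restore v1.4.7: iptables-restore: unable to initialize table 'nat'\n" \
                "Error occurred at line: 2\n" \
                "Try `iptables-restore -h' or 'iptables-restore --help' for more information.\n"

puts restore_failure_message(2, '', SAMPLE_STDERR, SAMPLE_RULES) if $PROGRAM_NAME == __FILE__
```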
Getting a NoMethodError on the '<<' method for setting node values on 0.6.4, 0.6.5 and the master branch. Using Chef 11.12.8 on CentOS 6.5 and a simple test cookbook with one simple_iptables_rule entry in it. This is a copy of one of the example rules.
* simple_iptables_rule[established] action append
================================================================================
Error executing action `append` on resource 'simple_iptables_rule[established]'
================================================================================
NoMethodError
-------------
Undefined node attribute or method `<<' on `node'. To set an attribute, use `<<=value' instead.
Cookbook Trace:
---------------
/var/chef/cache/cookbooks/simple_iptables/providers/rule.rb:14:in `block in class_from_file'
Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/test/recipes/default.rb
1: simple_iptables_rule "established" do
2: direction "INPUT"
3: weight 1
4: rule "-m conntrack --ctstate ESTABLISHED,RELATED"
5: jump "ACCEPT"
6: end
Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/test/recipes/default.rb:1:in `from_file'
simple_iptables_rule("established") do
action :append
retries 0
retry_delay 2
guard_interpreter :default
cookbook_name "test"
recipe_name "default"
direction "INPUT"
weight 1
rule "-m conntrack --ctstate ESTABLISHED,RELATED"
jump "ACCEPT"
table "filter"
chain "established"
end
Running handlers:
[2014-08-07T05:48:23+00:00] ERROR: Running exception handlers
Running handlers complete
[2014-08-07T05:48:23+00:00] ERROR: Exception handlers complete
[2014-08-07T05:48:23+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 4 resources updated in 13.118655418 seconds
[2014-08-07T05:48:23+00:00] ERROR: simple_iptables_rule[established] (test::default line 1) had an error: NoMethodError: Undefined node attribute or method `<<' on `node'. To set an attribute, use `<<=value' instead.
[2014-08-07T05:48:23+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
Generated at 2014-08-07 05:48:23 +0000
NoMethodError: simple_iptables_rule[established] (test::default line 1) had an error: NoMethodError: Undefined node attribute or method `<<' on `node'. To set an attribute, use `<<=value' instead.
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/node/attribute_collections.rb:177:in `method_missing'
/var/chef/cache/cookbooks/simple_iptables/providers/rule.rb:14:in `block in class_from_file'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/provider/lwrp_base.rb:138:in `instance_eval'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/provider/lwrp_base.rb:138:in `block in action'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/provider.rb:124:in `run_action'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource.rb:637:in `run_action'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/runner.rb:49:in `run_action'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/runner.rb:81:in `block (2 levels) in converge'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/runner.rb:81:in `each'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/runner.rb:81:in `block in converge'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource_collection.rb:98:in `block in execute_each_resource'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource_collection/stepable_iterator.rb:116:in `call'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource_collection/stepable_iterator.rb:116:in `call_iterator_block'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource_collection/stepable_iterator.rb:104:in `iterate'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource_collection.rb:96:in `execute_each_resource'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/runner.rb:80:in `converge'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/client.rb:345:in `converge'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/client.rb:431:in `do_run'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/client.rb:213:in `block in run'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/client.rb:207:in `fork'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/client.rb:207:in `run'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/application.rb:217:in `run_chef_client'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/application/client.rb:328:in `block in run_application'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/application/client.rb:317:in `loop'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/application/client.rb:317:in `run_application'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/application.rb:67:in `run'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/bin/chef-client:26:in `<top (required)>'
/usr/bin/chef-client:23:in `load'
I attempted wrapping a simple_iptables_rule resource in my own LWRP (e.g. to allow custom cookbooks to easily open ports on a restrictive firewall); the rules execute (I can see log messages when running with log_level :debug and I can even see my rules persisted in the node normal attributes), however my firewall rules never appear in /etc/iptable-rules (and even less in the running iptable rules).
Is there any reason why:
simple_iptables_rule 'system' do
rule '-i eth2 -p tcp --dport 1337'
jump 'ACCEPT'
end
would work while:
my_firewall_port '1337'
would not, assuming a my_firewall_port LWRP that could be implemented like this (please forgive eventual typos):
#resource
actions :whitelist
default_action :whitelist
attribute :port, kind_of: [String, Integer], name_attribute: true
attribute :proto, kind_of: String, equal_to: %w[tcp udp], default: 'tcp'
attribute :lan_ifname, kind_of: String, default: node['my-firewall']['lan-interface']
attribute :chain, kind_of: String, default: node['my-firewall']['iptables-chain']
#provider
#use_inline_resources # have tried both with and without -- with does not produce CHEF-3694 spam
action :whitelist do
simple_iptables_rule new_resource.chain do
rule "-i #{new_resource.lan_ifname} -p #{new_resource.proto} --dport #{new_resource.port}'
jump 'ACCEPT'
end
end
From browsing the code of the simple-iptables cookbook, I found at least one place where the resource collection is scanned for instances of Chef::Resource::SimpleIptablesRules (and Policy). It may explain why wrapping with an LWRP is broken, at least in the use_inline_resources case (if using that option then the SimpleIptableRules instances won't appear in the top-level resource collection at all). For the non-use_inline_resources case, I think it is because the /etc/iptable-rules template is already rendered when my LWRP is converged, but I don't see any clean way to converge my LWRP early other than forcing it to run at compile time (which is a first but very ugly workaround).
As a workaround, I ended up implementing the LWRP with a Chef 'definition', but I understand that this is a bit of a hack (and the CHEF-3694 spam reminds me of it at every chef run).
Thank you very much in advance.
The run-iptables-resources-early ruby block in the default recipe runs on every single Chef run even if no rules are changed. Is there a way to avoid running this if there are no rules changing? It shows in the run as a changed resource.
From what I can tell the cookbook does not remove iptables rules if I change them. That is, if I have a rule in a recipe such as:
simple_iptables_rule "allow_ssh_from_external" do
direction "INPUT"
rule "-i eth0 -p tcp --dport 22"
jump "ACCEPT"
end
and assign the recipe to a node, all works. But if I remove the rule from the recipe, the rule persists on the node. It stays in the node configuration and thus saved in /etc/iptables-rules etc. The solution is to edit the node configuration and remove it, but I think the cookbook should handle that.
Is that by design or a bug?
Other than that this cookbook is excellent, thanks for publishing it!
mike
I'm seeing a runtime error when attempting to use this under any Chef 13 client. The below occurs under a simple Ubuntu 14.04 VM under Test Kitchen:
Recipe: simple_iptables::default
* apt_package[iptables] action install (up to date)
* ruby_block[run-iptables-resources-early] action run
================================================================================
Error executing action `run` on resource 'ruby_block[run-iptables-resources-early]'
================================================================================
NameError
---------
uninitialized constant Chef::Resource::SimpleIptablesRule
Cookbook Trace:
---------------
/tmp/kitchen/cache/cookbooks/simple_iptables/recipes/default.rb:41:in `block (3 levels) in from_file'
/tmp/kitchen/cache/cookbooks/simple_iptables/recipes/default.rb:40:in `block (2 levels) in from_file'
Resource Declaration:
---------------------
# In /tmp/kitchen/cache/cookbooks/simple_iptables/recipes/default.rb
34: ruby_block "run-iptables-resources-early" do
35: block do
36: # Clear old normal-level attributes set by previous versions of the cookbook
37: node.rm_normal("simple_iptables", "ipv4")
38: node.rm_normal("simple_iptables", "ipv6")
39: # Then run all the simple_iptables_* resources
40: run_context.resource_collection.each do |resource|
41: if resource.kind_of?(Chef::Resource::SimpleIptablesRule)
42: Chef::Log.debug("about to run simple_iptables_rule[#{resource.chain}]")
43: resource.run_action(resource.action)
44: elsif resource.kind_of?(Chef::Resource::SimpleIptablesPolicy)
45: Chef::Log.debug("about to run simple_iptables_policy[#{resource.chain}]")
46: resource.run_action(resource.action)
47: end
48: end
49:
50: Chef::Log.debug("After run-iptables-resources-early data is: #{node['simple_iptables']}")
51: end
52: end
Compiled Resource:
------------------
# Declared in /tmp/kitchen/cache/cookbooks/simple_iptables/recipes/default.rb:34:in `from_file'
ruby_block("run-iptables-resources-early") do
action [:run]
default_guard_interpreter :default
block_name "run-iptables-resources-early"
declared_type :ruby_block
cookbook_name "simple_iptables"
recipe_name "default"
block #<Proc:0x00000004a97460@/tmp/kitchen/cache/cookbooks/simple_iptables/recipes/default.rb:35>
end
System Info:
------------
chef_version=13.0.118
platform=ubuntu
platform_version=14.04
ruby=ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]
program_name=chef-client worker: ppid=27618;start=22:51:20;
executable=/opt/chef/bin/chef-client
Running handlers:
[2017-04-17T22:51:23+00:00] ERROR: Running exception handlers
[2017-04-17T22:51:23+00:00] ERROR: Running exception handlers
Running handlers complete
[2017-04-17T22:51:23+00:00] ERROR: Exception handlers complete
[2017-04-17T22:51:23+00:00] ERROR: Exception handlers complete
Chef Client failed. 19 resources updated in 02 seconds
[2017-04-17T22:51:23+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
[2017-04-17T22:51:23+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
[2017-04-17T22:51:23+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2017-04-17T22:51:23+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2017-04-17T22:51:23+00:00] ERROR: ruby_block[run-iptables-resources-early] (simple_iptables::default line 34) had an error: NameError: uninitialized constant Chef::Resource::SimpleIptablesRule
[2017-04-17T22:51:23+00:00] ERROR: ruby_block[run-iptables-resources-early] (simple_iptables::default line 34) had an error: NameError: uninitialized constant Chef::Resource::SimpleIptablesRule
[2017-04-17T22:51:23+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
[2017-04-17T22:51:23+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
I downloaded 0.7.4 of simple_iptables, and tried to implement the first example rule:
# Allow SSH
simple_iptables_rule "ssh" do
rule "--proto tcp --dport 22"
jump "ACCEPT"
end
And I'm getting this during a chef run:
* simple_iptables_rule[ssh] action append
================================================================================
Error executing action `append` on resource 'simple_iptables_rule[ssh]'
================================================================================
NoMethodError
-------------
Undefined node attribute or method `<<' on `node'. To set an attribute, use `<<=value' instead.
Cookbook Trace:
---------------
/var/chef/cache/cookbooks/simple_iptables/providers/rule.rb:27:in `handle_rule'
/var/chef/cache/cookbooks/simple_iptables/providers/rule.rb:8:in `block in class_from_file'
Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/jump_server/recipes/default.rb
26: simple_iptables_rule "ssh" do
27: rule "--proto tcp --dport 22"
28: jump "ACCEPT"
29: end
30:
Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/jump_server/recipes/default.rb:26:in `from_file'
simple_iptables_rule("ssh") do
action :append
retries 0
retry_delay 2
default_guard_interpreter :default
declared_type :simple_iptables_rule
cookbook_name "jump_server"
recipe_name "default"
rule "--proto tcp --dport 22"
jump "ACCEPT"
table "filter"
chain "ssh"
direction "INPUT"
end
Platform:
---------
x86_64-linux
Running handlers:
[2016-06-26T21:25:21+00:00] ERROR: Running exception handlers
Running handlers complete
[2016-06-26T21:25:21+00:00] ERROR: Exception handlers complete
Chef Client failed. 2 resources updated in 10 seconds
[2016-06-26T21:25:21+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2016-06-26T21:25:21+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-06-26T21:25:21+00:00] ERROR: simple_iptables_rule[ssh] (jump_server::default line 26) had an error: NoMethodError: Undefined node attribute or method `<<' on `node'. To set an attribute, use `<<=value' instead.
[2016-06-26T21:25:21+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
Let me know if there's anything else I can provide to help, thanks!
Is it possible to append rules to iptables instead of clearing out all existing rules? I have a setup with Docker which adds its own rules to iptables, but I can only run this to add my own rules after Docker is already running. I can restart Docker to restore its rules when my rules are modified, but that is a little too disruptive.
NameError
Cannot find a resource for simple_iptables_rule on centos version 6.4
Any ideas?
The attribute being set with node.set in simple_iptables_policy doesn't carry over to the template resource. Changing node.set to node.default makes it work, but since I'm not clear on the side-effects of that change, I'm not submitting it as a patch.
https://github.com/dcrosta/cookbook-simple-iptables/blob/master/providers/policy.rb#L3
The example shows how to add a redirect rule to iptables; following this guide I added:
# Redirect 80 to 8080
simple_iptables_rule 'jenkins' do
table 'nat'
direction 'PREROUTING'
rule '--protocol tcp --dport 80 --jump REDIRECT --to-port 8080'
jump false
end
However, this rule does not add anything to the final iptables rules.
The /etc/iptables-rules file does contain the prerouting:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:jenkins - [0:0]
-A PREROUTING --jump jenkins
-A jenkins --protocol tcp --dport 80 --jump REDIRECT --to-port 8080
COMMIT
However, the final iptables -L does not show these routes:
Chain INPUT (policy DROP)
target prot opt source destination
system all -- anywhere anywhere
ssh all -- anywhere anywhere
http all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain http (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain ssh (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain system (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
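A point worth checking before concluding the redirect was dropped: iptables -L with no -t option lists only the filter table, which is exactly what the listing above shows (INPUT, FORWARD, OUTPUT and the filter chains), while the jenkins chain lives in the nat table and is listed by iptables -t nat -L. The following added example, not code from the cookbook, parses an iptables-restore file into tables, chains and rules so you can confirm which table a chain landed in from the generated file itself. parse_restore, table_of_chain and IptablesTable are assumed names; the sample text is a constructed copy of the nat section above plus a minimal filter section.

```ruby
# Added example, not the cookbook's code: parse iptables-restore format
# (*table, :chain POLICY [pkts:bytes], -A chain spec, COMMIT) into a
# per-table structure and look up which table declares a given chain.

IptablesTable = Struct.new(:name, :policies, :rules)

def parse_restore(text)
  tables = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    case line
    when /\A\*(\w+)\z/
      current = tables[$1] = IptablesTable.new($1, {}, [])
    when /\A:(\S+)\s+(\S+)\s+\[\d+:\d+\]\z/
      raise "chain declared outside a table: #{line}" unless current
      current.policies[$1] = $2   # '-' marks a user-defined chain
    when 'COMMIT'
      raise 'COMMIT outside a table' unless current
      current = nil
    when /\A-A\s+(\S+)\s*(.*)\z/
      raise "rule outside a table: #{line}" unless current
      raise "rule for undeclared chain #{$1}" unless current.policies.key?($1)
      current.rules << { chain: $1, spec: $2 }
    else
      raise "unrecognised line: #{line}"
    end
  end
  raise 'missing COMMIT at end of file' if current
  tables
end

# Names of the tables that declare the chain (built-in chains such as INPUT
# exist in several tables; a user-defined chain normally appears in one).
def table_of_chain(tables, chain)
  tables.values.select { |t| t.policies.key?(chain) }.map(&:name)
end

# Constructed sample: the nat section from the issue plus a minimal filter table.
SAMPLE_RESTORE = <<~RULES
  # This file generated by Chef. Changes will be overwritten.
  *nat
  :PREROUTING ACCEPT [0:0]
  :INPUT ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  :jenkins - [0:0]
  -A PREROUTING --jump jenkins
  -A jenkins --protocol tcp --dport 80 --jump REDIRECT --to-port 8080
  COMMIT
  *filter
  :INPUT DROP [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  COMMIT
RULES

if $PROGRAM_NAME == __FILE__
  tables = parse_restore(SAMPLE_RESTORE)
  puts "jenkins is declared in: #{table_of_chain(tables, 'jenkins').join(', ')}"
end
```

When the lookup answers nat, the chain is only visible with iptables -t nat -L (or iptables-save, which prints every table), not with the default iptables -L.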
The following error occurs in Chef Client 12.2.1:
NoMethodError
-------------
Undefined node attribute or method `<<' on `node'. To set an attribute, use `<<=value' instead.
Cookbook Trace:
---------------
/tmp/kitchen/cache/cookbooks/simple_iptables/providers/rule.rb:34:in `block in handle_rule'
/tmp/kitchen/cache/cookbooks/simple_iptables/providers/rule.rb:28:in `each'
/tmp/kitchen/cache/cookbooks/simple_iptables/providers/rule.rb:28:in `handle_rule'
/tmp/kitchen/cache/cookbooks/simple_iptables/providers/rule.rb:7:in `block in class_from_file'