Neti-cookbook

Cookbook to setup Neti (EC2-VPC firewall sync).

Requirements

Currently, Neti works on Ubuntu/Debian, but should work on many more platforms with a few tweaks to the package management. Also, if you don't use AWS, you can just stop reading now...not even sure how you got here. You'll need a set of AWS keys that allows instance metadata modification. You will need to create a Zookeeper cluster, so familiarity with Zookeeper s necessary, but all that is needed is a very basic installation.

Attributes

These attributes set up the Neti config file for you:

• ssh_whitelist: The IPs that you want Neti to always allow on port 22, regardless of any firewall
• zk_hosts:
  • ec2: hostname/ip and zookeeper port of zk proxies in EC2
  • vpc: hostname/ip and zookeeper port of zookeeper hosts in VPC
• nat_overrides: hash of source and destination ips for overriding Neti's NAT manipulation
• open_ports: ports to open to all access on the host
• bin: location of Neti bin script
• log_file: location of log file
• table_files_path: location to store the iptables-save files for restoration
• reject_all: Whether or not to reject all traffic that is not specifically specified in the iptables rules (when you open up access to all public AWS ranges)
• aws_key: your aws key
• aws_secret_key: your aws secret key
• zk_update_interval_path: zookeeper node to store interval value
• zk_max_change_threshold_path: zookeeper node to store max change threshold (how many rules can be changed at once...safeguard)
• zk_prefix: zookeeper node prefix for all neti data
• zk_iptoid_node: zookeeper node for map
• zk_idtoip_node: zookeeper node for map
• zk_ip_map_node: zookeeper node for map
• overlay_subnet: subnet to pull overlay addresses from
• overlay_ip_cache_file_path: path for file cache of ips

How Neti works

See Neti

See the CONTRIBUTING file for how to help out.

License

Neti is BSD-licensed. We also provide an additional patent grant.