cookbook-simple-iptables's People

Contributors

andrewheald, chantra, dcrosta, hectcastro, jordane, kasen, kimtore, matt-schrader, nathenharvey, nmische, roman-yepishev-enoc, rtkcstegel, rtkkdeng, rtkmparrott, rtkrruvinskiy, warwickp

cookbook-simple-iptables's Issues

Dead?

Is this branch dead? Do you want someone else to take it over?

Use of <<

Undefined node attribute or method '<<' on 'node'. To set an attribute, use `<<=value' instead.

Cookbook Trace:

/root/chef/cookbooks/simple-iptables/providers/rule.rb:16:in `block in class_from_file'

Add support for mangle table?

This StackOverflow question, iptables redirect 80 to 8080 but block public 8080 access, and its top answer, is spot on for what I'm trying to do:

One way I've found to accomplish this is to use the MARK target in the mangle table's PREROUTING chain.
Add a rule to tag the packets you want to block:
iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j MARK --set-mark 1
Then, before you allow port 8080 add this to DROP marked packets:
iptables -A INPUT -m mark --mark 1 -j DROP

Based on a quick read of policy.rb, it looks like the mangle table is not currently allowed in this cookbook:

attribute :table,
  :equal_to => ["filter", "nat"],
  :default => "filter"

I'm planning on simply adding "mangle" to the above. I'm going to give this a shot in a fork. Sound ok?

Chef warnings for duplicate names

The readme specifies the following examples:

# Allow all traffic on the loopback device
simple_iptables_rule 'system' do
  rule '--in-interface lo'
  jump 'ACCEPT'
end

# Allow any established connections to continue, even
# if they would be in violation of other rules.
simple_iptables_rule 'system' do
  rule '-m conntrack --ctstate ESTABLISHED,RELATED'
  jump 'ACCEPT'
end

However, if I use this example, Chef sends a warning about duplicate names:

[2013-03-25T12:17:08+00:00] WARN: Previous simple_iptables_rule[system]:
/tmp/vagrant-chef-1/chef-solo-1/cookbooks/firewall-rules/recipes/default.rb:10:in `from_file'

[2013-03-25T12:17:08+00:00] WARN: Current  simple_iptables_rule[system]:
/tmp/vagrant-chef-1/chef-solo-1/cookbooks/firewall-rules/recipes/default.rb:17:in `from_file'

Things still work as expected, just wanted to notify you about this.

Use of node.set (normal attributes) for state presents problems with bad rules

Ran into a painful issue today and wanted to throw down the details, offer up a potential alternative and get input before embarking on implementation.

I configured an LWRP to write a rule, the first version of which IPTables didn't like because the chain name violated the length policy. No problem, I thought: I just went into the recipe, shortened the name and re-pushed the code. Unfortunately, when I ran Chef, no matter what I did the old/bad rules kept getting written back to /etc/sysconfig/iptables. I purged all the iptables config data, blew away chef-cache, re-pushed my cookbooks and even rebooted, but nothing worked.

It finally dawned on me to look into node attributes and that's when I noticed that the old rules persisted as normal attributes in the node object. The challenge, IMHO, with normal attribs is that they don't get reset/rewritten with each Chef run so if there are bad values from a previous run the only way to resolve is to manually edit the node object (e.g. knife node edit or nodes.transform), purge the bad data and save.

Would it be possible to achieve persistence via node.run_state rather than relying on normal attributes so as to avoid this sort of problem? Or is there a better way to solve this problem? I honestly don't have a working alternative at this point, but I'd be willing to take a shot at it. Figured I'd throw out for comment first though.

Absolutely love this cookbook, by the way. Really appreciate the fine work.

Cheers!

Todd Michael

Error using chef-client 12.2.1

The following error occurs in Chef Client 12.2.1:

           NoMethodError
           -------------
           Undefined node attribute or method `<<' on `node'. To set an attribute, use `<<=value' instead.

           Cookbook Trace:
           ---------------
           /tmp/kitchen/cache/cookbooks/simple_iptables/providers/rule.rb:34:in `block in handle_rule'
           /tmp/kitchen/cache/cookbooks/simple_iptables/providers/rule.rb:28:in `each'
           /tmp/kitchen/cache/cookbooks/simple_iptables/providers/rule.rb:28:in `handle_rule'
           /tmp/kitchen/cache/cookbooks/simple_iptables/providers/rule.rb:7:in `block in class_from_file'

NoMethodError on simple policy

Getting a NoMethodError on the '<<' method for setting node values on 0.6.4, 0.6.5 and the master branch. Using Chef 11.12.8 on CentOS 6.5 and a simple test cookbook with one simple_iptables_rule entry in it. This is a copy of one of the example rules.

Error Message

  * simple_iptables_rule[established] action append
================================================================================
Error executing action `append` on resource 'simple_iptables_rule[established]'
================================================================================


NoMethodError
-------------
Undefined node attribute or method `<<' on `node'. To set an attribute, use `<<=value' instead.


Cookbook Trace:
---------------
/var/chef/cache/cookbooks/simple_iptables/providers/rule.rb:14:in `block in class_from_file'


Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/test/recipes/default.rb

1: simple_iptables_rule "established" do
2:         direction "INPUT"
3:         weight 1
4:         rule "-m conntrack --ctstate ESTABLISHED,RELATED"
5:         jump "ACCEPT"
6: end



Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/test/recipes/default.rb:1:in `from_file'

simple_iptables_rule("established") do
  action :append
  retries 0
  retry_delay 2
  guard_interpreter :default
  cookbook_name "test"
  recipe_name "default"
  direction "INPUT"
  weight 1
  rule "-m conntrack --ctstate ESTABLISHED,RELATED"
  jump "ACCEPT"
  table "filter"
  chain "established"
end




Running handlers:
[2014-08-07T05:48:23+00:00] ERROR: Running exception handlers
Running handlers complete

[2014-08-07T05:48:23+00:00] ERROR: Exception handlers complete
[2014-08-07T05:48:23+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 4 resources updated in 13.118655418 seconds
[2014-08-07T05:48:23+00:00] ERROR: simple_iptables_rule[established] (test::default line 1) had an error: NoMethodError: Undefined node attribute or method `<<' on `node'. To set an attribute, use `<<=value' instead.
[2014-08-07T05:48:23+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Stack Trace

Generated at 2014-08-07 05:48:23 +0000
NoMethodError: simple_iptables_rule[established] (test::default line 1) had an error: NoMethodError: Undefined node attribute or method `<<' on `node'. To set an attribute, use `<<=value' instead.
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/node/attribute_collections.rb:177:in `method_missing'
/var/chef/cache/cookbooks/simple_iptables/providers/rule.rb:14:in `block in class_from_file'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/provider/lwrp_base.rb:138:in `instance_eval'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/provider/lwrp_base.rb:138:in `block in action'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/provider.rb:124:in `run_action'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource.rb:637:in `run_action'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/runner.rb:49:in `run_action'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/runner.rb:81:in `block (2 levels) in converge'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/runner.rb:81:in `each'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/runner.rb:81:in `block in converge'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource_collection.rb:98:in `block in execute_each_resource'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource_collection/stepable_iterator.rb:116:in `call'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource_collection/stepable_iterator.rb:116:in `call_iterator_block'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource_collection/stepable_iterator.rb:85:in `step'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource_collection/stepable_iterator.rb:104:in `iterate'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource_collection/stepable_iterator.rb:55:in `each_with_index'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/resource_collection.rb:96:in `execute_each_resource'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/runner.rb:80:in `converge'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/client.rb:345:in `converge'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/client.rb:431:in `do_run'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/client.rb:213:in `block in run'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/client.rb:207:in `fork'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/client.rb:207:in `run'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/application.rb:217:in `run_chef_client'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/application/client.rb:328:in `block in run_application'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/application/client.rb:317:in `loop'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/application/client.rb:317:in `run_application'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/lib/chef/application.rb:67:in `run'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.8/bin/chef-client:26:in `<top (required)>'
/usr/bin/chef-client:23:in `load'

Please upload new version

There are lots of nice improvements since the last upload to the SuperMarket. Namely, the comment feature is what I'm looking for. Can you please upload a new version?

One-shot Testing for IPTables Rules breaks initial cook on new ubuntu host

Commit 9fbe398 broke initial cook of a new host in the following way. Subsequent runs do not throw this error. Ubuntu 12.04/14.04 running knife solo/chef-solo.

Recipe: simple_iptables::default
  * ruby_block[test-iptables] action create
================================================================================
Error executing action `create` on resource 'ruby_block[test-iptables]'
================================================================================


NoMethodError
-------------
undefined method `error?' for #<Mixlib::ShellOut:0x00000004bf2fa8>


Cookbook Trace:
---------------
/root/chef-solo/cookbooks-1/simple_iptables/recipes/default.rb:70:in `block (2 levels) in from_file'


Resource Declaration:
---------------------
# In /root/chef-solo/cookbooks-1/simple_iptables/recipes/default.rb

 65: ruby_block "test-iptables" do
 66:   block do
 67:     cmd = Mixlib::ShellOut.new("iptables-restore --test < #{iptable_rules}",
 68:                                :user => "root")
 69:     cmd.run_command
 70:     if cmd.error?
 71:       msg = <<-eos
 72: iptables-restore exited with code #{cmd.exitstatus} while testing new rules
 73: STDOUT:
 74: #{cmd.stdout}
 75: STDERR:
 76: #{cmd.stderr}
 77: eos
 78:       match = cmd.stderr.match /Error occurred at line: (\d+)/
 79:       if match
 80:         line_no = match[1].to_i
 81:         msg << "Line #{line_no}: #{IO.readlines(iptable_rules)[line_no-1]}"
 82:       end
 83:       # Delete the file so that the next Chef run is forced to recreate it
 84:       # and retest it. Otherwise, if the rules remain unchanged, the template
 85:       # resource won't recreate the file, won't notify the test resource,
 86:       # and the Chef run will be allowed to complete successfully despite
 87:       # and invalid rule being present.
 88:       File.delete(iptable_rules)
 89:       raise msg
 90:     end

[2014-06-27T19:39:50+00:00] ERROR: Exception handlers complete
[2014-06-27T19:39:50+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 86 resources updated in 156.488429846 seconds
[2014-06-27T19:39:50+00:00] ERROR: ruby_block[test-iptables] (simple_iptables::default line 65) had an error: NoMethodError: undefined method `error?' for #<Mixlib::ShellOut:0x00000004bf2fa8>
[2014-06-27T19:39:50+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

undefined method `weight' for Chef::Resource::SimpleIptablesRule

9:
10: simple_iptables_rule "established" do
11: chain "INPUT"
12: rule "-m conntrack --ctstate ESTABLISHED,RELATED"
13: jump "ACCEPT"
14>> weight 1
15: end
16:
17: simple_iptables_rule "icmp" do
18: chain "INPUT"
19: rule "--proto icmp"
20: jump "ACCEPT"
21: weight 2
22: end
23:

[2014-05-22T15:05:13+00:00] ERROR: Running exception handlers
[2014-05-22T15:05:13+00:00] ERROR: Exception handlers complete
[2014-05-22T15:05:13+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2014-05-22T15:05:13+00:00] ERROR: undefined method `weight' for Chef::Resource::SimpleIptablesRule

Experimenting with the examples provided in the docs, I stumbled upon this error...

Is "weight" deprecated?

Appending rules instead of replacing

Is it possible to append rules to iptables instead of clearing out all existing rules? I have a setup with Docker which adds its own rules to iptables, but I can only run this to add my own rules after Docker is already running. I can restart Docker to restore its rules when my rules are modified, but that is a little too disruptive.

Runtime errors under Chef 13 client

I'm seeing a runtime error when attempting to use this under any Chef 13 client. The below occurs under a simple Ubuntu 14.04 VM under Test Kitchen:

       Recipe: simple_iptables::default
         * apt_package[iptables] action install (up to date)
         * ruby_block[run-iptables-resources-early] action run

           ================================================================================
           Error executing action `run` on resource 'ruby_block[run-iptables-resources-early]'
           ================================================================================

           NameError
           ---------
           uninitialized constant Chef::Resource::SimpleIptablesRule

           Cookbook Trace:
           ---------------
           /tmp/kitchen/cache/cookbooks/simple_iptables/recipes/default.rb:41:in `block (3 levels) in from_file'
           /tmp/kitchen/cache/cookbooks/simple_iptables/recipes/default.rb:40:in `block (2 levels) in from_file'

           Resource Declaration:
           ---------------------
           # In /tmp/kitchen/cache/cookbooks/simple_iptables/recipes/default.rb

            34: ruby_block "run-iptables-resources-early" do
            35:   block do
            36:     # Clear old normal-level attributes set by previous versions of the cookbook
            37:     node.rm_normal("simple_iptables", "ipv4")
            38:     node.rm_normal("simple_iptables", "ipv6")
            39:     # Then run all the simple_iptables_* resources
            40:     run_context.resource_collection.each do |resource|
            41:       if resource.kind_of?(Chef::Resource::SimpleIptablesRule)
            42:         Chef::Log.debug("about to run simple_iptables_rule[#{resource.chain}]")
            43:         resource.run_action(resource.action)
            44:       elsif resource.kind_of?(Chef::Resource::SimpleIptablesPolicy)
            45:         Chef::Log.debug("about to run simple_iptables_policy[#{resource.chain}]")
            46:         resource.run_action(resource.action)
            47:       end
            48:     end
            49:
            50:     Chef::Log.debug("After run-iptables-resources-early data is: #{node['simple_iptables']}")
            51:   end
            52: end

           Compiled Resource:
           ------------------
           # Declared in /tmp/kitchen/cache/cookbooks/simple_iptables/recipes/default.rb:34:in `from_file'

           ruby_block("run-iptables-resources-early") do
             action [:run]
             default_guard_interpreter :default
             block_name "run-iptables-resources-early"
             declared_type :ruby_block
             cookbook_name "simple_iptables"
             recipe_name "default"
             block #<Proc:0x00000004a97460@/tmp/kitchen/cache/cookbooks/simple_iptables/recipes/default.rb:35>
           end

           System Info:
           ------------
           chef_version=13.0.118
           platform=ubuntu
           platform_version=14.04
           ruby=ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]
           program_name=chef-client worker: ppid=27618;start=22:51:20;
           executable=/opt/chef/bin/chef-client


       Running handlers:
       [2017-04-17T22:51:23+00:00] ERROR: Running exception handlers
       [2017-04-17T22:51:23+00:00] ERROR: Running exception handlers
       Running handlers complete
       [2017-04-17T22:51:23+00:00] ERROR: Exception handlers complete
       [2017-04-17T22:51:23+00:00] ERROR: Exception handlers complete
       Chef Client failed. 19 resources updated in 02 seconds
       [2017-04-17T22:51:23+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
       [2017-04-17T22:51:23+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
       [2017-04-17T22:51:23+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2017-04-17T22:51:23+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2017-04-17T22:51:23+00:00] ERROR: ruby_block[run-iptables-resources-early] (simple_iptables::default line 34) had an error: NameError: uninitialized constant Chef::Resource::SimpleIptablesRule
       [2017-04-17T22:51:23+00:00] ERROR: ruby_block[run-iptables-resources-early] (simple_iptables::default line 34) had an error: NameError: uninitialized constant Chef::Resource::SimpleIptablesRule
       [2017-04-17T22:51:23+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
       [2017-04-17T22:51:23+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

custom nat PREROUTING rule not loading properly

The example shows how to add a redirect rule to iptables, following this guide I added:

# Redirect 80 to 8080
simple_iptables_rule 'jenkins' do
  table 'nat'
  direction 'PREROUTING'
  rule '--protocol tcp --dport 80 --jump REDIRECT --to-port 8080'
  jump false
end

However, this rule does not add anything to the final iptables rules.

The /etc/iptables-rules file does contain the prerouting:

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:jenkins - [0:0]
-A PREROUTING --jump jenkins
-A jenkins --protocol tcp --dport 80 --jump REDIRECT --to-port 8080
COMMIT

However, the final iptables -L does not show these routes:

Chain INPUT (policy DROP)
target     prot opt source               destination         
system     all  --  anywhere             anywhere            
ssh        all  --  anywhere             anywhere            
http       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain http (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Chain ssh (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain system (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
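Added example, not the cookbook's code: a small parser for the iptables-save / iptables-restore format, so a generated rules file or live `iptables-save` output can be checked table by table. The check matters for the report above because `iptables -L` with no `-t` option lists only the filter table; nat PREROUTING rules are shown by `iptables -t nat -L -n` or `iptables-save -t nat`. The sample text is constructed from the nat table quoted above plus a filter table, and the function names are this example's own.

```ruby
# Added example (not part of the simple_iptables cookbook): parse the
# iptables-save / iptables-restore text format into a per-table structure
# so rules can be located by table and chain without running iptables.
#
# Format handled:  "*table"            starts a table
#                  ":CHAIN POLICY [p:b]" declares a chain ("-" = user chain)
#                  "-A CHAIN spec"     appends a rule
#                  "COMMIT"            ends the table
#                  "# ..."             comment
def parse_iptables_save(text)
  tables = {}
  table = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    case line
    when /\A\*(\S+)\z/
      table = tables[$1] = { policies: {}, chains: {}, rules: [] }
    when /\A:(\S+)\s+(\S+)\s+\[\d+:\d+\]\z/
      raise "chain declared outside a table: #{line}" unless table
      table[:policies][$1] = $2       # "-" for user-defined chains
      table[:chains][$1] = []
    when /\A-A\s+(\S+)\s+(.*)\z/
      raise "rule outside a table: #{line}" unless table
      chain, spec = $1, $2
      table[:chains][chain] ||= []    # tolerate -A to an undeclared chain
      table[:chains][chain] << spec
      table[:rules] << [chain, spec]
    when 'COMMIT'
      table = nil
    else
      raise "unrecognised line: #{line}"
    end
  end
  tables
end

# Rules in one table (optionally one chain); [] if the table or chain is absent.
def rules_in(tables, table, chain = nil)
  t = tables[table]
  return [] unless t
  return t[:chains][chain] || [] if chain
  t[:rules].map { |c, spec| "-A #{c} #{spec}" }
end

# [table, chain] pairs whose rule text matches pattern: answers "where did
# my REDIRECT rule actually land?"
def locate_rule(tables, pattern)
  tables.flat_map do |name, t|
    t[:rules].select { |_c, spec| spec.match?(pattern) }.map { |c, _s| [name, c] }
  end
end

# Constructed sample: the nat table quoted in the issue above, plus a filter
# table with a DROP policy on INPUT.
SAMPLE = <<~RULES
  # This file generated by Chef. Changes will be overwritten.
  *nat
  :PREROUTING ACCEPT [0:0]
  :INPUT ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  :jenkins - [0:0]
  -A PREROUTING --jump jenkins
  -A jenkins --protocol tcp --dport 80 --jump REDIRECT --to-port 8080
  COMMIT
  *filter
  :INPUT DROP [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :http - [0:0]
  -A INPUT --jump http
  -A http --jump ACCEPT --proto tcp --dport 80
  COMMIT
RULES

if $PROGRAM_NAME == __FILE__
  parsed = parse_iptables_save(SAMPLE)
  puts "tables: #{parsed.keys.join(', ')}"
  puts "nat PREROUTING: #{rules_in(parsed, 'nat', 'PREROUTING')}"
  puts "REDIRECT lives in: #{locate_rule(parsed, /REDIRECT/)}"
end
```

Feed it `File.read('/etc/iptables-rules')` to check the file Chef rendered, or the output of `iptables-save` to check what the kernel actually loaded; if the nat table is present in the first and absent from the second, the file was not applied, not mis-rendered.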

kitchen converge gives error when using chef 12.5.1

Hi,

I get the following error when doing a kitchen converge using chef 12.5.1:

   ================================================================================
   Recipe Compile Error in /tmp/kitchen/cache/cookbooks/simple_iptables/resources/policy.rb
   ================================================================================

   NameError
   ---------
   undefined method `log_deprecation' for class `Class'

   Cookbook Trace:
   ---------------
     /tmp/kitchen/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef.rb:6:in `method'
     /tmp/kitchen/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef.rb:6:in `log_deprecation'
     /tmp/kitchen/cache/cookbooks/simple_iptables/resources/policy.rb:3:in `class_from_file'
     /tmp/kitchen/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/resource/lwrp_base.rb:50:in `build_from_file'

   Relevant File Content:
   ----------------------
   /tmp/kitchen/cache/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef.rb:

     1:  class Chef
     2:    NOT_PASSED = Object.new if !defined?(NOT_PASSED)
     3:    # Earlier versions of Chef didn't have this message
     4:    module ChefCompatDeprecation
     5:      def log_deprecation(message, location=nil)
     6>>       if superclass.method(:log_deprecation).owner != ChefCompatDeprecation
     7:          if !location
     8:            # Pick the first caller that is *not* part of the Chef or ChefCompat gem,
     9:            # that's the thing the user wrote.
    10:            chef_compat_gem_path = File.expand_path("../../..", __FILE__)
    11:            chef_gem_path = File.expand_path("../..",::Chef::Resource.instance_method(:initialize).source_location[0])
    12:            caller(0..10).each do |c|
    13:              if !c.start_with?(chef_gem_path) && !c.start_with?(chef_compat_gem_path)
    14:                location = c
    15:                break


   Running handlers:
   [2015-11-02T10:53:24+00:00] ERROR: Running exception handlers
   Running handlers complete
   [2015-11-02T10:53:24+00:00] ERROR: Exception handlers complete
   Chef Client failed. 0 resources updated in 12 seconds
   [2015-11-02T10:53:24+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
   [2015-11-02T10:53:24+00:00] ERROR: undefined method `log_deprecation' for class `Class'
   [2015-11-02T10:53:26+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Converge failed on instance .
Please see .kitchen/logs/default-centos-66.log for more details
------Exception-------
Class: Kitchen::ActionFailed
Message: SSH exited (1) for command: [sh -c '

sudo -E /opt/chef/bin/chef-client --local-mode --config /tmp/kitchen/client.rb --log_level auto --force-formatter --no-color --json-attributes /tmp/kitchen/dna.json --chef-zero-port 8889
']

Wrapping simple_iptables_rule in LWRP

I attempted wrapping a simple_iptables_rule resource in my own LWRP (eg. to allow custom cookbooks to easily open ports on a restrictive firewall); the rules execute (I can see log messages when running with log_level :debug and I can even see my rules persisted in the node normal attributes) however my firewall rules never appear in /etc/iptable-rules (and even less in the running iptable rules).

Is there any reason why:

simple_iptables_rule 'system' do
  rule '-i eth2 -p tcp --dport 1337'
  jump 'ACCEPT'
end

would work while:

my_firewall_port '1337'

would not, assuming a my_firewall_port LWRP that could be implemented like this (please forgive any typos):

#resource
actions :whitelist
default_action :whitelist

attribute :port, kind_of: [String, Integer], name_attribute: true
attribute :proto, kind_of: String, equal_to: %w[tcp udp], default: 'tcp'
attribute :lan_ifname, kind_of: String, default: node['my-firewall']['lan-interface']
attribute :chain, kind_of: String, default: node['my-firewall']['iptables-chain']

#provider
#use_inline_resources # have tried both with and without -- with does not produce CHEF-3694 spam

action :whitelist do
  # Append one ACCEPT rule for the requested port to the configured chain
  simple_iptables_rule new_resource.chain do
    rule "-i #{new_resource.lan_ifname} -p #{new_resource.proto} --dport #{new_resource.port}"
    jump 'ACCEPT'
  end
end

From browsing the code of the simple-iptables cookbooks, I found at least one place where the resource collection is scanned for instances of Chef::Resource::SimpleIptablesRules (and Policy). It may explain why wrapping with LWRP is broken, at least in the use_inline_resources case (if using that option then the SimpleIptableRules instances won't appear in the top-level resource collection at all). For the non use_inline_resources cases, I think it is because the /etc/iptable-rules template is already rendered when my LWRP is converged but I don't see any clean way to converge my LWRP early other than forcing it to run at compile time (which is a first but very ugly workaround).

As a workaround, I ended up implementing the LWRP with a chef 'definition', but I understand that this is a bit of a hack (and the CHEF-3694 spam reminds me of it at every chef run).

Thank you very much in advance.

Error in rule generation

This code:

simple_iptables_rule "forward-reject" do
    chain "FORWARD"
    rule ""
    jump "REJECT"
    weight 10000
end

generates the following iptables rule, which is wrong, and fails:

-A INPUT --jump FORWARD

However, I would expect that it generated this rule:

-A FORWARD --jump REJECT
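Added example that serves both the mangle-table request above and this issue. It is not the cookbook's code but a standalone renderer for the iptables-restore format that follows the conventions visible in the rule sets quoted on this page: `table` defaults to filter and is checked against a whitelist (adding `mangle` to that list is the change proposed above), `direction` names the built-in chain a custom chain hangs off, a `chain` that is not built in is created and jumped to while a built-in `chain` gets the rule appended directly, `--jump` is emitted before the rule text, and `jump false` leaves the target inside the rule text. Under those conventions the `forward-reject` declaration renders as `-A FORWARD --jump REJECT`. The rule hashes, the `BUILTIN_CHAINS` map and the helper names are this example's own.

```ruby
# Added example (not the simple_iptables cookbook's code): render rule
# declarations into the iptables-restore format, one table at a time.
# Built-in chains per table; anything else in :chain is a user chain.
BUILTIN_CHAINS = {
  'filter' => %w[INPUT FORWARD OUTPUT],
  'nat'    => %w[PREROUTING INPUT OUTPUT POSTROUTING],
  'mangle' => %w[PREROUTING INPUT FORWARD OUTPUT POSTROUTING],
  'raw'    => %w[PREROUTING OUTPUT],
}.freeze

# Whitelist the table name, the way the cookbook's :equal_to list does.
def validate_table!(table)
  return table if BUILTIN_CHAINS.key?(table)
  raise ArgumentError, "table #{table.inspect} is not one of #{BUILTIN_CHAINS.keys.join(', ')}"
end

# One "-A" line. :jump is a target name, or false to leave the target
# inside the rule text (REDIRECT / MARK style rules). An empty :rule is
# allowed, e.g. an unconditional REJECT.
def render_rule(r)
  jump = r[:jump] ? "--jump #{r[:jump]}" : nil
  ['-A', r[:chain], jump, r[:rule]].compact.reject(&:empty?).join(' ')
end

# Render the whole file. Each rule hash may carry :table (default filter),
# :direction (default INPUT), :chain, :rule and :jump.
def render(rules)
  by_table = rules.group_by { |r| validate_table!(r.fetch(:table, 'filter')) }
  lines = []
  BUILTIN_CHAINS.each do |table, builtin|
    next unless (trs = by_table[table])
    lines << "*#{table}"
    builtin.each { |c| lines << ":#{c} ACCEPT [0:0]" }
    # user chains: declare them, then hang each off its :direction chain
    custom = trs.map { |r| r[:chain] }.uniq - builtin
    custom.each { |c| lines << ":#{c} - [0:0]" }
    custom.each do |c|
      direction = trs.find { |r| r[:chain] == c }.fetch(:direction, 'INPUT')
      lines << "-A #{direction} --jump #{c}"
    end
    trs.each { |r| lines << render_rule(r) }
    lines << 'COMMIT'
  end
  lines.join("\n") + "\n"
end

# Constructed sample: the forward-reject rule from this issue, the DROP half
# of the mangle MARK trick from the StackOverflow answer quoted above (the
# MARK half goes in mangle PREROUTING), and a README-style nat redirect.
SAMPLE_RULES = [
  { chain: 'INPUT', rule: '-m mark --mark 1', jump: 'DROP' },
  { chain: 'FORWARD', rule: '', jump: 'REJECT' },
  { table: 'nat', direction: 'PREROUTING', chain: 'jenkins',
    rule: '--protocol tcp --dport 80 --jump REDIRECT --to-port 8080', jump: false },
  { table: 'mangle', chain: 'PREROUTING',
    rule: '-p tcp --dport 8080 -j MARK --set-mark 1', jump: false },
].freeze

puts render(SAMPLE_RULES) if $PROGRAM_NAME == __FILE__
```

Before loading the result, run it through `iptables-restore --test < file`, which is the same one-shot check the cookbook's `test-iptables` block performs; the renderer guarantees the file's structure, not that every rule text is valid for the kernel's loaded match modules.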

Issue with chef 12.11.18 and simple_iptables

I downloaded 0.7.4 of simple_iptables, and tried to implement the first example rule:

# Allow SSH
simple_iptables_rule "ssh" do
  rule "--proto tcp --dport 22"
  jump "ACCEPT"
end

And I'm getting this during a chef run:

  * simple_iptables_rule[ssh] action append

    ================================================================================
    Error executing action `append` on resource 'simple_iptables_rule[ssh]'
    ================================================================================

    NoMethodError
    -------------
    Undefined node attribute or method `<<' on `node'. To set an attribute, use `<<=value' instead.

    Cookbook Trace:
    ---------------
    /var/chef/cache/cookbooks/simple_iptables/providers/rule.rb:27:in `handle_rule'
    /var/chef/cache/cookbooks/simple_iptables/providers/rule.rb:8:in `block in class_from_file'

    Resource Declaration:
    ---------------------
    # In /var/chef/cache/cookbooks/jump_server/recipes/default.rb

     26: simple_iptables_rule "ssh" do
     27:   rule "--proto tcp --dport 22"
     28:   jump "ACCEPT"
     29: end
     30:

    Compiled Resource:
    ------------------
    # Declared in /var/chef/cache/cookbooks/jump_server/recipes/default.rb:26:in `from_file'

    simple_iptables_rule("ssh") do
      action :append
      retries 0
      retry_delay 2
      default_guard_interpreter :default
      declared_type :simple_iptables_rule
      cookbook_name "jump_server"
      recipe_name "default"
      rule "--proto tcp --dport 22"
      jump "ACCEPT"
      table "filter"
      chain "ssh"
      direction "INPUT"
    end

    Platform:
    ---------
    x86_64-linux


Running handlers:
[2016-06-26T21:25:21+00:00] ERROR: Running exception handlers
Running handlers complete
[2016-06-26T21:25:21+00:00] ERROR: Exception handlers complete
Chef Client failed. 2 resources updated in 10 seconds
[2016-06-26T21:25:21+00:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2016-06-26T21:25:21+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2016-06-26T21:25:21+00:00] ERROR: simple_iptables_rule[ssh] (jump_server::default line 26) had an error: NoMethodError: Undefined node attribute or method `<<' on `node'. To set an attribute, use `<<=value' instead.
[2016-06-26T21:25:21+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Let me know if there's anything else I can provide to help, thanks!

Attribute precedence rules allow duplicate entries

include_recipe 'simple_iptables::redhat'

simple_iptables_rule 'https' do
  rule '--proto tcp --dport 443'
  jump 'ACCEPT'
end

simple_iptables_rule 'https' do
  rule '--proto tcp --dport 443'
  jump 'ACCEPT'
end

Produces the following rule set with chef 11.16.2, note two -A https --jump ACCEPT --proto tcp --dport 443 rules:

# This file generated by Chef. Changes will be overwritten.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# This file generated by Chef. Changes will be overwritten.
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# This file generated by Chef. Changes will be overwritten.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:https - [0:0]
-A INPUT --jump ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
-A INPUT --jump ACCEPT --proto icmp
-A INPUT --jump ACCEPT --in-interface lo
-A https --jump ACCEPT --proto tcp --dport 443
-A INPUT  --jump https
-A https --jump ACCEPT --proto tcp --dport 443
-A INPUT --jump ACCEPT --proto tcp --dport 22 -m conntrack --ctstate NEW
-A INPUT --jump REJECT --reject-with icmp-host-prohibited 
-A FORWARD --jump REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed
# This file generated by Chef. Changes will be overwritten.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed

This is caused by reading merged node attribute while writing the attributes with node.set.

support for ipv6 is broken

Running git bisect, it seems the first bad commit is:

ff467b7 is the first bad commit
commit ff467b7
Author: Cory Stegelmeier [email protected]
Date: Wed Jun 10 16:26:00 2015 -0400

fixed foodcritic error

about not always calling new_resource.updated_by_last_action

:100644 100644 63e49a3c00c52475e8637fd60a0209014ff3c8ca 3defc347e3081ef31d12741cd87e0babf1ef5a79 M README.md
:040000 040000 5fda79e664608f96f971c57f35b3cce0d4f8f4b2 1b8f7606a4f1b6ad491aad9c8647ecb6ccc274c2 M providers

NoMethodError: undefined method `lazy'

I got this error message when provisioning.
I used ruby 2.2.0 and chef 11.12.4

$ sudo head /var/chef/cache/chef-stacktrace.out
Generated at 2015-06-24 14:13:14 +0000
NoMethodError: undefined method `lazy' for #<Class:0x00000002acebb0>
/tmp/vagrant-chef/24908995bd1fac04ad7e673dc8bbe2b2/cookbooks/simple_iptables/resources/rule.rb:10:in `class_from_file'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.2/lib/chef/mixin/from_file.rb:42:in `class_eval'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.2/lib/chef/mixin/from_file.rb:42:in `class_from_file'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.2/lib/chef/resource/lwrp_base.rb:54:in `build_from_file'
/opt/chef/embedded/lib/ruby/gems/1.9.1/gems/chef-11.12.2/lib/chef/run_context/cookbook_compiler.rb:220:in `load_lwrp_resource'

Maybe this line is wrong...?
https://github.com/rtkwlf/cookbook-simple-iptables/blob/master/resources/rule.rb

attribute :comment, :kind_of => String, :default => lazy { |r| r.name }

deleting iptables rules

From what I can tell the cookbook does not remove iptables rules if I change them. That is, if I have a rule in a recipe such as:

simple_iptables_rule "allow_ssh_from_external" do
    direction "INPUT"
    rule "-i eth0 -p tcp --dport 22"
    jump "ACCEPT"
end

and assign the recipe to a node, all works. But if I remove the rule from the recipe, the rule persists on the node. It stays in the node configuration and thus saved in /etc/iptables-rules etc. The solution is to edit the node configuration and remove it, but I think the cookbook should handle that.

Is that by design or a bug?

Other than that this cookbook is excellent, thanks for publishing it!

mike
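
Added example, not the cookbook's own code, for the two reports above (duplicate entries from same-named resources, and rules that linger after being removed from a recipe). Both symptoms come from accumulating rules in node attributes across runs; the sketch below instead collects the rules declared in the current run, ignores an identical second declaration, and diffs the result against the rules file written last time so removed rules can be identified. It assumes a simplified rule model (chain, match text, jump; filter table only) and a constructed previous rules file; the cookbook's real attribute layout is not modelled.

```ruby
require 'set'

# Minimal rule model: the rendered iptables-restore line is the rule's identity.
Rule = Struct.new(:chain, :rule, :jump) do
  def to_line
    ["-A #{chain}", "--jump #{jump}", rule.to_s].reject(&:empty?).join(' ')
  end
end

class RuleSet
  def initialize
    @rules = []        # declaration order, as the rules file will be written
    @seen  = Set.new   # rendered lines already declared in this run
  end

  # Returns true when the rule was added, false when an identical rule
  # (same chain, match and jump) was already declared in this run.
  def declare(chain:, rule:, jump:)
    r = Rule.new(chain, rule, jump)
    return false unless @seen.add?(r.to_line)
    @rules << r
    true
  end

  def lines
    @rules.map(&:to_line)
  end

  # '-A' lines found in a previously written rules file (iptables-save
  # format) that are not declared in this run: exactly the rules that
  # linger when the set is accumulated in node attributes instead of
  # being rebuilt from the recipes on every converge.
  def stale(previous_file)
    previous = previous_file.each_line.map(&:strip).select { |l| l.start_with?('-A ') }
    previous - lines
  end
end

# Constructed rules file from an earlier run, when the ssh rule was still declared.
PREVIOUS_RULES = <<~RULES
  *filter
  :INPUT ACCEPT [0:0]
  :https - [0:0]
  -A INPUT --jump ACCEPT --proto tcp --dport 22 -m conntrack --ctstate NEW
  -A https --jump ACCEPT --proto tcp --dport 443
  -A INPUT --jump https
  COMMIT
RULES

if __FILE__ == $PROGRAM_NAME
  set = RuleSet.new
  set.declare(chain: 'https', rule: '--proto tcp --dport 443', jump: 'ACCEPT')
  set.declare(chain: 'https', rule: '--proto tcp --dport 443', jump: 'ACCEPT') # duplicate, ignored
  set.declare(chain: 'INPUT', rule: '', jump: 'https')
  puts set.lines
  puts "stale: #{set.stale(PREVIOUS_RULES).inspect}"
end
```

Rebuilding the set from declarations every run makes removal automatic; the stale list is only needed if a ruleset is kept outside Chef and has to be reconciled. Note that a rule which is only "stale" because its match text changed (for example a new interface name) still needs review: the old line is what is actually enforced until the file is rewritten.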

Example config fail for web access

This might not be an issue with the cookbook, as I'm a noob with chef-solo and iptables too... but I used the recipe given in the Readme example and got the expected config but not the expected behaviour.

My changes in recipe

  • Since my web server listens on 3000 and not on 8080, I changed this and kept the name tomcat.
  • I do not have an https service for now, so I also deleted both lines about port 443.

Generated conf

  • iptables -L is similar to the given example, and so is -t nat

Behaviour

  • ssh connection still works as expected
  • http connection doesn't work any more on port 3000, as expected
  • but http connection does not work on port 80 either...

And if I manually change iptables to remove the first drop-all rule, http connection works on both port 80 and 3000, showing that the nat fwd is at least partially working and my web server is working.

Any idea about it? Thanks

support aws AMI

AWS AMIs report as the rhel platform, but their platform versioning is totally different and based on year/month rather than release number.

exception with 'nat' chain on version 0.8.0

Hello. On cookbook version 0.8.0 I get the following error at the end of the converge:

       [2016-11-25T18:02:59+03:00] ERROR: Exception handlers complete
       Chef Client failed. 180 resources updated in 05 minutes 13 seconds
       [2016-11-25T18:02:59+03:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
       [2016-11-25T18:02:59+03:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
       [2016-11-25T18:02:59+03:00] ERROR: ruby_block[test-iptables] (simple_iptables::default line 67) had an error: RuntimeError: iptables-restore exited with code 2 while testing new rules
       STDOUT:

       STDERR:
       iptables-restore v1.4.7: iptables-restore: unable to initialize table 'nat'

       Error occurred at line: 2
       Try `iptables-restore -h' or 'iptables-restore --help' for more information.

       Line 2: *nat

       [2016-11-25T18:02:59+03:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Same converge but with version 0.7.5 succeeds. I can't understand why.
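
Added example, not the cookbook's own code. "unable to initialize table 'nat'" is iptables-restore telling you the kernel could not provide that table (no nat module, or a container kernel without it), so the whole restore is rejected. The sketch below parses a rules file in the format the cookbook writes, asks iptables which tables are actually usable, and drops the others, while returning the dropped names so a recipe can fail loudly if it needs a table that is missing. It assumes iptables is on PATH and the caller is root; the sample rules file is constructed.

```ruby
# Split an iptables-save style file into { table_name => [lines] }, keeping each
# "*table" header through its COMMIT and dropping comments and blank lines.
def parse_tables(text)
  tables = {}
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty? || line.start_with?('#')
    if line.start_with?('*')
      current = line[1..-1].strip
      tables[current] = [line]
    elsif current
      tables[current] << line
    end
  end
  tables
end

# Tables the running kernel can actually provide. Asking iptables for the
# table (rather than reading /proc/net/ip_tables_names) also triggers the
# module autoload, so a merely-unloaded nat module still counts as present.
# Assumption: iptables is on PATH and we are root; otherwise every table
# looks unavailable, so treat an empty result as "unknown", not "none".
def usable_tables(candidates = %w[filter nat mangle raw])
  candidates.select do |t|
    system('iptables', '-t', t, '-S', out: File::NULL, err: File::NULL)
  end
end

# Keep only the tables in `available`; returns [filtered_text, dropped_names]
# so the caller can fail loudly when a table it relies on is missing instead
# of silently shipping a rule set without its nat rules.
def filter_rules(text, available)
  tables = parse_tables(text)
  dropped = tables.keys - available
  kept = tables.reject { |name, _| dropped.include?(name) }
  [kept.values.map { |lines| lines.join("\n") + "\n" }.join, dropped]
end

# Constructed sample in the format the cookbook writes.
SAMPLE_RULES = <<~RULES
  # This file generated by Chef. Changes will be overwritten.
  *nat
  :PREROUTING ACCEPT [0:0]
  COMMIT
  # Completed
  *filter
  :INPUT ACCEPT [0:0]
  -A INPUT --jump ACCEPT --in-interface lo
  COMMIT
  # Completed
RULES

if __FILE__ == $PROGRAM_NAME
  text, dropped = filter_rules(SAMPLE_RULES, usable_tables)
  warn "dropped tables: #{dropped.join(', ')}" unless dropped.empty?
  print text
end
```

Dropping a table is a policy decision, not just an error workaround: a host whose recipe declares nat rules but whose kernel has no nat table will silently run without them, so the dropped list should normally abort the run unless the table is known to be optional for that node.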

Looking for a new maintainer

Hi Guys,

I originally built this to meet a need I had for my personal servers, which it did nicely. Since then it seems a lot of people have found it and found that it meets some of their needs as well. That's awesome! I'd love for simple-iptables to live on, and grow to meet new needs, but I simply don't have the time, energy, or familiarity with iptables itself to be very involved in that growth. So, I'd like to open a call to contributors, watchers, or any other interested parties to take a more active role in maintaining the project.

Now, if you'll forgive the spam, I'd like to CC everyone who's sent a pull request, in case any of you are interested: @nathenharvey @SchraderMJ11 @david415 @gwik @phoolish @hecastro @nmische @warwickp @tmatilai @jblaine @svanharmelen @rtkmhart @pimpin @blackstar257. Please also feel free to nominate anyone else who you think might be interested.

I've never done this before, but I'm hoping that one or a few people will step up. If that happens, I'll turn over commit bit on the repository (or assist in moving it to a new home -- perhaps https://github.com/chef-community? CC @miketheman) and publish rights on the community site.

Ruby block executes on every run

The run-iptables-resources-early ruby block in the default recipe runs on every single Chef run even if no rules are changed. Is there a way to avoid running this if there are no rules changing? It shows in the run as a changed resource.

error parse kernel release

I have an error in file simple_iptables/templates/default/iptables-rules.erb, line 3,
because

node["kernel"]["release"] contains "3.6-trunk-amd64"
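
Added example, not the cookbook's own code, for this report and for the "support aws AMI" report above: both are version strings from Ohai that do not match the shape a naive split or to_i expects. It assumes the template compares the kernel release against a minimum version (2.6.18 is used here only as an illustrative threshold), and that Amazon Linux appears with platform "amazon" inside platform_family "rhel" with a year.month platform_version; neither the template's real comparison nor the cookbook's platform checks are reproduced.

```ruby
# Parse "major.minor[.patch]-anything" into three integers. The trailing
# "-trunk-amd64" / "-431.el6.x86_64" parts are ignored, and a missing
# patch level (Debian's "3.6-trunk-amd64") becomes 0 instead of nil.
def parse_kernel_release(release)
  m = release.to_s.match(/\A(\d+)\.(\d+)(?:\.(\d+))?/)
  raise ArgumentError, "unparseable kernel release: #{release.inspect}" unless m
  [m[1].to_i, m[2].to_i, m[3].to_i]   # nil.to_i == 0 for a missing patch level
end

# kernel_at_least?('3.6-trunk-amd64', 2, 6, 18): element-wise array comparison,
# padding the required version with zeros so kernel_at_least?(rel, 3) works too.
def kernel_at_least?(release, *required)
  required += [0] * (3 - required.size)
  (parse_kernel_release(release) <=> required) >= 0
end

# Amazon Linux sits in platform_family "rhel" but versions as year.month, so
# a naive `platform_version.to_i >= 7` reads "2016.03" as EL release 2016.
# Returning nil makes "this is not an EL release" explicit to the caller.
def el_major(platform, platform_version)
  return nil if platform == 'amazon'
  platform_version.to_s[/\A\d+/].to_i
end

# Example policy check of the kind a cookbook makes (EL7+ behaves differently).
def el7_or_newer?(platform, platform_version)
  major = el_major(platform, platform_version)
  !major.nil? && major >= 7
end

if __FILE__ == $PROGRAM_NAME
  %w[3.6-trunk-amd64 2.6.32-431.el6.x86_64 4.4.0-21-generic].each do |rel|
    puts "#{rel}: #{parse_kernel_release(rel).join('.')} >=2.6.18? #{kernel_at_least?(rel, 2, 6, 18)}"
  end
  puts "amazon 2016.03 el7? #{el7_or_newer?('amazon', '2016.03')}"
end
```

Raising on an unparseable release is deliberate: a firewall template that silently falls back to "old kernel" or "new kernel" syntax can produce a rule set that iptables-restore rejects, or one that loads but does not match what the recipe intended. Failing the converge is the safer outcome.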
