Comments (10)
rtkrruvinskiy
commented on August 17, 2024
Can you attach the /etc/iptables-rules (Debian/Ubuntu) or /etc/sysconfig/iptables (CentOS/Fedora/Red Hat) files generated with the two versions of the cookbook? Thanks!
from cookbook-simple-iptables.
anuriq
commented on August 17, 2024
Content of /etc/sysconfig/iptables-config with cookbook 0.8.0
# Load additional iptables modules (nat helpers)
# Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES=""
# Unload modules on restart and stop
# Value: yes|no, default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"
# Save current firewall rules on stop.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="no"
# Save current firewall rules on restart.
# Value: yes|no, default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="no"
# Save (and restore) rule and chain counter.
# Value: yes|no, default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"
# Numeric status output
# Value: yes|no, default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"
# Verbose status output
# Value: yes|no, default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"
# Status output with numbered lines
# Value: yes|no, default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"
# Reload sysctl settings on start and restart
# Default: -none-
# Space separated list of sysctl items which are to be reloaded on start.
# List items will be matched by fgrep.
#IPTABLES_SYSCTL_LOAD_LIST=".nf_conntrack .bridge-nf"
from cookbook-simple-iptables.
rtkrruvinskiy
commented on August 17, 2024
I'm looking for the rule file, not the configuration file. What Linux distribution and version are you running?
from cookbook-simple-iptables.
anuriq
commented on August 17, 2024
This is a Virtuozzo Server 6 which is based on Centos 6. A file you requested was absent :-)
from cookbook-simple-iptables.
rtkrruvinskiy
commented on August 17, 2024
The simple_iptables::default recipe has a line that reads "File.delete(iptable_rules)". Can you comment it out, and run chef again? The file I'm looking for should be there at that point.
from cookbook-simple-iptables.
anuriq
commented on August 17, 2024
hi again. contents of /etc/sysconfig/iptables:
# This file generated by Chef. Changes will be overwritten.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# This file generated by Chef. Changes will be overwritten.
*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# This file generated by Chef. Changes will be overwritten.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nrpe - [0:0]
:PVA-INPUT - [0:0]
:storage - [0:0]
:migration - [0:0]
:pstorage - [0:0]
-A INPUT --jump ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "established"
-A INPUT -p tcp --jump PVA-INPUT
-A PVA-INPUT --jump ACCEPT -p tcp -m tcp --dport 4533 -m comment --comment "pva-input"
-A PVA-INPUT --jump ACCEPT -p tcp -m tcp --dport 4534 -m comment --comment "pva-input"
-A PVA-INPUT --jump ACCEPT -p tcp -m tcp --dport 4433 -m comment --comment "pva-input"
-A PVA-INPUT --jump ACCEPT -p tcp -m tcp --dport 4434 -m comment --comment "pva-input"
-A PVA-INPUT --jump ACCEPT -p tcp -m tcp --dport 4435 -m comment --comment "pva-input"
-A PVA-INPUT --jump ACCEPT -p tcp -m tcp --dport 5800:5899 -m comment --comment "pva-input"
-A PVA-INPUT --jump ACCEPT -p tcp -m tcp --dport 4643 -m comment --comment "pva-input"
-A PVA-INPUT --jump ACCEPT -p tcp -m tcp --dport 8443 -m comment --comment "pva-input"
-A FORWARD --jump ACCEPT -m comment --comment "foward"
-A INPUT --jump ACCEPT --proto icmp -m comment --comment "icmp"
-A INPUT --jump ACCEPT --in-interface lo -m comment --comment "loopback"
-A INPUT -i bond0.219 --jump storage
-A storage --jump ACCEPT -s 192.168.0.0/24 -m comment --comment "storage"
-A INPUT --jump nrpe
-A nrpe --jump ACCEPT -i eth0 --proto tcp --dport 5666 -m state --state NEW -m comment --comment "nrpe"
-A INPUT --jump migration
-A migration --jump ACCEPT -p tcp --dport 64000 -m comment --comment "migration"
-A INPUT --jump pstorage
-A pstorage --jump ACCEPT -i bond0 -s 192.168.0.0/24 -m comment --comment "pstorage"
-A INPUT --jump ACCEPT --proto tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "ssh"
-A INPUT --jump REJECT --reject-with icmp-host-prohibited -m comment --comment "reject"
-A FORWARD --jump REJECT --reject-with icmp-host-prohibited -m comment --comment "reject"
COMMIT
# Completed
# This file generated by Chef. Changes will be overwritten.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed
from cookbook-simple-iptables.
rtkrruvinskiy
commented on August 17, 2024
Thanks for sending me the file. To confirm, this file fails to load for you on your Virtuozzo server? But when you run version 0.7.5, it works fine? Is there a difference between the contents of the /etc/sysconfig/iptables file generated by version 0.7.5 and version 0.8.0?
from cookbook-simple-iptables.
anuriq
commented on August 17, 2024
difference is in nat and raw blocks. they are absent in version 0.7.5
2,8d1
< *nat
< :PREROUTING ACCEPT [0:0]
< :OUTPUT ACCEPT [0:0]
< :POSTROUTING ACCEPT [0:0]
< COMMIT
< # Completed
< # This file generated by Chef. Changes will be overwritten.
51,56d43
< # Completed
< # This file generated by Chef. Changes will be overwritten.
< *raw
< :PREROUTING ACCEPT [0:0]
< :OUTPUT ACCEPT [0:0]
< COMMIT
from cookbook-simple-iptables.
rtkrruvinskiy
commented on August 17, 2024
I wonder if the switch from normal to default attributes is interfering with something you're doing to get around the fact that the raw and nat tables aren't available in your container. Do you have any code in any of your recipes that looks something like this?
node.set["simple_iptables"]["tables"] = %w(filter mangle)Regardless, try to override the attribute. In a recipe, try writing this:
node.override["simple_iptables"]["tables"] = %w(filter mangle)You can also do something equivalent in a role via override_attributes.
from cookbook-simple-iptables.
anuriq
commented on August 17, 2024
thank you, this really resolved the issue.
from cookbook-simple-iptables.
Related Issues (20)
- Use of << HOT 6
- undefined method `weight' for Chef::Resource::SimpleIptablesRule HOT 2
- Release recent versions? HOT 1
- One-shot Testing for IPTables Rules breaks initial cook on new ubuntu host HOT 5
- Error in rule generation HOT 1
- NoMethodError on simple policy HOT 1
- Attribute precedence rules allow duplicate entries
- Please upload new version HOT 2
- Dead? HOT 1
- Ruby block executes on every run HOT 3
- Wrapping simple_iptables_rule in LWRP HOT 4
- Error using chef-client 12.2.1 HOT 1
- support aws AMI HOT 2
- NoMethodError: undefined method `lazy' HOT 3
- Appending rules instead of replacing HOT 1
- support for ipv6 is broken
- kitchen converge gives error when using chef 12.5.1 HOT 2
- Issue with chef 12.11.18 and simple_iptables HOT 1
- Runtime errors under Chef 13 client HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cookbook-simple-iptables.