Mark Smith ([staff profile] mark) wrote in [site community profile] changelog2009-03-30 01:10 am

[dw-ops] Add ability to open up certain ports for external traffic. There may be a better way to do

[commit: http://hg.dwscoalition.org/dw-ops/rev/e42af4b542a1]

Add ability to open up certain ports for external traffic. There may be a
better way to do this in Puppet, but this works for now.

Patch by [staff profile] mark.

Files modified:
  • puppet/manifests/serverclass/perlbal.pp
  • puppet/manifests/site.pp
  • puppet/modules/iptables/manifests/dreamwidth.pp
  • puppet/modules/iptables/manifests/init.pp
  • puppet/modules/iptables/templates/dreamwidth.erb
--------------------------------------------------------------------------------
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/manifests/serverclass/perlbal.pp
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/puppet/manifests/serverclass/perlbal.pp	Mon Mar 30 01:10:51 2009 +0000
@@ -0,0 +1,23 @@
+#
+# serverclass::perlbal
+#
+# Defines functionality for the configuration of the Perlbal machines.
+#
+# Authors:
+#      Mark Smith <mark@dreamwidth.org>
+#
+# Copyright (c) 2009 by Dreamwidth Studios, LLC.
+#
+# This program is free software; you may redistribute it and/or modify it under
+# the same terms as Perl itself.  For a copy of the license, please reference
+# 'perldoc perlartistic' or 'perldoc perlgpl'.
+#
+
+class iptables::dreamwidth::perlbal inherits iptables::dreamwidth {
+    # open up incoming port 80
+    Iptables::Rules["dreamwidth"] { allowed_ports => [ 80 ] }
+}
+
+class serverclass::perlbal inherits serverclass::dreamwidth {
+    include iptables::dreamwidth::perlbal
+}
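Review bot: `iptables::dreamwidth::perlbal` is declared in `puppet/manifests/serverclass/perlbal.pp`, while the other `iptables::dreamwidth` classes this commit touches live under `puppet/modules/iptables/manifests/`, so a reader looking for the firewall exception in the iptables module will not find it; it only resolves here because site.pp imports `serverclass/*` (visible in the second hunk's header). If the module autoloader is in use, the expected home would be a `dreamwidth/perlbal.pp` file under the iptables module's manifests; otherwise add a comment above the class, `# Kept next to serverclass::perlbal so the role and its firewall exception change together`. The file header comment also describes only `serverclass::perlbal`; mention that the file additionally carries the iptables override, and note in the `# open up incoming port 80` comment that the list is TCP-only as written by the template.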
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/manifests/site.pp
--- a/puppet/manifests/site.pp	Fri Mar 27 08:27:02 2009 +0000
+++ b/puppet/manifests/site.pp	Mon Mar 30 01:10:51 2009 +0000
@@ -59,8 +59,8 @@ import "serverclass/*"
 #  -OR-
 # node nodename { include serverclass::nonwebserver }
 
-node example {include serverclass::webserver }
-node dh01 {include serverclass::webserver }
+node dfw-lb01 { include serverclass::perlbal }
+node dfw-lb02 { include serverclass::perlbal }
 
 # A special case exists for the node that will run the Puppet master service.
 # This node can be specified as following:
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/modules/iptables/manifests/dreamwidth.pp
--- a/puppet/modules/iptables/manifests/dreamwidth.pp	Fri Mar 27 08:27:02 2009 +0000
+++ b/puppet/modules/iptables/manifests/dreamwidth.pp	Mon Mar 30 01:10:51 2009 +0000
@@ -4,5 +4,5 @@
 ###############################################################################
 
 class iptables::dreamwidth inherits iptables {
-    iptables::rules { "dreamwidth": ensure => present }
+    iptables::rules { "dreamwidth": ensure => present, allowed_ports => [] }
 }
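Review bot: `allowed_ports => []` on the `iptables::rules` declaration restates the default the `define rules` in init.pp already gives the parameter, so it is unclear whether it is redundant or whether it is what lets `Iptables::Rules["dreamwidth"] { allowed_ports => [ 80 ] }` in perlbal.pp override it. If the explicit empty list is required for the override to apply, say so next to it: `# declared explicitly (despite the define's default) so inheriting classes can override allowed_ports`; if it is not required, drop it so the define's default stays the single source of truth.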
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/modules/iptables/manifests/init.pp
--- a/puppet/modules/iptables/manifests/init.pp	Fri Mar 27 08:27:02 2009 +0000
+++ b/puppet/modules/iptables/manifests/init.pp	Mon Mar 30 01:10:51 2009 +0000
@@ -35,7 +35,7 @@ class iptables {
 
     # Load the iptables rules, write the file, and notify the iptables-restore
     # exec to reload the rules
-    define rules ( $ensure = 'present', $content = '' ) {
+    define rules ( $ensure = 'present', $content = '', $allowed_ports = [] ) {
         $real_content = $content ? {
                 '' => template ("iptables/${name}.erb"),
                 default => $content
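Review bot: The comment above `define rules` still describes only the load/write/notify behaviour; the new `$allowed_ports` parameter is undocumented, and nothing in the define constrains its values before the template interpolates them into `--dport` rules (the define's body continues past the end of this hunk). Extend the comment with `# $allowed_ports: list of TCP port numbers to ACCEPT on INPUT; everything else is still rejected by the template's final rules`. Consider also rejecting non-numeric entries at catalog compile time (e.g. with `fail`) so a typo in a node definition is caught before a broken rules file reaches iptables-restore.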
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/modules/iptables/templates/dreamwidth.erb
--- a/puppet/modules/iptables/templates/dreamwidth.erb	Fri Mar 27 08:27:02 2009 +0000
+++ b/puppet/modules/iptables/templates/dreamwidth.erb	Mon Mar 30 01:10:51 2009 +0000
@@ -32,6 +32,13 @@
 # Allows all outbound traffic
 -A OUTPUT -j ACCEPT
 
+<% if has_variable?("allowed_ports") && !allowed_ports.empty? -%>
+# Allow inbound traffic on certain public ports
+<% allowed_ports.each do |val| -%>
+-A INPUT --proto tcp --dport <%= val %> -j ACCEPT
+<% end -%>
+
+<% end -%>
 # Reject all other inbound - default deny unless explicitly allowed policy
 -A INPUT -j REJECT
 -A FORWARD -j REJECT
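Review bot: `<%= val %>` is placed into the `--dport` rule unchecked, so a non-integer or out-of-range entry in `allowed_ports` is written verbatim into the rules file and only surfaces when iptables-restore rejects it at apply time. Coerce and range-check in the template before the `-A INPUT` line, e.g. `<% port = Integer(val); raise "bad port #{val}" unless (1..65535).include?(port) -%>` and then emit `<%= port %>`, so a bad value fails catalog compilation instead. The `has_variable?("allowed_ports")` guard looks redundant now that the define defaults the parameter to `[]`, though it is harmless. The heading comment says "certain public ports" while the rule is TCP-only; `# Allow inbound TCP on the ports listed in allowed_ports` describes what is actually generated.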
--------------------------------------------------------------------------------