[dw-ops] Add ability to open up certain ports for external traffic. There may be a better way to do
[commit: http://hg.dwscoalition.org/dw-ops/rev/e42af4b542a1]
Add ability to open up certain ports for external traffic. There may be a
better way to do this in Puppet, but this works for now.
Patch by
mark.
Files modified:
Add ability to open up certain ports for external traffic. There may be a
better way to do this in Puppet, but this works for now.
Patch by
Files modified:
- puppet/manifests/serverclass/perlbal.pp
- puppet/manifests/site.pp
- puppet/modules/iptables/manifests/dreamwidth.pp
- puppet/modules/iptables/manifests/init.pp
- puppet/modules/iptables/templates/dreamwidth.erb
--------------------------------------------------------------------------------
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/manifests/serverclass/perlbal.pp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/puppet/manifests/serverclass/perlbal.pp Mon Mar 30 01:10:51 2009 +0000
@@ -0,0 +1,23 @@
+#
+# serverclass::perlbal
+#
+# Defines functionality for the configuration of the Perlbal machines.
+#
+# Authors:
+# Mark Smith <mark@dreamwidth.org>
+#
+# Copyright (c) 2009 by Dreamwidth Studios, LLC.
+#
+# This program is free software; you may redistribute it and/or modify it under
+# the same terms as Perl itself. For a copy of the license, please reference
+# 'perldoc perlartistic' or 'perldoc perlgpl'.
+#
+
+class iptables::dreamwidth::perlbal inherits iptables::dreamwidth {
+ # open up incoming port 80
+ Iptables::Rules["dreamwidth"] { allowed_ports => [ 80 ] }
+}
+
+class serverclass::perlbal inherits serverclass::dreamwidth {
+ include iptables::dreamwidth::perlbal
+}
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/manifests/site.pp
--- a/puppet/manifests/site.pp Fri Mar 27 08:27:02 2009 +0000
+++ b/puppet/manifests/site.pp Mon Mar 30 01:10:51 2009 +0000
@@ -59,8 +59,8 @@
 import "serverclass/*"
 # -OR-
 # node nodename { include serverclass::nonwebserver }
-node example {include serverclass::webserver }
-node dh01 {include serverclass::webserver }
+node dfw-lb01 { include serverclass::perlbal }
+node dfw-lb02 { include serverclass::perlbal }
 # A special case exists for the node that will run the Puppet master service.
 # This node can be specified as following:
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/modules/iptables/manifests/dreamwidth.pp
--- a/puppet/modules/iptables/manifests/dreamwidth.pp Fri Mar 27 08:27:02 2009 +0000
+++ b/puppet/modules/iptables/manifests/dreamwidth.pp Mon Mar 30 01:10:51 2009 +0000
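Review bot: `class iptables::dreamwidth::perlbal` is declared in puppet/manifests/serverclass/perlbal.pp, outside the iptables module whose namespace it carries, so it is only found because site.pp does `import "serverclass/*"` rather than through the module layout the other iptables classes use (puppet/modules/iptables/manifests/dreamwidth.pp on this page). Keeping the firewall override in the iptables module (for example a constructed path like puppet/modules/iptables/manifests/dreamwidth/perlbal.pp) and leaving serverclass::perlbal with only the `include` keeps each module self-contained. The file header names only serverclass::perlbal and should mention that the file also carries the firewall override. The override comment says nothing about scope; `# open up incoming port 80` could read `# accept inbound TCP 80 from any source; every other inbound port stays at the template's default REJECT`, which is what the dreamwidth.erb change in this commit renders.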
@@ -4,5 +4,5 @@
 ###############################################################################
 class iptables::dreamwidth inherits iptables {
- iptables::rules { "dreamwidth": ensure => present }
+ iptables::rules { "dreamwidth": ensure => present, allowed_ports => [] }
 }
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/modules/iptables/manifests/init.pp
--- a/puppet/modules/iptables/manifests/init.pp Fri Mar 27 08:27:02 2009 +0000
+++ b/puppet/modules/iptables/manifests/init.pp Mon Mar 30 01:10:51 2009 +0000
@@ -35,7 +35,7 @@
 class iptables {
 # Load the iptables rules, write the file, and notify the iptables-restore
 # exec to reload the rules
- define rules ( $ensure = 'present', $content = '' ) {
+ define rules ( $ensure = 'present', $content = '', $allowed_ports = [] ) {
 $real_content = $content ? {
 '' => template ("iptables/${name}.erb"),
 default => $content
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/modules/iptables/templates/dreamwidth.erb
--- a/puppet/modules/iptables/templates/dreamwidth.erb Fri Mar 27 08:27:02 2009 +0000
+++ b/puppet/modules/iptables/templates/dreamwidth.erb Mon Mar 30 01:10:51 2009 +0000
@@ -32,6 +32,13 @@
 # Allows all outbound traffic
 -A OUTPUT -j ACCEPT
+<% if has_variable?("allowed_ports") && !allowed_ports.empty? -%>
+# Allow inbound traffic on certain public ports
+<% allowed_ports.each do |val| -%>
+-A INPUT --proto tcp --dport <%= val %> -j ACCEPT
+<% end -%>
+
+<% end -%>
 # Reject all other inbound - default deny unless explicitly allowed policy
 -A INPUT -j REJECT
 -A FORWARD -j REJECT
--------------------------------------------------------------------------------
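Review bot: The new `$allowed_ports` parameter on `define rules` in init.pp is undocumented, and nothing in the hunk constrains what it holds before the template interpolates it into the ruleset that the iptables-restore exec loads. The comment above the define should gain a line such as `# $allowed_ports: list of TCP port numbers accepted inbound from any source; consumed by the iptables/${name}.erb template`. The define's body continues past the hunk and `class iptables` opens before it, so a validation step may exist outside this view; if it does not, rejecting non-numeric entries at the define would turn a typo into a catalog failure instead of a reload-time iptables-restore error on the host.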
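Review bot: `--dport <%= val %>` in dreamwidth.erb writes each entry of allowed_ports into the rule unchecked, so a malformed entry yields a ruleset that iptables-restore rejects at reload, which is the worst time to find out and leaves the cause in an exec failure rather than the catalog. Converting inside the loop, `<% allowed_ports.each do |val| -%>` followed by `<% port = Integer(val) -%>` and `--dport <%= port %>`, makes the template itself fail on a non-numeric entry. The generated rule is TCP only and not limited by source or interface, which fits the "public ports" intent but is worth stating: `# Allow inbound TCP from any source on the listed public ports`. The `has_variable?` guard is redundant now that the rules define in init.pp always supplies allowed_ports (defaulting to []), though it is harmless.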