Mark Smith ([staff profile] mark) wrote in [site community profile] changelog, 2009-03-30 01:10 am

[dw-ops] Add ability to open up certain ports for external traffic. There may be a better way to do

[commit: http://hg.dwscoalition.org/dw-ops/rev/e42af4b542a1]

Add ability to open up certain ports for external traffic. There may be a
better way to do this in Puppet, but this works for now.

Patch by [staff profile] mark.

Files modified:
  • puppet/manifests/serverclass/perlbal.pp
  • puppet/manifests/site.pp
  • puppet/modules/iptables/manifests/dreamwidth.pp
  • puppet/modules/iptables/manifests/init.pp
  • puppet/modules/iptables/templates/dreamwidth.erb
--------------------------------------------------------------------------------
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/manifests/serverclass/perlbal.pp
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/puppet/manifests/serverclass/perlbal.pp	Mon Mar 30 01:10:51 2009 +0000
@@ -0,0 +1,23 @@
+#
+# serverclass::perlbal
+#
+# Defines functionality for the configuration of the Perlbal machines.
+#
+# Authors:
+#      Mark Smith <mark@dreamwidth.org>
+#
+# Copyright (c) 2009 by Dreamwidth Studios, LLC.
+#
+# This program is free software; you may redistribute it and/or modify it under
+# the same terms as Perl itself.  For a copy of the license, please reference
+# 'perldoc perlartistic' or 'perldoc perlgpl'.
+#
+
+class iptables::dreamwidth::perlbal inherits iptables::dreamwidth {
+    # open up incoming port 80
+    Iptables::Rules["dreamwidth"] { allowed_ports => [ 80 ] }
+}
+
+class serverclass::perlbal inherits serverclass::dreamwidth {
+    include iptables::dreamwidth::perlbal
+}
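Review bot: `iptables::dreamwidth::perlbal` is defined here in `puppet/manifests/serverclass/perlbal.pp`, while the class it inherits from, `iptables::dreamwidth`, lives in the iptables module (`puppet/modules/iptables/manifests/dreamwidth.pp`); keeping the firewall subclass in the module beside its parent, and leaving this file to `serverclass::perlbal` as its header comment describes, would keep the `iptables::*` namespace in one place. The override form `Iptables::Rules["dreamwidth"] { allowed_ports => [ 80 ] }` is the right way for a subclass to adjust the inherited resource; a short comment that `allowed_ports` opens TCP only would make `[ 80 ]` read as "HTTP" rather than "port 80, any protocol".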
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/manifests/site.pp
--- a/puppet/manifests/site.pp	Fri Mar 27 08:27:02 2009 +0000
+++ b/puppet/manifests/site.pp	Mon Mar 30 01:10:51 2009 +0000
@@ -59,8 +59,8 @@ import "serverclass/*"
 #  -OR-
 # node nodename { include serverclass::nonwebserver }
 
-node example {include serverclass::webserver }
-node dh01 {include serverclass::webserver }
+node dfw-lb01 { include serverclass::perlbal }
+node dfw-lb02 { include serverclass::perlbal }
 
 # A special case exists for the node that will run the Puppet master service.
 # This node can be specified as following:
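Review bot: the hunk removes both `serverclass::webserver` nodes (`example` and `dh01`) instead of adding the two Perlbal nodes beside them; if `dh01` is still a managed host it now matches no node definition and will fail to compile a catalog, and the sample `node example` that the comment block just above documents is gone with it. If `dh01` is being retired, say so in the commit message; otherwise keep its line and add `dfw-lb01` / `dfw-lb02` alongside it.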
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/modules/iptables/manifests/dreamwidth.pp
--- a/puppet/modules/iptables/manifests/dreamwidth.pp	Fri Mar 27 08:27:02 2009 +0000
+++ b/puppet/modules/iptables/manifests/dreamwidth.pp	Mon Mar 30 01:10:51 2009 +0000
@@ -4,5 +4,5 @@
 ###############################################################################
 
 class iptables::dreamwidth inherits iptables {
-    iptables::rules { "dreamwidth": ensure => present }
+    iptables::rules { "dreamwidth": ensure => present, allowed_ports => [] }
 }
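Review bot: `allowed_ports => []` restates the default that `define rules` already declares in `init.pp`, so the explicit empty list is redundant as written; if it is there on purpose, to state that the base class opens no public ports and that subclasses are expected to override it via `Iptables::Rules["dreamwidth"]`, a one-line comment saying so would keep the next reader from deleting it as noise.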
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/modules/iptables/manifests/init.pp
--- a/puppet/modules/iptables/manifests/init.pp	Fri Mar 27 08:27:02 2009 +0000
+++ b/puppet/modules/iptables/manifests/init.pp	Mon Mar 30 01:10:51 2009 +0000
@@ -35,7 +35,7 @@ class iptables {
 
     # Load the iptables rules, write the file, and notify the iptables-restore
     # exec to reload the rules
-    define rules ( $ensure = 'present', $content = '' ) {
+    define rules ( $ensure = 'present', $content = '', $allowed_ports = [] ) {
         $real_content = $content ? {
                 '' => template ("iptables/${name}.erb"),
                 default => $content
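Review bot: the new `$allowed_ports` parameter is accepted with no validation, and the template interpolates each entry verbatim into the file that the `iptables-restore` exec loads, so a mistyped entry (a port with a stray character, for instance) will make `iptables-restore` reject the whole rule set rather than just that line. Consider guarding that each element is an integer in 1..65535, or at least documenting that requirement, and extend the comment above the define, which currently says nothing about the new parameter.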
diff -r 2d08d9cbfad3 -r e42af4b542a1 puppet/modules/iptables/templates/dreamwidth.erb
--- a/puppet/modules/iptables/templates/dreamwidth.erb	Fri Mar 27 08:27:02 2009 +0000
+++ b/puppet/modules/iptables/templates/dreamwidth.erb	Mon Mar 30 01:10:51 2009 +0000
@@ -32,6 +32,13 @@
 # Allows all outbound traffic
 -A OUTPUT -j ACCEPT
 
+<% if has_variable?("allowed_ports") && !allowed_ports.empty? -%>
+# Allow inbound traffic on certain public ports
+<% allowed_ports.each do |val| -%>
+-A INPUT --proto tcp --dport <%= val %> -j ACCEPT
+<% end -%>
+
+<% end -%>
 # Reject all other inbound - default deny unless explicitly allowed policy
 -A INPUT -j REJECT
 -A FORWARD -j REJECT
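Review bot: the generated rule `-A INPUT --proto tcp --dport <port> -j ACCEPT` carries no source, interface or state restriction, which is the intended behaviour for a public-facing Perlbal port but means the name `allowed_ports` silently implies "TCP, from anywhere"; a comment in the template (or in the define's documentation) should say so, and UDP services would need a separate parameter. The `has_variable?` guard is a sensible defensive check, but if a caller passes a scalar instead of an array (`allowed_ports => 80`) the `.each` call lands on a String, which iterates lines on Ruby 1.8 and has no `each` at all on 1.9; `[allowed_ports].flatten.each` accepts both forms.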
--------------------------------------------------------------------------------