{"id":22700204,"url":"https://github.com/simp/pupmod-simp-iptables","last_synced_at":"2025-08-22T11:06:30.463Z","repository":{"id":32298689,"uuid":"35873649","full_name":"simp/pupmod-simp-iptables","owner":"simp","description":"The SIMP iptables Puppet Module","archived":false,"fork":false,"pushed_at":"2024-09-16T16:07:01.000Z","size":632,"stargazers_count":3,"open_issues_count":4,"forks_count":21,"subscribers_count":17,"default_branch":"master","last_synced_at":"2025-04-13T05:53:32.270Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/simp.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-05-19T09:49:35.000Z","updated_at":"2024-09-16T16:07:05.000Z","dependencies_parsed_at":"2022-07-25T18:22:25.590Z","dependency_job_id":"b7d48f1c-0a14-4e0c-963a-84ce896c2704","html_url":"https://github.com/simp/pupmod-simp-iptables","commit_stats":{"total_commits":100,"total_committers":21,"mean_commits":4.761904761904762,"dds":0.6699999999999999,"last_synced_commit":"828cb2b76aafd3dfd64ae8cf37dabca7fb4532ac"},"previous_names":[],"tags_count":35,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simp%2Fpupmod-simp-iptables","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simp%2Fpupmod-simp-iptables/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/simp%2Fpupmod-simp-iptables/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/repositories/simp%2Fpupmod-simp-iptables/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/simp","download_url":"https://codeload.github.com/simp/pupmod-simp-iptables/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248670502,"owners_count":21142901,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-10T06:10:28.715Z","updated_at":"2025-04-13T05:53:38.365Z","avatar_url":"https://github.com/simp.png","language":"Ruby","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![License](https://img.shields.io/:license-apache-blue.svg)](http://www.apache.org/licenses/LICENSE-2.0.html)\n[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/73/badge)](https://bestpractices.coreinfrastructure.org/projects/73)\n[![Puppet Forge](https://img.shields.io/puppetforge/v/simp/iptables.svg)](https://forge.puppetlabs.com/simp/iptables)\n[![Puppet Forge Downloads](https://img.shields.io/puppetforge/dt/simp/iptables.svg)](https://forge.puppetlabs.com/simp/iptables)\n[![Build Status](https://travis-ci.org/simp/pupmod-simp-iptables.svg)](https://travis-ci.org/simp/pupmod-simp-iptables)\n\n#### Table of Contents\n\n\u003c!-- vim-markdown-toc GFM --\u003e\n\n* [Overview](#overview)\n* [This is a SIMP module](#this-is-a-simp-module)\n* [Module Description](#module-description)\n* [Setup](#setup)\n  * [What iptables affects](#what-iptables-affects)\n  * [Beginning with iptables](#beginning-with-iptables)\n    * [I want a basic secure iptables 
setup](#i-want-a-basic-secure-iptables-setup)\n* [Usage](#usage)\n    * [I want to open a specific port or allow access](#i-want-to-open-a-specific-port-or-allow-access)\n    * [This module doesn't cover my specific iptables rule](#this-module-doesnt-cover-my-specific-iptables-rule)\n  * [Firewalld Mode](#firewalld-mode)\n    * [Enabling Firewalld Mode](#enabling-firewalld-mode)\n* [Reference](#reference)\n* [Limitations](#limitations)\n* [Development](#development)\n  * [Acceptance tests](#acceptance-tests)\n\n\u003c!-- vim-markdown-toc --\u003e\n\n## Overview\n\nThis module provides native types for managing the system IPTables and\nIP6Tables as well as convenience defines and general system configuration\ncapabilities.\n\nThe ability to use this module to automatically shim through to firewalld is\noptionally supported for legacy systems and modules that are working on\nmigrating to firewalld support.\n\n## This is a SIMP module\n\nThis module is a component of the [System Integrity Management Platform](https://simp-project.com),\na compliance-management framework built on Puppet.\n\nMost SIMP modules actively take advantage of this module when used within the\nSIMP ecosystem.\n\n## Module Description\n\nThe ``iptables`` module manages all IPTables and IP6Tables rules in an atomic\nfashion. 
All rules are applied only once per puppet agent run during the\napplication of the last executed ``iptables`` resource.\n\nApplying the rules in this manner avoids situations where you have a\npartially applied IPTables rule set because the puppet run failed part way\nthrough (someone hits ^C, your system runs out of memory, etc...).\n\nThe module also takes additional safety measures to attempt to keep your\nfirewall rules in a consistent state over time, including:\n\n* Rolling back to the last configuration if the application of the new configuration fails\n* Rolling back to an 'ssh-only' mode if application of all configurations fails\n\nThe goal is to remain in a state where you can be sure that your system is\ntightly restricted but also able to be recovered.\n\n
Finally, the module works to ensure that services such as OpenStack, Docker,\nVirtualBox, etc... can apply their rules without being affected by this module.\nThe module provides mechanisms to preserve the rules managed by such external\nsystems, selected by regular expression matches.\n\n## Setup\n\n### What iptables affects\n\nThe module manages the ``iptables`` package, service, and rules.\n\nOn systems containing the ``firewalld`` service, it is ensured to be stopped\nunless ``iptables::use_firewalld`` is set to ``true``.\n\n### Beginning with iptables\n\n#### I want a basic secure iptables setup\n\nA basic setup with iptables will allow the following:\n\n* ICMP echo requests (ping)\n* Loopback\n* SSH\n* Established and Related traffic (Return Traffic)\n\n```puppet\n# Set up iptables with the default settings\n\ninclude 'iptables'\n```\n\nOutput (to `/etc/sysconfig/iptables`)\n\n```bash\n*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n:LOCAL-INPUT - [0:0]\n-A INPUT -j LOCAL-INPUT\n-A FORWARD -j LOCAL-INPUT\n-A LOCAL-INPUT -p icmp --icmp-type 8 -j ACCEPT\n-A LOCAL-INPUT -i lo -j ACCEPT\n-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\n-A LOCAL-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n-A LOCAL-INPUT -j LOG --log-prefix \"IPT:\"\n-A LOCAL-INPUT -j DROP\nCOMMIT\n```\n\n
## Usage\n\n#### I want to open a specific port or allow access\n\nThe `iptables` module has a set of defined types for adding in new firewall\nrules.\n\n```puppet\n# Open TCP port 443 (HTTPS) and a custom 8443 from any IP address\n\niptables::listen::tcp_stateful { 'webserver':\n  trusted_nets =\u003e ['any'],\n  dports       =\u003e [ 443 , 8443 ]\n}\n\n# Open UDP port 53 (DNS) from two specific IP addresses\n\niptables::listen::udp { 'DNS':\n  trusted_nets =\u003e ['192.168.56.55','192.168.56.147'],\n  dports       =\u003e [ 53 ]\n}\n\n# Allow a specific machine full access to this node\n\niptables::listen::all { 'Central Management':\n  trusted_nets =\u003e ['10.10.35.100'],\n}\n\n# Allow a range of ports to be accessible from a specific IP\n\niptables::listen::tcp_stateful { 'myapp':\n  trusted_nets =\u003e ['10.10.45.100'],\n  dports       =\u003e ['1024:60000']\n}\n```\n\n#### This module doesn't cover my specific iptables rule\n\nIf you need a rule not covered by the module, you can use the\n``iptables::rule`` type to place the exact rule into ``/etc/sysconfig/iptables``.\n\n```puppet\n# Insert a custom rule into IPtables\n\niptables::rule { 'example':\n  content =\u003e '-A LOCAL-INPUT -m state --state NEW -m tcp -p tcp\\\n  -s 1.2.3.4 --dport 1024:65535 -j ACCEPT'\n}\n```\n\n
### Firewalld Mode\n\nThis module has preliminary support for acting as a pass-through to various\n``firewalld`` capabilities using the ``simp/simp_firewalld`` module.\n\nUsing any of the ``iptables::listen::*`` defined types will work seamlessly in\n``firewalld`` mode, but direct calls to ``iptables::rule`` will emit a warning\nletting the user know that they must switch over to ``simp_firewalld::rule``.\n\nAdditionally, calls to any of the native types included in this module will\nresult in undefined behavior in ``firewalld`` mode and are not advised.\n\n#### Enabling Firewalld Mode\n\nTo enable ``firewalld`` mode on supported operating systems, simply set\n``iptables::use_firewalld`` to ``true`` via Hiera.\n\n**NOTE: EL 8 systems enable ``firewalld`` mode by default.**\n\n## Reference\n\nSee [REFERENCE.md](./REFERENCE.md)\n\n## Limitations\n\n* IPv6 support has not been fully tested; use with caution.\n* ``firewalld`` must be disabled if using ``iptables``. The module will disable\n  ``firewalld`` if it is present and the module is not in ``firewalld``\n  compatibility mode.\n* This module is intended to be used on a Red Hat Enterprise Linux-compatible\n  distribution such as EL6 and EL7. However, any distribution that uses the\n  ``/etc/sysconfig/iptables`` configuration should function properly (let us\n  know!).\n\n
## Development\n\nPlease read our [Contribution Guide](https://simp.readthedocs.io/en/stable/contributors_guide/index.html).\n\n### Acceptance tests\n\nTo run the system tests, you need [Vagrant](https://www.vagrantup.com/)\ninstalled. Then, run:\n\n```shell\nbundle exec rake beaker:suites\n```\n\nSome environment variables may be useful:\n\n```shell\nBEAKER_debug=true\nBEAKER_provision=no\nBEAKER_destroy=no\nBEAKER_use_fixtures_dir_for_modules=yes\n```\n\n* `BEAKER_debug`: show the commands being run on the system under test (STU) and their output.\n* `BEAKER_destroy=no`: prevent the machines from being destroyed after the tests finish\n  so you can inspect their state.\n* `BEAKER_provision=no`: prevent the machine from being recreated. This can\n  save a lot of time while you're writing the tests.\n* `BEAKER_use_fixtures_dir_for_modules=yes`: cause all module dependencies to\n  be loaded from the `spec/fixtures/modules` directory, based on the contents\n  of `.fixtures.yml`.  The contents of this directory are usually populated by\n  `bundle exec rake spec_prep`.  This can be used to run acceptance tests\n  on isolated networks.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimp%2Fpupmod-simp-iptables","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsimp%2Fpupmod-simp-iptables","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsimp%2Fpupmod-simp-iptables/lists"}
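The "apply atomically, roll back to the previous ruleset on failure, fall back to ssh-only if that also fails" behaviour and the regex-based preservation of externally managed rules that the README's Module Description section describes, as an added example that is not code from pupmod-simp-iptables: a POSIX sh script built on `iptables-save` and `iptables-restore --test`. The `IPTABLES_SAVE`/`IPTABLES_RESTORE` overrides, the ssh-only fallback ruleset, the one-extended-regex-per-line pattern file, and the choice to put preserved rules ahead of the managed ones are assumptions of this example, not the module's own behaviour.

```shell
#!/bin/sh
# Added example, not code from the SIMP iptables module. Assumptions for
# illustration: the commands come from IPTABLES_SAVE / IPTABLES_RESTORE so
# wrappers can be substituted; the ssh-only ruleset, the pattern file format
# and the placement of preserved rules are this example's own choices.
set -u
: "${IPTABLES_SAVE:=iptables-save}"
: "${IPTABLES_RESTORE:=iptables-restore}"

# Last-resort ruleset: loopback, return traffic and SSH only; everything else dropped.
ssh_only_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# merge_ruleset MANAGED PATTERNS
# Print MANAGED (an iptables-save style filter table) with every line of the
# live ruleset that matches an extended regex in PATTERNS (one per line) kept.
# Preserved chain declarations go after the managed ones; preserved rules go
# before the first managed rule, so an external jump such as Docker's
# "-A FORWARD -j DOCKER-USER" is evaluated before the managed catch-all chain.
merge_ruleset() {
  managed=$1 patterns=$2
  keep=$(mktemp)
  "$IPTABLES_SAVE" | grep -E -f "$patterns" > "$keep" || true
  awk -v keepfile="$keep" '
    BEGIN {
      while ((getline l < keepfile) > 0) {
        if (l ~ /^:/)       chains = chains l "\n"
        else if (l ~ /^-A/) rules  = rules  l "\n"
      }
    }
    /^:/ { print; next }
    (/^-A/ || /^COMMIT/) && !done { printf "%s%s", chains, rules; done = 1 }
    { print }
  ' "$managed"
  rm -f "$keep"
}

# apply_with_rollback CANDIDATE
# Save the live ruleset, then load CANDIDATE only if iptables-restore --test
# accepts it. If that fails, reload the saved ruleset; if that fails too,
# load the ssh-only ruleset. Prints what ended up loaded; exit status is
# 0 candidate, 1 previous, 2 ssh-only, 3 nothing could be loaded.
apply_with_rollback() {
  candidate=$1
  backup=$(mktemp)
  "$IPTABLES_SAVE" > "$backup"
  if "$IPTABLES_RESTORE" --test "$candidate" && "$IPTABLES_RESTORE" "$candidate"; then
    rm -f "$backup"; echo candidate; return 0
  fi
  if "$IPTABLES_RESTORE" "$backup"; then
    rm -f "$backup"; echo previous; return 1
  fi
  rm -f "$backup"
  if ssh_only_ruleset | "$IPTABLES_RESTORE"; then
    echo ssh-only; return 2
  fi
  echo none; return 3
}

# Usage (as root, with iptables installed):
#   sh apply.sh /etc/sysconfig/iptables.new /etc/iptables-preserve.regex
if [ $# -eq 2 ]; then
  merged=$(mktemp)
  merge_ruleset "$1" "$2" > "$merged"
  apply_with_rollback "$merged"; rc=$?
  rm -f "$merged"
  exit "$rc"
fi
```

Run with a candidate ruleset file and a pattern file; the exit status tells you which of the three outcomes you got, so a Puppet exec or a cron wrapper can fail loudly on anything but 0. Preserved rules are spliced in by text position only, so regexes should match exactly the chains and jumps the external system owns (for Docker: `^:DOCKER`, `^-A DOCKER`, `^-A FORWARD -j DOCKER`), or a stray match will be promoted ahead of your managed rules.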