Managing iptables using puppet


The PuppetLabs firewall module is awesome. I implemented it in one of our vCloud Director environments. I had also implemented it in a previous company, but I totally messed up the implementation until I did it again in the vCloud Director environment. Now I completely see how you should do it, and you should.

The basic crux of it is that you should install the PuppetLabs module and have a pre and a post firewall class; pre should look like this:

class fw::pre {
  # Resource default: clear any site-wide 'require' default so these
  # rules carry no dependencies and are always the first ones applied
  Firewall {
    require => undef,
  }

  # Default firewall rules
  firewall { '000 accept all icmp':
    proto  => 'icmp',
    action => 'accept',
  }
  firewall { '001 accept all to lo interface':
    proto   => 'all',
    iniface => 'lo',
    action  => 'accept',
  }
  firewall { '002 accept related established rules':
    proto  => 'all',
    state  => ['RELATED', 'ESTABLISHED'],
    action => 'accept',
  }
  firewall { '003 ssh 22':
    port   => '22',
    proto  => 'tcp',
    action => 'accept',
  }
}

... and post should look like this:

class fw::post {
  firewall { '999 drop all':
    proto  => 'all',
    action => 'drop',
    # clear any site-wide 'before' default so this catch-all rule is always last
    before => undef,
  }
}

What this does is set your default rules, so that you can apply the pre and post firewall classes in your site.pp, or another manifest file, as follows:

# class names must match the fw::pre and fw::post classes defined above
class { ['fw::pre', 'fw::post']: }

Now here is the clever bit. When you create, say, an apache module, you assign the applicable iptables firewall rules inside that module, so they are applied whenever the apache module is installed. For example:

class apache {
  # rules specific to this service live with the service that needs them
  firewall { '100 allow http and https access':
    port   => [80, 443],
    proto  => 'tcp',
    action => 'accept',
  }
}

What this does is apply, by default, all the rules in fw::pre and fw::post plus any specific rules contained within the module. Notice I have used rule number 100 for the apache firewall config. This means the iptables rules for apache are ordered between the pre (000 to 003) and post (999) rules. Perfect! Never have to administer the firewall again 🙂
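A fuller site.pp, as an added example that is not from the post, showing the two settings a practitioner would want alongside the class declarations: purging of rules Puppet does not manage, and ordering defaults so every module rule is inserted after the pre rules and before the drop-all rule during a run (this assumes the fw::pre, fw::post and apache classes above; the node name is a placeholder):

```puppet
# site.pp (added example; assumes the fw::pre / fw::post / apache classes)

# Remove any iptables rule Puppet does not manage, so a rule added by hand
# (or by an intruder) does not silently survive the next Puppet run.
resources { 'firewall':
  purge => true,
}

# Apply-order defaults for every firewall resource in the catalog:
# the accept rules from fw::pre are inserted first and the '999 drop all'
# rule from fw::post last, so a run never inserts the drop rule before the
# SSH / ESTABLISHED accept rules exist and locks you out mid-run.
# fw::pre and fw::post reset these with 'undef' to avoid a dependency cycle.
Firewall {
  before  => Class['fw::post'],
  require => Class['fw::pre'],
}

class { ['fw::pre', 'fw::post']: }

# Manage the iptables package and service (rule persistence across reboots).
class { 'firewall': }

# Service rules come from the service's own module.
node 'web.example.com' {   # placeholder node name
  include apache
}
```

After a run, `iptables -S INPUT` should show only the 000-003 rules, the 100 rule and 999, each tagged with its name in the `-m comment --comment` field; anything else means an unmanaged rule slipped in.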

For further info, read up on the PuppetLabs firewall module (that's what I should have done in the first place).
