
I have a Puppet master virtual machine that manages almost 20 nodes. I have Nagios installed on one of these nodes, and in order for the Nagios GUI to work I would need to stop iptables on that Nagios box. The problem is that whenever Puppet runs it starts the iptables service back up. I've tried adding a service in the Nagios module's server.pp file like this, which didn't work. It says that the iptables service is already defined and cannot be a duplicate:

service { 'iptables':
  ensure => stopped,
}

Also, I've tried using an exec command

exec { 'open-port-80':
  # puppet agent normally runs as root, so sudo is not needed here (and
  # fails when sudoers sets requiretty); -I INPUT 14 requires that the
  # chain already holds at least 13 rules.
  command => 'iptables -I INPUT 14 -m state --state NEW -p tcp --dport 80 -j ACCEPT',
  path    => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
  # Match the exact INPUT rule rather than any line containing "80"
  # (which would also match port 8080 and break once two lines match).
  unless  => "iptables-save | grep -E -- '^-A INPUT .*-p tcp .*--dport 80 .*-j ACCEPT'",
  notify  => Exec['ip-tables-save'],
}

exec { 'ip-tables-save':
  command     => 'service iptables save',
  path        => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
  # Only save when notified by the rule-adding exec above.
  refreshonly => true,
}

Also tried the code below but had no luck:

if defined('iptables') and defined(Class['iptables']) {
  iptables::add_tcp_stateful_listen { 'nagios-core':
    client_nets => '[nagios node IP address here]/32',
    dports      => '80',
  }
}

Can someone please help me with that?

Thanks in advance

  • "service already defined" means that the iptables service is defined somewhere else in the configuration. I suggest trying to find it in the existing Puppet conf files and then editing it there. :) – Fiisch Mar 27 '15 at 15:21
  • Thanks EEAA, I'm new to Puppet and this is my first project! I have Puppet installed inside the /etc/puppet directory and I'm not sure which file needs to be modified and how. Could you please help me? – Irina Mar 27 '15 at 15:34
  • well, for searching lots of configuration, use something like `grep -ri iptables /etc/puppet/` :) – Fiisch Mar 27 '15 at 15:47
  • 1) There are a bunch of files under the /etc/puppet/modules/iptables/manifests directory: `-rw-r-----. 1 root puppet 2409 Mar 22 2013 add_all_listen.pp`, `-rw-r-----. 1 root puppet 2650 Mar 22 2013 add_icmp_listen.pp`, `-rw-r-----. 1 root puppet 2674 Mar 22 2013 add_rules.pp`, `-rw-r-----. 1 root puppet 2902 Mar 22 2013 add_tcp_stateful_listen.pp`, `-rw-r-----. 1 root puppet 2776 Mar 22 2013 add_udp_listen.pp`, `-rw-r-----. 1 root puppet 5849 Mar 22 2013 init.pp`. I'm guessing we can add a rule in there so that it opens that port for the Nagios GUI – Irina Mar 27 '15 at 16:40
  • Or we might be able to add something like this. This is a format I found; I might be able to use it. I customized it and it didn't work: `iptables::add_tcp_stateful_listen { 'open_ports': client_nets => "0.0.0.0/0", dports => ["$conf_port"], }` And this is the default_all file, /etc/puppet/manifests/nodes/default_all.pp: `if defined (Class['iptables']) { iptables::add_rules { 'default_mcast' : header => 'true', content => '-d 224.0.0.1 -j ACCEPT', order => "11", }` – Irina Mar 27 '15 at 16:41
  • When I run `iptables -L` on the Nagios server I get output that has these lines: `ACCEPT udp -- 192.35.0.0/16 anywhere state NEW multiport dports 8649` and `ACCEPT tcp -- 192.35.0.0/16 anywhere state NEW tcp multiport dports 8649`. I think the info comes from a CSV file here: /etc/puppet/manifests/extdata/simp_def.csv, in which there is a line that reads: `# The client networks that you will be managing.` `client_nets,"192.35.0.0/16"`. And the Nagios server IP is 192.35.31.55 – Irina Mar 27 '15 at 16:41
  • I would probably edit add_tcp_stateful_listen.pp and add: `iptables::add_tcp_stateful_listen { 'open_ports': client_nets => "0.0.0.0/0", dports => ["80"], }`. I don't have Puppet installed to try it, but that should do the trick. – Fiisch Mar 28 '15 at 07:09

1 Answer

Instead of turning off iptables completely, I'd recommend using the Puppetlabs firewall module to manage the firewall/iptables rules:

$ puppet module install puppetlabs-firewall

Then you can write some Puppet such as this:

firewall { '100 Allow http and https access':
  # dport matches the destination port only. The older 'port' parameter
  # matches source OR destination, so a client sending from source port 80
  # would also be let in by such a rule.
  dport  => [80, 443],
  proto  => 'tcp',
  # Newer releases of the module renamed 'action' to 'jump'.
  action => 'accept',
  # To avoid opening 80/443 to the world, restrict the rule with e.g.
  # source => '192.35.0.0/16' (the client_nets value from the comments).
}