How to configure a firewall on Centos using Vagrant and Chef
One way to set the firewall rules in CentOS is to replace the /etc/sysconfig/iptables entirely by using a template in the recipe.
Say you want to adjust the routing because you are setting up an Apache web server ("apache2") cookbook. Create the file cookbooks/apache2/templates/default/iptables.erb with following content:
# Firewall configuration created and managed by Chef
# Do not edit manually
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Be sure and have a line return after the COMMIT.
Then call the template in your recipe, and afterward restart the iptables service.
#
# Load firewall rules we know works
#
template "/etc/sysconfig/iptables" do
# path "/etc/sysconfig/iptables"
source "iptables.erb"
owner "root"
group "root"
mode 00600
# notifies :restart, resources(:service => "iptables")
end
execute "service iptables restart" do
user "root"
command "service iptables restart"
end
When you run vagrant up, you will see the following output (excerpt).
...
INFO: Processing template[/etc/sysconfig/iptables] action create (bpif_apache2::default line 40)
INFO: template[/etc/sysconfig/iptables] backed up to /var/chef/backup/etc/sysconfig/iptables.chef-20130312055953
INFO: template[/etc/sysconfig/iptables] updated content
INFO: template[/etc/sysconfig/iptables] owner changed to 0
INFO: template[/etc/sysconfig/iptables] group changed to 0
INFO: template[/etc/sysconfig/iptables] mode changed to 600
INFO: Processing execute[service iptables restart] action run (bpif_apache2::default line 49)
INFO: execute[service iptables restart] ran successfully
...
The following links helped me grok and finally solve this problem.
- https://github.com/pdaether/LAMP-CentOS-with-Vagrant/blob/master/files/iptables.txt
- http://infrastructure.fedoraproject.org/csi/security-policy/en-US/html/HostIptables-Standard-Introduction-Prerequisites.html
FWIW, Opscode seems to be to find the firewalls in CentOS a bit of a challenge, too, as per their apache2 cookbook README (Feb 23, 2013):
The easiest but certainly not ideal way to deal with IPtables is to flush all rules. Opscode does provide an iptables cookbook but is migrating from the approach used there to a more robust solution utilizing a general "firewall" LWRP that would have an "iptables" provider. Alternately, you can use ufw, with Opscode's ufw and firewall cookbooks to set up rules. See those cookbooks' READMEs for documentation.
Related videos on Youtube
01 : 48 : 57
15 : 41
23 : 59
02 : 18
07 : 07
Demetrius
Updated on September 18, 2022Comments
-
Demetrius over 1 year
Is there a way to find the date anywhere in a timestamp? For example,
2017-01-31 01:33:30 random text log message x
where the data is in the beginning of the string or:
01:33:30 2017-01-31 random text log message x
where the date is in the middle. How could you parse every string to get the date in java?
-
Chris over 5 years
/[\d]{4}-[\d]{2}-[\d]{2}/g -
BackSlash over 5 years@Chris Java, not javascript. Also, square brackets are not necessary here.
-
-
kumesana over 5 yearsFYI, you could just use group(0) for the whole regex, thus making the parens unnecessary.
-
Demetrius over 5 yearsAwesome, can anyone explain what find does?
-
Jonathan Gagne over 5 yearsHere is a good explanation: stackoverflow.com/questions/4450045/…
-
Chris over 5 yearsRight yeah, was just throwing in a point in the right direction. Hence comment not answer. Appreciate the feedback here, though
