Tuesday, July 16, 2013

Puppet module to manage iptables?

I am looking for feedback on creating a module to manage iptables files on various Linux distributions with Puppet.

I have a base design setup and working at: https://github.com/duxklr/iptables

The basics of the system so far are to:
  1. Use file templates to create a base iptables configuration that automatically gets pushed to all systems. This will contain the most basic rules that all servers should have.
  2. Use an array to store additional host-specific rules that will get processed by the template file.
    1. I selected a template/array style because our systems are all very one-off specific. There is no good "grouping", service, module, etc. way to categorize them.

In the Git repository above:

You will find the .../templates/iptables-common-v4.erb, which is the base file that all the iptables rules are built from.

In the .../manifests directory you will find an init.pp, which is the heavy lifter in this case. You will also find a file, servers.pp. This is the file that contains the host-specific rules.

The question I propose: is there a better way to manage the host-specific rules?

I have looked into concat, but I don't see an elegant way to manage the very host-specific rules that we have using this module. If we had large numbers of servers that all performed a similar function, I can see this working very nicely.

I have looked at all the other iptables modules in Puppet Forge, and none of them meet my individual needs.
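To make the "base template plus per-host array" design concrete, here is an added example in plain Ruby ERB. It is not code from the duxklr/iptables module: the base rule set, the `host_rules` variable name, and the `rule_errors`/`ruleset_sane?` helpers are all assumptions made for illustration. It also shows the check a practitioner would want around this design: every element of the host-specific array is spliced verbatim into the file that iptables-restore will load, so a stray newline or a chain-level command (`-P`, `-F`, ...) in one array entry can silently change the default policy for the whole host. The helper rejects such entries before rendering. In Puppet the template would read the array from the class scope (for example `@host_rules`); in stand-alone Ruby it is passed in with `result_with_hash`.

```ruby
require 'erb'

# Base template, modelled on the design in the post (assumed content, not the
# module's own templates/iptables-common-v4.erb). Base rules come first, the
# host-specific array is expanded in the middle, and the catch-all LOG rule
# plus COMMIT close the file.
BASE_TEMPLATE = <<~'ERB'
  # Managed by Puppet - local edits will be overwritten
  *filter
  :INPUT DROP [0:0]
  :FORWARD DROP [0:0]
  :OUTPUT ACCEPT [0:0]
  -A INPUT -i lo -j ACCEPT
  -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  -A INPUT -m conntrack --ctstate INVALID -j DROP
  -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  -A INPUT -p tcp --dport 22 -j ACCEPT
  <%- host_rules.each do |rule| -%>
  -A INPUT <%= rule %>
  <%- end -%>
  -A INPUT -j LOG --log-prefix "iptables-dropped: "
  COMMIT
ERB

# Characters that ordinary iptables match/target text is made of. Newlines and
# quotes are deliberately excluded so one array entry cannot become two lines.
RULE_CHARS = %r{\A[\w .,:/!-]+\z}
# Chain-level commands that must never appear inside a host rule; the template
# already supplies the "-A INPUT" prefix.
CHAIN_CMDS = %w[-A -I -D -R -P -F -X -N -E -Z -L -S].freeze

# Returns a list of problems with one host-specific rule (empty if it is fine).
def rule_errors(rule)
  errs = []
  errs << 'contains characters outside the allowed set' unless rule.match?(RULE_CHARS)
  tokens = rule.split(' ')
  bad = tokens & CHAIN_CMDS
  errs << "chain command(s) not allowed in a host rule: #{bad.join(' ')}" unless bad.empty?
  errs << 'rule has no target (-j)' unless tokens.include?('-j')
  errs
end

# Renders the full iptables-restore file, refusing any host rule that fails
# validation (assumed helper; the post's module has no equivalent).
def render_iptables(host_rules)
  bad = host_rules.map { |r| [r, rule_errors(r)] }.reject { |_, e| e.empty? }
  unless bad.empty?
    raise ArgumentError, bad.map { |r, e| "#{r.inspect}: #{e.join('; ')}" }.join("\n")
  end
  ERB.new(BASE_TEMPLATE, trim_mode: '-').result_with_hash(host_rules: host_rules)
end

# Post-render sanity check before the file would be handed to iptables-restore:
# exactly one INPUT policy line and it is still DROP, the host rules landed before
# the catch-all LOG rule, and the table is terminated by COMMIT.
def ruleset_sane?(text)
  lines = text.lines.map(&:chomp)
  log_at = lines.index { |l| l.include?('-j LOG') }
  last_accept = lines.rindex { |l| l.include?('-j ACCEPT') }
  return false if log_at.nil? || last_accept.nil?

  lines.count { |l| l.start_with?(':INPUT ') } == 1 &&
    lines.include?(':INPUT DROP [0:0]') &&
    lines.include?(':FORWARD DROP [0:0]') &&
    last_accept < log_at &&
    lines.last == 'COMMIT'
end

if __FILE__ == $PROGRAM_NAME
  # Constructed per-host array, the kind of entry servers.pp would hold for one web host.
  web01 = ['-p tcp --dport 80 -j ACCEPT', '-p tcp --dport 443 -j ACCEPT']
  puts render_iptables(web01)

  # An entry that smuggles a policy change in through the template is rejected.
  begin
    render_iptables(["-p tcp --dport 80 -j ACCEPT\n-P INPUT ACCEPT"])
  rescue ArgumentError => e
    warn "rejected: #{e.message}"
  end
end
```

Run it with `ruby iptables_render.rb > /tmp/iptables.v4` and feed the result to `iptables-restore --test` (on distributions that support `--test`) before letting Puppet push it; the validation step is cheap and catches the class of mistake that a free-form array cannot express on its own.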
