Class shib2idp::iptables
In: /etc/puppet/modules/shib2idp/manifests/classes/iptables.pp
Parent:

Class: shib2idp::iptables

This class configures a software firewall on the Puppet agent machine using iptables. It ensures that the iptables package is installed on the system and then configures a set of rules to filter traffic.

The configuration pushed to each Puppet agent closes all ports except for ICMP traffic, ports 80, 443, 8080 and 8443 (used by Tomcat, and therefore by the IdP, to work properly) and port 22 for ssh. Port 22, in particular, can be configured to be open only to certain networks, specified with the $iptables_enable_network parameter of this class.

Parameters:

iptables_enable_network: The network from which ssh should be accessible. If set to '192.168.0.0/24', for example, the ssh port will be accessible only by hosts with IP addresses ranging from 192.168.0.1 to 192.168.0.254. If not set (or set to ''), the ssh port will be accessible from every network and every host.

Actions:

Requires:

Sample Usage: To use this class to enforce iptables rules on a client machine, specify:

  include shib2idp

  class { 'shib2idp::iptables':
    iptables_enable_network => '192.168.56.0/24',
  }

Resources

Iptables["rule 0: iptables_icmp"]
   proto => "icmp"
   jump => "ACCEPT"
Iptables["rule 1: iptables_established"]
   state => ["ESTABLISHED", "RELATED"]
   jump => "ACCEPT"
Iptables["rule 2: iptables_lo"]
   iniface => "lo"
   jump => "ACCEPT"
Iptables["rule 3: iptables_tomcat"]
   proto => "tcp"
   dport => ["80", "443", "8080", "8443"]
   jump => "ACCEPT"
Iptables["rule 5: iptables_reject_input"]
   chain => "INPUT"
   jump => "REJECT"
   reject => "icmp-host-prohibited"

Reject all other traffic

Iptables["rule 6: iptables_reject_forward"]
   chain => "FORWARD"
   jump => "REJECT"
   reject => "icmp-host-prohibited"

Reject all other traffic

Package["iptables"]
   ensure => installed

Verify the iptables package is installed
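As an added example, not code from the shib2idp module itself, the following POSIX shell script renders the rule set described above as plain iptables commands, including the ssh rule that the class description mentions, restricted with -s to $iptables_enable_network when that parameter is set and left open otherwise. The rule order, the -m multiport rendering of the Tomcat ports and the CIDR check are my own choices; the script only prints the commands so that the resulting policy can be reviewed before it is applied.

```shell
#!/bin/sh
# Accept only a dotted-quad IPv4 network in CIDR form (e.g. 192.168.56.0/24),
# so that an unexpected parameter value cannot turn into a stray argument.
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the iptables commands equivalent to the class's rules.
# Usage: render_rules [network_cidr]   (the argument plays the role of
# $iptables_enable_network; empty means ssh is reachable from everywhere)
render_rules() {
  net="$1"
  ssh_src=""
  if [ -n "$net" ]; then
    if ! valid_cidr "$net"; then
      echo "render_rules: invalid network '$net'" >&2
      return 1
    fi
    ssh_src=" -s $net"
  fi
  # Order matters: the REJECT rules must come after every ACCEPT rule.
  cat <<EOF
iptables -F INPUT
iptables -F FORWARD
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443,8080,8443 -j ACCEPT
iptables -A INPUT -p tcp${ssh_src} --dport 22 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
EOF
}
```

Running `render_rules` with no argument shows the open-ssh variant, which is the state of a host whose iptables_enable_network was never set.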
