CDIST-TYPE__IPTABLES_RULE(7)         cdist        CDIST-TYPE__IPTABLES_RULE(7)


NAME

       cdist-type__iptables_rule - Deploy iptables rulesets


DESCRIPTION

       This cdist type allows you to manage iptables rules in a distribution
       independent manner.

       See cdist-type__iptables_apply(7) for the execution order of these
       rules. It is executed automatically so that all rules are applied
       persistently (non-volatile).


REQUIRED PARAMETERS

       rule   The rule to apply. Essentially an iptables command line without
              iptables in front of it.


OPTIONAL PARAMETERS

       state  'present' or 'absent', defaults to 'present'


BOOLEAN PARAMETERS

       All rules without any of these parameters will be treated like --v4
       for backward compatibility.

       v4     Explicitly set it as a rule for IPv4. If --v6 is set, too, it
              will be treated like --all. This is the default if nothing else
              is set.

       v6     Explicitly set it as a rule for IPv6. If --v4 is set, too, it
              will be treated like --all.

       all    Set the rule for both IPv4 and IPv6. It will be saved separately
              from the other rules.

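       The following POSIX sh helper is an added example and is not part of
       cdist or of this manual page. It resolves the address family a rule
       lands in according to the precedence described above (no flag means
       --v4, --v4 together with --v6 means --all), and extracts the chain
       named in a --rule string so a manifest can be reviewed before it is
       applied. The function names rule_family and rule_chain and the sample
       rule strings are constructed for this example.

```shell
#!/bin/sh
# Added example, not cdist code: resolve the address family of an
# __iptables_rule call and pull the chain name out of its --rule string.
# rule_family and rule_chain are hypothetical helper names.

# rule_family FLAGS...: prints v4, v6 or all.
#   no family flag        -> v4  (backward compatibility)
#   --v4 only             -> v4
#   --v6 only             -> v6
#   --v4 --v6, or --all   -> all
rule_family() {
    v4=0; v6=0; all=0
    for flag in "$@"; do
        case "$flag" in
            --v4)  v4=1 ;;
            --v6)  v6=1 ;;
            --all) all=1 ;;
        esac
    done
    if [ "$all" -eq 1 ] || { [ "$v4" -eq 1 ] && [ "$v6" -eq 1 ]; }; then
        echo all
    elif [ "$v6" -eq 1 ]; then
        echo v6
    else
        echo v4
    fi
}

# rule_chain RULE: prints the chain that follows -A/-I/-D/-P, or "none"
# (with a non-zero status) when the rule carries no chain name, which is
# the kind of rule iptables rejects at apply time.
rule_chain() {
    set -- $1            # split the rule string on whitespace
    while [ $# -gt 0 ]; do
        case "$1" in
            -A|-I|-D|-P)
                case "$2" in
                    ""|-*) echo none; return 1 ;;
                    *)     echo "$2"; return 0 ;;
                esac ;;
        esac
        shift
    done
    echo none
    return 1
}

# Constructed sample calls in the form __iptables_rule expects for --rule.
rule_family --v4 --v6                                   # all
rule_family                                             # v4
rule_chain "-A INPUT -p tcp --dport 22 -j ACCEPT"       # INPUT
rule_chain "-P FORWARD DROP"                            # FORWARD
rule_chain "-A -o eth1 -i eth0 -j ACCEPT" \
    || echo "rule has no chain, iptables would reject it"
```

       Run it with sh; the last call shows how a rule that forgot its chain
       name is caught before cdist-type__iptables_apply(7) would hand it to
       iptables.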

EXAMPLES

          # Deploy some policies
          __iptables_rule policy-in  --rule "-P INPUT DROP"
          __iptables_rule policy-out --rule "-P OUTPUT ACCEPT"
          __iptables_rule policy-fwd --rule "-P FORWARD DROP"

          # The usual established rule
          __iptables_rule established --rule "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"

          # Some service rules
          __iptables_rule http  --rule "-A INPUT -p tcp --dport 80 -j ACCEPT"
          __iptables_rule ssh   --rule "-A INPUT -p tcp --dport 22 -j ACCEPT"
          __iptables_rule https --rule "-A INPUT -p tcp --dport 443 -j ACCEPT"

          # Ensure some rules are not present anymore
          __iptables_rule munin --rule "-A INPUT -p tcp --dport 4949 -j ACCEPT" \
              --state absent

          # IPv4-only rule for ICMPv4
          __iptables_rule icmp-v4 --v4 --rule "-A INPUT -p icmp -j ACCEPT"
          # IPv6-only rule for ICMPv6
          __iptables_rule icmp-v6 --v6 --rule "-A INPUT -p icmpv6 -j ACCEPT"

          # Forwarding rules for the dual stack (--v4 --v6 is treated like --all);
          # -i and -o together are only valid in the FORWARD chain
          __iptables_rule fwd-eth0-eth1 --v4 --v6 --rule "-A FORWARD -i eth0 -o eth1 -j ACCEPT"
          __iptables_rule fwd-eth1-eth0 --all --rule "-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT"


SEE ALSO

       cdist-type__iptables_apply(7), iptables(8)


AUTHORS

       Nico Schottelius <nico-cdist--@--schottelius.org>
       Matthias Stecher <matthiasstecher--@--gmx.de>


COPYING

       Copyright (C) 2013 Nico Schottelius. Copyright (C) 2020 Matthias
       Stecher. You can redistribute it and/or modify it under the terms of
       the GNU General Public License as published by the Free Software
       Foundation, either version 3 of the License, or (at your option) any
       later version.

       ungleich GmbH 2021

7.0.0                            Jul 31, 2022     CDIST-TYPE__IPTABLES_RULE(7)