Foreman Automatic IPTables

Foreman Automatic IPTables»

Just as an extra layer of security, Foreman and our Puppetmaster are behind IPTables. We restrict access to them to only known hosts. Up until today, I’ve been maintaining the list of known hosts manually. That’s been a pretty silly process, as we already have a list of all the hosts that would ever be trying to access it. I setup some pretty simple IPTables rules, and a quick PHP script to process them. These details assume you’re using CentOS as the server host, but it should be possible in any OS.

1) In /etc/sysconfig/iptables, create two new chains by adding these two lines after the :OUTPUT line:


:HOSTS - [0:0]
:BUILDHOSTS - [0:0]

2) Modify your existing foreman/puppet firewall rules:

# foreman (only used during initial build)
-A INPUT -m tcp -p tcp --dport 3000 -j BUILDHOSTS -m comment --comment "foreman"
# puppet
-A INPUT -m tcp -p tcp --dport 8140 -j HOSTS -m comment --comment "puppet"

This causes IPTables to jump to the BUILDHOSTS/HOSTS chains when packets for either port are encountered. This simplifies the management of those chains, as we can just flush them and rebuild. We don’t have to worry about finding and removing hosts.

3) Create the script to populate it:

<?php
    $db = mysql_connect();

    exec('/sbin/iptables -F HOSTS');
    exec('/sbin/iptables -F BUILDHOSTS');
    $res = mysql_query('select id, name, ip, build from hosts');
    while ($cur = mysql_fetch_assoc($res))
    {
        exec('/sbin/iptables -A HOSTS -s '.$cur['ip'].' -j ACCEPT -m comment --comment '.escapeshellarg($cur['name']));
        if ($cur['build'] == 1)
        {
            exec('/sbin/iptables -A BUILDHOSTS -s '.$cur['ip'].' -j ACCEPT -m comment --comment '.escapeshellarg($cur['name']));
        }
    }
    exec('/sbin/iptables -A HOSTS -j DROP');
    exec('/sbin/iptables -A BUILDHOSTS -j DROP');
?>

This script needs to run as root (or you can modify it to use sudo). Each time it runs it flushes the two existing tables then regenerates them from the database.

Once this is running as a cron, you don’t have to worry about modifying IPTables anymore. It’s pretty handy, as it removes one extra step that was previously needed to setup new hosts.

About Me
Brian "devicenull" Rak
Sysadmin. Developer.
dn@devicenull.org
Work History

Other Posts:

26 Aug 2015 » RTNETLINK Invalid argument
26 Aug 2015 » BIRD and TCP_MD5SIG Cannot allocate memory
06 Jun 2014 » X8SIL-F IPMI Serial (debug) port
03 Jun 2014 » Reattaching IPMI Memory to a X8SIL-F
28 May 2014 » Removing IPMI Flash Memory from a X8SIL-F
17 Mar 2014 » ASpeed IPMI Firmware
18 Feb 2014 » Fixing SuperMicro IPMI NTP Vulnerability
09 Feb 2014 » SuperMicro IPMI Rebuild Successful
09 Feb 2014 » SuperMicro IPMI Overall Footer
07 Feb 2014 » SuperMicro IPMI Firmware Checksum
05 Feb 2014 » Extracting SuperMicro IPMI Firmware
02 Feb 2014 » SuperMicro IPMI Firmware (X8SIL-F) Analysis
02 Feb 2014 » Running IPMI ARM Binaries on an x86 system
22 Jan 2014 » Programming X9SCL+-F BIOS
29 Dec 2013 » Supermicro VNC IPMI Protocol
25 Nov 2013 » Edgemax and iPXE
14 Nov 2013 » iPXE, wimboot and Windows Server 2012R2
05 Nov 2013 » Writing an abuse response system, some tips
05 Nov 2013 » Lessons learned from a very large server deployment
04 Sep 2013 » Python Netflow v5 Parser
04 Sep 2013 » Network booting with SR-IOV
09 Aug 2013 » The evolution of our Windows installation methods
20 Jun 2013 » Fixing terrible network performance with Virtualbox and VirtIO
09 Jun 2013 » Properly using ARIN's API
09 Jun 2013 » CentOS super-basic IPv6 config
04 Jun 2013 » Configuration Management is wonderful
02 Jun 2013 » Configuring Chromium Autostart (Raspbian)
24 Apr 2013 » RTLSDR SmartNet
17 Mar 2013 » Changing Windows hostnames via the command line
05 Mar 2013 » IPv6 6to4 iptables rules
04 Mar 2013 » iPXE and Dell R210 II
04 Mar 2013 » Foreman Automatic IPTables
27 Feb 2013 » Foreman boot menu
20 Feb 2013 » System Error 1231 Network Location Cannot Be Reached
15 Feb 2013 » glibc 2.7, HLDS, and CentOS 5
13 Feb 2013 » Virtualization
08 Feb 2013 » MySQL server has gone away weirdness
06 Feb 2013 » Increasing NTP Accuracy
04 Feb 2013 » Failure handling in resolv.conf
28 Jan 2013 » Overriding NS records with Unbound
28 Jan 2013 » Matching on relay IP with ISC DHCPD
10 Nov 2012 » PING Transmit Failed. General Failure.
10 Nov 2012 » Fixing Could not open device at /dev/ipmi0 or /dev/ipmi/0 or /dev/ipmidev/0
10 Nov 2012 » Dell c6220 IPMI controller odditites
20 Oct 2012 » Filtering IPMI clients with DHCP
10 Oct 2012 » Expanding ISC DHCPD Options
05 May 2012 » NVidia EDID Issues
22 Jan 2012 » NFS Booting using only the kernel
04 Jan 2012 » PogoPlug Wardriving (Part 3)
03 Jan 2012 » Pogoplug Wardriving (Part 2)
02 Jan 2012 » Pogoplug Wardriving
21 Oct 2011 » Diskless booting in CentOS 6
05 Oct 2011 » Diskless CentOS booting
01 Sep 2011 » The poor state of FPS game servers
27 Jul 2011 » Know your architecture
26 Jul 2011 » Developing with Jekyll
25 Jul 2011 » Adventures in PXE booting part 3
22 Jul 2011 » iPXE scripting for fun and profit
21 Jul 2011 » Adventures in PXE booting part 2
20 Jul 2011 » Adventures in PXE booting