On 02/10/2012 12:24 PM, John Mitchell wrote:
> Hiya,
> 
> Sorry, still learning cfEngine here, and it's being a slow process, but I
> think I'm finally getting the hang of it. However, I am a little stumped by
> one problem.
> 
> I'm trying to set firewall rules based on a certain set of
> circumstances, i.e. if a machine is defined as a webserver then port 80
> should be allowed, and if it is not a member of the webserver group, then
> port 80 should be denied.
> 
> webserver::
>     "/sbin/iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp
> -p tcp --dport 80 -j ACCEPT"
>    
> !webserver::
>     "/sbin/iptables -D RH-Firewall-1-INPUT -m state --state NEW -m tcp
> -p tcp --dport 80 -j ACCEPT"
> 
> 
> However what I also need to do is reload the iptables process
> (iptables-save; iptables-reload) if a new entry is added to the list,
> also I'd prefer not to attempt to add duplicate listings to the
> firewall. I can do an iptables --list to get a list, but I'm not quite
> sure how to set a class on a match in the output of a command. Ideally I'd like to do
> something along the lines of
> 
> classes:
>     "https_port_allowed" => if_line_in_program_output("/sbin/iptables
> --list","^ACCEPT.*state NEW tcp dpt:www")
> 
> But I have no clue how to do this; could someone point me in the
> right direction? I've tried reading all the examples, tutorials and
> documents I can get my hands on, but the learning curve is pretty high,
> so there's a good chance I've missed it :|
> 
> Thanks in advance for any help or direction anyone can give!

What if instead of inserting the rule on the fly you edit the saved
config and then reload iptables? I think the rules are stored in
/etc/sysconfig/iptables. You could do line edits there, then restart
iptables and it should pick up the new rules.


-- 
Nick Anderson <n...@cmdln.org>
_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
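An added CFEngine 3 policy (not from either poster) showing the approach suggested in the reply: edit the saved rules file so the port-80 rule is present only on webservers, then restart iptables only when the file was actually changed. It assumes the 2012 standard library (cfengine_stdlib.cf, providing insert_lines, delete_lines_matching and if_repaired), a RHEL-style /sbin/service, a RH-Firewall-1-INPUT chain, and that the "webserver" class is defined elsewhere in your policy.

```cfengine3
body common control
{
  bundlesequence => { "firewall_http" };
  inputs         => { "cfengine_stdlib.cf" };   # assumed stdlib location
}

bundle agent firewall_http
{
  vars:
    # The rule in iptables-save format, as it appears in the saved config.
    "rule"  string => "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT";
    "saved" string => "/etc/sysconfig/iptables";

  files:
    webserver::
      # insert_lines is idempotent: the line is only added if it is not
      # already present, so no duplicate rules accumulate.
      "$(saved)"
        edit_line => insert_before_commit("$(rule)"),
        classes   => if_repaired("iptables_changed");

    !webserver::
      # delete_lines_matching takes a regex; escape() makes the literal rule safe.
      "$(saved)"
        edit_line => delete_lines_matching(escape("$(rule)")),
        classes   => if_repaired("iptables_changed");

  commands:
    # Files promises run before commands promises in the same agent pass,
    # so the restart happens only when the saved config was just repaired.
    iptables_changed::
      "/sbin/service iptables restart";
}

# Place the rule above the final COMMIT line rather than appending after it.
bundle edit_line insert_before_commit(line)
{
  insert_lines:
    "$(line)"
      location => before_commit;
}

body location before_commit
{
  select_line_matching => "^COMMIT$";
  before_after         => "before";
}
```

Because the restart is gated on if_repaired, a converged host performs no firewall reload on subsequent runs, which is what the question's reload-only-on-new-entry requirement asks for.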