Managing firewalls with iptables
As experienced system administrators know, security comes from defense in depth. It's not enough to stick a single firewall in front of your network and hope for the best. Every machine needs to be securely configured so that only the required network ports are accessible, and this means that every machine needs to have its own firewall.
Linux comes with its own industrial-strength, kernel-based packet filtering firewall, iptables. However, it's not particularly user-friendly, as a typical iptables rule looks something like this:
iptables -A INPUT -d 10.0.2.15/32 -p tcp -m tcp --dport 80 -j ACCEPT
It would be nice to be able to express firewall rules in a more symbolic and readable way. Puppet can help, because we can use it to abstract away some of the implementation detail of iptables, and create roles based on the services the machine provides:
firewall::role { 'webserver': }
firewall::role { 'dbserver': }
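As an added illustration (not the book's own code), here is one way such a role abstraction can be built in Puppet 2.x syntax: a role name is mapped to the TCP ports that service needs, and each port becomes an idempotent append of one ACCEPT rule to a rules file. The port-to-role mapping, the rules file path /etc/iptables.rules and the helper name firewall::accept_tcp are all assumptions for this example; loading the file into the kernel is left to whatever mechanism you already use.

```puppet
# Added example, not from the original text. Assumed: the rules file
# is later fed to iptables-restore (or similar), and the role/port
# mapping below matches the services you actually run.

# One ACCEPT rule per TCP port, appended only if not already present,
# so repeated Puppet runs do not duplicate lines in the rules file.
define firewall::accept_tcp($rules_file = '/etc/iptables.rules') {
  $line = "-A INPUT -p tcp -m tcp --dport ${name} -j ACCEPT"
  exec { "firewall-accept-tcp-${name}":
    command => "/bin/echo '${line}' >> '${rules_file}'",
    # '--' stops grep treating the leading '-A' as an option;
    # -F -x require an exact whole-line match.
    unless  => "/bin/grep -Fx -- '${line}' '${rules_file}'",
  }
}

# A role names the service, not the ports: the mapping lives here,
# so a node manifest only has to say what the machine is for.
define firewall::role() {
  case $name {
    'webserver': { $ports = ['80', '443'] }
    'dbserver':  { $ports = ['3306'] }
    default:     { fail("Unknown firewall role: ${name}") }
  }
  # Array title: one firewall::accept_tcp resource per port.
  firewall::accept_tcp { $ports: }
}

firewall::role { 'webserver': }
firewall::role { 'dbserver': }
```

Because each firewall::accept_tcp resource is titled by port number, two roles on the same node that both open the same port would collide as a duplicate declaration; give the shared port its own role, or key the helper by role and port, if you need that.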
Getting ready…
You will need the append_if_no_such_line...