chef-cookbooks / iptables

Development repository for Chef Cookbook iptables

Home Page:https://supermarket.chef.io/cookbooks/iptables

Rule Order - am I missing something?

supergicko opened this issue · comments

Cookbook version

4.2.0

Chef-client version

13.0.118

Platform Details

CentOS 6.8, 7.3

Scenario:

I do not fully understand how the cookbook assembles the final order of the iptables rules applied with iptables_rule. Background: I want to define the order, e.g. when talking about performance. So if I am missing something in the explanation or my expectation, please let me know.

I'm defining rules in templates, e.g. I have templates for

  • drop_default
  • http
  • https
  • keep_established
  • drop_invalid
  • ssh
  • icmp
  • loopback

So far so good. Then I have an attribute where users can select which rules they want to apply; let's call it

default['firewall']['rules'] = %w(drop_default loopback drop_invalid keep_established icmp ssh)

In the cookbook, I iterate over the rules and enable each of them.

Expected Result:

The iptables -S command shows the rules in the defined order of the attributes

-P INPUT DROP # drop_default template
-P FORWARD DROP # drop_default template
-P OUTPUT ACCEPT # drop_default template
-A INPUT -i lo -j ACCEPT # loopback template
-A INPUT -m conntrack --ctstate INVALID -j DROP # drop_invalid template
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # keep_established template
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT # icmp template
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT # ssh template

Actual Result:

iptables -S does not show the rules in the defined order

-P INPUT DROP # drop_default template
-P FORWARD DROP # drop_default template
-P OUTPUT ACCEPT # drop_default template
-A INPUT -m conntrack --ctstate INVALID -j DROP # drop_invalid template
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT # icmp template
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # keep_established template
-A INPUT -i lo -j ACCEPT # loopback template
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT # ssh template

The order of loading of the rules is actually determined by iptables. The rules are loaded alphabetically by filename, so regardless of the order of default['firewall']['rules'], the final result by iptables when loading would be (in this case)

drop_default
drop_invalid
http
https
icmp
keep_established
loopback
ssh

A workaround in your specific case would be to number your rules (i.e. prefix them with 01_, 02_, etc.), but this obviously breaks down if multiple cookbooks are adding rules.
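The behaviour described in this reply, modelled as an added example that is not part of the cookbook or this thread: one fragment per rule name is loaded in filename order, the numeric-prefix workaround restores the attribute order, and a first-match walk of the INPUT chain shows how many rules a packet traverses under each order. The rule fragments and packets are constructed stand-ins.

```ruby
# Constructed stand-ins for the rule templates in the thread. Each entry
# returns a verdict when the rule matches the packet, or nil when it does not.
RULES = {
  'loopback'         => ->(p) { :accept if p[:iface] == 'lo' },
  'drop_invalid'     => ->(p) { :drop   if p[:state] == 'INVALID' },
  'keep_established' => ->(p) { :accept if %w[RELATED ESTABLISHED].include?(p[:state]) },
  'icmp'             => ->(p) { :accept if p[:proto] == 'icmp' },
  'ssh'              => ->(p) { :accept if p[:proto] == 'tcp' && p[:dport] == 22 }
}.freeze

# The order the attribute expresses (drop_default only sets policies, so it
# is modelled as the fall-through DROP at the end of the chain).
DESIRED = %w[loopback drop_invalid keep_established icmp ssh].freeze

# One file per rule, loaded sorted by filename: the attribute order is lost.
def load_order(names)
  names.sort
end

# Workaround from the thread: a two-digit prefix makes the filename sort
# reproduce the attribute order.
def prefixed(names)
  names.each_with_index.map { |n, i| format('%02d_%s', i + 1, n) }
end

# Strip a workaround prefix to get back the template name.
def template_name(filename)
  filename.sub(/\A\d+_/, '')
end

# Walk the chain first-match and return [verdict, rules_evaluated].
# With no match the INPUT policy (DROP) applies after every rule was checked.
def evaluate(order, packet)
  order.each_with_index do |name, i|
    verdict = RULES.fetch(template_name(name)).call(packet)
    return [verdict, i + 1] if verdict
  end
  [:drop, order.size]
end
```

A loopback packet hits the fourth rule in alphabetical order but the first rule once the names are prefixed; an established packet is accepted at position three either way, so the prefix only changes cost where the alphabetical order had pushed a frequently matched rule down the chain.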

Thanks @slillibri for the clarification. Closing issue.