Resource Type: iptables_rule

Defined in:
lib/puppet/type/iptables_rule.rb
Providers:
manage

Overview

Authoritatively manage iptables rules. This type is atomic: either all rules are applied successfully, or the old rules are preserved.

Properties

  • content

    The content of the rule that should be added

    Supported values:
    • /\w+/

Parameters

  • absolute (defaults to: false)

    Set to ‘true’ if you want the rule to be the absolute first or last. This is relative: if several rules are marked as absolute first or last, they are placed in alphabetical order among themselves.

    Supported values:
    • true
    • false
  • apply_to (defaults to: auto)

    Which version(s) of iptables this rule should be applied to. If set to ‘auto’ (the default), the type tries to guess what you want and defaults to [‘ipv4’,‘ipv6’].

    If ‘auto’ is set then each line will be evaluated as an independent rule.

    • Any rules that have IPv4 addresses will be applied to iptables.

    • Any rules that have IPv6 addresses will be applied to ip6tables.

    • All other rules will be applied to both utilities.

    • If in doubt, split your rules and specify your tables!

    Supported values:
    • ipv4
    • ipv6
    • all
    • auto
  • comment (defaults to: '')

    A comment to add to the rule.

    The value of $comment_header will be prepended.

    Empty comments (no content and no header) will be discarded.

    Content will be truncated at 255 characters, including the header.

  • comment_header (defaults to: SIMP:)

    A header to prepend to all comments for easy visual rule tracking.

  • first (defaults to: false)

    Set to ‘true’ if you want to prepend your rule.

    Supported values:
    • true
    • false
  • header (defaults to: true)

    Whether or not to auto-include the table LOCAL-INPUT in the rule.

    Supported values:
    • true
    • false
  • include_comment (defaults to: true)

    Whether or not to include the value of the $comment parameter in the rule.

    Supported values:
    • true
    • false
    • yes
    • no
  • name (namevar)

    The name of the rule. Simply used for creating the unique fragments.

  • order (defaults to: 11)

    The order in which the rule should appear. 1 is the minimum and 999 is the max.

    Supported values:
    • /\d+/
  • provider

    The specific backend to use for this ‘iptables_rule’ resource. You will seldom need to specify this; Puppet will usually discover the appropriate provider for your platform.

  • resolve (defaults to: true)

    Whether or not to use DNS resolution to identify hostnames in IPTables statements.

    This should probably be left at :true. Hostnames in rules are a rare scenario, and should you use one, resolution is what lets the rule be placed correctly in either iptables or ip6tables.

    With this enabled, the IP address that is resolved will be added to IPTables and not the hostname itself.

    Supported values:
    • true
    • false
  • table (defaults to: filter)

    The name of the table that you are adding to.
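
The following manifest is an added example, not part of the type's own documentation, showing how the parameters above combine. It assumes that with header => true the content is prefixed with the LOCAL-INPUT chain, so content omits it, and all addresses, ports and comments are constructed for illustration.

```puppet
# Added example (not from the iptables_rule docs). Addresses, ports and
# comments below are constructed values for illustration only.

# apply_to defaults to 'auto': an IPv4 source address sends this line to
# iptables only. header => true (default) is assumed to prepend LOCAL-INPUT,
# so the chain is omitted from content.
iptables_rule { 'allow_ssh_from_mgmt_v4':
  content => '-s 10.0.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT',
  order   => 5,
  comment => 'SSH from the management subnet',  # rendered as "SIMP: SSH ..."
}

# An IPv6 source address goes to ip6tables only under 'auto'.
iptables_rule { 'allow_ssh_from_mgmt_v6':
  content => '-s 2001:db8:10::/64 -p tcp -m tcp --dport 22 -j ACCEPT',
  order   => 5,
  comment => 'SSH from the management subnet (v6)',
}

# Address-free content would go to both utilities under 'auto'; apply_to is
# set explicitly so the intent does not depend on guessing. first/absolute
# keep this rule ahead of every other rule, including other first => true ones.
iptables_rule { 'allow_established':
  content  => '-m state --state ESTABLISHED,RELATED -j ACCEPT',
  apply_to => 'all',
  first    => true,
  absolute => true,
}

# Multi-line content: under 'auto' each line is evaluated as its own rule,
# so the IPv4 line lands in iptables and the IPv6 line in ip6tables.
iptables_rule { 'monitoring_hosts':
  content => join([
    '-s 192.0.2.10 -p tcp -m tcp --dport 9100 -j ACCEPT',
    '-s 2001:db8::10 -p tcp -m tcp --dport 9100 -j ACCEPT',
  ], "\n"),
  comment => 'Node exporter scrapes from the monitoring hosts',
}

# header => false: the chain is supplied in content because this rule does
# not belong in LOCAL-INPUT. A high order places it near the end, and
# include_comment => false drops the comment entirely.
iptables_rule { 'log_dropped_forward':
  content         => '-A FORWARD -j LOG --log-prefix "FORWARD DROP: "',
  header          => false,
  apply_to        => 'all',
  order           => 900,
  include_comment => false,
}
```

Because the type is atomic, a typo in any one of these rules causes the whole set to be rejected and the previously loaded rules to remain in place.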