iptables #0

Supports: bionic xenial trusty

Description

This charm is designed to manage iptables rules


Overview

The charm manages the iptables ruleset (INPUT chain) on the server it is deployed to.

Usage

This charm is a subordinate charm. This means it must be attached to another application: it has no machines of its own and runs on the units of the application it is related to.

juju deploy iptables
juju add-relation iptables <yourapp>

Scale out Usage

Scale the application this charm is subordinate to; a unit of the iptables charm is placed on each new unit of that application.

Configuration

Make sure you allow access from your control nodes if you need SSH access for debugging. By default the charm autodetects the control node IP addresses and allows SSH from all of them.

The 'enforce' setting sets the INPUT chain policy, i.e. the fate of packets no rule matched: DROP when enforce is true, ACCEPT when it is false.

The 'log-unmatched' setting appends a LOG action to the end of the rule chain the charm creates, so packets not matched by any rule are written to syslog (through the kernel log) with a prefix containing the Juju unit name before the chain policy is applied. Logging requires access to the kernel log infrastructure, which is not available inside Linux containers.

Example ruleset (this is the value of the ruleset option; it can be loaded from a file with juju config iptables ruleset=@ruleset.yaml):

     ssh:
       allow-peers: True
       allow-hosts:
         - 10.31.148.1
         - 10.226.148.17
       allow-networks:
         - 10.32.148.0/24
         - 10.228.148.0/24
       protocol: tcp
       port: 22

Options:
- ssh: in the example above this is the rule name (it also supplies the default port, see below)
- allow-peers: whether peer units (the other units running this charm) are included in the ACCEPT rule
- allow-hosts: list of hosts in the ACCEPT rule
- allow-networks: list of networks (CIDR) in the ACCEPT rule
- deny-hosts: list of hosts in the DENY rule
- deny-networks: list of networks (CIDR) in the DENY rule
- protocol: which protocol the rule applies to. By default tcp
- port: which port the rule applies to; by default taken from the rule name
- portrange: which port range (in the format start:end, e.g. 1:1024) the rule applies to. Takes precedence over the port setting.
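To make the interplay of these options concrete, here is an added example (not the charm's own code) that renders a ruleset in the documented format into the iptables INPUT rules it implies: allow/deny entries, the tcp default, the port taken from the rule name, portrange overriding port, and what enforce and log-unmatched do to the chain. Everything not stated on this page is an assumption: deny entries are rendered as DROP and placed before the allows, the LOG prefix is taken to be the unit name plus a space, a missing port is looked up in /etc/services with a small fallback table, and the ruleset, peer addresses and unit name are constructed.

```python
"""Render a ruleset in the charm's YAML format into iptables(8) INPUT rules.

Added illustration, not the charm's code. Assumptions not taken from the
charm: deny entries become DROP and precede allow entries, the LOG prefix is
the unit name followed by a space, and a missing 'port' is resolved through
/etc/services with a small fallback table.
"""
import ipaddress
import socket

# Fallback when /etc/services is unavailable (assumed mapping, not the charm's).
WELL_KNOWN_PORTS = {"ssh": 22, "http": 80, "https": 443}


def port_from_name(name, proto):
    """Resolve a rule name such as 'ssh' to a port number."""
    try:
        return socket.getservbyname(name, proto)
    except OSError:
        if name in WELL_KNOWN_PORTS:
            return WELL_KNOWN_PORTS[name]
        raise ValueError(f"{name}: no 'port'/'portrange' and not a known service")


def port_match(name, rule):
    """Build the protocol/port match; 'portrange' beats 'port', which beats the name."""
    proto = rule.get("protocol", "tcp")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"{name}: only tcp/udp carry ports, got {proto!r}")
    if "portrange" in rule:
        start, end = (int(p) for p in str(rule["portrange"]).split(":"))
        if not 0 < start <= end <= 65535:
            raise ValueError(f"{name}: bad portrange {rule['portrange']!r}")
        dport = f"{start}:{end}"
    elif "port" in rule:
        dport = str(int(rule["port"]))
    else:
        dport = str(port_from_name(name, proto))
    return f"-p {proto} -m {proto} --dport {dport}"


def _host(addr, name):
    """Validate a single address and return it with a full-length prefix."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError as exc:
        raise ValueError(f"{name}: bad host {addr!r}") from exc
    return f"{ip}/{ip.max_prefixlen}"


def _net(cidr, name):
    """Validate a network; strict so a typo like 10.32.148.1/24 is rejected."""
    try:
        return str(ipaddress.ip_network(cidr, strict=True))
    except ValueError as exc:
        raise ValueError(f"{name}: bad network {cidr!r}") from exc


def render_rule(name, rule, peers=()):
    """INPUT rules for one named rule: deny entries first, then accepts."""
    match = port_match(name, rule)
    lines = []
    for host in rule.get("deny-hosts", []):
        lines.append(f"-A INPUT -s {_host(host, name)} {match} -j DROP")
    for net in rule.get("deny-networks", []):
        lines.append(f"-A INPUT -s {_net(net, name)} {match} -j DROP")
    if rule.get("allow-peers", False):
        for peer in peers:
            lines.append(f"-A INPUT -s {_host(peer, name)} {match} -j ACCEPT")
    for host in rule.get("allow-hosts", []):
        lines.append(f"-A INPUT -s {_host(host, name)} {match} -j ACCEPT")
    for net in rule.get("allow-networks", []):
        lines.append(f"-A INPUT -s {_net(net, name)} {match} -j ACCEPT")
    return lines


def render_ruleset(ruleset, peers=(), enforce=True, log_unmatched=False,
                   unit_name="iptables/0"):
    """Whole INPUT chain as iptables(8) argument strings: policy first, LOG last."""
    lines = [f"-P INPUT {'DROP' if enforce else 'ACCEPT'}"]
    for name, rule in ruleset.items():
        lines.extend(render_rule(name, rule, peers))
    if log_unmatched:
        # Whatever reaches the end of the chain is logged, then hits the policy.
        lines.append(f'-A INPUT -j LOG --log-prefix "{unit_name} "')
    return lines


# Constructed sample in the documented format (as a dict instead of YAML text).
SAMPLE_RULESET = {
    "ssh": {
        "allow-peers": True,
        "allow-hosts": ["10.31.148.1", "10.226.148.17"],
        "allow-networks": ["10.32.148.0/24", "10.228.148.0/24"],
        "deny-hosts": ["10.32.148.99"],   # inside an allowed /24, must still lose
        "protocol": "tcp",                 # no 'port': resolved from the rule name
    },
    "ephemeral": {
        "port": 1,                         # ignored: portrange takes precedence
        "portrange": "32768:60999",
        "allow-networks": ["10.0.0.0/8"],
    },
}
SAMPLE_PEERS = ("10.31.148.5", "10.31.148.6")   # constructed peer unit addresses

if __name__ == "__main__":
    for line in render_ruleset(SAMPLE_RULESET, SAMPLE_PEERS, log_unmatched=True):
        print(line)
```

Running it prints the DROP for 10.32.148.99 ahead of the ACCEPT for 10.32.148.0/24, the two peer addresses and the two hosts each as /32, and a single ACCEPT for 32768:60999 with the port: 1 entry ignored. The strict network validation is the check worth keeping in any tooling around this charm: a network written as 10.32.148.1/24 is rejected instead of silently producing a rule that does not cover what you meant.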

Troubleshooting

If you lock yourself out of SSH access to the machines, set enforce to false (the policy reverts to ACCEPT) and enable logging to see which packets were being dropped:

juju config iptables enforce=false
juju config iptables log-unmatched=true

Configuration

enforce
(boolean) Enable or disable enforcement of firewall rules (for debugging and troubleshooting). When disabled the INPUT chain policy is set to ACCEPT.
filter-peers-by-networks
(string) If this option is set, only peer addresses in those subnets will be used (space-separated list of CIDR network addresses).
log-unmatched
(boolean) Enable or disable logging of unmatched packets (for debugging and troubleshooting). When enabled, unmatched packets are logged to syslog before the chain policy is applied. Logging requires access to the kernel log infrastructure, which is not available within Linux containers.
ruleset
(string) The ruleset in YAML format.
use-private-addresses
(boolean) By default all peers are identified by their private-address as known to Juju. Sometimes you may need all addresses of the hosts instead. Default: True