Module: ipset

ipset

Manage IP sets in the Linux kernel. Support in Red Hat Enterprise Linux has been introduced in the RHEL 6.2 kernel (run "modinfo ip_set" to check).

`ipset` : Main definition to create and manage IP sets.
`ipset::iptables` : Definition to manage IP set related iptables rules.
`ipset::base` : Base class for the common parts.
`ipset::params` : Base class for distribution specific parameters.

Once you have your IP sets in place, you‘ll want to manage iptables rules which make use of those IP sets.

Defines

ipset iptables

Classes and Modules

Class ipset::base
Class ipset::params

Defines

ipset( $ipset_add_options => '', $ipset_create_options => '', $from_file => 'false', $ipset_type => 'hash:ip', $ensure => 'undef' )

Define: ipset

Create and manage ipsets. You must pass one of $from_file, … TODO, unless you are passing "ensure => absent" to remove the ipset.

Parameters:

 $from_file:
   Create and manage the ipset from the content of a file. Default: none
 $ipset_type:
   The type of the ipset. Default: hash:ip
 $ipset_create_options:
   The create options of the ipset. Default: empty
 $ipset_add_options:
   The add options of the ipset elements. Default: empty

Sample Usage:

 file { '/path/to/my_blacklist.txt': content => "10.0.0.1\n10.0.0.2\n" }
 ipset::test { 'my_blacklist':
     from_file => '/path/to/my_blacklist.txt',
 }

iptables( $strictmatch => 'false', $chain, $flags => 'src', $target => 'DROP', $options => '', $table => 'filter', $ipset => 'name' )

Define: ipset::iptables

This shouldn‘t exist. There should be a way to have iptables silently ignore rules for non-existing IP sets… NOTE: No absent support! Just remove then restart iptables. Also make sure you never save iptables rules with IP set rules included, or restore will fail when the IP sets don‘t (yet) exist. That‘s the whole problem we try to solve here.

Parameters:

 $table:
  The table to insert the rule into. Default: 'filter'
 $chain:
  The chain to indert the rule into. Mandatory.
 $ipset:
  The IP set to match against. Default: $name
   Use it if you are creating more than one iptables rule for the same IP set.
 $flags:
  Comma separated list of 'src' and 'dst' specifications. Default: 'src'
 $options:
  The options for the inserted rule. Default: empty
  You will often want to use this.
 $target:
  The target used by inserted rule. Default: 'DROP'
 $strictmatch:
  Strict match when checking for existing rules. Default: false
  Enable if you are sure your $options are set properly and you are having
  problems creating multiple rules for the same IP set.

Sample Usage:

 ipset::iptables { 'mylist':
     chain   => 'INPUT',
     options => '-p tcp',
     target  => 'REJECT',
 }
 ipset::iptables { 'mylist-log':
     table   => 'raw',
     chain   => 'PREROUTING',
     ipset   => 'mylist',
     options => '-p tcp --dport 80',
     target  => 'LOG --log-prefix "MyList: "',
 }