terraform-provider-iptables

command module

v1.2.0 Latest Latest Go to latest Published: Jul 5, 2021 License: MIT Imports: 2 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/soupdiver/terraform-provider-iptables

Links

Open Source Insights

README ¶

terraform-provider-iptables

GitHub release (latest by date)

This provider is compatible with this API : https://github.com/jeremmfr/iptables-api

Compile:

export GO111MODULE=on
go build -o terraform-provider-iptables && mv terraform-provider-iptables /usr/bin/

Config:

The provider adds DROP lines and a router_chain automatically, to disable this:

export CONFIG_IPTABLES_TERRAFORM_NODEFAULT=1

Setup information for contact server :

provider "iptables" {
	firewall_ip = "192.168.0.1"
	port		= 8080
	allowed_cidr_blocks = [ "10.0.0.0/24" ]
	https		= true
	insecure	= true
	vault_enable = true
}

firewall_ip : (Required) IP for firewall API (iptables-api)
port : (Optional) [Def: 8080] Port for firewal API (iptables-api)
allowed_cidr_blocks : (Required) list of CIDR allowed to contact API (add iptables rules on start) no rules removed if remove cidr
https : (Optional) [Def: false] Use HTTPS for firewall API
insecure : (Optional) [Def: false] Don't check certificate for HTTPS
login : (Optional) [Def: ""] User for http basic authentication
password : (Optional) [Def: ""] Password for http basic authentication
vault_enable : (Optional) [Def: false] Read login/password in secret/$vault_path/$firewall_ip or secret/$vault_path/$vault_key (For server and token, read environnement variables "VAULT_ADDR", "VAULT_TOKEN") ConflictWith login/password
vault_path : (Optional) [Def: "lvs"] Path where the key are
vault_key : (Optional) [Def: ""] Name of key in vault path
ipv6_enable : (Optional) [Def: false] Add default ipv6 rules (router_chain + DROP)
no_add_default_drop : (Optional) [Def: false] Don't add drop rules in (INPUT,FORWARD,OUTPUT)

Resource:

project (or project_ipv6)

Create chain in table filter for specific CIDR ranges (project) and route trafic of CIDR ranges for chain INPUT,FORWARD,OUTPUT in this chain :

	resource iptables_project theproject {
		name        = "theproject"
		cidr_blocks = [ "10.10.0.0/22" ]
	}
	resource iptables_project_ipv6 theproject {
		name = "theproject"
		cidr_blocks = [
				"2001:db8::/64",
			]
	}

name : (Required)(ForceNew) name of chain
cidr_blocks : (Required) list of cidr for route in this chain
position : (Optional) position in router_chain (create a specific router_chain for the position and add cidr_blocks in this chain)

rules (or rules_ipv6)

Create iptables rules in chain (project)

	resource iptables_rules rules-front {
		name			= "rules-front"
		project			= iptables_project.theproject.name
		on_cidr_blocks	= [ "10.10.0.1", "10.10.0.2", "10.10.0.16/28" ]
		ingress {
			protocol	= "tcp"
			to_port		= "80,443"
		}
	}
	resource iptables_rules_ipv6 http_ipv6 {
		name = "http_ipv6"
		project = iptables_project_ipv6.theproject.name
		on_cidr_blocks = [
				"2001:db8::a",
				"2001:db8::b",
				"2001:db8::ab",
              ]
		ingress {
			protocol = "tcp"
			to_port = "80"
		}
	}

name : (Required) name of rules
project : (Required) apply on chain project
on_cidr_blocks : (Required) apply rule on CIDR or IP Range list
ingress : (Optional) Can be specified multiple times for each ingress rule
egress : (Optional) Can be specified multiple times for each egress rule

ingress and egress block supports :

position : (Optional) [Def: "?"] position of rule in chain
from_port : (Optional) [Def: "0"] source port(s) (Use comma for list and colon for range)
to_port : (Optional) [Def: "0"] destination port(s) (Use comma for list and colon for range)
protocol : (Optional) [Def: "all"] protocol
cidr_blocks : (Optional) [Def: ["0.0.0.0/0"] (["::/0"] for v6)] Source CIDR or IP Range list for ingress / Destination CIDR or IP Range list for egress
iface_out : (Optional) [Def: "*"] interface output
iface_in : (Optional) [Def: "*"] interface input
state : (Optional) [Def: ""] Connection tracking state
icmptype : (Optional) [Def: ""] Icmptype (with protocol=icmp or ipv6-icmp)
fragment : (Optional) [Def: false] Fragmented packets false/true
action : (Optional) [Def: "ACCEPT"] Action (ACCEPT, DROP, LOG --log-prefix=...)

nat (or nat_ipv6)

Create iptables rules in nat table for snat or dnat

	resource iptables_nat dnat-front_http {
		name	= "dnat-front_http"
		on_cidr_blocks = [ "203.0.113.1" ]
		dnat {
			iface		= "bond0"
			protocol	= "tcp"
			to_port		= 80
			nat_ip		= "10.10.0.1"
		}
	}
	resource iptables_nat dnat-front {
		name	= "dnat-front"
		on_cidr_blocks = [ "203.0.113.1" ]
		dnat {
			iface		= "bond0"
			protocol	= "tcp"
			to_port		= 8080
			nat_ip		= "10.10.0.1:80"
		}
	}
	resource iptables_nat_ipv6 http_v6_8080 {
		name = "http_v6_8080"
        	on_cidr_blocks = [
			"2001:db8::ab",
		]
		dnat {
			iface = "bond0"
			protocol = "tcp"
			to_port = "8080"
			nat_ip = "[2001:db8::a]:80"
		}
	}
	resource iptables_nat_ipv6 http_v6_bis {
		name = "http_v6_bis"
		on_cidr_blocks = [
			"2001:db8::aa",
			]
		dnat {
			iface = "bond0"
			protocol = "tcp"
			to_port = "80"
			nat_ip = "2001:db8::a"
		}
	}

name : (Required) name of rules
on_cidr_blocks : (Required) apply rule on CIDR list
snat (Optional) Can be specified multiple times for each snat rule
dnat (Optional) Can be specified multiple times for each dnat rule

snat block supports :

iface : (Required) interface output
position : (Optional) [Def: "?"] position of rule in chain
protocol : (Optional) [Def: "all"] protocol
to_port : (Optional) [Def: "0"] Destination port
filter_cidr_blocks : (Optional) [Def: ["0.0.0.0/0"] (["::/0"] for v6)] nat only with this destination CIDR list
except_cidr_blocks : (Optional) [Def: "" ] nat without this destination CIDR block (ConflictWith filter_cidr_blocks)
nat_ip : (Required) New IP source (NAT)

dnat block supports :

iface : (Required) interface input
position : (Optional) [Def: "?"] position of rule in chain
protocol : (Optional) [Def: "all"] protocol (Warning: necessary for to_port
to_port : (Optional) [Def: "0"] Destination port
filter_cidr_blocks : (Optional) [Def: ["0.0.0.0/0"] (["::/0"] for v6)] nat only with this source CIDR list
except_cidr_blocks : (Optional) [Def: "" ] nat without source this CIDR block (ConflictWith filter_cidr_blocks)
nat_ip : (Required) New IP destination (NAT). You can specify new destination port if necessary with :port

raw (or raw_ipv6)

Create iptables rules in raw table

resource "iptables_raw" "notrack" {
	name = "notrack"
	rule {
		protocol		= "tcp"
		iface_in		= "bond0"
		tcpflags_comp	= "SYN"
		notrack			= "true"
		to_port			= "80,443"
		action			= "CT"
	}
}

name : (Required) name of rules
rule : (Optional) rule detail

rule block supports :

position : (Optional) [Def: "?"] position of rule in chain
chain : (Optional) [Def: "PREROUTING"] add on chain (PREROUTING, OUTPUT)
protocol : (Optional) [Def: "all"] protocol
from_port : (Optional) [Def: "0"] source port(s) (Use comma for list and colon for range)
to_port : (Optional) [Def: "0"] destination port(s) (Use comma for list and colon for range)
src_cidr_blocks : (Optional) [Def: "0.0.0.0/0"] source CIDR
dst_cidr_blocks : (Optional) [Def: "0.0.0.0/0"] destination CIDR
iface_out : (Optional) [Def: "*"] interface output
iface_in : (Optional) [Def: "*"] interface input
action : (Optional) [Def: "ACCEPT"] Action (ACCEPT, DROP, RETURN, LOG --log-prefix=...)
tcpflags_mask : (Optional) [Def: "SYN,RST,ACK,FIN"] Mask for --tcpflags
tcpflags_comp : (Optional) [Def: ""] Comp for --tcpflags
notrack : (Optional) [Def: false] set true for add --notrack