Forge Home


manage iptables allow and deny rules


11,877 latest version

3.5 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Version information

  • 0.4.0 (latest)
  • 0.3.1
  • 0.3.0
  • 0.2.0
released Nov 13th 2012

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'erwbgy-iptables', '0.4.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add erwbgy-iptables
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install erwbgy-iptables --version 0.4.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



erwbgy/iptables — version 0.4.0 Nov 13th 2012


Manage iptables incoming rules

The recommended usage is to place the configuration under an iptables hash in hiera and just include the iptables module in your puppet configuration:

include iptables

Example hiera config:

iptables::allow_icmp: 'yes'
iptables::allow_localhost: 'yes'
iptables::log_failures: 'yes'
    tcp: 'allow'
    tcp: 'allow'
    tcp: 'drop'
    udp: 'drop'

This example configures iptables to allow incoming TCP connections to ports 22 (ssh) and 80 (http), and silently drop all connections to port 23 (telnet). All ICMP and localhost connections will be allowed and failed connections to other ports will be logged to syslog.


  • The default policy is to deny all connections and log failures to syslog (usually /var/log/messages).

  • To allow connections to a particular port add an allow rule like that for port 80 above.

  • To avoid denied connections to a particular port being logged add a drop rule like that for port 23 above.

  • To avoid any failed connections being logged set the log_failures parameter to 'no'.

  • By default all ICMP traffic is allowed. Set allow_icmp to 'no' to change this.

  • By default all localhost traffic is allowed. Set allow_localhost to 'no' to change this.

  • If no iptables configuration is found then an allow rule is added for tcp/22 (ssh) like the default iptables configuration.

  • If there is both an allow rule and a drop rule for a port and protocol then access is allowed.


  • logfailures: whether or not to log failed connections that are not explicitly dropped. Possible values: 'yes' or 'no'. Default: 'yes'

  • allow_icmp: whether or not to allow all ICMP traffic. Possible values: 'yes' or 'no'. Default: 'yes'

  • allow_localhost: whether or not to allow all localhost ( traffic. Possible values: 'yes' or 'no'. Default: 'yes'

  • ports hash:

    • hash: the port number to add a rule for (eg. 22)
      • 'tcp': Possible values are 'allow' or 'drop'.
      • 'udp': Possible values are 'allow' or 'drop'.


The iptables::allow and iptables::drop resources create files under /root/iptables.d with a filename including the action (allow or drop), the protocol (tcp or udp) and the port number. Creating these files triggers an update script that combines all the entries together into a new /etc/sysconfig/iptables file and restarts the iptables service.

The iptables::clean class removes all files under /root/iptables.d.


Allow access to the specified port.

port: the incoming port number. Required.

protocol: either 'tcp' or 'udp'. Required.


iptables::allow { 'tcp/22': port => '22', protocol => 'tcp' }


Deny access to the specified port without logging.

port: the incoming port number. Required.

protocol: either 'tcp' or 'udp'. Required.


iptables::drop { 'tcp/21': port => '21', protocol => 'tcp' }


Remove all files under /root/iptables.d. This has the effect of starting with a clean configuration and is required if you want to remove rules for ports defined previously.

To use just temporarily:

include iptables::clean

in a host configuration.


License: Apache License, Version 2.0

GitHub URL: