Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x, 2018.1.x, 2017.3.x, 2017.2.x, 2017.1.x, 2016.5.x, 2016.4.x
- Puppet >=4.0.0 <9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'thias-rhel', '1.0.19'
puppet-rhel
Overview
Configure Red Hat Enterprise Linux specific files and services.
rhel::firewall : Class to enable and configure iptables/ip6tables.
Features
Facts
rhel_kernelrelease : RHEL kernel release, i.e. '957' for 3.10.0-957.5.1.el7
rhelX_kernelrelease : RHEL version X kernel release, useful for inventorying.
Firewall
See http://forge.puppetlabs.com/puppetlabs/firewall
The firewall classes will provide you with the same configuration as an original RHEL installation, with ICMP and lo traffic allowed, stateful connections allowed, and all the rest rejected (not dropped). Note that ssh is not open by default by this module.
You need this in your site.pp :
resources { 'firewall': purge => true }
Firewall {
  before  => Class['::rhel::firewall::post'],
  require => Class['::rhel::firewall::pre'],
}
Then also this (it includes the main firewall module and both the pre and post firewall classes from this module) :
class { '::rhel::firewall': }
Though you can also use hiera to achieve the same :
---
classes:
  - '::rhel::firewall'
Note that even though these rules are initially RHEL specific, because they replicate the original RHEL set of rules, they should work just fine on any other GNU/Linux distribution.
The original REJECT icmp messages of 'prohibited' will be replaced with the more obvious 'unreachable' (to get 'connection refused' on the clients), but you can get back the RHEL defaults with :
rhel::firewall::ipv4_reject_with: 'icmp-host-prohibited'
rhel::firewall::ipv6_reject_with: 'icmp6-adm-prohibited'
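The baseline described above (lo and ICMP accepted, stateful traffic accepted, everything else REJECTed with a chosen ICMP type, ssh not opened) is easy to verify from a rule dump. The following is an added example, not code from the thias-rhel module: it audits an `iptables -S INPUT` listing against that baseline. Both dumps are constructed by hand in the format `iptables -S INPUT` prints, and `icmp-port-unreachable` is assumed here to be the module's 'unreachable' default.

```python
"""Audit an `iptables -S INPUT` dump against the baseline rhel::firewall is
described as producing: lo and ICMP accepted, RELATED,ESTABLISHED accepted,
everything else REJECTed (not DROPped) with a chosen ICMP type, and no
SSH rule opened implicitly.

Added example, not code from the thias-rhel module. Both dumps below are
constructed by hand in the format `iptables -S INPUT` prints; the reject type
'icmp-port-unreachable' is assumed to be the module's 'unreachable' default.
"""
import re

# Constructed: a host where the module's defaults are in place.
DUMP_MODULE_DEFAULTS = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""

# Constructed: RHEL-style reject type, plus an SSH rule someone added by hand.
DUMP_RHEL_STYLE_WITH_SSH = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

REJECT_RE = re.compile(r"-j REJECT --reject-with (\S+)$")


def audit_input_chain(dump, expected_reject_with="icmp-port-unreachable"):
    """Return a dict of findings for the INPUT chain rules in `dump`."""
    rules = [line.strip() for line in dump.splitlines()
             if line.startswith("-A INPUT")]

    def accepts(needle):
        return any(needle in r and r.endswith("-j ACCEPT") for r in rules)

    findings = {
        "lo_accepted": accepts("-i lo"),
        "icmp_accepted": accepts("-p icmp"),
        "stateful_accepted": accepts("RELATED,ESTABLISHED"),
        "ssh_accepted": accepts("--dport 22"),
        "has_drop": any(r.endswith("-j DROP") for r in rules),
        "last_rule_rejects": False,
        "reject_with": None,
    }
    if rules:
        match = REJECT_RE.search(rules[-1])
        if match:
            findings["last_rule_rejects"] = True
            findings["reject_with"] = match.group(1)
    findings["reject_type_ok"] = findings["reject_with"] == expected_reject_with
    return findings


def baseline_problems(findings):
    """List the deviations from the baseline that a reviewer should look at."""
    problems = []
    for key in ("lo_accepted", "icmp_accepted", "stateful_accepted",
                "last_rule_rejects", "reject_type_ok"):
        if not findings[key]:
            problems.append(f"{key} is False")
    if findings["has_drop"]:
        problems.append("a DROP rule is present; baseline rejects instead")
    if findings["ssh_accepted"]:
        problems.append("port 22 is open; the module does not open it by default")
    return problems


if __name__ == "__main__":
    for name, dump in (("module defaults", DUMP_MODULE_DEFAULTS),
                       ("rhel style + ssh", DUMP_RHEL_STYLE_WITH_SSH)):
        print(name, baseline_problems(audit_input_chain(dump)))
```

Pass `expected_reject_with='icmp-host-prohibited'` when the hiera override above is in use; the second dump then only reports the hand-added ssh rule.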
Port knocking with 3 ports is available to protect any tcp port(s). Hiera example :
rhel::firewall::portknock:
  SSH:
    port1: '1234'
    port2: '2345'
    port3: '3456'
    dports:
      - '22'
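To make the timing semantics of the knock sequence concrete, here is an added example (not the module's iptables rules) that models it as a small state machine: a source must hit port1, port2 and port3 in order, each within `seconds_knock` of the previous knock, after which the protected dports are open to that source for `seconds_open`. The two parameter names come from the changelog entry for 1.0.10; the values, the source addresses and the event trace are constructed.

```python
"""State machine for the three-port knock described above: a source that
hits port1, port2 and port3 in order (each within seconds_knock of the
previous one) gets the protected dports opened for seconds_open.

Added example: it models the behaviour the README describes rather than the
module's iptables rules. seconds_knock and seconds_open are the parameter
names from the changelog; the values and the event trace are constructed.
"""


class PortKnock:
    def __init__(self, knock_ports, protected_ports,
                 seconds_knock=10.0, seconds_open=30.0):
        self.knock_ports = tuple(knock_ports)              # e.g. (1234, 2345, 3456)
        self.protected_ports = frozenset(protected_ports)  # e.g. {22}
        self.seconds_knock = seconds_knock  # max gap between two successive knocks
        self.seconds_open = seconds_open    # how long the protected ports stay open
        self._stage = {}    # src -> (knocks completed, time of last knock)
        self._opened = {}   # src -> time the protected ports were unlocked

    def handle(self, t, src, dport):
        """Process one inbound TCP connection attempt at time t.

        Returns 'accept' or 'reject'. Knock packets themselves are never
        accepted; they only advance (or reset) the per-source sequence.
        """
        if dport in self.knock_ports:
            stage, last = self._stage.get(src, (0, None))
            if dport == self.knock_ports[0]:
                stage = 1                                   # (re)start the sequence
            elif (stage < len(self.knock_ports)
                  and dport == self.knock_ports[stage]
                  and t - last <= self.seconds_knock):
                stage += 1                                  # next knock, in time
            else:
                stage = 0                                   # wrong order or too slow
            if stage == len(self.knock_ports):
                self._opened[src] = t                       # sequence complete
                stage = 0
            self._stage[src] = (stage, t)
            return "reject"

        if dport in self.protected_ports:
            opened = self._opened.get(src)
            if opened is not None and t - opened <= self.seconds_open:
                return "accept"
            return "reject"

        return "reject"  # everything else falls through to the baseline REJECT


def run_trace(knocker, events):
    """Feed (t, src, dport) events in order and return the list of decisions."""
    return [knocker.handle(t, src, dport) for t, src, dport in events]


# Constructed trace: one correct sequence, then one where the second knock
# arrives too late and the protected port therefore stays closed.
TRACE = [
    (0.0, "198.51.100.7", 1234), (2.0, "198.51.100.7", 2345),
    (4.0, "198.51.100.7", 3456), (5.0, "198.51.100.7", 22),
    (40.0, "198.51.100.7", 22),                      # open window has expired
    (100.0, "203.0.113.9", 1234), (115.0, "203.0.113.9", 2345),
    (116.0, "203.0.113.9", 3456), (117.0, "203.0.113.9", 22),
]

if __name__ == "__main__":
    knocker = PortKnock((1234, 2345, 3456), {22}, seconds_knock=10, seconds_open=30)
    for event, decision in zip(TRACE, run_trace(knocker, TRACE)):
        print(event, decision)
```

The one-sided window is the point worth noticing: a slow knock resets the sequence rather than extending it, and the open window is measured from the last knock, so an established session survives only because the real rules rely on the stateful ESTABLISHED accept, not on the knock state.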
The original firewall module doesn't support passing an array of IP addresses to the $source parameter. To overcome this limitation, the rhel::firewall::proto_dport_source definition can help :
$admin_networks = [ '10.64.32.0/24', '192.168.23.4' ]
$proto_dport_admin_networks = prefix($admin_networks, 'tcp_8091_')
rhel::firewall::proto_dport_source { $proto_dport_admin_networks: }
The above will open up port 8091/tcp from a network and an address. The syntax for the $title is <proto>_<dport>_<address> where <proto> can be all and dport can be empty to also mean all, or multiple ports separated by commas.
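The title syntax above is compact enough that typos go unnoticed until a rule fails to apply. As an added example (not the module's own Puppet code), the following parser expands a `<proto>_<dport>_<address>` title into the resource parameters it stands for, covering the cases the README names: proto `all`, an empty dport meaning all ports, and comma-separated dports. Treating `all` as "no protocol match", the accepted protocol set, and validating addresses with Python's ipaddress module are this example's own choices, not something the module documents.

```python
"""Parser for the rhel::firewall::proto_dport_source title syntax
<proto>_<dport>_<address>, covering proto 'all', an empty dport (all
ports) and comma-separated dports.

Added example, not the module's own code. VALID_PROTOS, the handling of
'all' as "no -p match" and the ipaddress-based validation are assumptions
made here for illustration.
"""
import ipaddress

VALID_PROTOS = {"all", "tcp", "udp"}   # assumption: what the module accepts


def titles_for(addresses, proto, dport=""):
    """What stdlib's prefix($addresses, "<proto>_<dport>_") produces."""
    return [f"{proto}_{dport}_{addr}" for addr in addresses]


def parse_title(title):
    """Expand one title into firewall resource parameters, or raise ValueError."""
    parts = title.split("_", 2)
    if len(parts) != 3:
        raise ValueError(f"{title!r} is not <proto>_<dport>_<address>")
    proto, dport, address = parts
    if proto not in VALID_PROTOS:
        raise ValueError(f"{title!r}: unknown proto {proto!r}")
    try:
        ipaddress.ip_network(address, strict=False)   # host address or CIDR
    except ValueError as exc:
        raise ValueError(f"{title!r}: bad address: {exc}") from None
    ports = []
    if dport:                                         # empty dport means all ports
        for p in dport.split(","):
            if not p.isdigit() or not 1 <= int(p) <= 65535:
                raise ValueError(f"{title!r}: bad port {p!r}")
            ports.append(p)
    params = {"action": "accept", "source": address}
    if proto != "all":
        params["proto"] = proto
    if ports:
        params["dport"] = ports                       # list, so multiport works
    return params


def is_valid_title(title):
    """True if parse_title() accepts the title."""
    try:
        parse_title(title)
        return True
    except ValueError:
        return False


def expand(addresses, proto, dport=""):
    """Titles and their parameters for a list of addresses, as the README example does."""
    return {t: parse_title(t) for t in titles_for(addresses, proto, dport)}


if __name__ == "__main__":
    admin_networks = ["10.64.32.0/24", "192.168.23.4"]   # from the README example
    for title, params in expand(admin_networks, "tcp", "8091").items():
        print(title, params)
```

Running it on the README's `$admin_networks` prints the two titles the `prefix()` call produces, each mapped to an accept rule for tcp/8091 from that source.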
Masquerade class, one liner to enable masquerading of all 3 RFC1918 networks :
class { '::rhel::firewall::masquerade': outiface => 'br0' }
Set `$return_local` to `true` to exclude RFC1918 destinations from masquerading, required with IPSec LAN to LAN for instance.
NOTRACK definition, to disable connection tracking for certain ports :
rhel::firewall::notrack { '100 notrack http': iface => 'eth0', port => '80' }
rhel::firewall::notrack { '110 notrack lo': iface => 'lo' }
Proxy network, in addition to accept rules, will require an extra setup, e.g.
rhel::firewall::notrack { '100 notrack http':
  iface => 'eth0',
  port  => '80',
}
rhel::firewall::notrack { '110 notrack http':
  iface    => 'eth1',
  port     => '80',
  outbound => true,
}
For rules source matching private IP address space, the rhel::firewall::privatesrc definition will automatically create the 3 required IPv4 rules and the required IPv6 rule (if not disabled) :
rhel::firewall::privatesrc { '100 rsync':
  rules => {
    action => 'accept',
    proto  => 'tcp',
    dport  => [ '873' ],
  },
}
Virtual
This is a class which can be safely included on all nodes, and will tweak only virtual nodes based on the is_virtual fact.
class { '::rhel::virtual': }
Features include :
- Making sure acpid is installed and running for virsh shutdown to work from the hypervisor.
Yum Update from Cron
Simple shell script and cron job to automatically run yum update at 10:05 on weekdays (+ a 3-10min wait time to avoid mass parallel downloads) :
include '::rhel::yum_cron'
Many parameters can be changed. Example to have a weekly run on Monday at 6AM completely silent (no cron output email sent out) :
class { '::rhel::yum_cron':
  cron_command => '/usr/local/sbin/yum-cron &>/dev/null',
  cron_hour    => '06',
  cron_minute  => '00',
  cron_weekday => '1',
}
Network IP Address Alias
Manage network interfaces IP address aliases :
rhel::net::ifalias { 'eth0:0':
  ipaddr => '10.0.0.1', prefix => '32',
}
rhel::net::ifalias { 'eth0:1':
  ensure => absent,
}
EPEL
Enable or disable the EPEL repository for Red Hat Enterprise Linux :
include '::rhel::epel'
To remove it :
class { '::rhel::epel': ensure => absent }
Systemd
Manage systemd resources (initially services). The common rhel::systemd class is automatically included and will execute systemctl daemon-reload when required. Example :
rhel::systemd::service { 'mydaemon':
  source => "puppet:///modules/${module_name}/mydaemon.service",
}
AIDE
Monitor file structure and content changes using AIDE. Use the rhel::aide definition with a descriptive title and an array of valid aide.conf lines for the $lines parameter. Example :
rhel::aide { 'www':
  cron_mailto => 'webmaster@example.com',
  cron_minute => '*/10',
  lines       => [
    # LSPP same as normal, but excluding one extra hash (smaller db)
    '/var/www/htpasswd LSPP',
    '/var/www/www.example.com LSPP',
    # These are not relevant
    '!/var/www/www.example.com/shared',
    '!/var/www/www.example.com/tmp',
  ],
}
The default cron job is run hourly, but most cron parameters may be overridden. See the aide.conf(5) manual page and the example /etc/aide.conf file for help on the lines syntax.
Umask
RHEL9 removed the less strict umask for users with a default private group. Including this class restores the previous behavior, keeping ACLs working thanks to the g+w mode.
2024-11-07 - 1.0.19
- Add umask class to restore pre-RHEL9 default umask behavior.
2023-09-14 - 1.0.18
- Add new rhel::net::ipaddress to replace rhel::net::ifalias on RHEL9+
- Exclude containers from what 'virtual' applies (acpid not relevant there).
2019-11-11 - 1.0.17
- Add outbound option to notrack (#6, @edupr91).
2019-06-27 - 1.0.16
- Add proper yum-cron support for dnf, using dnf-automatic.
2019-02-28 - 1.0.15
- Add rhel*_kernelrelease facts.
2018-05-31 - 1.0.14
- Fix IPv6 service conflict, the firewall module has been fixed long ago.
2018-05-31 - 1.0.13
- Allow masquerading multiple interfaces (#3, @forgodssake).
2017-01-26 - 1.0.12
- Use previously defined $cron_ensure parameter (#3 @lisuml).
- Fix unknown variable warning for final_dport.
2016-02-08 - 1.0.11
- Add chmod exec to remove +x from ebtables.service to avoid noise in logs.
2015-10-15 - 1.0.10
- Add rhel::firewall::masquerade::return_local for IPSec.
- Split $seconds into $seconds_knock and $seconds_open for portknock.
- Add rhel::aide definition to monitor and report filesystem changes.
2015-07-15 - 1.0.9
- Force expire-cache in yum-cron and add dnf support.
2015-05-20 - 1.0.8
- Compatibility fixes for Puppet 4.
2015-04-28 - 1.0.7
- Add rhel::firewall::privatesrc definition.
- Make forge score happy.
2015-03-31 - 1.0.5
- Fix firewall::masquerade by adding FORWARD rules.
- Add systemd class and systemd::service definition.
2015-01-09 - 1.0.4
- Fixes for RHEL7 iptables and unquoted hash key.
2014-12-16 - 1.0.3
- Rename yum-cron class to yum_cron to avoid forbidden character.
- Add support for RHEL7 in rhel::epel class.
- Clean up to make puppet lint happy.
2014-11-11 - 1.0.2
- Add useful rhel::firewall::notrack definition.
2014-09-15 - 1.0.1
- Manage ip6tables service until the puppetlabs firewall module does.
2014-09-09 - 1.0.0
- Fix in firewall::pre class for when ipv6 is false for rhel::firewall.
2014-04-28 - 0.2.3
- Add rhel::firewall::masquerade class.
2014-02-03 - 0.2.2
- icmp_limit may now be either false or an integer for the reqs/s to allow.
- Support multiport with comma separated dports in proto_dport_source.
2013-11-21 - 0.2.1
- Add virtual class.
- Add firewall::proto_dport_source hack for array sources.
- Support empty port meaning all ports in proto_dport_source.
2013-10-15 - 0.2.0
- Fix defaults for IPv4/IPv6 INPUT chains.
- Add very useful 3-port port knocking feature.
- Add yum-cron class.
- Add net::ifalias definition.
- Add epel class.
2013-10-03 - 0.1.0
- Initial module release.
Dependencies
- puppetlabs/stdlib (>= 0.2.0)
- puppetlabs/firewall (>= 1.9.0)
Copyright (C) 2013-2016 Matthias Saou Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.