[CentOS] Keeping iptables in sync across multiple machines

Fri Oct 30 17:42:22 UTC 2009
Karanbir Singh <mail-lists at karan.org>

hi,

Just wondering what people use / recommend to keep multiple machines in 
sync with their iptables policy.

What I use at the moment:

1) Puppet, to set up and manage a fairly complex per-service-type ruleset 
that is then maintained on the remote machines by puppet ( in that it 
brings together all the various bits of iptables snippets based on what 
manifests and roles are deployed to a machine, then builds a firewall 
locally on the machine ). We also use something similar, but at a much 
simpler level within the .centos.org infrastructure. Problem with this 
is that unless one is familiar with the whole stack of machine 
state/policy management, it's quite intimidating. Which then means that 
there is plenty of breakage, which in turn then means I need to maintain 
and run a complete set of VMs that emulate the production environment ( 
including their IPs ) and run cross-VM tests before stuff gets rolled 
out. So yes, large hole and lots of potential for non-related issues to 
impact release. Some people even argue that having a release-based 
workflow for firewalls is not good; I'd like to disagree :)

2) In another setup, I use puppet to basically just manage static 
/etc/sysconfig/iptables files. Pretty low tech, and very easy to cause 
damage since testing-rollout-deploy is impossible. But the other guy who 
also needs to manage these seems to find it easy.

3) Yet another setup I've used in the past was with an svn repo and using 
a post-commit hook to run some tests followed by clusterssh! to deploy the 
iptables files and restart services. Finally replaced that with a slack- 
based deployment, since that allowed me to at least run some sanity 
testing and roll back if I ended up locking a 'core' host. The problem 
of course was that it's not easy to test remote inbound connections this 
way ( without using a proxy, but then the proxy creates another layer of 
problems and flakiness ).

4) Physically logging into machines to make policy changes (!). I do this 
for my laptops :)

5) Using a 'git pull' from cron on a bunch of machines, and using a 
central git repository. Each machine would then do an iptables reload; 
the only advantage of this over (3) is that I can use metainfo like 
TAGs and ROLEs in the commit logs, and have only specific machines 
react to specific changes. Flip side: needing to track and build a 
knowledge base around these TAGs meant that I almost never ever use 
this, and prefer to just have firewall policy that mostly works for the 
whole set of machines I run this on.

So, what I am looking for really is feedback on what people are using in 
the wild on multiple machines, and bonus points for people who only use 
tools and mechanisms already built into the CentOS [base] repo.

- KB
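The cron-driven pull in (5) combined with the automatic rollback KB wanted in (3), as an added example that is not from the post or from any CentOS tool. It assumes a git checkout in $REPO containing an iptables.rules file in iptables-save format, the host's role name in /etc/firewall-role, and a "ROLE: web,db" (or "ROLE: all") line in commit messages; iptables-restore --test is assumed to exist on the installed iptables version.

```bash
#!/bin/bash
# Added example (not from the original post). Assumptions: a git checkout in
# $REPO holding "iptables.rules" in iptables-save format, this host's role in
# /etc/firewall-role, and a "ROLE: web,db" (or "ROLE: all") line in commit
# messages. Only hosts named by the latest commit react; the file is parsed
# before loading and rolled back automatically unless confirmed in time.
set -u

REPO=${REPO:-/srv/firewall}
RULES=${RULES:-$REPO/iptables.rules}
ROLLBACK_SECS=${ROLLBACK_SECS:-120}

# Return 0 when the commit message's ROLE: line names this host's role or "all".
# Usage: role_matches "<commit message>" "<this host's role>"
role_matches() {
    local msg=$1 role=$2 line r
    line=$(printf '%s\n' "$msg" | sed -n 's/^ROLE:[[:space:]]*//p' | head -n 1)
    [ -n "$line" ] || return 1              # no ROLE line: nobody reacts
    for r in $(printf '%s' "$line" | tr ',' ' '); do
        [ "$r" = all ] || [ "$r" = "$role" ] && return 0
    done
    return 1
}
# Save the live rules, test and load the new file, and arm a rollback timer.
# Touching the .ok file (from a fresh SSH login) within ROLLBACK_SECS keeps the
# new rules; otherwise the saved rules are restored, so a bad rule cannot
# lock the host out for good.
apply_with_rollback() {
    local new=$1 backup
    backup=$(mktemp /tmp/iptables.XXXXXX) || return 1
    iptables-save > "$backup" || return 1
    # --test parses without loading (assumed present in this iptables version).
    iptables-restore --test "$new" || { echo "rejected: $new" >&2; return 1; }
    iptables-restore "$new" || { iptables-restore "$backup"; return 1; }
    ( sleep "$ROLLBACK_SECS"; [ -e "$backup.ok" ] || iptables-restore "$backup" ) &
    echo "applied $new; touch $backup.ok within ${ROLLBACK_SECS}s to keep it"
}

# Cron entry point: `firewall-sync.sh deploy`.
main() {
    local role msg
    role=$(cat /etc/firewall-role) || exit 1
    (cd "$REPO" && git pull -q) || exit 1
    msg=$(cd "$REPO" && git log -1 --pretty=%B)
    role_matches "$msg" "$role" || exit 0   # change not aimed at this host
    apply_with_rollback "$RULES"
}

case "${1:-}" in deploy) main ;; esac
```

Run it from cron as `firewall-sync.sh deploy`; a commit without a ROLE line is applied nowhere, which keeps an untagged change from reaching every host at once.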