5.1.3.2.1. Iptables checks
This section describes the automated checks that report the state of the iptables rules in an environment and help identify the errors related to them.
These automated checks can be found in the all_checks.yml
file in the following path:
cd /usr/share/opennac/ansible/
The following points detail the checks that Ansible performs automatically, as well as the tags available when executing them.
Note
The connections checked by the Ansible playbook are the ones listed in the table in section Network Connectivity.
5.1.3.2.1.1. Checks
Check that no iptables rule is missing for any port required by the node's role
Alert on extra iptables rules that are not necessary for OpenNAC
Check that the forward reject iptables rule is set (“ok”)
Check that the input reject iptables rule is set (“ok”)
Check connectivity from all the hosts in the farm that need to reach the host's ports
5.1.3.2.1.3. Data Structure
"iptables": {
    "rules": {
        "{{ node_id }}": {
            "{{ node_port }}": {
                "error": {
                    "{{ node_id }}": "{{ node_ips }}"
                },
                "ok": {
                    "{{ node_id }}": "{{ node_ips }}"
                },
                "protocol": "{{ port_protocol }}"
            },
            "extra_iptables": [
                "{{ extra_iptables }}"
            ],
            "forwardReject": true,
            "hostname": "{{ node_hostname }}",
            "inputReject": true,
            "ip": "{{ node_ip }}"
        }
    },
    "connections": {
        "{{ node_id }}": {
            "{{ node_port }}": {
                "error": {
                    "{{ node_id }}": "{{ node_ips }}"
                },
                "ok": {
                    "{{ node_id }}": "{{ node_ips }}"
                },
                "protocol": "{{ port_protocol }}"
            },
            "hostname": "{{ node_hostname }}",
            "ip": "{{ node_ip }}"
        }
    }
}
The data structure shown above is explained below:
rules: contains a list of nodes.
node_id: corresponds to the hostname of the node and contains the list of all the ports it should have configured.
node_port: the port that the node should have configured. ok lists the sources for which the port is open and error the ones for which it is closed, together with the port's protocol.
forwardReject: true when the forward reject iptables rule is set (see the Checks section).
hostname: node hostname.
ip: node IP address.
connections: shows the same structure as rules, but indicates whether each host actually has access to the port.
5.1.3.2.1.4. Example
Command:
ansible-playbook -i inventory all_checks.yml --tags "iptables_sensor"
Output:
"iptables": {
    "rules": {
        "02-sensor-08": {
            "161": {
                "error": {},
                "ok": {
                    "02-principal-01": "10.10.39.101",
                    "02-worker-03": "10.10.39.103"
                },
                "protocol": "tcp"
            },
            "22": {
                "error": {},
                "ok": {
                    "all": "0.0.0.0"
                },
                "protocol": "tcp"
            },
            "67": {
                "error": {},
                "ok": {
                    "all": "0.0.0.0"
                },
                "protocol": "tcp"
            },
            "extra_iptables": [],
            "forwardReject": true,
            "hostname": "02-sensor-08",
            "inputReject": true,
            "ip": "10.10.39.17"
        }
    },
    "connections": {
        "02-sensor-08": {
            "161": {
                "error": {},
                "ok": {
                    "02-principal-01": "10.10.39.101",
                    "02-worker-03": "10.10.39.103"
                },
                "protocol": "udp"
            },
            "22": {
                "error": {},
                "ok": {
                    "02-aggregator-07": "10.10.39.107",
                    "02-analytics-04": "10.10.39.104",
                    "02-analytics-05": "10.10.39.105",
                    "02-analytics-06": "10.10.39.106",
                    "02-captive-12": "10.10.39.112",
                    "02-principal-01": "10.10.39.101",
                    "02-proxy-02": "10.10.39.102",
                    "02-sensor-08": "10.10.39.17",
                    "02-vpngw-09": "10.10.39.109",
                    "02-worker-03": "10.10.39.103"
                },
                "protocol": "tcp"
            },
            "67": {
                "error": {
                    "02-aggregator-07": "10.10.39.107",
                    "02-analytics-04": "10.10.39.104",
                    "02-analytics-05": "10.10.39.105",
                    "02-analytics-06": "10.10.39.106",
                    "02-captive-12": "10.10.39.112",
                    "02-principal-01": "10.10.39.101",
                    "02-proxy-02": "10.10.39.102",
                    "02-sensor-08": "10.10.39.17",
                    "02-vpngw-09": "10.10.39.109",
                    "02-worker-03": "10.10.39.103"
                },
                "ok": {},
                "protocol": "udp"
            },
            "hostname": "02-sensor-08",
            "ip": "10.10.39.17"
        }
    }
}
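The following script is an added example, not part of OpenNAC or its Ansible playbooks. It walks the "iptables" data structure described in the Data Structure section and turns it into a flat list of findings an operator can act on: missing reject rules, extra rules, ports in rules with an error entry, and hosts in connections that could not reach a port. It also cross-checks that the protocol recorded for a port in rules matches the one tested in connections. The embedded sample is the example output above; the assumption that the playbook result has been saved as a JSON file is the script's own.

```python
"""Summarise the "iptables" result of the OpenNAC all_checks.yml playbook.

Added example, not OpenNAC code. It assumes the "iptables" structure has been
saved as JSON (path given on the command line); without a path it runs on the
embedded sample, which is the example output from the documentation.
"""
import json
import sys

# Hosts of the example farm (taken from the documentation's example output).
FARM = {
    "02-aggregator-07": "10.10.39.107",
    "02-analytics-04": "10.10.39.104",
    "02-analytics-05": "10.10.39.105",
    "02-analytics-06": "10.10.39.106",
    "02-captive-12": "10.10.39.112",
    "02-principal-01": "10.10.39.101",
    "02-proxy-02": "10.10.39.102",
    "02-sensor-08": "10.10.39.17",
    "02-vpngw-09": "10.10.39.109",
    "02-worker-03": "10.10.39.103",
}
_TWO = {"02-principal-01": FARM["02-principal-01"], "02-worker-03": FARM["02-worker-03"]}

# The documentation's example output, embedded so the script runs offline.
SAMPLE_RESULT = {"iptables": {
    "rules": {"02-sensor-08": {
        "161": {"error": {}, "ok": dict(_TWO), "protocol": "tcp"},
        "22": {"error": {}, "ok": {"all": "0.0.0.0"}, "protocol": "tcp"},
        "67": {"error": {}, "ok": {"all": "0.0.0.0"}, "protocol": "tcp"},
        "extra_iptables": [], "forwardReject": True, "hostname": "02-sensor-08",
        "inputReject": True, "ip": "10.10.39.17"}},
    "connections": {"02-sensor-08": {
        "161": {"error": {}, "ok": dict(_TWO), "protocol": "udp"},
        "22": {"error": {}, "ok": dict(FARM), "protocol": "tcp"},
        "67": {"error": dict(FARM), "ok": {}, "protocol": "udp"},
        "hostname": "02-sensor-08", "ip": "10.10.39.17"}},
}}

# Node-level keys that are not per-port entries.
META_KEYS = {"extra_iptables", "forwardReject", "hostname", "inputReject", "ip"}


def port_entries(node):
    """Yield (port, entry) pairs of a node, skipping the metadata keys."""
    for key, entry in node.items():
        if key not in META_KEYS and isinstance(entry, dict):
            yield key, entry


def find_problems(result):
    """Return one finding dict per problem reported in the structure."""
    findings = []
    data = result["iptables"]
    for node_id, node in data["rules"].items():
        for flag in ("forwardReject", "inputReject"):
            if not node.get(flag):           # reject rule not set on this node
                findings.append({"node": node_id, "kind": f"{flag}_missing"})
        for rule in node.get("extra_iptables", []):
            findings.append({"node": node_id, "kind": "extra_iptables", "detail": rule})
        for port, entry in port_entries(node):
            for peer, ip in entry.get("error", {}).items():   # required rule absent
                findings.append({"node": node_id, "kind": "rule_missing", "port": port,
                                 "protocol": entry.get("protocol"), "peer": peer, "ip": ip})
    for node_id, node in data["connections"].items():
        for port, entry in port_entries(node):
            for peer, ip in entry.get("error", {}).items():   # peer could not reach port
                findings.append({"node": node_id, "kind": "connection_failed", "port": port,
                                 "protocol": entry.get("protocol"), "peer": peer, "ip": ip})
    return findings


def protocol_mismatches(result):
    """Ports whose protocol differs between rules and connections for the same node.

    In the sample, ports 161 and 67 are "tcp" in rules but "udp" in connections;
    such entries are worth a second look when reading a failed connection check.
    """
    data = result["iptables"]
    out = []
    for node_id, node in data["rules"].items():
        conn = data["connections"].get(node_id, {})
        for port, entry in port_entries(node):
            other = conn.get(port)
            if isinstance(other, dict) and other.get("protocol") != entry.get("protocol"):
                out.append((node_id, port, entry.get("protocol"), other.get("protocol")))
    return sorted(out)


def summarize(result):
    """Count findings by kind, e.g. {"connection_failed": 10}."""
    counts = {}
    for finding in find_problems(result):
        counts[finding["kind"]] = counts.get(finding["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    result = SAMPLE_RESULT
    if len(sys.argv) > 1:                    # hypothetical path to a saved JSON result
        with open(sys.argv[1]) as fh:
            result = json.load(fh)
    for finding in find_problems(result):
        print(finding)
    print("summary:", summarize(result))
    print("protocol mismatches:", protocol_mismatches(result))
```

Run without arguments, the script reports the ten failed connections to port 67 from the example output and the two ports whose protocol differs between the rules and connections sections; a structure with no findings produces an empty summary, which is the state the checks are meant to confirm.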