
When our collection of virtual servers got to a certain size, we moved from hosts files to a DNS server. However, we still have to update the firewall rules on every machine each time a new server is added. (Since all virtual machines at the provider can see each other, including other customers' machines, we need a list of trusted addresses in the iptables rules.)

What techniques do people use to centralise administration of IPTables configuration? At the moment the best we've got is uploading a new ip list to each machine and restarting the firewall. Is there a better way?

[It would be wonderful if we could somehow tie iptables trusted addresses to our DNS, e.g. anything defined in our DNS is classed as a trusted address, but I'm assuming that nothing like this is possible.]

UpTheCreek

1 Answer

Look into Puppet collected resources and the firewall module. It uses the Ruby "spaceship" operator.

You can create a rule entry on each client manifest and then collect them together to apply on each other client.

This means you can install Puppet on a node, and its IP is automatically added to all other nodes.

I believe the examples online do something similar for the SSH known_hosts file.

Sirex
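The exported/collected resource pattern the answer refers to, written out as an added example (this is not code from the answer or from the Puppet firewall module's own documentation). It assumes the puppetlabs-firewall module is installed, that the master is backed by PuppetDB (exported resources do not work without it), that Facter exposes the node's address as `$facts['networking']['ip']`, and a firewall module version that still uses the `action` parameter (releases from v7 on renamed it to `jump`). The class name `profile::trusted_nodes` and the tag `trusted-node` are arbitrary choices for the example.

```puppet
# Added example, not from the original answer.
# Every node that includes this class exports one accept rule for its own
# address and collects the rules exported by all the others, so adding a
# node to Puppet adds it to every node's trusted list on the next agent run.
class profile::trusted_nodes {
  # Assumed fact name: modern Facter reports the primary address here.
  $my_ip   = $facts['networking']['ip']
  $my_name = $facts['networking']['fqdn']

  # '@@' exports the resource to PuppetDB; it is not applied on this node
  # until it is collected below. The numeric prefix orders the chain.
  @@firewall { "100 allow ${my_name}":
    proto  => 'all',
    source => $my_ip,
    action => 'accept',   # 'jump' on puppetlabs-firewall >= 7
    tag    => 'trusted-node',
  }

  # The collector ('spaceship' operator) realises every exported firewall
  # resource carrying our tag, including the one this node just exported.
  Firewall <<| tag == 'trusted-node' |>>

  # Default deny after the collected accepts (rule names sort numerically).
  firewall { '999 drop everything else':
    proto  => 'all',
    action => 'drop',     # 'jump' on puppetlabs-firewall >= 7
  }

  # Remove any iptables rule Puppet does not manage, so a retired node's
  # accept rule disappears once its exported resource is gone from PuppetDB.
  resources { 'firewall':
    purge => true,
  }
}
```

The caveat a practitioner wants: exported resources stay in PuppetDB until the exporting node is deactivated (`puppet node deactivate <certname>`) or its record expires, so decommissioning a server must include that step or its address remains trusted everywhere. Also keep a rule that accepts established/related traffic and loopback ahead of the `999` drop, otherwise the first agent run that applies the drop will cut off the agent's own connection to the master.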