IPtables salt state+pillar
{# Client-side allowance: this host initiates a connection to a remote port.
   Each call emits two iptables_rules entries that share one id prefix:
   an OUTPUT rule for NEW/ESTABLISHED packets to the destination port, and the
   INPUT rule that lets only ESTABLISHED replies back in (no new inbound).
   name/protocol/port/family become part of the rule id; enable is passed
   through as-is (true, false, or a pillar key that the state file resolves). #}
{% macro outgoing(name, protocol, port, family, enable=true) %}
  {% set rule_id = name ~ '-' ~ family ~ '-' ~ protocol ~ '-' ~ port %}
  {{ rule_id }}-outgoing:
    family: {{ family }}
    chain: OUTPUT
    jump: ACCEPT
    protocol: {{ protocol }}
    dport: {{ port }}
    state: 'NEW,ESTABLISHED'
    enable: {{ enable }}
  {{ rule_id }}-incoming:
    family: {{ family }}
    chain: INPUT
    jump: ACCEPT
    protocol: {{ protocol }}
    sport: {{ port }}
    state: 'ESTABLISHED'
    enable: {{ enable }}
{% endmacro %}
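{# Server-side allowance: remote peers connect to a local port.
   Each call emits two iptables_rules entries that share one id prefix:
   the INPUT rule accepting NEW/ESTABLISHED packets to the port, and the
   OUTPUT rule that lets only ESTABLISHED replies leave.
   Both entries carry `family`: the state file only emits `- family:` when the
   rule has it, so without it the reply rule would be installed under the
   iptables module's default family instead of the one named in the rule id
   (the ipv6 variant would never reach ip6tables).
   name/protocol/port/family become part of the rule id; enable is passed
   through as-is (true, false, or a pillar key that the state file resolves). #}
{% macro incoming(name, protocol, port, family, enable=true) %}
  {% set rule_id = name ~ '-' ~ family ~ '-' ~ protocol ~ '-' ~ port %}
  {{ rule_id }}-outgoing:
    family: {{ family }}
    chain: OUTPUT
    jump: ACCEPT
    protocol: {{ protocol }}
    sport: {{ port }}
    state: 'ESTABLISHED'
    enable: {{ enable }}
  {{ rule_id }}-incoming:
    family: {{ family }}
    chain: INPUT
    jump: ACCEPT
    protocol: {{ protocol }}
    dport: {{ port }}
    state: 'NEW,ESTABLISHED'
    enable: {{ enable }}
{% endmacro %}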
{# Chain policies applied by the iptables-policy-* states. With all three at
   ACCEPT the allow rules below do not restrict anything: nothing is blocked
   until a host-specific pillar overrides input_policy (and output_policy, for
   the outgoing allow-list) to DROP. Keep these defaults in mind when reading
   the rules as a firewall. #}
iptables:
  input_policy: ACCEPT
  forward_policy: ACCEPT
  output_policy: ACCEPT

{# Every key becomes one iptables-rule-<key> state. The macro calls append
   their entries to this mapping, so they must stay directly below it. #}
iptables_rules:
  allow_localhost_ipv4:
    family: ipv4
    chain: INPUT
    jump: ACCEPT
    source: '127.0.0.1'
  allow_localhost_ipv6:
    family: ipv6
    chain: INPUT
    jump: ACCEPT
    source: '::1'
{# Client-side services this host is allowed to reach; the dns/dhclient
   entries are ipv4 only as written. Port values may be /etc/services names
   or numbers, both end up in the rule id. #}
{{ outgoing('ntp', 'udp', 'ntp', 'ipv4') }}
{{ outgoing('ntp', 'udp', 'ntp', 'ipv6') }}
{{ outgoing('dns', 'tcp', 'domain', 'ipv4') }}
{{ outgoing('dns', 'udp', 'domain', 'ipv4') }}
{{ outgoing('dhclient', 'udp', 'bootpc', 'ipv4') }}
{{ outgoing('dhclient', 'udp', 26715, 'ipv4') }}
{{ outgoing('dhclient', 'udp', 8370, 'ipv4') }}
{{ outgoing('http_client', 'tcp', 'http', 'ipv4') }}
{{ outgoing('http_client', 'tcp', 'http', 'ipv6') }}
{{ outgoing('https_client', 'tcp', 'https', 'ipv4') }}
{{ outgoing('https_client', 'tcp', 'https', 'ipv6') }}
# iptables itself plus iptables-persistent, presumably so the rule set written
# by `save: true` below is reloaded at boot — confirm against the save path
# the minion uses.
iptables-pkg:
  pkg.installed:
    - pkgs: ['iptables', 'iptables-persistent']

# salt doesn't manage rules in a reliable way. This state flushes the INPUT
# chain of the filter table only — OUTPUT and FORWARD are left alone, and no
# family is given, so only the module's default family is flushed, not the
# ipv6 rules the pillar also manages. It runs only when the prereq below
# reports that some iptables-rule-* state is about to change.
# NOTE(review): if the persisted INPUT policy is already DROP, every inbound
# packet is dropped between this flush and the re-append of the rules later in
# the run — check whether a remote salt session survives that window.
iptables-flush:
  iptables.flush:
    - chain: INPUT
    - prereq:
      - iptables: iptables-rule-*
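{# One iptables state per pillar entry. .items() works on both py2 and py3
   minions; the original .iteritems() only exists on py2 and raises on py3. #}
{% for name, rule in pillar.get('iptables_rules', {}).items() %}
  {# enable: absent -> true; a string -> used as a pillar key whose value
     decides; anything else is used as-is. A disabled rule is deleted rather
     than skipped, so flipping the flag removes a rule saved on an earlier run. #}
  {% if 'enable' not in rule %}
    {% set enable = true %}
  {% elif rule.enable is string %}
    {% set enable = salt.pillar.get(rule.enable) %}
  {% else %}
    {% set enable = rule.enable %}
  {% endif %}
iptables-rule-{{ name }}:
  iptables.{{ 'append' if enable else 'delete' }}:
    - name: {{ name }}
    - save: true
    - table: {{ rule.get('table', 'filter') }}
    {# chain and jump are mandatory; there is no default for either #}
    - chain: {{ rule.chain }}
    - jump: {{ rule.jump }}
    {# a port match needs a protocol. NOTE(review): a rule with dport/sport
       but no protocol renders an empty proto here — confirm that is meant to
       fail rather than silently match nothing. #}
    {% if rule.get('protocol') or rule.get('dport') or rule.get('sport') %}
    - proto: {{ rule.protocol }}
    {% endif %}
    {% if rule.get('state') %}
    - connstate: '{{ rule.state }}'
    {% endif %}
    {% if rule.get('source') %}
    - source: '{{ rule.source }}'
    {% endif %}
    {% if rule.get('dport') %}
    - dport: '{{ rule.dport }}'
    {% endif %}
    {% if rule.get('sport') %}
    - sport: '{{ rule.sport }}'
    {% endif %}
    {# omitted family leaves the choice of iptables vs ip6tables to the
       module default, so ipv6 rules must set it explicitly #}
    {% if rule.get('family') %}
    - family: {{ rule.family }}
    {% endif %}
{% endfor %}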
{# Default policy per filter chain, taken from the iptables pillar. These sit
   after the rule states so that, with Salt's usual file-order execution
   (presumably nothing re-orders them — confirm), the explicit allow rules are
   already in place when a DROP policy takes effect. A DROP input/output
   policy is what gives the allow-lists in the pillar any effect. #}
{% for chain, policy in [('INPUT', pillar.iptables.input_policy),
                         ('FORWARD', pillar.iptables.forward_policy),
                         ('OUTPUT', pillar.iptables.output_policy)] %}
iptables-policy-{{ chain|lower }}:
  iptables.set_policy:
    - table: filter
    - chain: {{ chain }}
    - policy: {{ policy }}
    - save: true
{% endfor %}