@anlutro
Last active August 25, 2020 13:53
IPtables salt state+pillar
{#
  Client-side rule pair for service `name`: this host may open connections
  to `port`/`protocol` (OUTPUT, NEW+ESTABLISHED) and receives the replies
  (INPUT, ESTABLISHED only).  Rendered as entries under iptables_rules; the
  `enable` value is passed through untouched for the state loop to resolve.
#}
{% macro outgoing(name, protocol, port, family, enable=true) %}
{% set rule_id = name ~ '-' ~ family ~ '-' ~ protocol ~ '-' ~ port %}
  {{ rule_id }}-outgoing:
    family: {{ family }}
    chain: OUTPUT
    jump: ACCEPT
    protocol: {{ protocol }}
    dport: {{ port }}
    state: 'NEW,ESTABLISHED'
    enable: {{ enable }}
  {{ rule_id }}-incoming:
    family: {{ family }}
    chain: INPUT
    jump: ACCEPT
    protocol: {{ protocol }}
    sport: {{ port }}
    state: 'ESTABLISHED'
    enable: {{ enable }}
{% endmacro %}
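{#
  Server-side rule pair for service `name`: clients may connect to `port`/
  `protocol` (INPUT, NEW+ESTABLISHED) and this host may answer them
  (OUTPUT, ESTABLISHED only).  Rendered as entries under iptables_rules.
  Both halves carry `family`; without it the state loop omits `- family:`
  and the reply rule would land in the default (ipv4) chain even for an
  ipv6 service.
#}
{% macro incoming(name, protocol, port, family, enable=true) %}
{% set rule_id = name ~ '-' ~ family ~ '-' ~ protocol ~ '-' ~ port %}
  {{ rule_id }}-outgoing:
    family: {{ family }}
    chain: OUTPUT
    jump: ACCEPT
    protocol: {{ protocol }}
    sport: {{ port }}
    state: 'ESTABLISHED'
    enable: {{ enable }}
  {{ rule_id }}-incoming:
    family: {{ family }}
    chain: INPUT
    jump: ACCEPT
    protocol: {{ protocol }}
    dport: {{ port }}
    state: 'NEW,ESTABLISHED'
    enable: {{ enable }}
{% endmacro %}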
{#
  Pillar consumed by the iptables state.  Every rule here is an ACCEPT rule
  and all three chain policies are ACCEPT too, so nothing is actually blocked
  until the policies are switched to DROP; at that point this list becomes
  the allow-list.  `source` values are quoted so YAML keeps them as strings.
#}
iptables:
  input_policy: ACCEPT
  forward_policy: ACCEPT
  output_policy: ACCEPT

iptables_rules:
  allow_localhost_ipv4:
    family: ipv4
    chain: INPUT
    jump: ACCEPT
    source: '127.0.0.1'
  allow_localhost_ipv6:
    family: ipv6
    chain: INPUT
    jump: ACCEPT
    source: '::1'
{# dual-stack clients: one rule pair per address family #}
{% for fam in ('ipv4', 'ipv6') %}
{{ outgoing('ntp', 'udp', 'ntp', fam) }}
{{ outgoing('http_client', 'tcp', 'http', fam) }}
{{ outgoing('https_client', 'tcp', 'https', fam) }}
{% endfor %}
{# ipv4-only clients #}
{% for proto in ('tcp', 'udp') %}
{{ outgoing('dns', proto, 'domain', 'ipv4') }}
{% endfor %}
{% for port in ('bootpc', 26715, 8370) %}
{{ outgoing('dhclient', 'udp', port, 'ipv4') }}
{% endfor %}
{# iptables itself plus iptables-persistent (presumably what reloads the
   rules written by `save: true` at boot; confirm against the distro) #}
iptables-pkg:
  pkg.installed:
    - pkgs:
      - iptables
      - iptables-persistent
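{#
  Salt's iptables states only add or remove single rules, so a rule that was
  dropped from the pillar would otherwise linger.  Flush the ipv4 INPUT and
  OUTPUT chains (both are populated by the rule loop below), but only when at
  least one iptables-rule-* state is about to change: `prereq` dry-runs those
  states first and skips the flush when nothing changes.  ipv6 chains are not
  flushed here.  If output_policy is ever set to DROP, the window between the
  OUTPUT flush and the re-append also cuts the minion's own outbound traffic.
#}
iptables-flush:
  iptables.flush:
    - chain: INPUT
    - family: ipv4
    - prereq:
      - iptables: iptables-rule-*

iptables-flush-output:
  iptables.flush:
    - chain: OUTPUT
    - family: ipv4
    - prereq:
      - iptables: iptables-rule-*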
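{#
  One iptables.append state (or iptables.delete when the rule is disabled)
  per entry of pillar iptables_rules.  `enable` may be absent (rule is
  enabled), a boolean, or a string naming a pillar key whose value decides;
  pillar.get returns '' for a missing key, which disables (deletes) the rule.
  `.items()` rather than `.iteritems()` so the template renders on Python 3.
#}
{% for name, rule in pillar.get('iptables_rules', {}).items() %}
{% if 'enable' not in rule %}
{% set enable = true %}
{% elif rule.enable is string %}
{% set enable = salt.pillar.get(rule.enable) %}
{% else %}
{% set enable = rule.enable %}
{% endif %}
iptables-rule-{{ name }}:
  iptables.{{ 'append' if enable else 'delete' }}:
    - name: {{ name }}
    - save: true
    - table: {{ rule.get('table', 'filter') }}
    - chain: {{ rule.chain }}
    - jump: {{ rule.jump }}
{# a port match requires -p; a rule with dport/sport but no protocol renders
   an empty proto here and is rejected when the rule is applied #}
{% if rule.get('protocol') or rule.get('dport') or rule.get('sport') %}
    - proto: {{ rule.protocol }}
{% endif %}
{# scalar matches are quoted so comma lists, addresses and ports stay strings #}
{% if rule.get('state') %}
    - connstate: '{{ rule.state }}'
{% endif %}
{% if rule.get('source') %}
    - source: '{{ rule.source }}'
{% endif %}
{% if rule.get('dport') %}
    - dport: '{{ rule.dport }}'
{% endif %}
{% if rule.get('sport') %}
    - sport: '{{ rule.sport }}'
{% endif %}
{# omitted family means Salt's default address family #}
{% if rule.get('family') %}
    - family: {{ rule.family }}
{% endif %}
{% endfor %}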
{#
  Default policy of each filter chain, taken from pillar iptables.<chain>_policy
  and saved alongside the rules.  State IDs are iptables-policy-input,
  iptables-policy-forward and iptables-policy-output.
#}
{% for chain in ('INPUT', 'FORWARD', 'OUTPUT') %}
iptables-policy-{{ chain|lower }}:
  iptables.set_policy:
    - table: filter
    - chain: {{ chain }}
    - policy: {{ pillar.iptables[chain|lower ~ '_policy'] }}
    - save: true
{% endfor %}