setkeh/iptables.sls Secret

## iptables.sls
iptables:
  ssh: True
  tcp_ports:
    - 4505
    - 4506
  nat:
    - eth0
    - ppp+
  forward:
    - interface: ppp+
    - protocol: 47

## pillar.err
----------
          ID: iptables
    Function: file.managed
        Name: /etc/iptables.rules
      Result: False
     Comment: Unable to manage file: Jinja variable 'list object' has no attribute 'interface'
     Started: 09:18:32.852190
    Duration: 39.086 ms
     Changes:
----------
          ID: iptables
    Function: cmd.wait
        Name: iptables-restore < /etc/iptables.rules
      Result: False
     Comment: One or more requisite failed: pptpd.init.iptables
     Changes:

## rules.jinja
*filter

# Flush
-F

# Policies
-P INPUT DROP
-P FORWARD ACCEPT

# Allow all loopback (lo0) traffic
-A INPUT -i lo -j ACCEPT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop all traffic to 127/8 that doesn't use lo0
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

# Allow all outbound traffic
-A OUTPUT -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

{% if not 'ssh' in pillar['iptables'] or pillar['iptables']['ssh'] == True %}
# Allow SSH traffic
-A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
{% endif %}

{% for port in pillar['iptables']['tcp_ports'] %}
-A INPUT -p tcp --dport {{ port }} -j ACCEPT
{% endfor %}

{% if pillar['iptables']['forward'] %}
-A INPUT -i {{ pillar['iptables']['forward']['interface'] }} -j ACCEPT
-A INPUT -p {{ pillar['iptables']['forward']['protocol'] }} -j ACCEPT
{% endif %}

# Everything else is forbidden
-A INPUT -j DROP

COMMIT

{% if pillar['iptables']['nat'] %}
*nat
{% for interface in pillar['iptables']['nat'] %}
-A POSTROUTING -o {{ interface }} -j MASQUERADE
{% endfor %}
COMMIT
{% endif %}
	iptables:
	ssh: True
	tcp_ports:
	- 4505
	- 4506
	nat:
	- eth0
	- ppp+
	forward:
	- interface: ppp+
	- protocol: 47
	----------
	ID: iptables
	Function: file.managed
	Name: /etc/iptables.rules
	Result: False
	Comment: Unable to manage file: Jinja variable 'list object' has no attribute 'interface'
	Started: 09:18:32.852190
	Duration: 39.086 ms
	Changes:
	----------
	ID: iptables
	Function: cmd.wait
	Name: iptables-restore < /etc/iptables.rules
	Result: False
	Comment: One or more requisite failed: pptpd.init.iptables
	Changes:
	*filter

	# Flush
	-F

	# Policies
	-P INPUT DROP
	-P FORWARD ACCEPT

	# Allow all loopback (lo0) traffic
	-A INPUT -i lo -j ACCEPT

	# Accept all established inbound connections
	-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Drop all traffic to 127/8 that doesn't use lo0
	-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

	# Allow all outbound traffic
	-A OUTPUT -j ACCEPT

	# Allow ping
	-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

	{% if not 'ssh' in pillar['iptables'] or pillar['iptables']['ssh'] == True %}
	# Allow SSH traffic
	-A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
	{% endif %}

	{% for port in pillar['iptables']['tcp_ports'] %}
	-A INPUT -p tcp --dport {{ port }} -j ACCEPT
	{% endfor %}

	{% if pillar['iptables']['forward'] %}
	-A INPUT -i {{ pillar['iptables']['forward']['interface'] }} -j ACCEPT
	-A INPUT -p {{ pillar['iptables']['forward']['protocol'] }} -j ACCEPT
	{% endif %}

	# Everything else is forbidden
	-A INPUT -j DROP

	COMMIT

	{% if pillar['iptables']['nat'] %}
	*nat
	{% for interface in pillar['iptables']['nat'] %}
	-A POSTROUTING -o {{ interface }} -j MASQUERADE
	{% endfor %}
	COMMIT
	{% endif %}