-
-
Save setkeh/9c126f8a4abb31c1b516a56098cc916e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
iptables: | |
ssh: True | |
tcp_ports: | |
- 4505 | |
- 4506 | |
nat: | |
- eth0 | |
- ppp+ | |
forward: | |
- interface: ppp+ | |
- protocol: 47 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
---------- | |
ID: iptables | |
Function: file.managed | |
Name: /etc/iptables.rules | |
Result: False | |
Comment: Unable to manage file: Jinja variable 'list object' has no attribute 'interface' | |
Started: 09:18:32.852190 | |
Duration: 39.086 ms | |
Changes: | |
---------- | |
ID: iptables | |
Function: cmd.wait | |
Name: iptables-restore < /etc/iptables.rules | |
Result: False | |
Comment: One or more requisite failed: pptpd.init.iptables | |
Changes: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
*filter | |
# Flush | |
-F | |
# Policies | |
-P INPUT DROP | |
-P FORWARD ACCEPT | |
# Allow all loopback (lo0) traffic | |
-A INPUT -i lo -j ACCEPT | |
# Accept all established inbound connections | |
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
# Drop all traffic to 127/8 that doesn't use lo0 | |
-A INPUT ! -i lo -d 127.0.0.0/8 -j DROP | |
# Allow all outbound traffic | |
-A OUTPUT -j ACCEPT | |
# Allow ping | |
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT | |
{% if not 'ssh' in pillar['iptables'] or pillar['iptables']['ssh'] == True %} | |
# Allow SSH traffic | |
-A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT | |
{% endif %} | |
{% for port in pillar['iptables']['tcp_ports'] %} | |
-A INPUT -p tcp --dport {{ port }} -j ACCEPT | |
{% endfor %} | |
{% if pillar['iptables']['forward'] %} | |
-A INPUT -i {{ pillar['iptables']['forward']['interface'] }} -j ACCEPT | |
-A INPUT -p {{ pillar['iptables']['forward']['protocol'] }} -j ACCEPT | |
{% endif %} | |
# Everything else is forbidden | |
-A INPUT -j DROP | |
COMMIT | |
{% if pillar['iptables']['nat'] %} | |
*nat | |
{% for interface in pillar['iptables']['nat'] %} | |
-A POSTROUTING -o {{ interface }} -j MASQUERADE | |
{% endfor %} | |
COMMIT | |
{% endif %} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment