From 896e005a984335ec45e2955ec0e5a62e5634a4c5 Mon Sep 17 00:00:00 2001
From: Terry Derks
Date: Mon, 5 May 2025 01:05:14 -0400
Subject: [PATCH] firewall managed with iptables state module
---
 firewall/defaults.yaml | 2 -
 firewall/files/iptables.jinja | 22 --------
 firewall/init.sls | 102 +++++++++++++++++++++++++++++-----
 3 files changed, 88 insertions(+), 38 deletions(-)
 delete mode 100644 firewall/defaults.yaml
 delete mode 100644 firewall/files/iptables.jinja
diff --git a/firewall/defaults.yaml b/firewall/defaults.yaml
deleted file mode 100644
index 39f6614..0000000
--- a/firewall/defaults.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-ig_tcp:
- 22: 'ssh'
diff --git a/firewall/files/iptables.jinja b/firewall/files/iptables.jinja
deleted file mode 100644
index 4574fe9..0000000
--- a/firewall/files/iptables.jinja
+++ /dev/null
@@ -1,22 +0,0 @@
-{% import_yaml 'firewall/defaults.yaml' as defaults -%}
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A INPUT -p icmp -j ACCEPT
--A INPUT -i lo -j ACCEPT
{% for tcp_port, comment in salt.pillar.get('firewall:ig_tcp', defaults['ig_tcp']).items() -%}
--A INPUT -p tcp -m state --state NEW -m tcp --dport {{ tcp_port }} -m comment --comment "{{ comment }}" -j ACCEPT
{% endfor -%}
{% set ig_tcp_hosts = salt.pillar.get('firewall:ig_tcp_hosts', {}) -%}
{% for tcp_port in ig_tcp_hosts.keys() -%}
{% for host, comment in ig_tcp_hosts[tcp_port].items() -%}
--A INPUT -p tcp -m state --state NEW -s "{{ host }}" -m tcp --dport {{ tcp_port }} -m comment --comment "{{ comment }}" -j ACCEPT
{% endfor -%}
{% endfor -%}
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
--A INPUT -j DROP
--A FORWARD -j DROP
-COMMIT
diff --git a/firewall/init.sls b/firewall/init.sls
index 20321f9..b4d2c01 100644
--- a/firewall/init.sls
+++ b/firewall/init.sls
@@ -1,20 +1,94 @@
 {% from "firewall/map.jinja" import firewall with context %}
-iptables:
- pkg.installed:
- - pkgs:
- - {{ firewall['pkg'] }}
- file.managed:
- - name: {{ firewall['cfg'] }}
- - source: 'salt://firewall/files/iptables.jinja'
- - template: jinja
- service.running:
- - name: {{ firewall['svc'] }}
- - enable: True
- - watch:
- - file: iptables
-
 {% if firewall['remove'] is not none %}
 {{ firewall['remove'] }}:
 pkg.removed: []
 {% endif %}
+
+firewall:
+ pkg.installed:
+ - name: {{ firewall['pkg'] }}
+ service.running:
+ - name: {{ firewall['svc'] }}
+ - require:
+ - pkg: firewall
+
+iptables accept established conns:
+ iptables.insert:
+ - table: filter
+ - position: 1
+ - chain: INPUT
+ - jump: ACCEPT
+ - match: state
+ - connstate: RELATED,ESTABLISHED
+ - save: True
+
+iptables accept ssh:
+ iptables.append:
+ - table: filter
+ - chain: INPUT
+ - jump: ACCEPT
+ - match: state
+ - connstate: NEW
+ - dport: 22
+ - protocol: tcp
+ - save: True
+
+iptables accept ICMP:
+ iptables.append:
+ - table: filter
+ - chain: INPUT
+ - protocol: icmp
+ - jump: ACCEPT
+ - save: True
+
+iptables accept local:
+ iptables.append:
+ - table: filter
+ - chain: INPUT
+ - in-interface: lo
+ - jump: ACCEPT
+ - save: True
+
+{% for tcp_port, comment in salt.pillar.get('firewall:ig_tcp', {}).items() %}
+iptables accept TCP {{ tcp_port }}:
+ iptables.append:
+ - table: filter
+ - chain: INPUT
+ - protocol: tcp
+ - match: state
+ - connstate: NEW
+ - dport: {{ tcp_port }}
+ - jump: ACCEPT
+ - comment: {{ comment | yaml_encode }}
+ - save: True
+{% endfor %}
+
+{% set ig_tcp_hosts = salt.pillar.get('firewall:ig_tcp_hosts', {}) %}
+
+{% for tcp_port in ig_tcp_hosts.keys() %}
+{% for host, comment in ig_tcp_hosts[tcp_port].items() %}
+iptables accept TCP {{ tcp_port }} from {{ host }}:
+ iptables.append:
+ - table: filter
+ - chain: INPUT
+ - protocol: tcp
+ - match: state
+ - connstate: NEW
+ - dport: {{ tcp_port }}
+ - source: {{ host }}
+ - comment: {{ comment | yaml_encode }}
+ - jump: ACCEPT
+ - save: True
+{% endfor %}
+{% endfor %}
+
+{% for chain in ('INPUT', 'FORWARD') %}
+iptables {{ chain }} default DROP:
+ iptables.set_policy:
+ - table: filter
+ - chain: {{ chain }}
+ - save: True
+ - policy: DROP
+{% endfor %}
+
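Review bot: The new `firewall` service.running state carries no `enable: True`, so on a host where the service is not already enabled the rule set written out by `save: True` is not guaranteed to be restored at boot and the machine can come up on the default ACCEPT policies; add `- enable: True` under `service.running`. The two `iptables.set_policy` DROP states at the end of the hunk have no `require`, so a failure in `iptables accept ssh` or `iptables accept established conns` earlier in the run still lets the policy flip to DROP and locks out remote management; `- require:` / `- iptables: iptables accept established conns` / `- iptables: iptables accept ssh` on each policy state keeps the DROP from being applied without its accept rules. In the per-host loop `- source: {{ host }}` is inserted unquoted while `comment` goes through `yaml_encode`; an IPv6 literal or any pillar value containing a colon would break the YAML there, so `- source: {{ host | yaml_encode }}` keeps it consistent with the neighbouring line. All of these states use the default IPv4 family, so a dual-stacked host keeps whatever ip6tables policies it already has — presumably intentional, but worth a one-line comment at the top of the file saying so.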