firewall managed with iptables state module

2025-05-05 01:05:14 -04:00
parent 4faaf42b2d
commit 896e005a98
3 changed files with 88 additions and 38 deletions


@@ -1,2 +0,0 @@
ig_tcp:
22: 'ssh'


@@ -1,22 +0,0 @@
{% import_yaml 'firewall/defaults.yaml' as defaults -%}
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
{% for tcp_port, comment in salt.pillar.get('firewall:ig_tcp', defaults['ig_tcp']).items() -%}
-A INPUT -p tcp -m state --state NEW -m tcp --dport {{ tcp_port }} -m comment --comment "{{ comment }}" -j ACCEPT
{% endfor -%}
{% set ig_tcp_hosts = salt.pillar.get('firewall:ig_tcp_hosts', {}) -%}
{% for tcp_port in ig_tcp_hosts.keys() -%}
{% for host, comment in ig_tcp_hosts[tcp_port].items() -%}
-A INPUT -p tcp -m state --state NEW -s "{{ host }}" -m tcp --dport {{ tcp_port }} -m comment --comment "{{ comment }}" -j ACCEPT
{% endfor -%}
{% endfor -%}
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT


@@ -1,20 +1,94 @@
{% from "firewall/map.jinja" import firewall with context %} {% from "firewall/map.jinja" import firewall with context %}
iptables:
pkg.installed:
- pkgs:
- {{ firewall['pkg'] }}
file.managed:
- name: {{ firewall['cfg'] }}
- source: 'salt://firewall/files/iptables.jinja'
- template: jinja
service.running:
- name: {{ firewall['svc'] }}
- enable: True
- watch:
- file: iptables
{% if firewall['remove'] is not none %} {% if firewall['remove'] is not none %}
{{ firewall['remove'] }}: {{ firewall['remove'] }}:
pkg.removed: [] pkg.removed: []
{% endif %} {% endif %}
firewall:
pkg.installed:
- name: {{ firewall['pkg'] }}
service.running:
- name: {{ firewall['svc'] }}
- require:
- pkg: firewall
iptables accept established conns:
iptables.insert:
- table: filter
- position: 1
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: RELATED,ESTABLISHED
- save: True
iptables accept ssh:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 22
- protocol: tcp
- save: True
iptables accept ICMP:
iptables.append:
- table: filter
- chain: INPUT
- protocol: icmp
- jump: ACCEPT
- save: True
iptables accept local:
iptables.append:
- table: filter
- chain: INPUT
- in-interface: lo
- jump: ACCEPT
- save: True
{% for tcp_port, comment in salt.pillar.get('firewall:ig_tcp', {}).items() %}
iptables accept TCP {{ tcp_port }}:
iptables.append:
- table: filter
- chain: INPUT
- protocol: tcp
- match: state
- connstate: NEW
- dport: {{ tcp_port }}
- jump: ACCEPT
- comment: {{ comment | yaml_encode }}
- save: True
{% endfor %}
{% set ig_tcp_hosts = salt.pillar.get('firewall:ig_tcp_hosts', {}) %}
{% for tcp_port in ig_tcp_hosts.keys() %}
{% for host, comment in ig_tcp_hosts[tcp_port].items() %}
iptables accept TCP {{ tcp_port }} from {{ host }}:
iptables.append:
- table: filter
- chain: INPUT
- protocol: tcp
- match: state
- connstate: NEW
- dport: {{ tcp_port }}
- source: {{ host }}
- comment: {{ comment | yaml_encode }}
- jump: ACCEPT
- save: True
{% endfor %}
{% endfor %}
{% for chain in ('INPUT', 'FORWARD') %}
iptables {{ chain }} default DROP:
iptables.set_policy:
- table: filter
- chain: {{ chain }}
- save: True
- policy: DROP
{% endfor %}
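Review bot: The per-rule `iptables.append` states only ever add rules, so a port or host removed from the `firewall:ig_tcp` / `firewall:ig_tcp_hosts` pillar stays open on the minion until someone deletes it by hand, whereas the replaced `file.managed` template rewrote the whole ruleset and dropped stale entries; a corresponding cleanup (e.g. an `iptables.delete` state driven by a list of retired ports, or a flush-and-rebuild step ordered before the appends) would restore that property. The `- source: {{ host }}` value in the nested loop is rendered unquoted while `comment` goes through `yaml_encode`; a pillar value that starts with a YAML indicator would change the parse, so `- source: {{ host | yaml_encode }}` keeps it a string consistently. None of the `iptables.*` states declare `require: - pkg: firewall`, so they rely on declaration order alone to run after the package install; an explicit requisite makes that dependency survive reordering or `order` overrides. Switching from the old explicit `REJECT --reject-with icmp-host-prohibited` rule to a bare `DROP` policy is a deliberate behaviour change and worth a one-line comment above the `set_policy` loop so a later reader does not treat it as an omission.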