firewall managed with iptables state module

firewall/defaults.yaml

@@ -1,2 +0,0 @@
-ig_tcp:
-  22: 'ssh'

firewall/files/iptables.jinja

@@ -1,22 +0,0 @@
-{% import_yaml 'firewall/defaults.yaml' as defaults -%}
-*filter
-:INPUT ACCEPT [0:0]
-:FORWARD ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
--A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
--A INPUT -p icmp -j ACCEPT
--A INPUT -i lo -j ACCEPT
-{% for tcp_port, comment in salt.pillar.get('firewall:ig_tcp', defaults['ig_tcp']).items() -%}
--A INPUT -p tcp -m state --state NEW -m tcp --dport {{ tcp_port }} -m comment --comment "{{ comment }}" -j ACCEPT
-{% endfor -%}
-{% set ig_tcp_hosts = salt.pillar.get('firewall:ig_tcp_hosts', {}) -%}
-{% for tcp_port in ig_tcp_hosts.keys() -%}
-{%   for host, comment in ig_tcp_hosts[tcp_port].items() -%}
--A INPUT -p tcp -m state --state NEW -s "{{ host }}" -m tcp --dport {{ tcp_port }} -m comment --comment "{{ comment }}" -j ACCEPT
-{%   endfor -%}
-{% endfor -%}
--A INPUT -j REJECT --reject-with icmp-host-prohibited
--A FORWARD -j REJECT --reject-with icmp-host-prohibited
--A INPUT -j DROP
--A FORWARD -j DROP
-COMMIT

firewall/init.sls

@@ -1,20 +1,94 @@
 {% from "firewall/map.jinja" import firewall with context %}
 
-iptables:
-  pkg.installed:
-    - pkgs:
-      - {{ firewall['pkg'] }}
-  file.managed:
-    - name: {{ firewall['cfg'] }}
-    - source: 'salt://firewall/files/iptables.jinja'
-    - template: jinja
-  service.running:
-    - name: {{ firewall['svc'] }}
-    - enable: True
-    - watch:
-      - file: iptables
-
 {% if firewall['remove'] is not none %}
 {{ firewall['remove'] }}:
   pkg.removed: []
 {% endif %}
+
+firewall:
+  pkg.installed:
+    - name: {{ firewall['pkg'] }}
+  service.running:
+    - name: {{ firewall['svc'] }}
+    - require:
+      - pkg: firewall
+
+iptables accept established conns:
+  iptables.insert:
+    - table: filter
+    - position: 1
+    - chain: INPUT
+    - jump: ACCEPT
+    - match: state
+    - connstate: RELATED,ESTABLISHED
+    - save: True
+
+iptables accept ssh:
+  iptables.append:
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - match: state
+    - connstate: NEW
+    - dport: 22
+    - protocol: tcp
+    - save: True
+
+iptables accept ICMP:
+  iptables.append:
+    - table: filter
+    - chain: INPUT
+    - protocol: icmp
+    - jump: ACCEPT
+    - save: True
+
+iptables accept local:
+  iptables.append:
+    - table: filter
+    - chain: INPUT
+    - in-interface: lo
+    - jump: ACCEPT
+    - save: True
+
+{% for tcp_port, comment in salt.pillar.get('firewall:ig_tcp', {}).items() %}
+iptables accept TCP {{ tcp_port }}:
+  iptables.append:
+    - table: filter
+    - chain: INPUT
+    - protocol: tcp
+    - match: state
+    - connstate: NEW
+    - dport: {{ tcp_port }}
+    - jump: ACCEPT
+    - comment: {{ comment | yaml_encode }}
+    - save: True
+{% endfor %}
+
+{% set ig_tcp_hosts = salt.pillar.get('firewall:ig_tcp_hosts', {}) %}
+
+{% for tcp_port in ig_tcp_hosts.keys() %}
+{%   for host, comment in ig_tcp_hosts[tcp_port].items() %}
+iptables accept TCP {{ tcp_port }} from {{ host }}:
+  iptables.append:
+    - table: filter
+    - chain: INPUT
+    - protocol: tcp
+    - match: state
+    - connstate: NEW
+    - dport: {{ tcp_port }}
+    - source: {{ host }}
+    - comment: {{ comment | yaml_encode }}
+    - jump: ACCEPT
+    - save: True
+{%   endfor %}
+{% endfor %}
+
+{% for chain in ('INPUT', 'FORWARD') %}
+iptables {{ chain }} default DROP:
+  iptables.set_policy:
+    - table: filter
+    - chain: {{ chain }}
+    - save: True
+    - policy: DROP
+{% endfor %}
+