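{% from "firewall/map.jinja" import firewall with context %}
# Host firewall state.
# Installs the iptables package/service named in firewall/map.jinja, then
# builds the filter/INPUT chain: accept RELATED/ESTABLISHED, SSH, ICMP,
# loopback and pillar-listed TCP ports, and finally sets INPUT and FORWARD
# to a DROP policy. OUTPUT is left at whatever policy it already has.
#
# Pillar keys read:
#   firewall:ig_tcp        -> mapping of port -> comment (open to any source)
#   firewall:ig_tcp_hosts  -> mapping of port -> {source -> comment}
#
# NOTE(review): no `family` is given on any iptables state, so these rules
# apply to the default family (IPv4) only; ip6tables is not managed here.
# Confirm whether the targeted hosts have IPv6 enabled before relying on
# this file as the complete host firewall.

{% if firewall['remove'] is not none %}
# Remove whatever conflicting package map.jinja names in firewall['remove']
# (skipped entirely when it is none).
{{ firewall['remove'] }}:
  pkg.removed: []
{% endif %}

firewall:
  pkg.installed:
    - name: {{ firewall['pkg'] }}
  service.running:
    - name: {{ firewall['svc'] }}
    - require:
      - pkg: firewall

# Inserted at position 1 so replies to already-established connections are
# matched before any other INPUT rule.
iptables accept established conns:
  iptables.insert:
    - table: filter
    - position: 1
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: RELATED,ESTABLISHED
    - save: true

# SSH is accepted from any source. Source-restricted openings are possible
# via firewall:ig_tcp_hosts, but this rule alone makes 22/tcp world-reachable.
iptables accept ssh:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 22
    - protocol: tcp
    - save: true

iptables accept ICMP:
  iptables.append:
    - table: filter
    - chain: INPUT
    - protocol: icmp
    - jump: ACCEPT
    - save: true

iptables accept local:
  iptables.append:
    - table: filter
    - chain: INPUT
    - in-interface: lo
    - jump: ACCEPT
    - save: true

{#- Pillar-sourced values are passed through yaml_encode (as `comment`
    already was) so strings that YAML 1.1 would otherwise retype -- e.g. a
    port range such as "1000:10" (sexagesimal int) or a boolean-looking
    value -- reach iptables unchanged; ints are emitted as plain scalars. #}
{% for tcp_port, comment in salt.pillar.get('firewall:ig_tcp', {}).items() %}
iptables accept TCP {{ tcp_port }}:
  iptables.append:
    - table: filter
    - chain: INPUT
    - protocol: tcp
    - match: state
    - connstate: NEW
    - dport: {{ tcp_port | yaml_encode }}
    - jump: ACCEPT
    - comment: {{ comment | yaml_encode }}
    - save: true
{% endfor %}

{% set ig_tcp_hosts = salt.pillar.get('firewall:ig_tcp_hosts', {}) %}
{% for tcp_port, hosts in ig_tcp_hosts.items() %}
{% for host, comment in hosts.items() %}
iptables accept TCP {{ tcp_port }} from {{ host }}:
  iptables.append:
    - table: filter
    - chain: INPUT
    - protocol: tcp
    - match: state
    - connstate: NEW
    - dport: {{ tcp_port | yaml_encode }}
    - source: {{ host | yaml_encode }}
    - comment: {{ comment | yaml_encode }}
    - jump: ACCEPT
    - save: true
{% endfor %}
{% endfor %}

# Kept last: with Salt's default ordering, states run in file order, so the
# accept rules above are in place before the chain policy flips to DROP.
{% for chain in ('INPUT', 'FORWARD') %}
iptables {{ chain }} default DROP:
  iptables.set_policy:
    - table: filter
    - chain: {{ chain }}
    - save: true
    - policy: DROP
{% endfor %}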