config-mgmt/salt-states
0
0
Fork 0
Code Releases Activity
Files
master
salt-states/firewall/init.sls

95 lines
2.0 KiB
Plaintext
Raw Permalink Blame History

{% from "firewall/map.jinja" import firewall with context %}
{% if firewall['remove'] is not none %}
{{ firewall['remove'] }}:
pkg.removed: []
{% endif %}
firewall:
pkg.installed:
- name: {{ firewall['pkg'] }}
service.running:
- name: {{ firewall['svc'] }}
- require:
- pkg: firewall
iptables accept established conns:
iptables.insert:
- table: filter
- position: 1
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: RELATED,ESTABLISHED
- save: True
iptables accept ssh:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 22
- protocol: tcp
- save: True
iptables accept ICMP:
iptables.append:
- table: filter
- chain: INPUT
- protocol: icmp
- jump: ACCEPT
- save: True
iptables accept local:
iptables.append:
- table: filter
- chain: INPUT
- in-interface: lo
- jump: ACCEPT
- save: True
{% for tcp_port, comment in salt.pillar.get('firewall:ig_tcp', {}).items() %}
iptables accept TCP {{ tcp_port }}:
iptables.append:
- table: filter
- chain: INPUT
- protocol: tcp
- match: state
- connstate: NEW
- dport: {{ tcp_port }}
- jump: ACCEPT
- comment: {{ comment | yaml_encode }}
- save: True
{% endfor %}
{% set ig_tcp_hosts = salt.pillar.get('firewall:ig_tcp_hosts', {}) %}
{% for tcp_port in ig_tcp_hosts.keys() %}
{% for host, comment in ig_tcp_hosts[tcp_port].items() %}
iptables accept TCP {{ tcp_port }} from {{ host }}:
iptables.append:
- table: filter
- chain: INPUT
- protocol: tcp
- match: state
- connstate: NEW
- dport: {{ tcp_port }}
- source: {{ host }}
- comment: {{ comment | yaml_encode }}
- jump: ACCEPT
- save: True
{% endfor %}
{% endfor %}
{% for chain in ('INPUT', 'FORWARD') %}
iptables {{ chain }} default DROP:
iptables.set_policy:
- table: filter
- chain: {{ chain }}
- save: True
- policy: DROP
{% endfor %}
View Git Blame Copy Permalink