ExternalMirrors
/
iptables-formula
mirror of https://github.com/salt-formulas/salt-formula-iptables
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 6 Wiki Activity
Saltstack Official IPTables Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
69 Commits
2 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
iptables-formula/README.rst

README.rst 3.1KB
Raw Permalink Normal View History

Refactor from the scratch Customer-Found Prod-Related: CEEMCP-19 Prod-Related: PROD-22620 Change-Id: Ib14838becc409c2f735d93b5fa8a8ead6ea1a5ec
6 years ago
Initial commit
9 years ago
Fix documentation, remove obsolete
8 years ago
Initial commit
9 years ago
Refactor from the scratch Customer-Found Prod-Related: CEEMCP-19 Prod-Related: PROD-22620 Change-Id: Ib14838becc409c2f735d93b5fa8a8ead6ea1a5ec
6 years ago
Fix documentation, remove obsolete
8 years ago
Refactor from the scratch Customer-Found Prod-Related: CEEMCP-19 Prod-Related: PROD-22620 Change-Id: Ib14838becc409c2f735d93b5fa8a8ead6ea1a5ec
6 years ago
added README example
7 years ago
Refactor from the scratch Customer-Found Prod-Related: CEEMCP-19 Prod-Related: PROD-22620 Change-Id: Ib14838becc409c2f735d93b5fa8a8ead6ea1a5ec
6 years ago
Unhardcode tables for chains. There is a way to manage tables in rules, but there is no way to manage tables for chains when setting policy. Looks like pillar structure is bad from the beginning and to not break backward compatibility, as same chain names may occur in different tables, so it is proposed to check if 'chain.policy' is map. And if it is, specific policies would be ensured for specific tables, otherwise table 'filter' would be used as a fallback. To ensure chains in specific tables we iterate over all rules in each chain. This hash is valid: parameters: iptables: service: enabled: true chain: OUTPUT: policy: ACCEPT FORWARD: policy: - table: mangle policy: DROP INPUT: policy: - table: nat policy: ACCEPT rules: - jump: ACCEPT protocol: icmp POSTROUTING: rules: - jump: MASQUERADE protocol: icmp out_interface: ens3 table: nat Prod-Related: CEEMCP-12 Prod-Related: EME-313 Change-Id: Ib5ba97dad165d3ef2dec7e053b391ea36a996103
6 years ago
Refactor from the scratch Customer-Found Prod-Related: CEEMCP-19 Prod-Related: PROD-22620 Change-Id: Ib14838becc409c2f735d93b5fa8a8ead6ea1a5ec
6 years ago
Unhardcode tables for chains. There is a way to manage tables in rules, but there is no way to manage tables for chains when setting policy. Looks like pillar structure is bad from the beginning and to not break backward compatibility, as same chain names may occur in different tables, so it is proposed to check if 'chain.policy' is map. And if it is, specific policies would be ensured for specific tables, otherwise table 'filter' would be used as a fallback. To ensure chains in specific tables we iterate over all rules in each chain. This hash is valid: parameters: iptables: service: enabled: true chain: OUTPUT: policy: ACCEPT FORWARD: policy: - table: mangle policy: DROP INPUT: policy: - table: nat policy: ACCEPT rules: - jump: ACCEPT protocol: icmp POSTROUTING: rules: - jump: MASQUERADE protocol: icmp out_interface: ens3 table: nat Prod-Related: CEEMCP-12 Prod-Related: EME-313 Change-Id: Ib5ba97dad165d3ef2dec7e053b391ea36a996103
6 years ago
Refactor from the scratch Customer-Found Prod-Related: CEEMCP-19 Prod-Related: PROD-22620 Change-Id: Ib14838becc409c2f735d93b5fa8a8ead6ea1a5ec
6 years ago
Setting up openstack tests for iptables formula Change-Id: Ib924de131cca35052b50555c280484ef0161ebaa
6 years ago
Refactor from the scratch Customer-Found Prod-Related: CEEMCP-19 Prod-Related: PROD-22620 Change-Id: Ib14838becc409c2f735d93b5fa8a8ead6ea1a5ec
6 years ago
Setting up openstack tests for iptables formula Change-Id: Ib924de131cca35052b50555c280484ef0161ebaa
6 years ago
Refactor from the scratch Customer-Found Prod-Related: CEEMCP-19 Prod-Related: PROD-22620 Change-Id: Ib14838becc409c2f735d93b5fa8a8ead6ea1a5ec
6 years ago
Setting up openstack tests for iptables formula Change-Id: Ib924de131cca35052b50555c280484ef0161ebaa
6 years ago
Refactor from the scratch Customer-Found Prod-Related: CEEMCP-19 Prod-Related: PROD-22620 Change-Id: Ib14838becc409c2f735d93b5fa8a8ead6ea1a5ec
6 years ago
Unhardcode tables for chains. There is a way to manage tables in rules, but there is no way to manage tables for chains when setting policy. Looks like pillar structure is bad from the beginning and to not break backward compatibility, as same chain names may occur in different tables, so it is proposed to check if 'chain.policy' is map. And if it is, specific policies would be ensured for specific tables, otherwise table 'filter' would be used as a fallback. To ensure chains in specific tables we iterate over all rules in each chain. This hash is valid: parameters: iptables: service: enabled: true chain: OUTPUT: policy: ACCEPT FORWARD: policy: - table: mangle policy: DROP INPUT: policy: - table: nat policy: ACCEPT rules: - jump: ACCEPT protocol: icmp POSTROUTING: rules: - jump: MASQUERADE protocol: icmp out_interface: ens3 table: nat Prod-Related: CEEMCP-12 Prod-Related: EME-313 Change-Id: Ib5ba97dad165d3ef2dec7e053b391ea36a996103
6 years ago
Initial commit
9 years ago
Unify Makefile, .gitignore and update readme
7 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110 
  1. =====================

  2. iptables salt formula

  3. =====================

  4. 

  5. Iptables is used to set up, maintain, and inspect the tables of IPv4 packet

  6. filter rules in the Linux kernel. Several different tables may be defined.

  7. Each table contains a number of built-in chains and may also contain

  8. user-defined chains.  Each chain is a list of rules which can match a set of

  9. packets. Each rule specifies what to do with a packet that matches. This is

  10. called a `target`, which may be a jump to a user-defined chain in the same

  11. table.

  12. 

  13. This version of a formula guarantees that manually added rules or rules which

  14. has been added in runtime would be removed.

  15. 

  16. In order to ensure architecture, proper epoch value should be specified.

  17. Refer to an example.

  18. 

  19. Sample pillars

  20. ==============

  21. 

  22. .. code-block:: yaml

  23. 

  24.     parameters:

  25.       iptables:

  26.         schema:

  27.           epoch: 1

  28.         service:

  29.           v4:

  30.             enabled: true

  31.             persistent_config: /etc/iptables/rules.v4

  32.             modules:

  33.             - nf_conntrack_ftp

  34.             - nf_conntrack_pptp

  35.           v6:

  36.             enabled: false

  37.             persistent_config: /etc/iptables/rules.v6

  38.             modules:

  39.             - nf_conntrack_ipv6

  40.         defaults:

  41.           v4:

  42.             metadata_rules: false

  43.             policy: ACCEPT

  44.             ruleset:

  45.               action: ACCEPT

  46.               params: ""

  47.               rule: ""

  48.           v6:

  49.             metadata_rules: false

  50.             policy: DROP

  51.             ruleset:

  52.               action: ACCEPT

  53.               params: ""

  54.               rule: ""

  55.         tables:

  56.           v4:

  57.             filter:

  58.               chains:

  59.                 INPUT:

  60.                   ruleset:

  61.                     5:

  62.                       action: log_drop

  63.                     10:

  64.                       rule: -s 192.168.0.0/24 -p tcp

  65.                 log_drop:

  66.                   policy: DROP

  67.                   ruleset:

  68.                     10:

  69.                       action: LOG

  70.                       comment: "Log my packets"

  71.             nat:

  72.               chains:

  73.                 OUTPUT: {}

  74.                 PREROUTING: {}

  75.                 POSTROUTING:

  76.                   policy: ACCEPT

  77.                   ruleset:

  78.                     10:

  79.                       rule: -s 192.168.0.0/24 -p tcp -o lo

  80.                       action: SNAT

  81.                       params: --to-source=127.0.0.1

  82. 

  83. 

  84. Read more

  85. =========

  86. 

  87. * http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html

  88. * https://help.ubuntu.com/community/IptablesHowTo

  89. * http://wiki.centos.org/HowTos/Network/IPTables

  90. 

  91. Documentation and Bugs

  92. ======================

  93. 

  94. To learn how to install and update salt-formulas, consult the documentation

  95. available online at:

  96. 

  97.     http://salt-formulas.readthedocs.io/

  98. 

  99. In the unfortunate event that bugs are discovered, they should be reported to

  100. the appropriate issue tracker. Use Github issue tracker for specific salt

  101. formula:

  102. 

  103.     https://github.com/salt-formulas/salt-formula-iptables/issues

  104. 

  105. 

  106. Developers wishing to work on the salt-formulas projects should always base

  107. their work on master branch and submit pull request against specific formula.

  108. 

  109.     https://github.com/salt-formulas/salt-formula-iptables

  110.