Saltstack Official IPTables Formula

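  {#- Renders one iptables.insert (when rule.position is set) or iptables.append state
      for a single firewall rule.  The enclosing loop is outside this listing; it is
      expected to bind: rule (the rule mapping), rule_name, chain_name, chains, loop.index
      and, optionally, service_name.  Recognised rule keys: position, table (default
      'filter'), family, jump, match, comment, connection_state, protocol,
      destination_port, destination_ports, source_port, in_interface, out_interface,
      to_destination, to_port, to_source, source_network, destination_network,
      log_prefix, log_level, limit. #}
  iptables_{{ chain_name }}_{{ rule_name }}:
    {%- if rule.position is defined %}
    iptables.insert:
      - position: {{ rule.position }}
    {%- else %}
    iptables.append:
    {%- endif %}
      - table: {{ rule.get('table', 'filter') }}
      - chain: {{ chain_name }}
      {%- if rule.family is defined %}
      - family: {{ rule.family }}
      {%- endif %}
      {%- if rule.jump is defined %}
      - jump: {{ rule.jump }}
      {%- endif %}
      {%- if rule.match is defined %}
      - match: {{ rule.match }}
      {%- endif %}
      {%- if rule.comment is defined %}
      {#- NOTE(review): rendered unquoted, so a comment containing ': ' or ' #' changes
          the YAML structure; left as-is because single-quoting would instead break a
          comment that contains a quote character — confirm which trade-off this
          formula wants. #}
      - comment: {{ rule.comment }}
      {%- endif %}
      {%- if rule.connection_state is defined %}
      - connstate: {{ rule.connection_state }}
      {%- endif %}
      {%- if rule.protocol is defined %}
      - proto: {{ rule.protocol }}
      {%- endif %}
      {#- Port values are quoted: the YAML loader reads an unquoted 'low:high' range such
          as 20:21 as the sexagesimal integer 1221, which would silently become a wrong
          --dport/--sport; a quoted port renders to the same iptables argument. #}
      {%- if rule.destination_port is defined %}
      - dport: '{{ rule.destination_port }}'
      {%- endif %}
      {%- if rule.destination_ports is defined %}
      - dports:
        {%- for port in rule.destination_ports %}
        - '{{ port }}'
        {%- endfor %}
      {%- endif %}
      {%- if rule.source_port is defined %}
      - sport: '{{ rule.source_port }}'
      {%- endif %}
      {%- if rule.in_interface is defined %}
      - in-interface: {{ rule.in_interface }}
      {%- endif %}
      {%- if rule.out_interface is defined %}
      - out-interface: {{ rule.out_interface }}
      {%- endif %}
      {%- if rule.to_destination is defined %}
      - to-destination: {{ rule.to_destination }}
      {%- endif %}
      {%- if rule.to_port is defined %}
      - to-port: '{{ rule.to_port }}'
      {%- endif %}
      {%- if rule.to_source is defined %}
      - to-source: {{ rule.to_source }}
      {%- endif %}
      {%- if rule.source_network is defined %}
      - source: {{ rule.source_network }}
      {%- endif %}
      {%- if rule.destination_network is defined %}
      - destination: {{ rule.destination_network }}
      {%- endif %}
      {%- if rule.log_prefix is defined %}
      - log-prefix: '{{ rule.log_prefix }}'
      {%- endif %}
      {%- if rule.log_level is defined %}
      - log-level: {{ rule.log_level }}
      {%- endif %}
      {%- if rule.limit is defined %}
      - limit: '{{ rule.limit }}'
      {%- endif %}
      {%- if chain.policy is defined %}
      {#- 'chain' is whatever the enclosing template binds (the 'for chain in chains'
          loop below does not leak its variable); require_in makes the chain's policy
          state depend on this rule. #}
      - require_in:
        - iptables: iptables_{{ chain_name }}_policy
      {%- endif %}
      {#- All requisites are collected in ONE require list.  Salt copies each argument key
          into the state chunk, so a state that carries two 'require' items keeps only the
          last one; the previous layout (ordering requisite near the top, chain requisite
          at the bottom) therefore lost the ordering requisite on every non-container host. #}
      {%- set require_chain = grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
      {%- if rule.position is not defined or require_chain %}
      - require:
        {%- if rule.position is not defined %}
          {#- Appended rules run after the previous rule of the same chain (and service);
              this assumes the previous rule's state id ends in its 1-based loop index —
              confirm against the enclosing loop.  The first rule waits for all chains. #}
          {%- if loop.index != 1 %}
        - iptables: iptables_{{ chain_name }}_{% if service_name is defined %}{{ service_name }}_{% endif %}{{ loop.index - 1 }}
          {%- else %}
            {%- for chain in chains %}
        - iptables: iptables_{{ chain }}
            {%- endfor %}
          {%- endif %}
        {%- endif %}
        {%- if require_chain %}
        {#- Skipped inside Docker/LXC, presumably because the chain state is not rendered
            there — verify against the chain states. #}
        - iptables: iptables_{{ chain_name }}{% if rule.family is defined %}_{{ rule.family }}{% endif %}
        {%- endif %}
      {%- endif %}
      - save: True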