ExternalMirrors
/
iptables-formula
mirror of https://github.com/salt-formulas/salt-formula-iptables
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 6 Wiki Activity
Saltstack Official IPTables Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1 Commit
2 Branches
Tree: ab43e7b3a6
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ab43e7b3a6'
${ noResults }
iptables-formula/README.rst

README.rst 9.1KB
Raw Normal View History

Initial commit
9 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308 
  1. 

  2. ================

  3. iptables formula

  4. ================

  5. 

  6. iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores.

  7. 

  8. Sample pillars

  9. ==============

  10. 

  11. Simple INPUT chain httpd ACCEPT rule on position 1

  12. 

  13. .. code-block:: yaml

  14. 

  15.     iptables:

  16.       service:

  17.         enabled: false

  18.           chain:

  19.             INPUT:

  20.               enabled: true

  21.               rule:

  22.                 httpd:

  23.                   position: 1

  24.                   table: filter

  25.                   jump: ACCEPT

  26.                   family: ipv6

  27.                   match: state

  28.                   connection_state: NEW

  29.                   protocol: tcp

  30.                   source_port: 1025:65535

  31.                   destination_port: 80

  32. 

  33. Read more

  34. =========

  35. 

  36. * http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html

  37. * https://help.ubuntu.com/community/IptablesHowTo

  38. * http://wiki.centos.org/HowTos/Network/IPTables

  39. 

  40. .. code-block:: yaml

  41. 

  42.   chain:

  43.     PREROUTING:

  44.       enabled: true

  45.       rule:

  46.         dnat_ssh_185:

  47.           table: filter

  48.           jump: DNAT

  49.           match: tcp

  50.           protocol: tcp

  51.           destination_network: 185.22.97.132/32

  52.           destination_port: 20022

  53.           to_destination:

  54.             host: 10.0.110.38

  55.             port: 22

  56.           comment: Premapovani ssh zvenku na standardni port

  57.         dnat_ssh_10:

  58.           table: filter

  59.           jump: DNAT

  60.           match: tcp

  61.           protocol: tcp

  62.           destination_network: 10.0.110.38/32

  63.           destination_port: 20022

  64.           to_destination:

  65.             host: 10.0.110.38

  66.             port: 22

  67.           comment: Premapovani ssh 20022-22

  68.         redirect_vpn_185:

  69.           table: filter

  70.           jump: REDIRECT

  71.           match: udp

  72.           protocol: udp

  73.           destination_network: 185.22.97.132/32

  74.           destination_port: 3690

  75.           to_port:

  76.             port: 1194

  77.           comment: Presmerovani VPN portu 3690 > 1194

  78.     POSTROUTING:

  79.       enabled: true

  80.       rule:

  81.         snat_vpn_185:

  82.           table: filter

  83.           jump: SNAT

  84.           match: udp

  85.           protocol: udp

  86.           source_network: 10.8.0.0/24

  87.           out_interface: eth1

  88.           to_source:

  89.             host: 185.22.97.132

  90.           comment: NAT pro klienty administratorske VPNky

  91.     INPUT:

  92.       enabled: true

  93.       rule:

  94.         allow_conn_established:

  95.           table: filter

  96.           jump: ACCEPT

  97.           match: state

  98.           connection_state: RELATED,ESTABLISHED

  99.           comment: Vsechen provoz souvisejici s povolenymi pravidly pustit

  100.         allow_proto_icmp:

  101.           table: filter

  102.           jump: ACCEPT

  103.           protocol: icmp

  104.           comment: ICMP nechceme filtrovat

  105.         allow_iface_lo:

  106.           table: filter

  107.           jump: ACCEPT

  108.           in_interface: lo

  109.           comment: Lokalni smycka muze vsechno

  110.         allow_ssh_10.0.110.38:

  111.           table: filter

  112.           jump: ACCEPT

  113.           match: tcp

  114.           protocol: tcp

  115.           destination_network: 10.0.110.38/32

  116.           destination_port: 22

  117.           comment: SSH z lokalni site

  118.         allow_ssh_10.8.0.1:

  119.           table: filter

  120.           jump: ACCEPT

  121.           match: tcp

  122.           protocol: tcp

  123.           destination_network: 10.8.0.1/32

  124.           destination_port: 22

  125.           comment: SSH z VPN site

  126.         allow_ssh_private_10:

  127.           table: filter

  128.           jump: ACCEPT

  129.           match: state

  130.           connection_state: NEW

  131.           source_network: 10.0.0.0/8

  132.           destination_network: 185.22.97.132/32

  133.           destination_port: 22

  134.           comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol

  135.         allow_ssh_private_192:

  136.           table: filter

  137.           jump: ACCEPT

  138.           match: state

  139.           connection_state: NEW

  140.           source_network: 192.0.0.0/8

  141.           destination_network: 185.22.97.132/32

  142.           destination_port: 22

  143.           comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol

  144.         allow_ssh_private_172:

  145.           table: filter

  146.           jump: ACCEPT

  147.           match: state

  148.           connection_state: NEW

  149.           source_network: 172.16.162.0/24

  150.           destination_network: 185.22.97.132/32

  151.           destination_port: 22

  152.           comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol

  153.         allow_ssh_private_185:

  154.           table: filter

  155.           jump: ACCEPT

  156.           match: state

  157.           connection_state: NEW

  158.           source_network: 185.22.97.0/24

  159.           destination_network: 185.22.97.132/32

  160.           destination_port: 22

  161.           comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol

  162.         deny_ssh_public:

  163.           table: filter

  164.           jump: DROP

  165.           match: tpc

  166.           protocol: tcp

  167.           destination_network: 185.22.97.132/32

  168.           destination_port: 22

  169.           comment: ssh z vnejsi site na obvykly port ZAKAZAT, budeme ho presmerovavat

  170.         allow_ssh_public_redirect:

  171.           table: filter

  172.           jump: ACCEPT

  173.           match: tpc

  174.           protocol: tcp

  175.           destination_port: 22022

  176.           comment: nahradni ssh port bude presmerovan na 22 pokud se prijde z vnejsi site

  177.         allow_zabbix_server:

  178.           table: filter

  179.           jump: ACCEPT

  180.           match: tpc

  181.           protocol: tcp

  182.           source_network: 10.0.110.36/32

  183.           destination_port: 10050

  184.           comment: zabbix monitoring

  185.         allow_tsmc_web_10:

  186.           table: filter

  187.           jump: ACCEPT

  188.           match: tpc

  189.           protocol: tcp

  190.           source_network: 10.0.0.0/8

  191.           destination_port: 1581

  192.           comment: tsm client web gui

  193.         allow_tsmc_37010_10:

  194.           table: filter

  195.           jump: ACCEPT

  196.           match: state

  197.           protocol: tcp

  198.           source_network: 10.0.0.0/8

  199.           destination_port: 37010

  200.           comment: tsmc web

  201.         allow_tsmc_39876_10:

  202.           table: filter

  203.           jump: ACCEPT

  204.           match: state

  205.           protocol: tcp

  206.           source_network: 10.0.0.0/8

  207.           destination_port: 39876

  208.           comment: tsmc web

  209.         allow_tsm_web_172:

  210.           table: filter

  211.           jump: ACCEPT

  212.           match: tpc

  213.           protocol: tcp

  214.           source_network: 172.16.162.0/24

  215.           destination_port: 1581

  216.           comment: tsm client web gui

  217.         allow_tsmc_37010_172:

  218.           table: filter

  219.           jump: ACCEPT

  220.           match: state

  221.           protocol: tcp

  222.           source_network: 172.16.162.0/24

  223.           destination_port: 37010

  224.           comment: tsmc web

  225.         allow_tsmc_39876_172:

  226.           table: filter

  227.           jump: ACCEPT

  228.           match: state

  229.           protocol: tcp

  230.           source_network: 172.16.162.0/24

  231.           destination_port: 39876

  232.           comment: tsmc web

  233.         allow_vpn_public:

  234.           table: filter

  235.           jump: ACCEPT

  236.           match: state

  237.           connection_state: NEW

  238.           destination_port: 1194

  239.           comment: Povolime VPN odkudkoli

  240.         reject_rest:

  241.           table: filter

  242.           jump: REJECT

  243.           comment: Zdvorile odmitame ostatni komunikaci; --reject-with icmp-host-prohibited neni

  244.     FORWARD:

  245.       enabled: true

  246.       rule:

  247.         allow_conn_established:

  248.           table: filter

  249.           jump: ACCEPT

  250.           match: state

  251.           connection_state: RELATED,ESTABLISHED

  252.           comment: Vsechen provoz souvisejici s povolenymi pravidly pustit

  253.         snat_vpn_185:

  254.           table: filter

  255.           jump: SNAT

  256.           match: udp

  257.           protocol: udp

  258.           source_network: 10.8.0.0/24

  259.           out_interface: eth1

  260.           to_source:

  261.             host: 185.22.97.132

  262.           comment: NAT pro klienty administratorske VPNky

  263.         accept_net_10.0.110.0_vpn:

  264.           table: filter

  265.           jump: ACCEPT

  266.           source_network: 10.0.110.0/24

  267.           destionation_network: 10.8.0.0/24

  268.           comment: vnitrni komunikace management

  269.         accept_net_10.10.0.0_vpn:

  270.           table: filter

  271.           jump: ACCEPT

  272.           source_network: 10.10.0.0/16

  273.           destionation_network: 10.8.0.0/24

  274.           comment: vnitrni komunikace management

  275.         accept_net_10.0.101.0_vpn:

  276.           table: filter

  277.           jump: ACCEPT

  278.           source_network: 10.0.101.0/24

  279.           destionation_network: 10.8.0.0/24

  280.           comment: vnitrni komunikace VLAN1501

  281.         accept_net_10.0.102.0_vpn:

  282.           table: filter

  283.           jump: ACCEPT

  284.           source_network: 10.0.102.0/24

  285.           destionation_network: 10.8.0.0/24

  286.           comment: vnitrni komunikace VLAN1502

  287.         accept_net_10.0.103.0_vpn:

  288.           table: filter

  289.           jump: ACCEPT

  290.           source_network: 10.0.103.0/24

  291.           destionation_network: 10.8.0.0/24

  292.           comment: vnitrni komunikace VLAN1503

  293.         accept_net_10.0.106.0_vpn:

  294.           table: filter

  295.           jump: ACCEPT

  296.           source_network: 10.0.106.0/24

  297.           destionation_network: 10.8.0.0/24

  298.           comment: vnitrni komunikace VLAN1506

  299.         accept_net_10.0.110.0:

  300.           table: filter

  301.           jump: ACCEPT

  302.           source_network: 10.0.110.0/24

  303.           comment: Vse ze site 10.0.110.0

  304.         accept_net_10.8.0.0:

  305.           table: filter

  306.           jump: ACCEPT

  307.           source_network: 10.8.0.0/24

  308.           comment: Z teto VPN se smi skoro vsechno