ExternalMirrors
/
iptables-formula
mirror of https://github.com/salt-formulas/salt-formula-iptables
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 6 Wiki Activity
Saltstack Official IPTables Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5 Commits
2 Branches
Tree: cf977c62f0
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'cf977c62f0'
${ noResults }
iptables-formula/README.rst

README.rst 9.2KB
Raw Normal View History

Initial commit
9 years ago
Allow setting iptables chain policy
9 years ago
Initial commit
9 years ago
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309 
  1. 

  2. ================

  3. iptables formula

  4. ================

  5. 

  6. iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores.

  7. 

  8. Sample pillars

  9. ==============

  10. 

  11. Simple INPUT chain httpd ACCEPT rule on position 1

  12. 

  13. .. code-block:: yaml

  14. 

  15.     iptables:

  16.       service:

  17.         enabled: false

  18.           chain:

  19.             INPUT:

  20.               enabled: true

  21.               policy: DROP

  22.               rule:

  23.                 httpd:

  24.                   position: 1

  25.                   table: filter

  26.                   jump: ACCEPT

  27.                   family: ipv6

  28.                   match: state

  29.                   connection_state: NEW

  30.                   protocol: tcp

  31.                   source_port: 1025:65535

  32.                   destination_port: 80

  33. 

  34. Read more

  35. =========

  36. 

  37. * http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html

  38. * https://help.ubuntu.com/community/IptablesHowTo

  39. * http://wiki.centos.org/HowTos/Network/IPTables

  40. 

  41. .. code-block:: yaml

  42. 

  43.   chain:

  44.     PREROUTING:

  45.       enabled: true

  46.       rule:

  47.         dnat_ssh_185:

  48.           table: filter

  49.           jump: DNAT

  50.           match: tcp

  51.           protocol: tcp

  52.           destination_network: 185.22.97.132/32

  53.           destination_port: 20022

  54.           to_destination:

  55.             host: 10.0.110.38

  56.             port: 22

  57.           comment: Premapovani ssh zvenku na standardni port

  58.         dnat_ssh_10:

  59.           table: filter

  60.           jump: DNAT

  61.           match: tcp

  62.           protocol: tcp

  63.           destination_network: 10.0.110.38/32

  64.           destination_port: 20022

  65.           to_destination:

  66.             host: 10.0.110.38

  67.             port: 22

  68.           comment: Premapovani ssh 20022-22

  69.         redirect_vpn_185:

  70.           table: filter

  71.           jump: REDIRECT

  72.           match: udp

  73.           protocol: udp

  74.           destination_network: 185.22.97.132/32

  75.           destination_port: 3690

  76.           to_port:

  77.             port: 1194

  78.           comment: Presmerovani VPN portu 3690 > 1194

  79.     POSTROUTING:

  80.       enabled: true

  81.       rule:

  82.         snat_vpn_185:

  83.           table: filter

  84.           jump: SNAT

  85.           match: udp

  86.           protocol: udp

  87.           source_network: 10.8.0.0/24

  88.           out_interface: eth1

  89.           to_source:

  90.             host: 185.22.97.132

  91.           comment: NAT pro klienty administratorske VPNky

  92.     INPUT:

  93.       enabled: true

  94.       rule:

  95.         allow_conn_established:

  96.           table: filter

  97.           jump: ACCEPT

  98.           match: state

  99.           connection_state: RELATED,ESTABLISHED

  100.           comment: Vsechen provoz souvisejici s povolenymi pravidly pustit

  101.         allow_proto_icmp:

  102.           table: filter

  103.           jump: ACCEPT

  104.           protocol: icmp

  105.           comment: ICMP nechceme filtrovat

  106.         allow_iface_lo:

  107.           table: filter

  108.           jump: ACCEPT

  109.           in_interface: lo

  110.           comment: Lokalni smycka muze vsechno

  111.         allow_ssh_10.0.110.38:

  112.           table: filter

  113.           jump: ACCEPT

  114.           match: tcp

  115.           protocol: tcp

  116.           destination_network: 10.0.110.38/32

  117.           destination_port: 22

  118.           comment: SSH z lokalni site

  119.         allow_ssh_10.8.0.1:

  120.           table: filter

  121.           jump: ACCEPT

  122.           match: tcp

  123.           protocol: tcp

  124.           destination_network: 10.8.0.1/32

  125.           destination_port: 22

  126.           comment: SSH z VPN site

  127.         allow_ssh_private_10:

  128.           table: filter

  129.           jump: ACCEPT

  130.           match: state

  131.           connection_state: NEW

  132.           source_network: 10.0.0.0/8

  133.           destination_network: 185.22.97.132/32

  134.           destination_port: 22

  135.           comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol

  136.         allow_ssh_private_192:

  137.           table: filter

  138.           jump: ACCEPT

  139.           match: state

  140.           connection_state: NEW

  141.           source_network: 192.0.0.0/8

  142.           destination_network: 185.22.97.132/32

  143.           destination_port: 22

  144.           comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol

  145.         allow_ssh_private_172:

  146.           table: filter

  147.           jump: ACCEPT

  148.           match: state

  149.           connection_state: NEW

  150.           source_network: 172.16.162.0/24

  151.           destination_network: 185.22.97.132/32

  152.           destination_port: 22

  153.           comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol

  154.         allow_ssh_private_185:

  155.           table: filter

  156.           jump: ACCEPT

  157.           match: state

  158.           connection_state: NEW

  159.           source_network: 185.22.97.0/24

  160.           destination_network: 185.22.97.132/32

  161.           destination_port: 22

  162.           comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol

  163.         deny_ssh_public:

  164.           table: filter

  165.           jump: DROP

  166.           match: tpc

  167.           protocol: tcp

  168.           destination_network: 185.22.97.132/32

  169.           destination_port: 22

  170.           comment: ssh z vnejsi site na obvykly port ZAKAZAT, budeme ho presmerovavat

  171.         allow_ssh_public_redirect:

  172.           table: filter

  173.           jump: ACCEPT

  174.           match: tpc

  175.           protocol: tcp

  176.           destination_port: 22022

  177.           comment: nahradni ssh port bude presmerovan na 22 pokud se prijde z vnejsi site

  178.         allow_zabbix_server:

  179.           table: filter

  180.           jump: ACCEPT

  181.           match: tpc

  182.           protocol: tcp

  183.           source_network: 10.0.110.36/32

  184.           destination_port: 10050

  185.           comment: zabbix monitoring

  186.         allow_tsmc_web_10:

  187.           table: filter

  188.           jump: ACCEPT

  189.           match: tpc

  190.           protocol: tcp

  191.           source_network: 10.0.0.0/8

  192.           destination_port: 1581

  193.           comment: tsm client web gui

  194.         allow_tsmc_37010_10:

  195.           table: filter

  196.           jump: ACCEPT

  197.           match: state

  198.           protocol: tcp

  199.           source_network: 10.0.0.0/8

  200.           destination_port: 37010

  201.           comment: tsmc web

  202.         allow_tsmc_39876_10:

  203.           table: filter

  204.           jump: ACCEPT

  205.           match: state

  206.           protocol: tcp

  207.           source_network: 10.0.0.0/8

  208.           destination_port: 39876

  209.           comment: tsmc web

  210.         allow_tsm_web_172:

  211.           table: filter

  212.           jump: ACCEPT

  213.           match: tpc

  214.           protocol: tcp

  215.           source_network: 172.16.162.0/24

  216.           destination_port: 1581

  217.           comment: tsm client web gui

  218.         allow_tsmc_37010_172:

  219.           table: filter

  220.           jump: ACCEPT

  221.           match: state

  222.           protocol: tcp

  223.           source_network: 172.16.162.0/24

  224.           destination_port: 37010

  225.           comment: tsmc web

  226.         allow_tsmc_39876_172:

  227.           table: filter

  228.           jump: ACCEPT

  229.           match: state

  230.           protocol: tcp

  231.           source_network: 172.16.162.0/24

  232.           destination_port: 39876

  233.           comment: tsmc web

  234.         allow_vpn_public:

  235.           table: filter

  236.           jump: ACCEPT

  237.           match: state

  238.           connection_state: NEW

  239.           destination_port: 1194

  240.           comment: Povolime VPN odkudkoli

  241.         reject_rest:

  242.           table: filter

  243.           jump: REJECT

  244.           comment: Zdvorile odmitame ostatni komunikaci; --reject-with icmp-host-prohibited neni

  245.     FORWARD:

  246.       enabled: true

  247.       rule:

  248.         allow_conn_established:

  249.           table: filter

  250.           jump: ACCEPT

  251.           match: state

  252.           connection_state: RELATED,ESTABLISHED

  253.           comment: Vsechen provoz souvisejici s povolenymi pravidly pustit

  254.         snat_vpn_185:

  255.           table: filter

  256.           jump: SNAT

  257.           match: udp

  258.           protocol: udp

  259.           source_network: 10.8.0.0/24

  260.           out_interface: eth1

  261.           to_source:

  262.             host: 185.22.97.132

  263.           comment: NAT pro klienty administratorske VPNky

  264.         accept_net_10.0.110.0_vpn:

  265.           table: filter

  266.           jump: ACCEPT

  267.           source_network: 10.0.110.0/24

  268.           destionation_network: 10.8.0.0/24

  269.           comment: vnitrni komunikace management

  270.         accept_net_10.10.0.0_vpn:

  271.           table: filter

  272.           jump: ACCEPT

  273.           source_network: 10.10.0.0/16

  274.           destionation_network: 10.8.0.0/24

  275.           comment: vnitrni komunikace management

  276.         accept_net_10.0.101.0_vpn:

  277.           table: filter

  278.           jump: ACCEPT

  279.           source_network: 10.0.101.0/24

  280.           destionation_network: 10.8.0.0/24

  281.           comment: vnitrni komunikace VLAN1501

  282.         accept_net_10.0.102.0_vpn:

  283.           table: filter

  284.           jump: ACCEPT

  285.           source_network: 10.0.102.0/24

  286.           destionation_network: 10.8.0.0/24

  287.           comment: vnitrni komunikace VLAN1502

  288.         accept_net_10.0.103.0_vpn:

  289.           table: filter

  290.           jump: ACCEPT

  291.           source_network: 10.0.103.0/24

  292.           destionation_network: 10.8.0.0/24

  293.           comment: vnitrni komunikace VLAN1503

  294.         accept_net_10.0.106.0_vpn:

  295.           table: filter

  296.           jump: ACCEPT

  297.           source_network: 10.0.106.0/24

  298.           destionation_network: 10.8.0.0/24

  299.           comment: vnitrni komunikace VLAN1506

  300.         accept_net_10.0.110.0:

  301.           table: filter

  302.           jump: ACCEPT

  303.           source_network: 10.0.110.0/24

  304.           comment: Vse ze site 10.0.110.0

  305.         accept_net_10.8.0.0:

  306.           table: filter

  307.           jump: ACCEPT

  308.           source_network: 10.8.0.0/24

  309.           comment: Z teto VPN se smi skoro vsechno