
================
iptables formula
================

iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores.

Sample pillars
==============

Simple INPUT chain httpd ACCEPT rule on position 1

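.. code-block:: yaml

    iptables:
      service:
        enabled: false
        chain:
          INPUT:
            enabled: true
            # with a DROP policy, everything not explicitly accepted is silently dropped
            policy: DROP
            rule:
              httpd:
                # pins the rule's place in the chain; order matters once a
                # restrictive policy or a catch-all rule is present
                position: 1
                table: filter
                jump: ACCEPT
                family: ipv6
                match: state
                connection_state: NEW
                protocol: tcp
                # quoted so the colon-separated port range is always read as a
                # string and never as a number by a YAML 1.1 loader
                source_port: '1025:65535'
                destination_port: 80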

Read more
=========

* http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html
* https://help.ubuntu.com/community/IptablesHowTo
* http://wiki.centos.org/HowTos/Network/IPTables

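.. code-block:: yaml

    # Fragment that presumably sits under the same ``iptables:service:`` keys as
    # the first sample: NAT for a host with one public address (185.22.97.132),
    # ssh on a non-standard public port, an OpenVPN endpoint on UDP/1194 and
    # forwarding between internal networks and the VPN subnet.
    #
    # Rule order matters in INPUT (``reject_rest`` must stay last); if the
    # formula does not preserve pillar order, pin it with ``position:`` as in
    # the first sample -- TODO confirm against the formula.
    chain:
      PREROUTING:
        enabled: true
        rule:
          # DNAT and REDIRECT are nat-table targets; iptables rejects them in the
          # filter table, so these rules use ``table: nat``
          dnat_ssh_185:
            table: nat
            jump: DNAT
            match: tcp
            protocol: tcp
            destination_network: 185.22.97.132/32
            destination_port: 20022
            to_destination:
              host: 10.0.110.38
              port: 22
            comment: Premapovani ssh zvenku na standardni port
          dnat_ssh_10:
            table: nat
            jump: DNAT
            match: tcp
            protocol: tcp
            destination_network: 10.0.110.38/32
            destination_port: 20022
            to_destination:
              host: 10.0.110.38
              port: 22
            comment: Premapovani ssh 20022-22
          redirect_vpn_185:
            table: nat
            jump: REDIRECT
            match: udp
            protocol: udp
            destination_network: 185.22.97.132/32
            destination_port: 3690
            to_port:
              port: 1194
            comment: Presmerovani VPN portu 3690 > 1194
      POSTROUTING:
        enabled: true
        rule:
          # SNAT is only valid in nat/POSTROUTING; masquerades VPN clients
          # leaving via eth1 behind the public address
          snat_vpn_185:
            table: nat
            jump: SNAT
            match: udp
            protocol: udp
            source_network: 10.8.0.0/24
            out_interface: eth1
            to_source:
              host: 185.22.97.132
            comment: NAT pro klienty administratorske VPNky
      INPUT:
        enabled: true
        rule:
          allow_conn_established:
            table: filter
            jump: ACCEPT
            match: state
            connection_state: RELATED,ESTABLISHED
            comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
          allow_proto_icmp:
            table: filter
            jump: ACCEPT
            protocol: icmp
            comment: ICMP nechceme filtrovat
          allow_iface_lo:
            table: filter
            jump: ACCEPT
            in_interface: lo
            comment: Lokalni smycka muze vsechno
          # after the PREROUTING DNAT, external ssh arrives here with
          # destination 10.0.110.38:22 and is accepted by this rule
          allow_ssh_10.0.110.38:
            table: filter
            jump: ACCEPT
            match: tcp
            protocol: tcp
            destination_network: 10.0.110.38/32
            destination_port: 22
            comment: SSH z lokalni site
          allow_ssh_10.8.0.1:
            table: filter
            jump: ACCEPT
            match: tcp
            protocol: tcp
            destination_network: 10.8.0.1/32
            destination_port: 22
            comment: SSH z VPN site
          allow_ssh_private_10:
            table: filter
            jump: ACCEPT
            match: state
            connection_state: NEW
            # iptables accepts --dport only together with -p
            protocol: tcp
            source_network: 10.0.0.0/8
            destination_network: 185.22.97.132/32
            destination_port: 22
            comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol
          allow_ssh_private_192:
            table: filter
            jump: ACCEPT
            match: state
            connection_state: NEW
            protocol: tcp
            # RFC 1918 block; 192.0.0.0/8 would also admit large public ranges
            # to the standard ssh port, contrary to the rule's intent
            source_network: 192.168.0.0/16
            destination_network: 185.22.97.132/32
            destination_port: 22
            comment: ssh z vnitrni site 192.168.0.0/16 povolit na obvykly protokol
          allow_ssh_private_172:
            table: filter
            jump: ACCEPT
            match: state
            connection_state: NEW
            protocol: tcp
            source_network: 172.16.162.0/24
            destination_network: 185.22.97.132/32
            destination_port: 22
            comment: ssh z vnitrni site 172.16.162.0/24 povolit na obvykly protokol
          allow_ssh_private_185:
            table: filter
            jump: ACCEPT
            match: state
            connection_state: NEW
            protocol: tcp
            source_network: 185.22.97.0/24
            destination_network: 185.22.97.132/32
            destination_port: 22
            comment: ssh z vnitrni site 185.22.97.0/24 povolit na obvykly protokol
          # everyone else is dropped on the standard port and has to use the
          # DNATed alternate port
          deny_ssh_public:
            table: filter
            jump: DROP
            match: tcp
            protocol: tcp
            destination_network: 185.22.97.132/32
            destination_port: 22
            comment: ssh z vnejsi site na obvykly port ZAKAZAT, budeme ho presmerovavat
          allow_ssh_public_redirect:
            table: filter
            jump: ACCEPT
            match: tcp
            protocol: tcp
            # NOTE(review): PREROUTING rewrites port 20022, this rule accepts
            # 22022 -- confirm which alternate port is intended
            destination_port: 22022
            comment: nahradni ssh port bude presmerovan na 22 pokud se prijde z vnejsi site
          allow_zabbix_server:
            table: filter
            jump: ACCEPT
            match: tcp
            protocol: tcp
            source_network: 10.0.110.36/32
            destination_port: 10050
            comment: zabbix monitoring
          allow_tsmc_web_10:
            table: filter
            jump: ACCEPT
            match: tcp
            protocol: tcp
            source_network: 10.0.0.0/8
            destination_port: 1581
            comment: tsm client web gui
          # ``-m state`` requires ``--state``; these port rules carry no
          # connection_state, so they match on tcp like the sibling rules
          allow_tsmc_37010_10:
            table: filter
            jump: ACCEPT
            match: tcp
            protocol: tcp
            source_network: 10.0.0.0/8
            destination_port: 37010
            comment: tsmc web
          allow_tsmc_39876_10:
            table: filter
            jump: ACCEPT
            match: tcp
            protocol: tcp
            source_network: 10.0.0.0/8
            destination_port: 39876
            comment: tsmc web
          allow_tsm_web_172:
            table: filter
            jump: ACCEPT
            match: tcp
            protocol: tcp
            source_network: 172.16.162.0/24
            destination_port: 1581
            comment: tsm client web gui
          allow_tsmc_37010_172:
            table: filter
            jump: ACCEPT
            match: tcp
            protocol: tcp
            source_network: 172.16.162.0/24
            destination_port: 37010
            comment: tsmc web
          allow_tsmc_39876_172:
            table: filter
            jump: ACCEPT
            match: tcp
            protocol: tcp
            source_network: 172.16.162.0/24
            destination_port: 39876
            comment: tsmc web
          allow_vpn_public:
            table: filter
            jump: ACCEPT
            match: state
            connection_state: NEW
            # the VPN is UDP (see redirect_vpn_185); -p is required for --dport
            protocol: udp
            destination_port: 1194
            comment: Povolime VPN odkudkoli
          # catch-all; must remain the last rule of the chain
          reject_rest:
            table: filter
            jump: REJECT
            comment: Zdvorile odmitame ostatni komunikaci; --reject-with icmp-host-prohibited neni
      FORWARD:
        enabled: true
        rule:
          allow_conn_established:
            table: filter
            jump: ACCEPT
            match: state
            connection_state: RELATED,ESTABLISHED
            comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
          # the VPN SNAT is the nat/POSTROUTING rule above; SNAT is not a valid
          # target in filter/FORWARD, so it is not repeated here
          accept_net_10.0.110.0_vpn:
            table: filter
            jump: ACCEPT
            source_network: 10.0.110.0/24
            destination_network: 10.8.0.0/24
            comment: vnitrni komunikace management
          accept_net_10.10.0.0_vpn:
            table: filter
            jump: ACCEPT
            source_network: 10.10.0.0/16
            destination_network: 10.8.0.0/24
            comment: vnitrni komunikace management
          accept_net_10.0.101.0_vpn:
            table: filter
            jump: ACCEPT
            source_network: 10.0.101.0/24
            destination_network: 10.8.0.0/24
            comment: vnitrni komunikace VLAN1501
          accept_net_10.0.102.0_vpn:
            table: filter
            jump: ACCEPT
            source_network: 10.0.102.0/24
            destination_network: 10.8.0.0/24
            comment: vnitrni komunikace VLAN1502
          accept_net_10.0.103.0_vpn:
            table: filter
            jump: ACCEPT
            source_network: 10.0.103.0/24
            destination_network: 10.8.0.0/24
            comment: vnitrni komunikace VLAN1503
          accept_net_10.0.106.0_vpn:
            table: filter
            jump: ACCEPT
            source_network: 10.0.106.0/24
            destination_network: 10.8.0.0/24
            comment: vnitrni komunikace VLAN1506
          # unrestricted forwarding from the management network and the VPN
          accept_net_10.0.110.0:
            table: filter
            jump: ACCEPT
            source_network: 10.0.110.0/24
            comment: Vse ze site 10.0.110.0
          accept_net_10.8.0.0:
            table: filter
            jump: ACCEPT
            source_network: 10.8.0.0/24
            comment: Z teto VPN se smi skoro vsechno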