Saltstack Official IPTables Formula
================
iptables formula
================

iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores.

Sample pillars
==============

A simple INPUT chain httpd ACCEPT rule at position 1:

.. code-block:: yaml

    iptables:
      service:
        enabled: false
      chain:
        INPUT:
          enabled: true
          policy: DROP
          rule:
            httpd:
              position: 1
              table: filter
              jump: ACCEPT
              family: ipv6
              match: state
              connection_state: NEW
              protocol: tcp
              source_port: 1025:65535
              destination_port: 80

Read more
=========

* http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html
* https://help.ubuntu.com/community/IptablesHowTo
* http://wiki.centos.org/HowTos/Network/IPTables

A fuller pillar covering PREROUTING/POSTROUTING NAT, INPUT and FORWARD chains (NAT targets must be placed in the ``nat`` table):

.. code-block:: yaml

    iptables:
      chain:
        PREROUTING:
          enabled: true
          rule:
            dnat_ssh_185:
              table: nat
              jump: DNAT
              match: tcp
              protocol: tcp
              destination_network: 185.22.97.132/32
              destination_port: 20022
              to_destination:
                host: 10.0.110.38
                port: 22
              comment: Premapovani ssh zvenku na standardni port
            dnat_ssh_10:
              table: nat
              jump: DNAT
              match: tcp
              protocol: tcp
              destination_network: 10.0.110.38/32
              destination_port: 20022
              to_destination:
                host: 10.0.110.38
                port: 22
              comment: Premapovani ssh 20022-22
            redirect_vpn_185:
              table: nat
              jump: REDIRECT
              match: udp
              protocol: udp
              destination_network: 185.22.97.132/32
              destination_port: 3690
              to_port:
                port: 1194
              comment: Presmerovani VPN portu 3690 > 1194
        POSTROUTING:
          enabled: true
          rule:
            snat_vpn_185:
              table: nat
              jump: SNAT
              match: udp
              protocol: udp
              source_network: 10.8.0.0/24
              out_interface: eth1
              to_source:
                host: 185.22.97.132
              comment: NAT pro klienty administratorske VPNky
        INPUT:
          enabled: true
          rule:
            allow_conn_established:
              table: filter
              jump: ACCEPT
              match: state
              connection_state: RELATED,ESTABLISHED
              comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
            allow_proto_icmp:
              table: filter
              jump: ACCEPT
              protocol: icmp
              comment: ICMP nechceme filtrovat
            allow_iface_lo:
              table: filter
              jump: ACCEPT
              in_interface: lo
              comment: Lokalni smycka muze vsechno
            allow_ssh_10.0.110.38:
              table: filter
              jump: ACCEPT
              match: tcp
              protocol: tcp
              destination_network: 10.0.110.38/32
              destination_port: 22
              comment: SSH z lokalni site
            allow_ssh_10.8.0.1:
              table: filter
              jump: ACCEPT
              match: tcp
              protocol: tcp
              destination_network: 10.8.0.1/32
              destination_port: 22
              comment: SSH z VPN site
            allow_ssh_private_10:
              table: filter
              jump: ACCEPT
              match: state
              connection_state: NEW
              source_network: 10.0.0.0/8
              destination_network: 185.22.97.132/32
              destination_port: 22
              comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol
            allow_ssh_private_192:
              table: filter
              jump: ACCEPT
              match: state
              connection_state: NEW
              source_network: 192.0.0.0/8
              destination_network: 185.22.97.132/32
              destination_port: 22
              comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol
            allow_ssh_private_172:
              table: filter
              jump: ACCEPT
              match: state
              connection_state: NEW
              source_network: 172.16.162.0/24
              destination_network: 185.22.97.132/32
              destination_port: 22
              comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol
            allow_ssh_private_185:
              table: filter
              jump: ACCEPT
              match: state
              connection_state: NEW
              source_network: 185.22.97.0/24
              destination_network: 185.22.97.132/32
              destination_port: 22
              comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol
            deny_ssh_public:
              table: filter
              jump: DROP
              match: tcp
              protocol: tcp
              destination_network: 185.22.97.132/32
              destination_port: 22
              comment: ssh z vnejsi site na obvykly port ZAKAZAT, budeme ho presmerovavat
            allow_ssh_public_redirect:
              table: filter
              jump: ACCEPT
              match: tcp
              protocol: tcp
              destination_port: 22022
              comment: nahradni ssh port bude presmerovan na 22 pokud se prijde z vnejsi site
            allow_zabbix_server:
              table: filter
              jump: ACCEPT
              match: tcp
              protocol: tcp
              source_network: 10.0.110.36/32
              destination_port: 10050
              comment: zabbix monitoring
            allow_tsmc_web_10:
              table: filter
              jump: ACCEPT
              match: tcp
              protocol: tcp
              source_network: 10.0.0.0/8
              destination_port: 1581
              comment: tsm client web gui
            allow_tsmc_37010_10:
              table: filter
              jump: ACCEPT
              match: tcp
              protocol: tcp
              source_network: 10.0.0.0/8
              destination_port: 37010
              comment: tsmc web
            allow_tsmc_39876_10:
              table: filter
              jump: ACCEPT
              match: tcp
              protocol: tcp
              source_network: 10.0.0.0/8
              destination_port: 39876
              comment: tsmc web
            allow_tsm_web_172:
              table: filter
              jump: ACCEPT
              match: tcp
              protocol: tcp
              source_network: 172.16.162.0/24
              destination_port: 1581
              comment: tsm client web gui
            allow_tsmc_37010_172:
              table: filter
              jump: ACCEPT
              match: tcp
              protocol: tcp
              source_network: 172.16.162.0/24
              destination_port: 37010
              comment: tsmc web
            allow_tsmc_39876_172:
              table: filter
              jump: ACCEPT
              match: tcp
              protocol: tcp
              source_network: 172.16.162.0/24
              destination_port: 39876
              comment: tsmc web
            allow_vpn_public:
              table: filter
              jump: ACCEPT
              match: state
              connection_state: NEW
              destination_port: 1194
              comment: Povolime VPN odkudkoli
            reject_rest:
              table: filter
              jump: REJECT
              comment: Zdvorile odmitame ostatni komunikaci; --reject-with icmp-host-prohibited neni
        FORWARD:
          enabled: true
          rule:
            allow_conn_established:
              table: filter
              jump: ACCEPT
              match: state
              connection_state: RELATED,ESTABLISHED
              comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
            accept_net_10.0.110.0_vpn:
              table: filter
              jump: ACCEPT
              source_network: 10.0.110.0/24
              destination_network: 10.8.0.0/24
              comment: vnitrni komunikace management
            accept_net_10.10.0.0_vpn:
              table: filter
              jump: ACCEPT
              source_network: 10.10.0.0/16
              destination_network: 10.8.0.0/24
              comment: vnitrni komunikace management
            accept_net_10.0.101.0_vpn:
              table: filter
              jump: ACCEPT
              source_network: 10.0.101.0/24
              destination_network: 10.8.0.0/24
              comment: vnitrni komunikace VLAN1501
            accept_net_10.0.102.0_vpn:
              table: filter
              jump: ACCEPT
              source_network: 10.0.102.0/24
              destination_network: 10.8.0.0/24
              comment: vnitrni komunikace VLAN1502
            accept_net_10.0.103.0_vpn:
              table: filter
              jump: ACCEPT
              source_network: 10.0.103.0/24
              destination_network: 10.8.0.0/24
              comment: vnitrni komunikace VLAN1503
            accept_net_10.0.106.0_vpn:
              table: filter
              jump: ACCEPT
              source_network: 10.0.106.0/24
              destination_network: 10.8.0.0/24
              comment: vnitrni komunikace VLAN1506
            accept_net_10.0.110.0:
              table: filter
              jump: ACCEPT
              source_network: 10.0.110.0/24
              comment: Vse ze site 10.0.110.0
            accept_net_10.8.0.0:
              table: filter
              jump: ACCEPT
              source_network: 10.8.0.0/24
              comment: Z teto VPN se smi skoro vsechno
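As an added illustration (not the formula's own template), the following Python renders a pillar rule into the iptables command it stands for and flags the pillar mistakes iptables would reject at apply time: a NAT target outside the ``nat`` table or its chains, a misspelled match module, or ``match: state`` without ``connection_state``. Key names follow this README; the sample rules are copied from the pillars above, and the flag mapping is an assumption about how the keys translate, not the formula's code.

```python
# Added illustration of the pillar semantics, not the formula's own template.
# Targets iptables accepts only in the nat table, and the chains allowing them.
NAT_TARGETS = {"DNAT": {"PREROUTING", "OUTPUT"}, "REDIRECT": {"PREROUTING", "OUTPUT"},
               "SNAT": {"POSTROUTING", "INPUT"}, "MASQUERADE": {"POSTROUTING"}}
KNOWN_MATCHES = {"state", "tcp", "udp"}
# pillar key -> iptables flag, in command-line order (-p before --sport/--dport)
FLAGS = [("in_interface", "-i"), ("out_interface", "-o"), ("protocol", "-p"),
         ("source_network", "-s"), ("destination_network", "-d"),
         ("source_port", "--sport"), ("destination_port", "--dport")]

def validate_rule(chain, rule):
    """Return the problems in one pillar rule (empty list if it is sound)."""
    problems, target, table = [], rule.get("jump"), rule.get("table", "filter")
    if target in NAT_TARGETS and table != "nat":
        problems.append(f"{target} needs table nat, not {table}")
    if target in NAT_TARGETS and chain not in NAT_TARGETS[target]:
        problems.append(f"{target} is not valid in chain {chain}")
    match = rule.get("match")
    if match and match not in KNOWN_MATCHES:
        problems.append(f"unknown match module {match!r}")
    if match == "state" and "connection_state" not in rule:
        problems.append("match state requires connection_state")
    return problems

def render_rule(chain, rule):
    """Build the iptables argv for one pillar rule (position -> -I, else -A)."""
    cmd = ["ip6tables" if rule.get("family") == "ipv6" else "iptables",
           "-t", rule.get("table", "filter")]
    cmd += ["-I", chain, str(rule["position"])] if "position" in rule else ["-A", chain]
    cmd += [tok for key, flag in FLAGS if key in rule for tok in (flag, str(rule[key]))]
    if "match" in rule:
        cmd += ["-m", rule["match"]]
    if "connection_state" in rule:
        cmd += ["--state", rule["connection_state"]]
    if "comment" in rule:
        cmd += ["-m", "comment", "--comment", rule["comment"]]
    cmd += ["-j", rule["jump"]]
    if "to_destination" in rule:  # DNAT target option
        to = rule["to_destination"]
        cmd += ["--to-destination", f"{to['host']}:{to['port']}"]
    return cmd

# Sample rules copied from the pillars above.
HTTPD = {"position": 1, "table": "filter", "jump": "ACCEPT", "family": "ipv6",
         "match": "state", "connection_state": "NEW", "protocol": "tcp",
         "source_port": "1025:65535", "destination_port": 80}
DNAT_SSH = {"table": "nat", "jump": "DNAT", "match": "tcp", "protocol": "tcp",
            "destination_network": "185.22.97.132/32", "destination_port": 20022,
            "to_destination": {"host": "10.0.110.38", "port": 22}}
```

Running ``validate_rule`` over every rule of a pillar before ``salt`` applies it catches the typos that otherwise only surface as an ``iptables`` error on the minion.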