Saltstack Official IPTables Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

89 line
1.9KB

  1. {% from "iptables/map.jinja" import service with context %}
  2. {%- if service.enabled %}
  3. include:
  4. - iptables.rules
  5. iptables_packages:
  6. pkg.installed:
  7. - names: {{ service.pkgs }}
  8. {%- if grains.os_family == 'Debian' %}
  9. /usr/share/netfilter-persistent/plugins.d/15-ip4tables:
  10. file.managed:
  11. - source: salt://iptables/files/ip4tables
  12. - mode: 755
  13. - template: jinja
  14. - defaults:
  15. provider: {{ service.get('provider') }}
  16. - require:
  17. - pkg: iptables_packages
  18. - watch_in:
  19. - service: iptables_services
  20. /usr/share/netfilter-persistent/plugins.d/25-ip6tables:
  21. file.managed:
  22. - source: salt://iptables/files/ip6tables
  23. - mode: 755
  24. - template: jinja
  25. - defaults:
  26. provider: {{ service.get('provider') }}
  27. - require:
  28. - pkg: iptables_packages
  29. - watch_in:
  30. - service: iptables_services
  31. {%- endif %}
  32. iptables_services:
  33. {%- if grains.init == 'systemd' %}
  34. service.running:
  35. {%- else %}
  36. service.dead:
  37. {%- endif %}
  38. - enable: true
  39. - name: {{ service.service }}
  40. - sig: test -e /etc/iptables/rules.v4
  41. - require:
  42. - pkg: iptables_packages
  43. {%- else %}
  44. iptables_services:
  45. service.dead:
  46. - enable: false
  47. - name: {{ service.service }}
  48. {%- for chain_name in ['INPUT', 'OUTPUT', 'FORWARD'] %}
  49. iptables_{{ chain_name }}_policy:
  50. iptables.set_policy:
  51. - chain: {{ chain_name }}
  52. - policy: ACCEPT
  53. - table: filter
  54. - require_in:
  55. - iptables: iptables_flush
  56. {%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
  57. iptables_{{ chain_name }}_ipv6_policy:
  58. iptables.set_policy:
  59. - chain: {{ chain_name }}
  60. - family: ipv6
  61. - policy: ACCEPT
  62. - table: filter
  63. - require_in:
  64. - iptables: ip6tables_flush
  65. {%- endif %}
  66. {%- endfor %}
  67. iptables_flush:
  68. iptables.flush
  69. {%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
  70. ip6tables_flush:
  71. iptables.flush:
  72. - family: ipv6
  73. {%- endif %}
  74. {%- endif %}