salt
/
iptables-formula
forked from ExternalMirrors/iptables-formula

{% from "iptables/map.jinja" import service with context %}

{%- if pillar.iptables.service.enabled %}

iptables_packages:
  pkg.installed:
  - names: {{ service.pkgs }}

iptables_services:
  service.dead:
  - enable: true
  - name: {{ service.service }}
  - sig: test -e /etc/iptables/rules.v4
  - require:
    - pkg: iptables_packages

{%- for chain_name, chain in service.get('chain', {}).iteritems() %}

{%- if chain.policy is defined %}
iptables_{{ chain_name }}_policy:
  iptables.set_policy:
    - chain: {{ chain_name }}
    - policy: {{ chain.policy }}
    - table: filter
{%- endif %}

{%- for rule_name, rule in chain.get('rule', {}).iteritems() %}

iptables_{{ chain_name }}_{{ rule_name }}:
  iptables.insert:
  {%- if rule.position is defined %}
  - position: {{ rule.position }}
  {%- endif %}
  {%- if rule.table is defined %}
  - table: {{ rule.table }}
  {%- endif %}
  - chain: {{ chain_name }}
  {%- if rule.jump is defined %}
  - jump: {{ rule.jump }}
  {%- endif %}
  {%- if rule.match is defined %}
  - match: {{ rule.match }}
  {%- endif %}
  {%- if rule.connection_state is defined %}
  - connstate: {{ rule.connection_state }}
  {%- endif %}
  {%- if rule.protocol is defined %}
  - proto: {{ rule.protocol }}
  {%- endif %}
  {%- if rule.destination_port is defined %}
  - dport: {{ rule.destination_port }}
  {%- endif %}
  {%- if rule.source_port is defined %}
  - sport: {{ rule.source_port }}
  {%- endif %}
  {%- if rule.in_interface is defined %}
  - in-interface: {{ rule.in_interface }}
  {%- endif %}
  {%- if rule.out_interface is defined %}
  - out-interface: {{ rule.out_interface }}
  {%- endif %}
  {%- if rule.to_destination is defined %}
  - to-destination: {{ rule.to_destination }}
  {%- endif %}
  {%- if rule.to_source is defined %}
  - to-source: {{ rule.to_source }}
  {%- endif %}
  {%-  if rule.source_network is defined %}
  - source: {{ rule.source_network }}
  {%- endif %}
  {%-  if rule.destination_network is defined %}
  - destination: {{ rule.destination_network }}
  {%- endif %}
  {%- if chain.policy is defined %}
  - require_in: 
    - iptables: iptables_{{ chain_name }}_policy:
  {%- endif %}
  - save: True

{%- endfor %}

{%- endfor %}

{%- else %}

iptables_services:
  service.dead:
  - enable: false
  - name: {{ service.service }}

{%- endif %}