salt
/
iptables-formula
feito fork de ExternalMirrors/iptables-formula
Observar 1
Favorito 0
Fork 0
Código Versões 6 Atividade
Saltstack Official IPTables Formula
Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.
63 Commits
2 Branches
Tag: 8188337922
Branches Tags
${ item.name }
Criar branch ${ searchTerm }
de 8188337922
${ noResults }
iptables-formula/README.rst

README.rst 4.7KB
Original Visão normal Histórico

Initial commit
9 anos atrás
Fix documentation, remove obsolete
8 anos atrás
Initial commit
9 anos atrás
Fix documentation, remove obsolete
8 anos atrás
Initial commit
9 anos atrás
Correct parameters spelling
7 anos atrás
Fix documentation, remove obsolete
8 anos atrás
add the option to specify the family per rule to support ipv6 (#3) Closes: #2 * add the option to specify the family per rule to support ipv6 * include policy updates for ipv6 * update documentation to mention ipv6 * Make ipv6 optional; remove spurious tabs from the readme. * set ipv6 policies only if ipv6 is enabled on the host and not explicitly turned off for this service
7 anos atrás
Initial commit
9 anos atrás
Fix documentation, remove obsolete
8 anos atrás
Initial commit
9 anos atrás
Fix documentation, remove obsolete
8 anos atrás
Initial commit
9 anos atrás
Fix documentation, remove obsolete
8 anos atrás
Correct parameters spelling
7 anos atrás
Fix documentation, remove obsolete
8 anos atrás
Initial commit
9 anos atrás
Fix documentation, remove obsolete
8 anos atrás
Correct parameters spelling
7 anos atrás
Fix documentation, remove obsolete
8 anos atrás
Adding comment option to iptables rule Change-Id: I9d93052cfc197a364b42240448344d5543e8805f
7 anos atrás
Initial commit
9 anos atrás
added README example
7 anos atrás
add the option to specify the family per rule to support ipv6 (#3) Closes: #2 * add the option to specify the family per rule to support ipv6 * include policy updates for ipv6 * update documentation to mention ipv6 * Make ipv6 optional; remove spurious tabs from the readme. * set ipv6 policies only if ipv6 is enabled on the host and not explicitly turned off for this service
7 anos atrás
Unhardcode tables for chains. There is a way to manage tables in rules, but there is no way to manage tables for chains when setting policy. Looks like pillar structure is bad from the beginning and to not break backward compatibility, as same chain names may occur in different tables, so it is proposed to check if 'chain.policy' is map. And if it is, specific policies would be ensured for specific tables, otherwise table 'filter' would be used as a fallback. To ensure chains in specific tables we iterate over all rules in each chain. This hash is valid: parameters: iptables: service: enabled: true chain: OUTPUT: policy: ACCEPT FORWARD: policy: - table: mangle policy: DROP INPUT: policy: - table: nat policy: ACCEPT rules: - jump: ACCEPT protocol: icmp POSTROUTING: rules: - jump: MASQUERADE protocol: icmp out_interface: ens3 table: nat Prod-Related: CEEMCP-12 Prod-Related: EME-313 Change-Id: Ib5ba97dad165d3ef2dec7e053b391ea36a996103
6 anos atrás
Initial commit
9 anos atrás
Unify Makefile, .gitignore and update readme
7 anos atrás
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201 
  1. 

  2. ================

  3. iptables formula

  4. ================

  5. 

  6. Iptables is used to set up, maintain, and inspect the tables of IPv4 packet

  7. filter rules in the Linux kernel. Several different tables may be defined.

  8. Each table contains a number of built-in chains and may also contain

  9. user-defined chains.  Each chain is a list of rules which can match a set of

  10. packets. Each rule specifies what to do with a packet that matches. This is

  11. called a `target`, which may be a jump to a user-defined chain in the same

  12. table.

  13. 

  14. Sample pillars

  15. ==============

  16. 

  17. Most common rules - allow traffic on localhost, accept related,established and

  18. ping

  19. 

  20. .. code-block:: yaml

  21. 

  22.     parameters:

  23.       iptables:

  24.         service:

  25.           enabled: True

  26.           chain:

  27.             INPUT:

  28.               rules:

  29.                 - in_interface: lo

  30.                   jump: ACCEPT

  31.                 - connection_state: RELATED,ESTABLISHED

  32.                   match: state

  33.                   jump: ACCEPT

  34.                 - protocol: icmp

  35.                   jump: ACCEPT

  36. 

  37. Accept connections on port 22

  38. 

  39. .. code-block:: yaml

  40. 

  41.     parameters:

  42.       iptables:

  43.         service:

  44.           chain:

  45.             INPUT:

  46.               rules:

  47.                 - destination_port: 22

  48.                   protocol: tcp

  49.                   jump: ACCEPT

  50. 

  51. Set drop policy on INPUT chain:

  52. 

  53. .. code-block:: yaml

  54. 

  55.     parameters:

  56.       iptables:

  57.         service:

  58.           chain:

  59.             INPUT:

  60.               policy: DROP

  61. 

  62. Redirect privileged port 443 to 8081

  63. 

  64. .. code-block:: yaml

  65. 

  66.     parameters:

  67.       iptables:

  68.         service:

  69.           chain:

  70.             PREROUTING:

  71.               filter: nat

  72.               destination_port: 443

  73.               to_port: 8081

  74.               protocol: tcp

  75.               jump: REDIRECT

  76. 

  77. Allow access from local network

  78. 

  79. .. code-block:: yaml

  80. 

  81.     parameters:

  82.       iptables:

  83.         service:

  84.           chain:

  85.             INPUT:

  86.               rules:

  87.                 - protocol: tcp

  88.                   destination_port: 22

  89.                   source_network: 192.168.1.0/24

  90.                   jump: ACCEPT

  91.                   comment: Blah

  92. 

  93. Support logging with custom prefix and log level

  94. 

  95. .. code-block:: yaml

  96. 

  97.     parameters:

  98.       iptables:

  99.         service:

  100.           chain:

  101.             POSTROUTING:

  102.               rules:

  103.                 - table: nat

  104.                   protocol: tcp

  105.                   match: multiport

  106.                   destination_ports:

  107.                     - 21

  108.                     - 80

  109.                     - 443

  110.                     - 2220

  111.                   source_network: '10.20.30.0/24'

  112.                   log_level: 7

  113.                   log_prefix: 'iptables-logging: '

  114.                   jump: LOG

  115. 

  116. 

  117. IPv6 is supported as well

  118. 

  119. .. code-block:: yaml

  120. 

  121.     parameters:

  122.       iptables:

  123.         service:

  124.           enabled: True

  125.           ipv6: True

  126.           chain:

  127.             INPUT:

  128.               rules:

  129.                 - protocol: tcp

  130.                   family: ipv6

  131.                   destination_port: 22

  132.                   source_network: 2001:DB8::/32

  133.                   jump: ACCEPT

  134. 

  135. 

  136. You may set policy for chain in specific table

  137. If 'table' key is omitted, 'filter' table is assumed

  138. 

  139. .. code-block:: yaml

  140. 

  141.     parameters:

  142.       iptables:

  143.         service:

  144.           enabled: true

  145.           chain:

  146.             OUTPUT:

  147.               policy: ACCEPT

  148. 

  149. Specify policy directly

  150. 

  151. .. code-block:: yaml

  152. 

  153.     parameters:

  154.       iptables:

  155.         service:

  156.           enabled: true

  157.           chain:

  158.             FORWARD:

  159.               policy:

  160.               - table: mangle

  161.                 policy: DROP

  162. 

  163. Read more

  164. =========

  165. 

  166. * http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html

  167. * https://help.ubuntu.com/community/IptablesHowTo

  168. * http://wiki.centos.org/HowTos/Network/IPTables

  169. 

  170. Documentation and Bugs

  171. ======================

  172. 

  173. To learn how to install and update salt-formulas, consult the documentation

  174. available online at:

  175. 

  176.     http://salt-formulas.readthedocs.io/

  177. 

  178. In the unfortunate event that bugs are discovered, they should be reported to

  179. the appropriate issue tracker. Use Github issue tracker for specific salt

  180. formula:

  181. 

  182.     https://github.com/salt-formulas/salt-formula-iptables/issues

  183. 

  184. For feature requests, bug reports or blueprints affecting entire ecosystem,

  185. use Launchpad salt-formulas project:

  186. 

  187.     https://launchpad.net/salt-formulas

  188. 

  189. You can also join salt-formulas-users team and subscribe to mailing list:

  190. 

  191.     https://launchpad.net/~salt-formulas-users

  192. 

  193. Developers wishing to work on the salt-formulas projects should always base

  194. their work on master branch and submit pull request against specific formula.

  195. 

  196.     https://github.com/salt-formulas/salt-formula-iptables

  197. 

  198. Any questions or feedback is always welcome so feel free to join our IRC

  199. channel:

  200. 

  201.     #salt-formulas @ irc.freenode.net