Kaynağa Gözat

Merge branch 'master' of ssh://git.natrinicle.com/ExternalMirrors/iptables-formula

Updating from upstream
master
Nate Bohman 5 yıl önce
ebeveyn
işleme
49aecda6f4
26 değiştirilmiş dosya ile 874 ekleme ve 559 silme
  1. +59
    -0
      .kitchen.openstack.yml
  2. +0
    -43
      .kitchen.yml
  3. +8
    -20
      .travis.yml
  4. +4
    -5
      CHANGELOG.rst
  5. +2
    -2
      LICENSE
  6. +64
    -155
      README.rst
  7. +1
    -1
      VERSION
  8. +231
    -0
      _modules/iptables_extra.py
  9. +2
    -8
      debian/changelog
  10. +6
    -6
      debian/control
  11. +3
    -3
      debian/copyright
  12. +0
    -94
      iptables/_rule.sls
  13. +20
    -3
      iptables/init.sls
  14. +79
    -9
      iptables/map.jinja
  15. +0
    -117
      iptables/rules.sls
  16. +0
    -63
      iptables/service.sls
  17. +72
    -0
      iptables/v1/files/v4_rules
  18. +72
    -0
      iptables/v1/files/v6_rules
  19. +6
    -0
      iptables/v1/init.sls
  20. +0
    -0
      iptables/v1/meta/sphinx.yml
  21. +79
    -0
      iptables/v1/v4_service.sls
  22. +79
    -0
      iptables/v1/v6_service.sls
  23. +1
    -2
      metadata.yml
  24. +71
    -0
      tests/pillar/iptables.sls
  25. +0
    -28
      tests/pillar/iptables_server.sls
  26. +15
    -0
      user_data.sh

+ 59
- 0
.kitchen.openstack.yml Dosyayı Görüntüle

@@ -0,0 +1,59 @@
---
driver:
name: openstack
openstack_username: <%= ENV['OS_USERNAME'] %>
openstack_api_key: <%= ENV['OS_PASSWORD'] %>
openstack_auth_url: <%= ENV['OS_AUTH_URL'] %>
openstack_domain_name: <%= ENV['OS_DOMAIN_NAME'] %>
openstack_project_name: <%= ENV['OS_PROJECT_NAME'] %>
openstack_identity_api_version: <%= ENV['OS_IDENTITY_VERSION'] || 3 %>
availability_zone: <%= ENV['OS_AZ'] || 'nova' %>
openstack_network_name: <%= ENV['OS_FLOATING_NETWORK_NAME'] || 'public' %>
security_groups:
- kitchen
network_id: <%= ENV['OS_INTERNAL_NETWORK_ID'] || '21790488-0dc2-4864-9016-ae4f09d8a67f' %>
user_data: user_data.sh
require_chef_omnibus: false
floating_ip_pool: <%= ENV['OS_FLOATING_NETWORK_NAME'] || 'public' %>
image_id: <%= ENV['OS_IMAGE_ID'] || '60878bd4-cb4a-4d71-ae02-2a8ee4476d10' %>
flavor_id: <%= ENV['OS_FLAVOR_ID'] || 'ac2a36af-f9a0-4af7-8220-e85cff4d2bce' %>
read_timeout: 180
write_timeout: 180
connect_timeout: 180

transport:
username: kitchen
password: kitchen
connection_timeout: 10
connection_retries: 5

provisioner:
name: salt_solo
salt_install: bootstrap
salt_bootstrap_url: https://bootstrap.saltstack.com
salt_version: <%= ENV['SALT_VERSION'] || '2018.3.0' %>
require_chef: false
log_level: error
formula: iptables
state_top:
base:
"*":
- iptables
pillars:
top.sls:
base:
"*":
- iptables

verifier:
name: inspec
sudo: true

platforms:
- name: saltstack-ubuntu-<%= ENV['UBUNTU_DISTRO'] || 'xenial' %>-salt-<%= ENV['SALT_VERSION'] || '2018.3.0' %>

suites:
- name: iptables
provisioner:
pillars-from-files:
iptables.sls: tests/pillar/iptables.sls

+ 0
- 43
.kitchen.yml Dosyayı Görüntüle

@@ -1,43 +0,0 @@
---
driver:
name: docker
hostname: iptables.ci.local
use_sudo: false

provisioner:
name: salt_solo
salt_install: bootstrap
salt_bootstrap_url: https://bootstrap.saltstack.com
salt_version: latest
require_chef: false
log_level: error
formula: iptables
grains:
noservices: True
state_top:
base:
"*":
- iptables
pillars:
top.sls:
base:
"*":
- iptables

verifier:
name: inspec
sudo: true

platforms:
- name: <%=ENV['PLATFORM'] || 'saltstack-ubuntu-xenial-salt-stable' %>
driver_config:
image: <%=ENV['PLATFORM'] || 'epcim/salt:saltstack-ubuntu-xenial-salt-stable'%>
platform: ubuntu

suites:

- name: iptables_server
provisioner:
pillars-from-files:
iptables.sls: tests/pillar/iptables_server.sls
# vim: ft=yaml sw=2 ts=2 sts=2 tw=125

+ 8
- 20
.travis.yml Dosyayı Görüntüle

@@ -2,37 +2,25 @@ language: python
python:
- "2.7.13"
sudo: required
services:
- docker

install:
- pip install PyYAML
- pip install virtualenv
- |
test -e Gemfile || cat <<EOF > Gemfile
source 'https://rubygems.org'
gem 'rake'
gem 'test-kitchen'
gem 'kitchen-docker'
gem 'kitchen-inspec'
gem 'inspec'
gem 'kitchen-salt', :git => 'https://github.com/salt-formulas/kitchen-salt.git'
- bundle install
git clone https://gerrit.mcp.mirantis.com/salt-formulas/salt-formulas-scripts
sudo -H bash ./salt-formulas-scripts/bootstrap-openstack-kitchen.sh

env:
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2016.3 SUITE=iptables-server
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2017.7 SUITE=iptables-server
- PLATFORM=epcim/salt:saltstack-ubuntu-xenial-salt-2018.3 SUITE=iptables-server
# - PLATFORM=epcim/salt:saltstack-ubuntu-bionic-salt-2017.7 SUITE=iptables-server
# - PLATFORM=epcim/salt:saltstack-ubuntu-bionic-salt-2018.3 SUITE=iptables-server
- UBUNTU_DISTRO=xenial SALT_VERSION=2018.3 SUITE=iptables
- UBUNTU_DISTRO=xenial SALT_VERSION=2017.7 SUITE=iptables
- UBUNTU_DISTRO=bionic SALT_VERSION=2018.3 SUITE=iptables
- UBUNTU_DISTRO=bionic SALT_VERSION=2017.7 SUITE=iptables

before_script:
- set -o pipefail
- make test | tail

script:
- test ! -e .kitchen.yml || bundle exec kitchen converge ${SUITE} || true
- test ! -e .kitchen.yml || bundle exec kitchen verify ${SUITE} -t tests/integration
- test ! -e .kitchen.openstack.yml || bundle exec kitchen converge ${SUITE} || true
- test ! -e .kitchen.openstack.yml || bundle exec kitchen verify ${SUITE} -t tests/integration

notifications:
on:

+ 4
- 5
CHANGELOG.rst Dosyayı Görüntüle

@@ -1,7 +1,6 @@
iptables-salt-formula
=====================

iptables-formula
================
1.0.0

0.0.1 (2015-08-03)

- Initial formula setup
- Initial setup

+ 2
- 2
LICENSE Dosyayı Görüntüle

@@ -1,4 +1,4 @@
Copyright (c) 2014-2015 tcp cloud a.s.
Copyright (c) 2018 Mirantis a.s.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -10,4 +10,4 @@ Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
limitations under the License.

+ 64
- 155
README.rst Dosyayı Görüntüle

@@ -1,7 +1,6 @@

================
iptables formula
================
=====================
iptables salt formula
=====================

Iptables is used to set up, maintain, and inspect the tables of IPv4 packet
filter rules in the Linux kernel. Several different tables may be defined.
@@ -11,154 +10,76 @@ packets. Each rule specifies what to do with a packet that matches. This is
called a `target`, which may be a jump to a user-defined chain in the same
table.

Sample pillars
==============

Most common rules - allow traffic on localhost, accept related,established and
ping

.. code-block:: yaml

parameters:
iptables:
service:
enabled: True
chain:
INPUT:
rules:
- in_interface: lo
jump: ACCEPT
- connection_state: RELATED,ESTABLISHED
match: state
jump: ACCEPT
- protocol: icmp
jump: ACCEPT

Accept connections on port 22

.. code-block:: yaml

parameters:
iptables:
service:
chain:
INPUT:
rules:
- destination_port: 22
protocol: tcp
jump: ACCEPT

Set drop policy on INPUT chain:

.. code-block:: yaml

parameters:
iptables:
service:
chain:
INPUT:
policy: DROP

Redirect privileged port 443 to 8081

.. code-block:: yaml

parameters:
iptables:
service:
chain:
PREROUTING:
filter: nat
destination_port: 443
to_port: 8081
protocol: tcp
jump: REDIRECT

Allow access from local network
This version of a formula guarantees that manually added rules or rules which
has been added in runtime would be removed.

.. code-block:: yaml

parameters:
iptables:
service:
chain:
INPUT:
rules:
- protocol: tcp
destination_port: 22
source_network: 192.168.1.0/24
jump: ACCEPT
comment: Blah

Support logging with custom prefix and log level

.. code-block:: yaml
In order to ensure architecture, proper epoch value should be specified.
Refer to an example.

parameters:
iptables:
service:
chain:
POSTROUTING:
rules:
- table: nat
protocol: tcp
match: multiport
destination_ports:
- 21
- 80
- 443
- 2220
source_network: '10.20.30.0/24'
log_level: 7
log_prefix: 'iptables-logging: '
jump: LOG


IPv6 is supported as well

.. code-block:: yaml

parameters:
iptables:
service:
enabled: True
ipv6: True
chain:
INPUT:
rules:
- protocol: tcp
family: ipv6
destination_port: 22
source_network: 2001:DB8::/32
jump: ACCEPT


You may set policy for chain in specific table
If 'table' key is omitted, 'filter' table is assumed
Sample pillars
==============

.. code-block:: yaml

parameters:
iptables:
schema:
epoch: 1
service:
enabled: true
chain:
OUTPUT:
policy: ACCEPT

Specify policy directly
v4:
enabled: true
persistent_config: /etc/iptables/rules.v4
modules:
- nf_conntrack_ftp
- nf_conntrack_pptp
v6:
enabled: false
persistent_config: /etc/iptables/rules.v6
modules:
- nf_conntrack_ipv6
defaults:
v4:
metadata_rules: false
policy: ACCEPT
ruleset:
action: ACCEPT
params: ""
rule: ""
v6:
metadata_rules: false
policy: DROP
ruleset:
action: ACCEPT
params: ""
rule: ""
tables:
v4:
filter:
chains:
INPUT:
ruleset:
5:
action: log_drop
10:
rule: -s 192.168.0.0/24 -p tcp
log_drop:
policy: DROP
ruleset:
10:
action: LOG
comment: "Log my packets"
nat:
chains:
OUTPUT: {}
PREROUTING: {}
POSTROUTING:
policy: ACCEPT
ruleset:
10:
rule: -s 192.168.0.0/24 -p tcp -o lo
action: SNAT
params: --to-source=127.0.0.1

.. code-block:: yaml

parameters:
iptables:
service:
enabled: true
chain:
FORWARD:
policy:
- table: mangle
policy: DROP

Read more
=========
@@ -181,21 +102,9 @@ formula:

https://github.com/salt-formulas/salt-formula-iptables/issues

For feature requests, bug reports or blueprints affecting entire ecosystem,
use Launchpad salt-formulas project:

https://launchpad.net/salt-formulas

You can also join salt-formulas-users team and subscribe to mailing list:

https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on master branch and submit pull request against specific formula.

https://github.com/salt-formulas/salt-formula-iptables

Any questions or feedback is always welcome so feel free to join our IRC
channel:

#salt-formulas @ irc.freenode.net

+ 1
- 1
VERSION Dosyayı Görüntüle

@@ -1 +1 @@
0.2
1.0.0

+ 231
- 0
_modules/iptables_extra.py Dosyayı Görüntüle

@@ -0,0 +1,231 @@
# -*- coding: utf-8 -*-
from os import chmod,remove
from time import time
from subprocess import Popen,PIPE

def get_tables(family="ipv4"):

''' List iptables tables

:param family: iptables ip family version. type: str

'''

if family == "ipv4":
cmd = 'iptables-save'
elif family == "ipv6":
cmd = 'ip6tables-save'
else:
return "Invalid ip family specified. Use either ipv4 or ipv6"

tables = []
try:
tables_list = Popen(cmd, shell=True, stdout=PIPE)
while True:
line = tables_list.stdout.readline()
if line != '':
if line[0] == "*":
tables.append(line.rstrip()[1:])
else:
break
except:
return "Error getting list of tables"

return tables

def get_chains(family="ipv4", table="filter"):

''' List iptables chains

:param family: iptables ip family version. type: str
:param table: Lookup chains for this table. type: str

'''

if family == "ipv4":
cmd = 'iptables-save'
elif family == "ipv6":
cmd = 'ip6tables-save'
else:
return "Invalid ip family specified. Use either ipv4 or ipv6"

cmd += ' -t ' + table

chains = []
try:
chains_list = Popen(cmd, shell=True, stdout=PIPE)
while True:
line = chains_list.stdout.readline()
if line != '':
if line[0] == ":":
chains.append(line.rstrip()[1:].split(' ')[0])
else:
break
except:
return "Error getting list of chains"

return chains

def get_structure(family="ipv4"):

''' Get structure of all chains in all tables

:param family: iptables ip family version. type: str

'''

if family == "ipv4":
cmd = 'iptables-save'
elif family == "ipv6":
cmd = 'ip6tables-save'
else:
return "Invalid ip family specified. Use either ipv4 or ipv6"

tables = []
tables_list = Popen(cmd, shell=True, stdout=PIPE)
while True:
line = tables_list.stdout.readline()
if line != '':
line = line.rstrip().lstrip()
if line[0] == "*":
elem = {}
table_name = line[1:].split(' ')[0]
elem[table_name] = []
if line[0] == ":":
elem[table_name].append(line[1:].split(' ')[0])
if line == "COMMIT":
tables.append(elem)
else:
break

return tables

def run_script(script):

''' Execute local script

:param script: script to be executed, storad localy: str

'''

chmod(script, 0o700)
process = Popen([script],stdout=PIPE,stderr=PIPE)
process.wait()
code = process.returncode
remove(script)
return code


def flush_all(family="ipv4"):

''' Flush all chains in all tables

:param family: iptables ip family version. type: str

'''

if family == "ipv4":
cmd = 'iptables'
rmmod = 'iptable_'
elif family == "ipv6":
cmd = 'ip6tables'
rmmod = 'ip6table_'
else:
return "Invalid ip family specified. Use either ipv4 or ipv6"

tables = get_structure(family)

f_name = '/tmp/' + cmd + '-flush-' + str(time()).split('.')[0] + '.sh'

with open(f_name, 'w') as f:
f.write('#!/bin/sh\n')
for table in tables:
for var in enumerate(table):
t_name = var[1]
for chain in table[t_name]:
f.write(cmd + ' -t ' + t_name + " -F " + chain + '\n')
if chain not in ['INPUT','FORWARD','OUTPUT','PREROUTING','POSTROUTING']:
f.write(cmd + ' -t ' + t_name + " -X " + chain + '\n')
f.write('rmmod ' + rmmod + t_name + '\n')

return run_script(f_name)

def set_policy_all(family="ipv4", policy="ACCEPT"):

''' Set policy for all chains in all tables

:param family: iptables ip family version. type: str
:param policy: iptables chain policy. type: str

'''

if family == "ipv4":
cmd = 'iptables'
elif family == "ipv6":
cmd = 'ip6tables'
else:
return "Invalid ip family specified. Use either ipv4 or ipv6"

tables = get_structure(family)

f_name = '/tmp/' + cmd + '-policy-' + str(time()).split('.')[0] + '.sh'

with open(f_name, 'w') as f:
f.write('#!/bin/sh\n')
for table in tables:
for var in enumerate(table):
t_name = var[1]
for chain in table[t_name]:
f.write(cmd + ' -t ' + t_name + " -P " + chain + ' ' + policy + '\n')

return run_script(f_name)

def remove_stale_tables(config_file, family="ipv4"):

''' Remove tables which are not in config file
to prevet flushing all the tables

:param family: iptables ip family version. type: str
:param config_file: iptables rules persistent config file. type: str

'''

if family == "ipv4":
cmd = 'iptables'
rmmod = 'iptable_'
elif family == "ipv6":
cmd = 'ip6tables'
rmmod = 'ip6table_'
else:
return "Invalid ip family specified. Use either ipv4 or ipv6"

runtime_tables = get_tables(family)

config_tables = []
for line in open(config_file, 'r'):
if line != '':
if line[0] == "*":
config_tables.append(line.rstrip()[1:])

runtime_tables.sort()
config_tables.sort()
diff = list(set(runtime_tables) - set(config_tables))

if diff != []:
tables = get_structure(family)
f_name = '/tmp/' + cmd + '-flush-' + str(time()).split('.')[0] + '.sh'
with open(f_name, 'w') as f:
f.write('#!/bin/sh\n')
for table in tables:
for var in enumerate(table):
t_name = var[1]
if t_name in diff:
for chain in table[t_name]:
f.write(cmd + ' -t ' + t_name + " -F " + chain + '\n')
if chain not in ['INPUT','FORWARD','OUTPUT','PREROUTING','POSTROUTING']:
f.write(cmd + ' -t ' + t_name + " -X " + chain + '\n')
f.write('rmmod ' + rmmod + t_name + '\n')

return run_script(f_name)
else:
return

+ 2
- 8
debian/changelog Dosyayı Görüntüle

@@ -1,11 +1,5 @@
salt-formula-iptables (0.2) trusty; urgency=medium

* First public release

-- Filip Pytloun <filip.pytloun@tcpcloud.eu> Tue, 06 Oct 2015 16:38:43 +0200

salt-formula-iptables (0.1) trusty; urgency=medium
salt-formula-iptables (1.0) xenial; urgency=medium

* Initial release

-- Jan Kaufman <jan.kaufman@tcpcloud.eu> Thu, 13 Aug 2015 23:23:41 +0200
-- Dzmitry Stremkouski <dstremkouski@mirantis.com> Thu, 30 Aug 2018 16:20:23 +0100

+ 6
- 6
debian/control Dosyayı Görüntüle

@@ -1,15 +1,15 @@
Source: salt-formula-iptables
Maintainer: Jan Kaufman <jan.kaufman@tcpcloud.eu>
Maintainer: Dzmitry Stremkouski <dstremkouski@mirantis.com>
Section: admin
Priority: optional
Priority: extra
Build-Depends: salt-master, python, python-yaml, debhelper (>= 9)
Standards-Version: 3.9.6
Homepage: http://www.tcpcloud.eu
Vcs-Browser: https://github.com/tcpcloud/salt-formula-iptables
Vcs-Git: https://github.com/tcpcloud/salt-formula-iptables.git
Homepage: https://mirantis.com
Vcs-Browser: https://github.com/Mirantis/salt-formula-iptables
Vcs-Git: https://github.com/Mirantis/salt-formula-iptables.git

Package: salt-formula-iptables
Architecture: all
Depends: ${misc:Depends}
Description: iptables salt formula
Configure iptables rules.
Manages iptables rules.

+ 3
- 3
debian/copyright Dosyayı Görüntüle

@@ -1,10 +1,10 @@
Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: salt-formula-iptables
Upstream-Contact: Ales Komarek <ales.komarek@tcpcloud.eu>
Source: https://github.com/tcpcloud/salt-formula-iptables
Upstream-Contact: Dzmitry Stremkouski <dstremkouski@mirantis.com>
Source: https://github.com/Mirantis/salt-formula-iptables

Files: *
Copyright: 2014-2015 tcp cloud a.s.
Copyright: 2018 Mirantis a.s.
License: Apache-2.0
Copyright (C) 2014-2015 tcp cloud a.s.
.

+ 0
- 94
iptables/_rule.sls Dosyayı Görüntüle

@@ -1,94 +0,0 @@
{%- set table = rule.get('table', 'filter') %}
iptables_{{ table }}_{{ chain_name }}_{{ rule_name }}:
{%- if rule.position is defined %}
iptables.insert:
- position: {{ rule.position }}
{%- else %}
iptables.append:
- require:
{%- if loop.index != 1 %}
- iptables: iptables_{{ table }}_{{ chain_name }}_{% if service_name is defined %}{{ service_name }}_{% endif %}{{ loop.index - 1 }}
{%- else %}
{%- for chain in chains %}
- iptables: iptables_{{ table }}_{{ chain }}
{%- endfor %}
{%- endif %}
{%- endif %}
- table: {{ table }}
- chain: {{ chain_name }}
{%- if rule.family is defined %}
- family: {{ rule.family }}
{%- endif %}
{%- if rule.jump is defined %}
- jump: {{ rule.jump }}
{%- endif %}
{%- if rule.match is defined %}
- match: {{ rule.match }}
{%- endif %}
{%- if rule.comment is defined %}
- comment: {{ rule.comment }}
{%- endif %}
{%- if rule.connection_state is defined %}
- connstate: {{ rule.connection_state }}
{%- endif %}
{%- if rule.protocol is defined %}
- proto: {{ rule.protocol }}
{%- endif %}
{%- if rule.destination_port is defined %}
- dport: {{ rule.destination_port }}
{%- endif %}
{%- if rule.destination_ports is defined %}
- dports:
{%- for port in rule.destination_ports %}
- {{ port }}
{% endfor %}
{%- endif %}
{%- if rule.source_port is defined %}
- sport: {{ rule.source_port }}
{%- endif %}
{%- if rule.in_interface is defined %}
- in-interface: {{ rule.in_interface }}
{%- endif %}
{%- if rule.out_interface is defined %}
- out-interface: {{ rule.out_interface }}
{%- endif %}
{%- if rule.to_destination is defined %}
- to-destination: {{ rule.to_destination }}
{%- endif %}
{%- if rule.to_port is defined %}
- to-port: {{ rule.to_port }}
{%- endif %}
{%- if rule.to_source is defined %}
- to-source: {{ rule.to_source }}
{%- endif %}
{%- if rule.source_network is defined %}
- source: {{ rule.source_network }}
{%- endif %}
{%- if rule.destination_network is defined %}
- destination: {{ rule.destination_network }}
{%- endif %}
{%- if rule.log_prefix is defined %}
- log-prefix: '{{ rule.log_prefix }}'
{%- endif %}
{%- if rule.log_level is defined %}
- log-level: {{ rule.log_level }}
{%- endif %}
{%- if rule.limit is defined %}
- limit: '{{ rule.limit }}'
{%- endif %}
{%- if chain.policy is defined %}
{%- if chain.policy is string %}
- require_in:
- iptables: iptables_filter_{{ chain_name }}_policy
{%- else %}
{%- if table in chain.policy %}
- require_in:
- iptables: iptables_{{ table }}_{{ chain_name }}_policy
{%- endif %}
{%- endif %}
{%- endif %}
{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
- require:
- iptables: iptables_{{ table}}_{{ chain_name }}{% if rule.family is defined %}_{{ rule.family }}{% endif %}
{%- endif %}
- save: True

+ 20
- 3
iptables/init.sls Dosyayı Görüntüle

@@ -1,4 +1,21 @@
{%- from "iptables/map.jinja" import schema with context %}

{%- set include_allowed = true %}
{%- if grains.get('virtual_subtype', None) in ['Docker', 'LXC'] %}
{%- set include_allowed = false %}
echo_usupported_environment:
cmd.run:
- name: echo "You are trying to use iptables inside of docker or lxc. Kernel modules loading are not supported here"
{%- endif %}

{%- if pillar.iptables.service.enabled is defined %}
{%- set include_allowed = false %}
echo_usupported_pillars_schema:
cmd.run:
- name: echo "You are trying to use old style pillars schema. Please update pillars according to the current schema"
{%- endif %}

{%- if include_allowed %}
include:
{%- if pillar.iptables.service is defined %}
- iptables.service
{%- endif %}
- iptables.v{{ schema.epoch }}
{%- endif %}

+ 79
- 9
iptables/map.jinja Dosyayı Görüntüle

@@ -1,15 +1,85 @@
{% set schema = salt['grains.filter_by']({
'default': {
},
}, grain='os_family', merge=salt['pillar.get']('iptables:schema')) %}

{% set service = salt['grains.filter_by']({
'RedHat': {
'v4': {
'enabled': true,
'persistent_config': '/etc/sysconfig/iptables',
'pkgs': [' iptables' ],
'service': 'iptables',
'modules': [],
},
'v6': {
'enabled': true,
'persistent_config': '/etc/sysconfig/ip6tables',
'pkgs': [ 'iptables' ],
'service': 'iptables',
'modules': [],
},
},
'Debian': {
'pkgs': ['iptables','iptables-persistent' ],
'service': 'netfilter-persistent',
'v4': {
'enabled': true,
'persistent_config': '/etc/iptables/rules.v4',
'pkgs': [ 'iptables','iptables-persistent' ],
'service': 'netfilter-persistent',
'modules': [ 'iptable_filter', 'ip_tables' ],
},
'v6': {
'enabled': true,
'persistent_config': '/etc/iptables/rules.v6',
'pkgs': [ 'iptables','iptables-persistent' ],
'service': 'netfilter-persistent',
'modules': [ 'ip6table_filter', 'ip6_tables' ],
},
},
'RedHat': {
'pkgs': ['iptables'],
'service': 'iptables',
}, grain='os_family', merge=salt['pillar.get']('iptables:service')) %}

{% set defaults = salt['grains.filter_by']({
'default': {
'v4': {
'metadata_rules': false,
'policy': 'ACCEPT',
'ruleset': {
'action': 'ACCEPT',
'params': '',
'rule': '',
},
},
'v6': {
'metadata_rules': false,
'policy': 'ACCEPT',
'ruleset': {
'action': 'ACCEPT',
'params': '',
'rule': '',
},
},
},
}, merge=salt['grains.filter_by']({
'trusty': {
'service': 'iptables-persistent',
}, grain='os_family', merge=salt['pillar.get']('iptables:defaults')) %}

{% set tables = salt['grains.filter_by']({
'default': {
'v4': {
'filter': {
'chains': {
'INPUT': {},
'OUTPUT': {},
'FORWARD': {},
},
},
},
'v6': {
'filter': {
'chains': {
'INPUT': {},
'OUTPUT': {},
'FORWARD': {},
},
},
},
},
}, grain='oscodename', merge=salt['pillar.get']('iptables:service'))) %}
}, grain='os_family', merge=salt['pillar.get']('iptables:tables')) %}

+ 0
- 117
iptables/rules.sls Dosyayı Görüntüle

@@ -1,117 +0,0 @@
{% from "iptables/map.jinja" import service with context %}
{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}

{%- set chains = service.get('chain', {}).keys() %}
{%- for chain_name, chain in service.get('chain', {}).items() %}

{%- set tables = [] %}
{%- for rule in chain.get('rules', []) %}
{%- set table = rule.get('table', 'filter') %}
{%- if table not in tables %}
{%- do tables.append(table) %}
{%- endif %}
{%- endfor %}
{%- if chain.policy is defined %}
{%- if chain.policy is string %}
{%- if 'filter' not in tables %}
{%- do tables.append('filter') %}
{%- endif %}
{%- else %}
{%- for policy in chain.policy %}
{%- if policy.table not in tables %}
{%- do tables.append(policy.table) %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endif %}

{%- for table in tables %}
iptables_{{ table }}_{{ chain_name }}:
iptables.chain_present:
- family: ipv4
- name: {{ chain_name }}
- table: {{ table }}
- require:
- pkg: iptables_packages

{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
iptables_{{ table }}_{{ chain_name }}_ipv6:
iptables.chain_present:
- family: ipv6
- name: {{ chain_name }}
- table: {{ table }}
- require:
- pkg: iptables_packages
{%- if chain.policy is defined %}
{%- if chain.policy is string %}
- require_in:
- iptables: iptables_filter_{{ chain_name }}_ipv6_policy
{%- else %}
{%- if table in chain.policy %}
- require_in:
- iptables: iptables_filter_{{ chain_name }}_ipv6_policy
{%- endif %}
{%- endif %}
{%- endif %}
{%- endif %}
{%- endfor %}

{%- if chain.policy is defined %}

{%- if chain.policy is string %}
{%- set map = [{'table':'filter', 'policy':chain.policy}] %}
{%- else %}
{%- set map = chain.policy %}
{%- endif %}

{%- for policy in map %}
iptables_{{ policy.table }}_{{ chain_name }}_policy:
iptables.set_policy:
- family: ipv4
- chain: {{ chain_name }}
- policy: {{ policy.policy }}
- table: {{ policy.table }}
- require:
- iptables: iptables_{{ policy.table }}_{{ chain_name }}

{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
iptables_{{ policy.table }}_{{ chain_name }}_ipv6_policy:
iptables.set_policy:
- family: ipv6
- chain: {{ chain_name }}
- policy: {{ policy.policy }}
- table: {{ policy.table }}
- require:
- iptables: iptables_{{ policy.table }}_{{ chain_name }}_ipv6
{%- endif %}
{%- endfor %}
{%- endif %}

{%- for service_name, service in pillar.items() %}
{%- if service is mapping %}
{%- if service.get('_support', {}).get('iptables', {}).get('enabled', False) %}

{%- set grains_fragment_file = service_name+'/meta/iptables.yml' %}
{%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %}
{%- set grains_yaml = load_grains_file()|load_yaml %}

{%- if grains_yaml is iterable %}
{%- if grains_yaml.get('iptables',{}).rules is defined %}
{%- for rule in grains_yaml.iptables.rules %}
{%- set rule_name = service_name+'_'+loop.index|string %}
{% include "iptables/_rule.sls" %}
{%- endfor %}
{%- endif %}
{%- endif %}

{%- endif %}
{%- endif %}
{%- endfor %}

{%- for rule in chain.get('rules', []) %}
{%- set rule_name = loop.index %}
{% include "iptables/_rule.sls" %}
{%- endfor %}

{%- endfor %}
{%- endif %}

+ 0
- 63
iptables/service.sls Dosyayı Görüntüle

@@ -1,63 +0,0 @@
{% from "iptables/map.jinja" import service with context %}

{%- if service.enabled %}

include:
- iptables.rules

iptables_packages:
pkg.installed:
- names: {{ service.pkgs }}

iptables_services:
{%- if grains.init == 'systemd' %}
service.running:
{%- else %}
service.dead:
{%- endif %}
- enable: true
- name: {{ service.service }}
- sig: test -e /etc/iptables/rules.v4
- require:
- pkg: iptables_packages

{%- else %}

iptables_services:
service.dead:
- enable: false
- name: {{ service.service }}

{%- for chain_name in ['INPUT', 'OUTPUT', 'FORWARD'] %}
iptables_{{ chain_name }}_policy:
iptables.set_policy:
- chain: {{ chain_name }}
- policy: ACCEPT
- table: filter
- require_in:
- iptables: iptables_flush

{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
iptables_{{ chain_name }}_ipv6_policy:
iptables.set_policy:
- chain: {{ chain_name }}
- family: ipv6
- policy: ACCEPT
- table: filter
- require_in:
- iptables: ip6tables_flush
{%- endif %}

{%- endfor %}

iptables_flush:
iptables.flush

{%- if grains.ipv6|default(False) and service.ipv6|default(True) %}
ip6tables_flush:
iptables.flush:
- family: ipv6
{%- endif %}


{%- endif %}

+ 72
- 0
iptables/v1/files/v4_rules Dosyayı Görüntüle

@@ -0,0 +1,72 @@
{%- from "iptables/map.jinja" import defaults,service,tables with context %}
{%- if service.v4.enabled -%}
# Generated by salt v{{ grains['saltversion'] }}
{%- if not defaults.v4.metadata_rules %}
{%- for s_name, svc in pillar.items() %}
{%- if svc is mapping %}
{%- if svc.get('_support', {}).get('iptables', {}).get('enabled', False) %}
{%- macro load_grains_file() %}{% include s_name + '/meta/iptables.yml' %}{% endmacro %}
{%- set grains_yaml = load_grains_file()|load_yaml %}
{%- if grains_yaml is iterable %}
{%- set grains_tables = grains_yaml.get('iptables', {}).get('tables', {}).get('v4', {}) %}
{%- if grains_tables is iterable %}
{%- for gt_name, gt in grains_tables.items() %}
{%- if gt_name not in tables.v4 %}
{%- do tables.v4.update( { gt_name: gt } ) %}
{%- else %}
{%- for gc_name, gc in gt.chains.items() %}
{%- set gt_obj = tables.v4.get(gt_name) %}
{%- if gc_name not in gt_obj.chains %}
{%- do gt_obj.chains.update( { gc_name: gc } ) %}
{%- else %}
{%- set gc_obj = gt_obj.chains.get(gc_name) %}
{%- if gc.ruleset is defined %}
{%- if gc_obj.ruleset is not defined %}
{%- do gc_obj.update( { 'ruleset': {} } ) %}
{%- endif %}
{%- for grule_id, gr in gc.ruleset.items()|sort %}
{%- if grule_id not in gc_obj.ruleset %}
{%- do gc_obj.ruleset.update( { grule_id: gr } ) %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endif %}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- for t_name, t in tables.v4.items() %}
*{{ t_name }}
{%- for c_name, c in t.chains.items() %}
{%- if c_name in ('INPUT','FORWARD','OUTPUT','PREROUTING','POSTROUTING') %}
{%- set policy = c.get('policy', defaults.v4.policy) %}
{%- else %}
{%- set policy = "- [0:0]" %}
{%- endif %}
:{{ c_name }} {{ policy }}
{%- endfor %}
{%- for c_name, c in t.chains.items() %}
{%- for rule_id, r in c.get('ruleset', {}).items()|sort %}
{%- set rule = r.get('rule', defaults.v4.ruleset.rule) %}
{%- set action = r.get('action', defaults.v4.ruleset.action) %}
{%- set params = r.get('params', defaults.v4.ruleset.params) %}
{%- if rule != "" %}
{%- set rule = " " + rule %}
{%- endif %}
{%- if action != "" %}
{%- set action = " -j " + action %}
{%- endif %}
{%- if params != "" %}
{%- set params = " " + params %}
{%- endif %}
-A {{ c_name }}{{ rule }}{{ action }}{{ params }}
{%- endfor %}
{%- endfor %}
COMMIT
{%- endfor %}
{%- endif %}

+ 72
- 0
iptables/v1/files/v6_rules Dosyayı Görüntüle

@@ -0,0 +1,72 @@
{%- from "iptables/map.jinja" import defaults,service,tables with context %}
{%- if service.v6.enabled -%}
# Generated by salt v{{ grains['saltversion'] }}
{%- if not defaults.v6.metadata_rules %}
{%- for s_name, svc in pillar.items() %}
{%- if svc is mapping %}
{%- if svc.get('_support', {}).get('iptables', {}).get('enabled', False) %}
{%- macro load_grains_file() %}{% include s_name + '/meta/iptables.yml' %}{% endmacro %}
{%- set grains_yaml = load_grains_file()|load_yaml %}
{%- if grains_yaml is iterable %}
{%- set grains_tables = grains_yaml.get('iptables', {}).get('tables', {}).get('v6', {}) %}
{%- if grains_tables is iterable %}
{%- for gt_name, gt in grains_tables.items() %}
{%- if gt_name not in tables.v6 %}
{%- do tables.v6.update( { gt_name: gt } ) %}
{%- else %}
{%- for gc_name, gc in gt.chains.items() %}
{%- set gt_obj = tables.v6.get(gt_name) %}
{%- if gc_name not in gt_obj.chains %}
{%- do gt_obj.chains.update( { gc_name: gc } ) %}
{%- else %}
{%- set gc_obj = gt_obj.chains.get(gc_name) %}
{%- if gc.ruleset is defined %}
{%- if gc_obj.ruleset is not defined %}
{%- do gc_obj.update( { 'ruleset': {} } ) %}
{%- endif %}
{%- for grule_id, gr in gc.ruleset.items()|sort %}
{%- if grule_id not in gc_obj.ruleset %}
{%- do gc_obj.ruleset.update( { grule_id: gr } ) %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- endif %}
{%- endif %}
{%- endif %}
{%- endfor %}
{%- endif %}
{%- for t_name, t in tables.v6.items() %}
*{{ t_name }}
{%- for c_name, c in t.chains.items() %}
{%- if c_name in ('INPUT','FORWARD','OUTPUT','PREROUTING','POSTROUTING') %}
{%- set policy = c.get('policy', defaults.v6.policy) %}
{%- else %}
{%- set policy = "- [0:0]" %}
{%- endif %}
:{{ c_name }} {{ policy }}
{%- endfor %}
{%- for c_name, c in t.chains.items() %}
{%- for rule_id, r in c.get('ruleset', {}).items()|sort %}
{%- set rule = r.get('rule', defaults.v6.ruleset.rule) %}
{%- set action = r.get('action', defaults.v6.ruleset.action) %}
{%- set params = r.get('params', defaults.v6.ruleset.params) %}
{%- if rule != "" %}
{%- set rule = " " + rule %}
{%- endif %}
{%- if action != "" %}
{%- set action = " -j " + action %}
{%- endif %}
{%- if params != "" %}
{%- set params = " " + params %}
{%- endif %}
-A {{ c_name }}{{ rule }}{{ action }}{{ params }}
{%- endfor %}
{%- endfor %}
COMMIT
{%- endfor %}
{%- endif %}

+ 6
- 0
iptables/v1/init.sls Dosyayı Görüntüle

@@ -0,0 +1,6 @@
{%- from "iptables/map.jinja" import schema with context %}
{%- if pillar.iptables.service.enabled is not defined %}
include:
- iptables.v{{ schema.epoch }}.v4_service
- iptables.v{{ schema.epoch }}.v6_service
{%- endif %}

iptables/meta/sphinx.yml → iptables/v1/meta/sphinx.yml Dosyayı Görüntüle


+ 79
- 0
iptables/v1/v4_service.sls Dosyayı Görüntüle

@@ -0,0 +1,79 @@
{% from "iptables/map.jinja" import defaults,schema,service with context %}

{%- if service.v4.enabled %}

iptables_packages_v4:
pkg.installed:
- names: {{ service.v4.pkgs }}

iptables_modules_v4_load:
kmod.present:
- persist: true
- mods: {{ service.v4.modules }}
- require:
- pkg: iptables_packages_v4

{{ service.v4.persistent_config }}:
file.managed:
- user: root
- group: root
- mode: 640
- source: salt://iptables/v{{ schema.epoch }}/files/v4_rules
- template: jinja
- require:
- pkg: iptables_packages_v4

{% if grains['os'] == 'Ubuntu' %}

iptables_services_v4_start:
cmd.run:
- name: find /usr/share/netfilter-persistent/plugins.d/[0-9]*-ip4tables -exec {} start \;
- onlyif: test $(iptables-save | wc -l) -eq 0
- require:
- file: {{ service.v4.persistent_config }}
- kmod: iptables_modules_v4_load

{%- endif %}

{{ service.v4.service }}:
service.running:
- enable: true
- require:
- file: {{ service.v4.persistent_config }}
- kmod: iptables_modules_v4_load
- watch:
- file: {{ service.v4.persistent_config }}

iptables_tables_cleanup_v4:
module.wait:
- name: iptables_extra.remove_stale_tables
- config_file: {{ service.v4.persistent_config }}
- family: ipv4
- require:
- file: {{ service.v4.persistent_config }}
- watch:
- file: {{ service.v4.persistent_config }}
{%- else %}

{% if grains['os'] == 'Ubuntu' %}

iptables_services_v4_stop:
cmd.run:
- name: find /usr/share/netfilter-persistent/plugins.d/[0-9]*-ip4tables -exec {} flush \;
- onlyif: test $(which iptables-save) -eq 0 && test $(iptables-save | wc -l) -ne 0

{{ service.v4.persistent_config }}:
file.absent:
- require:
- cmd: iptables_services_v4_stop

iptables_tables_flush_v4:
module.wait:
- name: iptables_extra.flush_all
- family: ipv4
- watch:
- file: {{ service.v4.persistent_config }}

{%- endif %}

{%- endif %}

+ 79
- 0
iptables/v1/v6_service.sls Dosyayı Görüntüle

@@ -0,0 +1,79 @@
{% from "iptables/map.jinja" import defaults,schema,service with context %}

{%- if service.v6.enabled %}

iptables_packages_v6:
pkg.installed:
- names: {{ service.v6.pkgs }}

iptables_modules_v6_load:
kmod.present:
- persist: true
- mods: {{ service.v6.modules }}
- require:
- pkg: iptables_packages_v6

{{ service.v6.persistent_config }}:
file.managed:
- user: root
- group: root
- mode: 640
- source: salt://iptables/v{{ schema.epoch }}/files/v6_rules
- template: jinja
- require:
- pkg: iptables_packages_v6

{% if grains['os'] == 'Ubuntu' %}

iptables_services_v6_start:
cmd.run:
- name: find /usr/share/netfilter-persistent/plugins.d/[0-9]*-ip6tables -exec {} start \;
- onlyif: test $(ip6tables-save | wc -l) -eq 0
- require:
- file: {{ service.v6.persistent_config }}
- kmod: iptables_modules_v6_load

{%- endif %}

{{ service.v6.service }}:
service.running:
- enable: true
- require:
- file: {{ service.v6.persistent_config }}
- kmod: iptables_modules_v6_load
- watch:
- file: {{ service.v6.persistent_config }}

iptables_tables_cleanup_v6:
module.wait:
- name: iptables_extra.remove_stale_tables
- config_file: {{ service.v6.persistent_config }}
- family: ipv6
- require:
- file: {{ service.v6.persistent_config }}
- watch:
- file: {{ service.v6.persistent_config }}
{%- else %}

{% if grains['os'] == 'Ubuntu' %}

iptables_services_v6_stop:
cmd.run:
- name: find /usr/share/netfilter-persistent/plugins.d/[0-9]*-ip6tables -exec {} flush \;
- onlyif: test $(which ip6tables-save) -eq 0 && test $(ip6tables-save | wc -l) -ne 0

{{ service.v6.persistent_config }}:
file.absent:
- require:
- cmd: iptables_services_v6_stop

iptables_tables_flush_v6:
module.wait:
- name: iptables_extra.flush_all
- family: ipv6
- watch:
- file: {{ service.v6.persistent_config }}

{%- endif %}

{%- endif %}

+ 1
- 2
metadata.yml Dosyayı Görüntüle

@@ -1,4 +1,3 @@
name: "iptables"
version: "0.2"
version: "1.0.0"
source: "https://github.com/salt-formulas/salt-formula-iptables"


+ 71
- 0
tests/pillar/iptables.sls Dosyayı Görüntüle

@@ -0,0 +1,71 @@
iptables:
schema:
epoch: 1
service:
v4:
enabled: true
modules:
- nf_conntrack_ftp
- nf_conntrack_pptp
v6:
enabled: false
modules:
- nf_conntrack_ipv6
defaults:
v4:
metadata_rules: false
policy: ACCEPT
ruleset:
action: ACCEPT
params: ""
rule: ""
v6:
metadata_rules: false
policy: DROP
ruleset:
action: ACCEPT
params: ""
rule: ""
tables:
v4:
filter:
chains:
INPUT:
ruleset:
5:
action: log_drop
10:
rule: -s 192.168.0.0/24 -p tcp
log_drop:
policy: DROP
ruleset:
10:
rule: ""
action: LOG
nat:
chains:
OUTPUT: {}
PREROUTING: {}
POSTROUTING:
policy: ACCEPT
ruleset:
10:
rule: -s 192.168.0.0/24 -p tcp -o lo
action: SNAT
params: --to-source=127.0.0.1
config: v4
v6:
filter:
chains:
INPUT:
ruleset:
5:
action: log_drop
10:
rule: -s 200A:0:200C::1/64 -p tcp
log_drop:
policy: DROP
ruleset:
10:
rule: ""
action: LOG

+ 0
- 28
tests/pillar/iptables_server.sls Dosyayı Görüntüle

@@ -1,28 +0,0 @@
iptables:
service:
enabled: true
chain:
INPUT:
policy:
- table: nat
policy: ACCEPT
rules:
- position: 1
table: filter
protocol: tcp
destination_port: 8088
source_network: 127.0.0.1
jump: ACCEPT
comment: Blah
OUTPUT:
policy: ACCEPT
FORWARD:
policy:
- table: mangle
policy: DROP
POSTROUTING:
rules:
- jump: MASQUERADE
protocol: icmp
out_interface: ens3
table: nat

+ 15
- 0
user_data.sh Dosyayı Görüntüle

@@ -0,0 +1,15 @@
#!/bin/bash -xe
# Speedup reverse hostname lookup
sed -i "s/127.0.0.1.*/127.0.0.1 localhost $(hostname)/" /etc/hosts
# Enabling password auth for kitchen user
sed -i 's/PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
# Disable sshd NS lookups
echo "UseDNS no" >> /etc/ssh/sshd_config
service ssh restart
# Create user 'kitchen' with password 'kitchen'
useradd -m -G adm,sudo -p '$6$DqOdqb/l$hOpDWFPeC8/45Oo8NbqZyqLZxYd.Vtlujf9A4OdwUKgBjRcETuc9Gd2C7OyI99MY2N/pACrbV8WymqV.H1XZ1.' -s /bin/bash kitchen
# Passwordless sudo for user 'kitchen'
echo "kitchen ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/99-kitchen
# Secure kitchen home
chown kitchen:root /home/kitchen -R
chmod 0700 /home/kitchen

Yükleniyor…
İptal
Kaydet