Przeglądaj źródła

Fix documentation, remove obsolete

tags/2016.12^0
Filip Pytloun 8 lat temu
rodzic
commit
6006256763
2 zmienionych plików z 72 dodań i 289 usunięć
  1. +72
    -285
      README.rst
  2. +0
    -4
      iptables/rules.sls

+ 72
- 285
README.rst Wyświetl plik

@@ -3,33 +3,90 @@
iptables formula
================

iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores.
Iptables is used to set up, maintain, and inspect the tables of IPv4 packet
filter rules in the Linux kernel. Several different tables may be defined.
Each table contains a number of built-in chains and may also contain
user-defined chains. Each chain is a list of rules which can match a set of
packets. Each rule specifies what to do with a packet that matches. This is
called a `target`, which may be a jump to a user-defined chain in the same
table.

Sample pillars
==============

Simple INPUT chain httpd ACCEPT rule on position 1
Most common rules - allow traffic on localhost, accept related,established and
ping

.. code-block:: yaml

iptables:
service:
enabled: false
parametetrs:
iptables:
service:
chain:
INPUT:
enabled: true
policy: DROP
rule:
httpd:
position: 1
table: filter
rules:
- in_interface: lo
jump: ACCEPT
family: ipv6
- connection_state: RELATED,ESTABLISHED
match: state
connection_state: NEW
jump: ACCEPT
- protocol: icmp
jump: ACCEPT

Accept connections on port 22

.. code-block:: yaml

parametetrs:
iptables:
service:
chain:
INPUT:
rules:
- destination_port: 22
protocol: tcp
source_port: 1025:65535
destination_port: 80
jump: ACCEPT

Set drop policy on INPUT chain:

.. code-block:: yaml

parametetrs:
iptables:
service:
chain:
INPUT:
policy: DROP

Redirect privileged port 443 to 8081

.. code-block:: yaml

parameters:
iptables:
service:
chain:
PREROUTING:
filter: nat
destination_port: 443
to_port: 8081
protocol: tcp
jump: REDIRECT

Allow access from local network

.. code-block:: yaml

parameters:
iptables:
service:
chain:
INPUT:
rules:
- protocol: tcp
destination_port: 22
source_network: 192.168.1.0/24
jump: ACCEPT

Read more
=========
@@ -37,273 +94,3 @@ Read more
* http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html
* https://help.ubuntu.com/community/IptablesHowTo
* http://wiki.centos.org/HowTos/Network/IPTables

.. code-block:: yaml

chain:
PREROUTING:
enabled: true
rule:
dnat_ssh_185:
table: filter
jump: DNAT
match: tcp
protocol: tcp
destination_network: 185.22.97.132/32
destination_port: 20022
to_destination:
host: 10.0.110.38
port: 22
comment: Premapovani ssh zvenku na standardni port
dnat_ssh_10:
table: filter
jump: DNAT
match: tcp
protocol: tcp
destination_network: 10.0.110.38/32
destination_port: 20022
to_destination:
host: 10.0.110.38
port: 22
comment: Premapovani ssh 20022-22
redirect_vpn_185:
table: filter
jump: REDIRECT
match: udp
protocol: udp
destination_network: 185.22.97.132/32
destination_port: 3690
to_port:
port: 1194
comment: Presmerovani VPN portu 3690 > 1194
POSTROUTING:
enabled: true
rule:
snat_vpn_185:
table: filter
jump: SNAT
match: udp
protocol: udp
source_network: 10.8.0.0/24
out_interface: eth1
to_source:
host: 185.22.97.132
comment: NAT pro klienty administratorske VPNky
INPUT:
enabled: true
rule:
allow_conn_established:
table: filter
jump: ACCEPT
match: state
connection_state: RELATED,ESTABLISHED
comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
allow_proto_icmp:
table: filter
jump: ACCEPT
protocol: icmp
comment: ICMP nechceme filtrovat
allow_iface_lo:
table: filter
jump: ACCEPT
in_interface: lo
comment: Lokalni smycka muze vsechno
allow_ssh_10.0.110.38:
table: filter
jump: ACCEPT
match: tcp
protocol: tcp
destination_network: 10.0.110.38/32
destination_port: 22
comment: SSH z lokalni site
allow_ssh_10.8.0.1:
table: filter
jump: ACCEPT
match: tcp
protocol: tcp
destination_network: 10.8.0.1/32
destination_port: 22
comment: SSH z VPN site
allow_ssh_private_10:
table: filter
jump: ACCEPT
match: state
connection_state: NEW
source_network: 10.0.0.0/8
destination_network: 185.22.97.132/32
destination_port: 22
comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol
allow_ssh_private_192:
table: filter
jump: ACCEPT
match: state
connection_state: NEW
source_network: 192.0.0.0/8
destination_network: 185.22.97.132/32
destination_port: 22
comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol
allow_ssh_private_172:
table: filter
jump: ACCEPT
match: state
connection_state: NEW
source_network: 172.16.162.0/24
destination_network: 185.22.97.132/32
destination_port: 22
comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol
allow_ssh_private_185:
table: filter
jump: ACCEPT
match: state
connection_state: NEW
source_network: 185.22.97.0/24
destination_network: 185.22.97.132/32
destination_port: 22
comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol
deny_ssh_public:
table: filter
jump: DROP
match: tpc
protocol: tcp
destination_network: 185.22.97.132/32
destination_port: 22
comment: ssh z vnejsi site na obvykly port ZAKAZAT, budeme ho presmerovavat
allow_ssh_public_redirect:
table: filter
jump: ACCEPT
match: tpc
protocol: tcp
destination_port: 22022
comment: nahradni ssh port bude presmerovan na 22 pokud se prijde z vnejsi site
allow_zabbix_server:
table: filter
jump: ACCEPT
match: tpc
protocol: tcp
source_network: 10.0.110.36/32
destination_port: 10050
comment: zabbix monitoring
allow_tsmc_web_10:
table: filter
jump: ACCEPT
match: tpc
protocol: tcp
source_network: 10.0.0.0/8
destination_port: 1581
comment: tsm client web gui
allow_tsmc_37010_10:
table: filter
jump: ACCEPT
match: state
protocol: tcp
source_network: 10.0.0.0/8
destination_port: 37010
comment: tsmc web
allow_tsmc_39876_10:
table: filter
jump: ACCEPT
match: state
protocol: tcp
source_network: 10.0.0.0/8
destination_port: 39876
comment: tsmc web
allow_tsm_web_172:
table: filter
jump: ACCEPT
match: tpc
protocol: tcp
source_network: 172.16.162.0/24
destination_port: 1581
comment: tsm client web gui
allow_tsmc_37010_172:
table: filter
jump: ACCEPT
match: state
protocol: tcp
source_network: 172.16.162.0/24
destination_port: 37010
comment: tsmc web
allow_tsmc_39876_172:
table: filter
jump: ACCEPT
match: state
protocol: tcp
source_network: 172.16.162.0/24
destination_port: 39876
comment: tsmc web
allow_vpn_public:
table: filter
jump: ACCEPT
match: state
connection_state: NEW
destination_port: 1194
comment: Povolime VPN odkudkoli
reject_rest:
table: filter
jump: REJECT
comment: Zdvorile odmitame ostatni komunikaci; --reject-with icmp-host-prohibited neni
FORWARD:
enabled: true
rule:
allow_conn_established:
table: filter
jump: ACCEPT
match: state
connection_state: RELATED,ESTABLISHED
comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
snat_vpn_185:
table: filter
jump: SNAT
match: udp
protocol: udp
source_network: 10.8.0.0/24
out_interface: eth1
to_source:
host: 185.22.97.132
comment: NAT pro klienty administratorske VPNky
accept_net_10.0.110.0_vpn:
table: filter
jump: ACCEPT
source_network: 10.0.110.0/24
destionation_network: 10.8.0.0/24
comment: vnitrni komunikace management
accept_net_10.10.0.0_vpn:
table: filter
jump: ACCEPT
source_network: 10.10.0.0/16
destionation_network: 10.8.0.0/24
comment: vnitrni komunikace management
accept_net_10.0.101.0_vpn:
table: filter
jump: ACCEPT
source_network: 10.0.101.0/24
destionation_network: 10.8.0.0/24
comment: vnitrni komunikace VLAN1501
accept_net_10.0.102.0_vpn:
table: filter
jump: ACCEPT
source_network: 10.0.102.0/24
destionation_network: 10.8.0.0/24
comment: vnitrni komunikace VLAN1502
accept_net_10.0.103.0_vpn:
table: filter
jump: ACCEPT
source_network: 10.0.103.0/24
destionation_network: 10.8.0.0/24
comment: vnitrni komunikace VLAN1503
accept_net_10.0.106.0_vpn:
table: filter
jump: ACCEPT
source_network: 10.0.106.0/24
destionation_network: 10.8.0.0/24
comment: vnitrni komunikace VLAN1506
accept_net_10.0.110.0:
table: filter
jump: ACCEPT
source_network: 10.0.110.0/24
comment: Vse ze site 10.0.110.0
accept_net_10.8.0.0:
table: filter
jump: ACCEPT
source_network: 10.8.0.0/24
comment: Z teto VPN se smi skoro vsechno

+ 0
- 4
iptables/rules.sls Wyświetl plik

@@ -30,8 +30,4 @@ iptables_{{ chain_name }}_policy:
{% include "iptables/_rule.sls" %}
{%- endfor %}

{%- for rule_name, rule in chain.get('rule', {}).iteritems() %}
{% include "iptables/_rule.sls" %}
{%- endfor %}

{%- endfor %}

Ładowanie…
Anuluj
Zapisz