
Initial commit

tags/0.2
Filip Pytloun 9 years ago
commit
ab43e7b3a6
16 changed files with 476 additions and 0 deletions
  1. +7
    -0
      CHANGELOG.rst
  2. +13
    -0
      LICENSE
  3. +308
    -0
      README.rst
  4. +1
    -0
      VERSION
  5. +11
    -0
      debian/changelog
  6. +1
    -0
      debian/compat
  7. +15
    -0
      debian/control
  8. +15
    -0
      debian/copyright
  9. +3
    -0
      debian/docs
  10. +2
    -0
      debian/install
  11. +5
    -0
      debian/rules
  12. +1
    -0
      debian/source/format
  13. +4
    -0
      iptables/init.sls
  14. +11
    -0
      iptables/map.jinja
  15. +77
    -0
      iptables/service.sls
  16. +2
    -0
      metadata/service/server/init.yml

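--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -0,0 +1,7 @@
+
+iptables-formula
+================
+
+0.0.1 (2015-08-03)
+
+- Initial formula setup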

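--- a/LICENSE
+++ b/LICENSE
@@ -0,0 +1,13 @@
+Copyright (c) 2014-2015 tcp cloud a.s.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.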

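--- a/README.rst
+++ b/README.rst
@@ -0,0 +1,308 @@
+
+================
+iptables formula
+================
+
+iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores.
+
+Sample pillars
+==============
+
+Simple INPUT chain httpd ACCEPT rule on position 1
+
+.. code-block:: yaml
+
+iptables:
+service:
+enabled: false
+chain:
+INPUT:
+enabled: true
+rule:
+httpd:
+position: 1
+table: filter
+jump: ACCEPT
+family: ipv6
+match: state
+connection_state: NEW
+protocol: tcp
+source_port: 1025:65535
+destination_port: 80
+
+Read more
+=========
+
+* http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html
+* https://help.ubuntu.com/community/IptablesHowTo
+* http://wiki.centos.org/HowTos/Network/IPTables
+
+.. code-block:: yaml
+
+chain:
+PREROUTING:
+enabled: true
+rule:
+dnat_ssh_185:
+table: filter
+jump: DNAT
+match: tcp
+protocol: tcp
+destination_network: 185.22.97.132/32
+destination_port: 20022
+to_destination:
+host: 10.0.110.38
+port: 22
+comment: Premapovani ssh zvenku na standardni port
+dnat_ssh_10:
+table: filter
+jump: DNAT
+match: tcp
+protocol: tcp
+destination_network: 10.0.110.38/32
+destination_port: 20022
+to_destination:
+host: 10.0.110.38
+port: 22
+comment: Premapovani ssh 20022-22
+redirect_vpn_185:
+table: filter
+jump: REDIRECT
+match: udp
+protocol: udp
+destination_network: 185.22.97.132/32
+destination_port: 3690
+to_port:
+port: 1194
+comment: Presmerovani VPN portu 3690 > 1194
+POSTROUTING:
+enabled: true
+rule:
+snat_vpn_185:
+table: filter
+jump: SNAT
+match: udp
+protocol: udp
+source_network: 10.8.0.0/24
+out_interface: eth1
+to_source:
+host: 185.22.97.132
+comment: NAT pro klienty administratorske VPNky
+INPUT:
+enabled: true
+rule:
+allow_conn_established:
+table: filter
+jump: ACCEPT
+match: state
+connection_state: RELATED,ESTABLISHED
+comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
+allow_proto_icmp:
+table: filter
+jump: ACCEPT
+protocol: icmp
+comment: ICMP nechceme filtrovat
+allow_iface_lo:
+table: filter
+jump: ACCEPT
+in_interface: lo
+comment: Lokalni smycka muze vsechno
+allow_ssh_10.0.110.38:
+table: filter
+jump: ACCEPT
+match: tcp
+protocol: tcp
+destination_network: 10.0.110.38/32
+destination_port: 22
+comment: SSH z lokalni site
+allow_ssh_10.8.0.1:
+table: filter
+jump: ACCEPT
+match: tcp
+protocol: tcp
+destination_network: 10.8.0.1/32
+destination_port: 22
+comment: SSH z VPN site
+allow_ssh_private_10:
+table: filter
+jump: ACCEPT
+match: state
+connection_state: NEW
+source_network: 10.0.0.0/8
+destination_network: 185.22.97.132/32
+destination_port: 22
+comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol
+allow_ssh_private_192:
+table: filter
+jump: ACCEPT
+match: state
+connection_state: NEW
+source_network: 192.0.0.0/8
+destination_network: 185.22.97.132/32
+destination_port: 22
+comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol
+allow_ssh_private_172:
+table: filter
+jump: ACCEPT
+match: state
+connection_state: NEW
+source_network: 172.16.162.0/24
+destination_network: 185.22.97.132/32
+destination_port: 22
+comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol
+allow_ssh_private_185:
+table: filter
+jump: ACCEPT
+match: state
+connection_state: NEW
+source_network: 185.22.97.0/24
+destination_network: 185.22.97.132/32
+destination_port: 22
+comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol
+deny_ssh_public:
+table: filter
+jump: DROP
+match: tpc
+protocol: tcp
+destination_network: 185.22.97.132/32
+destination_port: 22
+comment: ssh z vnejsi site na obvykly port ZAKAZAT, budeme ho presmerovavat
+allow_ssh_public_redirect:
+table: filter
+jump: ACCEPT
+match: tpc
+protocol: tcp
+destination_port: 22022
+comment: nahradni ssh port bude presmerovan na 22 pokud se prijde z vnejsi site
+allow_zabbix_server:
+table: filter
+jump: ACCEPT
+match: tpc
+protocol: tcp
+source_network: 10.0.110.36/32
+destination_port: 10050
+comment: zabbix monitoring
+allow_tsmc_web_10:
+table: filter
+jump: ACCEPT
+match: tpc
+protocol: tcp
+source_network: 10.0.0.0/8
+destination_port: 1581
+comment: tsm client web gui
+allow_tsmc_37010_10:
+table: filter
+jump: ACCEPT
+match: state
+protocol: tcp
+source_network: 10.0.0.0/8
+destination_port: 37010
+comment: tsmc web
+allow_tsmc_39876_10:
+table: filter
+jump: ACCEPT
+match: state
+protocol: tcp
+source_network: 10.0.0.0/8
+destination_port: 39876
+comment: tsmc web
+allow_tsm_web_172:
+table: filter
+jump: ACCEPT
+match: tpc
+protocol: tcp
+source_network: 172.16.162.0/24
+destination_port: 1581
+comment: tsm client web gui
+allow_tsmc_37010_172:
+table: filter
+jump: ACCEPT
+match: state
+protocol: tcp
+source_network: 172.16.162.0/24
+destination_port: 37010
+comment: tsmc web
+allow_tsmc_39876_172:
+table: filter
+jump: ACCEPT
+match: state
+protocol: tcp
+source_network: 172.16.162.0/24
+destination_port: 39876
+comment: tsmc web
+allow_vpn_public:
+table: filter
+jump: ACCEPT
+match: state
+connection_state: NEW
+destination_port: 1194
+comment: Povolime VPN odkudkoli
+reject_rest:
+table: filter
+jump: REJECT
+comment: Zdvorile odmitame ostatni komunikaci; --reject-with icmp-host-prohibited neni
+FORWARD:
+enabled: true
+rule:
+allow_conn_established:
+table: filter
+jump: ACCEPT
+match: state
+connection_state: RELATED,ESTABLISHED
+comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
+snat_vpn_185:
+table: filter
+jump: SNAT
+match: udp
+protocol: udp
+source_network: 10.8.0.0/24
+out_interface: eth1
+to_source:
+host: 185.22.97.132
+comment: NAT pro klienty administratorske VPNky
+accept_net_10.0.110.0_vpn:
+table: filter
+jump: ACCEPT
+source_network: 10.0.110.0/24
+destionation_network: 10.8.0.0/24
+comment: vnitrni komunikace management
+accept_net_10.10.0.0_vpn:
+table: filter
+jump: ACCEPT
+source_network: 10.10.0.0/16
+destionation_network: 10.8.0.0/24
+comment: vnitrni komunikace management
+accept_net_10.0.101.0_vpn:
+table: filter
+jump: ACCEPT
+source_network: 10.0.101.0/24
+destionation_network: 10.8.0.0/24
+comment: vnitrni komunikace VLAN1501
+accept_net_10.0.102.0_vpn:
+table: filter
+jump: ACCEPT
+source_network: 10.0.102.0/24
+destionation_network: 10.8.0.0/24
+comment: vnitrni komunikace VLAN1502
+accept_net_10.0.103.0_vpn:
+table: filter
+jump: ACCEPT
+source_network: 10.0.103.0/24
+destionation_network: 10.8.0.0/24
+comment: vnitrni komunikace VLAN1503
+accept_net_10.0.106.0_vpn:
+table: filter
+jump: ACCEPT
+source_network: 10.0.106.0/24
+destionation_network: 10.8.0.0/24
+comment: vnitrni komunikace VLAN1506
+accept_net_10.0.110.0:
+table: filter
+jump: ACCEPT
+source_network: 10.0.110.0/24
+comment: Vse ze site 10.0.110.0
+accept_net_10.8.0.0:
+table: filter
+jump: ACCEPT
+source_network: 10.8.0.0/24
+comment: Z teto VPN se smi skoro vsechno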

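--- a/VERSION
+++ b/VERSION
@@ -0,0 +1 @@
+0.2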

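--- a/debian/changelog
+++ b/debian/changelog
@@ -0,0 +1,11 @@
+salt-formula-iptables (0.2) trusty; urgency=medium
+
+* First public release
+
+-- Filip Pytloun <filip.pytloun@tcpcloud.eu> Tue, 06 Oct 2015 16:38:43 +0200
+
+salt-formula-iptables (0.1) trusty; urgency=medium
+
+* Initial release
+
+-- Jan Kaufman <jan.kaufman@tcpcloud.eu> Thu, 13 Aug 2015 23:23:41 +0200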

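--- a/debian/compat
+++ b/debian/compat
@@ -0,0 +1 @@
+9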

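--- a/debian/control
+++ b/debian/control
@@ -0,0 +1,15 @@
+Source: salt-formula-iptables
+Maintainer: Jan Kaufman <jan.kaufman@tcpcloud.eu>
+Section: admin
+Priority: optional
+Build-Depends: debhelper (>= 9)
+Standards-Version: 3.9.6
+Homepage: http://www.tcpcloud.eu
+Vcs-Browser: https://github.com/tcpcloud/salt-formula-iptables
+Vcs-Git: https://github.com/tcpcloud/salt-formula-iptables.git
+
+Package: salt-formula-iptables
+Architecture: all
+Depends: ${misc:Depends}, salt-master, reclass
+Description: iptables salt formula
+Configure iptables rules.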

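--- a/debian/copyright
+++ b/debian/copyright
@@ -0,0 +1,15 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: salt-formula-iptables
+Upstream-Contact: Ales Komarek <ales.komarek@tcpcloud.eu>
+Source: https://github.com/tcpcloud/salt-formula-iptables
+
+Files: *
+Copyright: 2014-2015 tcp cloud a.s.
+License: Apache-2.0
+Copyright (C) 2014-2015 tcp cloud a.s.
+.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+.
+On a Debian system you can find a copy of this license in
+/usr/share/common-licenses/Apache-2.0.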

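--- a/debian/docs
+++ b/debian/docs
@@ -0,0 +1,3 @@
+README.rst
+CHANGELOG.rst
+VERSION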

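--- a/debian/install
+++ b/debian/install
@@ -0,0 +1,2 @@
+iptables/* /usr/share/salt-formulas/env/iptables/
+metadata/service/* /usr/share/salt-formulas/reclass/service/iptables/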

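--- a/debian/rules
+++ b/debian/rules
@@ -0,0 +1,5 @@
+#!/usr/bin/make -f
+
+%:
+dh $@
+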

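--- a/debian/source/format
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)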

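--- a/iptables/init.sls
+++ b/iptables/init.sls
@@ -0,0 +1,4 @@
+include:
+{%- if pillar.iptables.service is defined %}
+- iptables.service
+{%- endif %}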
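Review bot: The guard `pillar.iptables.service is defined` on the second line of the hunk only protects against a missing `service` key; when a minion has no `iptables` pillar at all, `pillar.iptables` is itself undefined and, with Jinja's default `Undefined`, the attribute lookup `.service` on it raises an undefined-variable error before `is defined` is evaluated, so rendering fails instead of the include being skipped. Testing both levels keeps the intended behaviour: `{%- if pillar.iptables is defined and pillar.iptables.service is defined %}`. The same `pillar.iptables.service.enabled` access appears at the top of iptables/service.sls, but that file is only included once this guard has passed.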

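--- a/iptables/map.jinja
+++ b/iptables/map.jinja
@@ -0,0 +1,11 @@
+
+{% set service = salt['grains.filter_by']({
+'Debian': {
+'pkgs': ['iptables','iptables-persistent' ],
+'service': 'iptables-persistent',
+},
+'RedHat': {
+'pkgs': ['iptables'],
+'service': 'iptables',
+},
+}, merge=salt['pillar.get']('iptables:service')) %}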
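Review bot: The Debian package list on the fourth line of the hunk is written `['iptables','iptables-persistent' ]`, with no space after the comma and a stray space before the closing bracket; `'pkgs': ['iptables', 'iptables-persistent'],` reads consistently with the RedHat entry below it. On the RedHat side, the `iptables` service the map names is, on EL7-era systems, shipped by the separate `iptables-services` package rather than by `iptables` itself, so `service.dead`/`enable` in service.sls would presumably fail there for lack of a unit — confirm which releases are targeted and add `'iptables-services'` to that package list if EL7 is one of them.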

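--- a/iptables/service.sls
+++ b/iptables/service.sls
@@ -0,0 +1,77 @@
+{% from "iptables/map.jinja" import service with context %}
+
+{%- if pillar.iptables.service.enabled %}
+
+iptables_packages:
+pkg.installed:
+- names: {{ service.pkgs }}
+
+iptables_services:
+service.dead:
+- enable: true
+- name: {{ service.service }}
+- sig: test -e /etc/iptables/rules.v4
+- require:
+- pkg: iptables_packages
+
+{%- for chain_name, chain in service.get('chain', {}).iteritems() %}
+{%- for rule_name, rule in chain.get('rule', {}).iteritems() %}
+
+iptables_{{ chain_name }}_{{ rule_name }}:
+iptables.insert:
+{%- if rule.position is defined %}
+- position: {{ rule.position }}
+{%- endif %}
+{%- if rule.table is defined %}
+- table: {{ rule.table }}
+{%- endif %}
+- chain: {{ chain_name }}
+{%- if rule.jump is defined %}
+- jump: {{ rule.jump }}
+{%- endif %}
+{%- if rule.match is defined %}
+- match: {{ rule.match }}
+{%- endif %}
+{%- if rule.connection_state is defined %}
+- connstate: {{ rule.connection_state }}
+{%- endif %}
+{%- if rule.protocol is defined %}
+- proto: {{ rule.protocol }}
+{%- endif %}
+{%- if rule.destination_port is defined %}
+- dport: {{ rule.destination_port }}
+{%- endif %}
+{%- if rule.source_port is defined %}
+- sport: {{ rule.source_port }}
+{%- endif %}
+{%- if rule.in_interface is defined %}
+- in-interface: {{ rule.in_interface }}
+{%- endif %}
+{%- if rule.out_interface is defined %}
+- out-interface: {{ rule.out_interface }}
+{%- endif %}
+{%- if rule.to_destination is defined %}
+- to-destination: {{ rule.to_destination }}
+{%- endif %}
+{%- if rule.source_network is defined %}
+- source: {{ rule.source_network }}
+{%- endif %}
+{%- if rule.destination_network is defined %}
+- destination: {{ rule.destination_network }}
+{%- endif %}
+
+- save: True
+
+{%- endfor %}
+
+{%- endfor %}
+
+{%- else %}
+
+iptables_services:
+service.dead:
+- enable: false
+- name: {{ service.service }}
+
+{%- endif %}
+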
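Review bot: The rule loop (`iptables.insert` block, hunk lines 20–61) emits only a fixed set of options, so pillar keys that the README in this same commit documents — `family`, `to_source`, `to_port` and `comment` — are silently dropped: a rule written with `family: ipv6` is inserted into the IPv4 tables while IPv6 stays unfiltered, and SNAT/REDIRECT rules are generated without their target address or port. `to_destination` is passed through as `{{ rule.to_destination }}` although the README example gives it as a `host`/`port` mapping, so the rendered value is a dict representation rather than `host:port`. The block below adds the missing options; for `comment`, iptables needs the `comment` match module, so check whether the Salt release in use adds `-m comment` itself or whether `match` must list `comment` alongside `state`. Separately, `.iteritems()` on the two `for` lines is Python 2 only (`.items()` behaves the same on both), and `service.dead` with `enable: true` in the enabled branch reads as inverted for a service that is being switched on — confirm whether `service.running` was intended. Salt's `iptables.insert` state also, as far as I recall, requires `position`, so rules declared without one will fail at apply time rather than at render time.
```jinja
    {%- if rule.family is defined %}
    - family: {{ rule.family }}
    {%- endif %}
    {# … unchanged: position, table, chain, jump, match, connstate, proto, dport, sport, in-/out-interface … #}
    {%- if rule.to_destination is defined %}
    - to-destination: {{ rule.to_destination.host }}:{{ rule.to_destination.port }}
    {%- endif %}
    {%- if rule.to_source is defined %}
    - to-source: {{ rule.to_source.host }}
    {%- endif %}
    {%- if rule.to_port is defined %}
    - to-ports: {{ rule.to_port.port }}
    {%- endif %}
    {%- if rule.comment is defined %}
    - comment: "{{ rule.comment }}"
    {%- endif %}
    {# … unchanged: source, destination, save … #}
```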
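--- a/metadata/service/server/init.yml
+++ b/metadata/service/server/init.yml
@@ -0,0 +1,2 @@
+applications:
+- iptables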
