Filip Pytloun
il y a 8 ans
2 fichiers modifiés avec 86 ajouts et 67 suppressions
+ 70
- 0
iptables/rules.sls
Voir le fichier
| @@ -0,0 +1,70 @@ | |||
| {% from "iptables/map.jinja" import service with context %} | |||
| {%- for chain_name, chain in service.get('chain', {}).iteritems() %} | |||
| {%- if chain.policy is defined %} | |||
| iptables_{{ chain_name }}_policy: | |||
| iptables.set_policy: | |||
| - chain: {{ chain_name }} | |||
| - policy: {{ chain.policy }} | |||
| - table: filter | |||
| {%- endif %} | |||
| {%- for rule_name, rule in chain.get('rule', {}).iteritems() %} | |||
| iptables_{{ chain_name }}_{{ rule_name }}: | |||
| {%- if rule.position is defined %} | |||
| iptables.insert: | |||
| - position: {{ rule.position }} | |||
| {%- else %} | |||
| iptables.append: | |||
| {%- endif %} | |||
| {%- if rule.table is defined %} | |||
| - table: {{ rule.table }} | |||
| {%- endif %} | |||
| - chain: {{ chain_name }} | |||
| {%- if rule.jump is defined %} | |||
| - jump: {{ rule.jump }} | |||
| {%- endif %} | |||
| {%- if rule.match is defined %} | |||
| - match: {{ rule.match }} | |||
| {%- endif %} | |||
| {%- if rule.connection_state is defined %} | |||
| - connstate: {{ rule.connection_state }} | |||
| {%- endif %} | |||
| {%- if rule.protocol is defined %} | |||
| - proto: {{ rule.protocol }} | |||
| {%- endif %} | |||
| {%- if rule.destination_port is defined %} | |||
| - dport: {{ rule.destination_port }} | |||
| {%- endif %} | |||
| {%- if rule.source_port is defined %} | |||
| - sport: {{ rule.source_port }} | |||
| {%- endif %} | |||
| {%- if rule.in_interface is defined %} | |||
| - in-interface: {{ rule.in_interface }} | |||
| {%- endif %} | |||
| {%- if rule.out_interface is defined %} | |||
| - out-interface: {{ rule.out_interface }} | |||
| {%- endif %} | |||
| {%- if rule.to_destination is defined %} | |||
| - to-destination: {{ rule.to_destination }} | |||
| {%- endif %} | |||
| {%- if rule.to_source is defined %} | |||
| - to-source: {{ rule.to_source }} | |||
| {%- endif %} | |||
| {%- if rule.source_network is defined %} | |||
| - source: {{ rule.source_network }} | |||
| {%- endif %} | |||
| {%- if rule.destination_network is defined %} | |||
| - destination: {{ rule.destination_network }} | |||
| {%- endif %} | |||
| {%- if chain.policy is defined %} | |||
| - require_in: | |||
| - iptables: iptables_{{ chain_name }}_policy: | |||
| {%- endif %} | |||
| - save: True | |||
| {%- endfor %} | |||
| {%- endfor %} | |||
+ 16
- 67
iptables/service.sls
Voir le fichier
| @@ -1,6 +1,9 @@ | |||
| {% from "iptables/map.jinja" import service with context %} | |||
| {%- if pillar.iptables.service.enabled %} | |||
| {%- if service.enabled %} | |||
| include: | |||
| - iptables.rules | |||
| iptables_packages: | |||
| pkg.installed: | |||
| @@ -14,78 +17,24 @@ iptables_services: | |||
| - require: | |||
| - pkg: iptables_packages | |||
| {%- for chain_name, chain in service.get('chain', {}).iteritems() %} | |||
| {%- else %} | |||
| iptables_services: | |||
| service.dead: | |||
| - enable: false | |||
| - name: {{ service.service }} | |||
| {%- if chain.policy is defined %} | |||
| {%- for chain_name in ['INPUT', 'OUTPUT', 'FORWARD'] %} | |||
| iptables_{{ chain_name }}_policy: | |||
| iptables.set_policy: | |||
| - chain: {{ chain_name }} | |||
| - policy: {{ chain.policy }} | |||
| - policy: ACCEPT | |||
| - table: filter | |||
| {%- endif %} | |||
| {%- for rule_name, rule in chain.get('rule', {}).iteritems() %} | |||
| iptables_{{ chain_name }}_{{ rule_name }}: | |||
| iptables.insert: | |||
| {%- if rule.position is defined %} | |||
| - position: {{ rule.position }} | |||
| {%- endif %} | |||
| {%- if rule.table is defined %} | |||
| - table: {{ rule.table }} | |||
| {%- endif %} | |||
| - chain: {{ chain_name }} | |||
| {%- if rule.jump is defined %} | |||
| - jump: {{ rule.jump }} | |||
| {%- endif %} | |||
| {%- if rule.match is defined %} | |||
| - match: {{ rule.match }} | |||
| {%- endif %} | |||
| {%- if rule.connection_state is defined %} | |||
| - connstate: {{ rule.connection_state }} | |||
| {%- endif %} | |||
| {%- if rule.protocol is defined %} | |||
| - proto: {{ rule.protocol }} | |||
| {%- endif %} | |||
| {%- if rule.destination_port is defined %} | |||
| - dport: {{ rule.destination_port }} | |||
| {%- endif %} | |||
| {%- if rule.source_port is defined %} | |||
| - sport: {{ rule.source_port }} | |||
| {%- endif %} | |||
| {%- if rule.in_interface is defined %} | |||
| - in-interface: {{ rule.in_interface }} | |||
| {%- endif %} | |||
| {%- if rule.out_interface is defined %} | |||
| - out-interface: {{ rule.out_interface }} | |||
| {%- endif %} | |||
| {%- if rule.to_destination is defined %} | |||
| - to-destination: {{ rule.to_destination }} | |||
| {%- endif %} | |||
| {%- if rule.to_source is defined %} | |||
| - to-source: {{ rule.to_source }} | |||
| {%- endif %} | |||
| {%- if rule.source_network is defined %} | |||
| - source: {{ rule.source_network }} | |||
| {%- endif %} | |||
| {%- if rule.destination_network is defined %} | |||
| - destination: {{ rule.destination_network }} | |||
| {%- endif %} | |||
| {%- if chain.policy is defined %} | |||
| - require_in: | |||
| - iptables: iptables_{{ chain_name }}_policy: | |||
| {%- endif %} | |||
| - save: True | |||
| {%- endfor %} | |||
| - require_in: | |||
| - iptables: iptables_flush | |||
| {%- endfor %} | |||
| {%- else %} | |||
| iptables_services: | |||
| service.dead: | |||
| - enable: false | |||
| - name: {{ service.service }} | |||
| iptables_flush: | |||
| iptables.flush | |||
| {%- endif %} | |||
Chargement…