salt/iptables/firewall

#!/bin/bash
# Start/stop/restart firewall
### BEGIN INIT INFO
# Provides: firewall
# Required-Start: $network
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: iptables
# Description: iptables
### END INIT INFO

IPT=/sbin/iptables
IPT6=/sbin/ip6tables

firewall_start() {

	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
	echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
	echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
	echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
	echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
	echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

	# Set default policy to DROP
	$IPT -P INPUT DROP
	$IPT -P OUTPUT ACCEPT
	$IPT -P FORWARD DROP

	$IPT6 -P INPUT DROP
	$IPT6 -P OUTPUT ACCEPT
	$IPT6 -P FORWARD DROP

	# Flush old rules
	$IPT -F
	$IPT6 -F

	# Allow loopback traffic
	$IPT -A INPUT -i lo -j ACCEPT
	$IPT -A OUTPUT -o lo -j ACCEPT
	$IPT6 -A INPUT -i lo -j ACCEPT
	$IPT6 -A OUTPUT -o lo -j ACCEPT

	# icmp
	$IPT -A INPUT -p icmp --icmp-type 8 -s 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	$IPT -A OUTPUT -p icmp --icmp-type 0 -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT
	$IPT6 -A INPUT -p ipv6-icmp -j ACCEPT

{%- for iface in grains['ip_interfaces'].keys() %}
{% if iface != "lo" %}
	#Interface "{{ iface }}"
	$IPT -A INPUT -i {{ iface }} -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
	$IPT6 -A INPUT -i {{ iface }} -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

	# Allow services
	$IPT -A INPUT -i {{ iface }} -p tcp --destination-port 25 -m state --state NEW -j ACCEPT
	$IPT -A INPUT -i {{ iface }} -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
	$IPT -A INPUT -i {{ iface }} -p tcp --destination-port 443 -m state --state NEW -j ACCEPT
	$IPT -A INPUT -i {{ iface }} -p tcp --destination-port 465 -m state --state NEW -j ACCEPT
	$IPT -A INPUT -i {{ iface }} -p tcp --destination-port 587 -m state --state NEW -j ACCEPT
	$IPT -A INPUT -i {{ iface }} -p tcp --destination-port 993 -m state --state NEW -j ACCEPT
	$IPT -A INPUT -i {{ iface }} -p tcp --destination-port {{ pillar.ssh_port }} -m state --state NEW -j ACCEPT

	$IPT6 -A INPUT -i {{ iface }} -p tcp --destination-port 25 -m state --state NEW -j ACCEPT
	$IPT6 -A INPUT -i {{ iface }} -p tcp --destination-port 80 -m state --state NEW -j ACCEPT
	$IPT6 -A INPUT -i {{ iface }} -p tcp --destination-port 443 -m state --state NEW -j ACCEPT
	$IPT6 -A INPUT -i {{ iface }} -p tcp --destination-port 465 -m state --state NEW -j ACCEPT
	$IPT6 -A INPUT -i {{ iface }} -p tcp --destination-port 587 -m state --state NEW -j ACCEPT
	$IPT6 -A INPUT -i {{ iface }} -p tcp --destination-port 993 -m state --state NEW -j ACCEPT
	$IPT6 -A INPUT -i {{ iface }} -p tcp --destination-port {{ pillar.ssh_port }} -m state --state NEW -j ACCEPT
{% endif %}
{%- endfor %}

}

firewall_stop() {
	$IPT -F
	$IPT -X
	$IPT -P INPUT ACCEPT
	$IPT -P OUTPUT ACCEPT
	$IPT -P FORWARD ACCEPT

	$IPT6 -F
	$IPT6 -X
	$IPT6 -P INPUT ACCEPT
	$IPT6 -P OUTPUT ACCEPT
	$IPT6 -P FORWARD ACCEPT
}

firewall_restart() {
  firewall_stop
  firewall_start
}

case "$1" in
'start')
  firewall_start
  ;;
'stop')
  firewall_stop
  ;;
'restart')
  firewall_restart
  ;;
*)
  firewall_start
esac