iptables-formula

This formula manages your host firewall with iptables, using rules configured in pillar. Because pillar data is merged, global and local settings can live in separate files (e.g. enable the firewall everywhere, decide per host which services to expose).

Pull requests are welcome for other platforms (or other improvements, of course!).

Usage

All configuration of the firewall is done via pillar (see pillar.example).

Enable globally: pillars/firewall.sls

firewall:
  enabled: True
  install: True
  strict: True

Allow SSH: pillars/firewall/ssh.sls

firewall:
  services:
    ssh:
      allow:
        - ['eth0','tcp','10.94.0.0/16']
        - ['eth1','','']
        - ['','','172.22.42.0/24']

Allow an entire network range, such as your internal network, regardless of service (this fragment lives under the same firewall: key):

firewall:
  whitelist:
    networks:
      ips_allow:
        - 10.0.0.0/8

Salt merges these pillars into one firewall key, enables the firewall and applies the combined rules.

Notes:

  • Setting install to True installs iptables and iptables-persistent for you.
  • Strict mode means: deny everything except explicitly allowed traffic, including IPv6 traffic. Use with care: a minion without an allow rule for its own management access (e.g. SSH) will lock you out.
  • block_nomatch: in non-strict mode, adds a REJECT rule for the service below its ACCEPT rules; without it, traffic to that service from sources not matching any allow rule is still accepted. Can be set per service or globally; defaults to False.
  • Service names can be either port numbers or names from /etc/services (e.g. ssh, zabbix-agent, http).
  • Allow rules are written as [interface, protocol, ip/subnet]. An empty interface or ip/subnet means "match all"; an empty protocol means "tcp".
  • You can define rules in multiple pillars; services items are merged when you enable several services pillars.

Using iptables.nat

NAT (masquerading) can be enabled per outgoing interface. The pillar below (again under the firewall: key) corresponds to the iptables command shown in the comment:

# iptables -t nat -A POSTROUTING -o eth0 -s 192.168.18.0/24 -j MASQUERADE

firewall:
  nat:
    eth0:
      ips_allow:
        - 192.168.18.0/24
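To make the rule semantics from the notes and the nat section concrete, here is an added illustration (not the formula's own code, and not the exact rules Salt will emit, which may differ in order and phrasing) that translates a pillar of the documented shape into equivalent iptables commands: empty interface or subnet matches all, empty protocol defaults to tcp, strict mode sets a DROP policy for IPv4 and IPv6, block_nomatch appends a REJECT below a service's ACCEPT rules in non-strict mode, and nat entries become MASQUERADE rules. The pillar dict, the extra service 8080 and the choice of `-p tcp` for the REJECT rule are constructed for the example.

```python
"""Render iptables-formula style pillar data as iptables commands.

Added illustration of the documented semantics; it is NOT the formula's
own code and the real formula may phrase or order rules differently.
The PILLAR dict below is constructed for the example and mirrors the
YAML in the README (the 8080 service is an addition for block_nomatch).
"""

PILLAR = {
    "firewall": {
        "enabled": True,
        "install": True,
        "strict": True,
        "block_nomatch": False,  # global default, overridable per service
        "services": {
            "ssh": {
                "allow": [
                    ["eth0", "tcp", "10.94.0.0/16"],
                    ["eth1", "", ""],
                    ["", "", "172.22.42.0/24"],
                ],
            },
            "8080": {  # constructed: per-service block_nomatch override
                "block_nomatch": True,
                "allow": [["", "udp", "192.0.2.0/24"]],
            },
        },
        "whitelist": {"networks": {"ips_allow": ["10.0.0.0/8"]}},
        "nat": {"eth0": {"ips_allow": ["192.168.18.0/24"]}},
    }
}


def allow_rule(service, iface, proto, src):
    """One [interface, protocol, ip/subnet] tuple -> one INPUT ACCEPT rule."""
    parts = ["iptables", "-A", "INPUT"]
    if iface:                         # empty interface => match all
        parts += ["-i", iface]
    parts += ["-p", proto or "tcp"]   # empty protocol => tcp
    if src:                           # empty ip/subnet => match all
        parts += ["-s", src]
    parts += ["--dport", str(service), "-j", "ACCEPT"]
    return " ".join(parts)


def render(pillar):
    """Return the list of iptables commands implied by the pillar."""
    fw = pillar.get("firewall", {})
    if not fw.get("enabled"):
        return []
    rules = []

    # Whitelisted networks: accepted for any service.
    for net in fw.get("whitelist", {}).get("networks", {}).get("ips_allow", []):
        rules.append(f"iptables -A INPUT -s {net} -j ACCEPT")

    strict = bool(fw.get("strict"))
    for service, cfg in fw.get("services", {}).items():
        for iface, proto, src in cfg.get("allow", []):
            rules.append(allow_rule(service, iface, proto, src))
        # block_nomatch only matters in non-strict mode; in strict mode the
        # DROP policy already rejects everything not explicitly accepted.
        # Using -p tcp for the REJECT rule is an assumption of this example.
        if not strict and cfg.get("block_nomatch", fw.get("block_nomatch", False)):
            rules.append(f"iptables -A INPUT -p tcp --dport {service} -j REJECT")

    # nat: masquerade listed source networks leaving the given interface.
    for iface, cfg in fw.get("nat", {}).items():
        for src in cfg.get("ips_allow", []):
            rules.append(
                f"iptables -t nat -A POSTROUTING -o {iface} -s {src} -j MASQUERADE"
            )

    # Strict mode: default-deny, including IPv6. Emitted last so that, if
    # these commands were replayed by hand, the ACCEPT rules for the
    # management path are in place before the policy flips to DROP.
    if strict:
        rules += ["iptables -P INPUT DROP", "ip6tables -P INPUT DROP"]
    return rules


if __name__ == "__main__":
    for rule in render(PILLAR):
        print(rule)
```

Run it once with strict: True and once with strict: False to see the difference: in strict mode the 8080 REJECT rule disappears because the DROP policy already covers it, while in non-strict mode it is the only thing stopping unmatched traffic to that port.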