Fix documentation, remove obsolete
diff --git a/README.rst b/README.rst
index 19e037c..8605ae0 100644
--- a/README.rst
+++ b/README.rst
@@ -3,33 +3,90 @@
iptables formula
================
-iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores.
+Iptables is used to set up, maintain, and inspect the tables of IPv4 packet
+filter rules in the Linux kernel. Several different tables may be defined.
+Each table contains a number of built-in chains and may also contain
+user-defined chains. Each chain is a list of rules which can match a set of
+packets. Each rule specifies what to do with a packet that matches. This is
+called a `target`, which may be a jump to a user-defined chain in the same
+table.
Sample pillars
==============
-Simple INPUT chain httpd ACCEPT rule on position 1
+Most common rules - allow traffic on localhost, accept related,established and
+ping
.. code-block:: yaml
- iptables:
- service:
- enabled: false
+ parametetrs:
+ iptables:
+ service:
chain:
INPUT:
- enabled: true
- policy: DROP
- rule:
- httpd:
- position: 1
- table: filter
+ rules:
+ - in_interface: lo
jump: ACCEPT
- family: ipv6
+ - connection_state: RELATED,ESTABLISHED
match: state
- connection_state: NEW
+ jump: ACCEPT
+ - protocol: icmp
+ jump: ACCEPT
+
+Accept connections on port 22
+
+.. code-block:: yaml
+
+ parametetrs:
+ iptables:
+ service:
+ chain:
+ INPUT:
+ rules:
+ - destination_port: 22
protocol: tcp
- source_port: 1025:65535
- destination_port: 80
+ jump: ACCEPT
+
+Set drop policy on INPUT chain:
+
+.. code-block:: yaml
+
+ parametetrs:
+ iptables:
+ service:
+ chain:
+ INPUT:
+ policy: DROP
+
+Redirect privileged port 443 to 8081
+
+.. code-block:: yaml
+
+ parameters:
+ iptables:
+ service:
+ chain:
+ PREROUTING:
+ filter: nat
+ destination_port: 443
+ to_port: 8081
+ protocol: tcp
+ jump: REDIRECT
+
+Allow access from local network
+
+.. code-block:: yaml
+
+ parameters:
+ iptables:
+ service:
+ chain:
+ INPUT:
+ rules:
+ - protocol: tcp
+ destination_port: 22
+ source_network: 192.168.1.0/24
+ jump: ACCEPT
Read more
=========
@@ -37,273 +94,3 @@
* http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html
* https://help.ubuntu.com/community/IptablesHowTo
* http://wiki.centos.org/HowTos/Network/IPTables
-
-.. code-block:: yaml
-
- chain:
- PREROUTING:
- enabled: true
- rule:
- dnat_ssh_185:
- table: filter
- jump: DNAT
- match: tcp
- protocol: tcp
- destination_network: 185.22.97.132/32
- destination_port: 20022
- to_destination:
- host: 10.0.110.38
- port: 22
- comment: Premapovani ssh zvenku na standardni port
- dnat_ssh_10:
- table: filter
- jump: DNAT
- match: tcp
- protocol: tcp
- destination_network: 10.0.110.38/32
- destination_port: 20022
- to_destination:
- host: 10.0.110.38
- port: 22
- comment: Premapovani ssh 20022-22
- redirect_vpn_185:
- table: filter
- jump: REDIRECT
- match: udp
- protocol: udp
- destination_network: 185.22.97.132/32
- destination_port: 3690
- to_port:
- port: 1194
- comment: Presmerovani VPN portu 3690 > 1194
- POSTROUTING:
- enabled: true
- rule:
- snat_vpn_185:
- table: filter
- jump: SNAT
- match: udp
- protocol: udp
- source_network: 10.8.0.0/24
- out_interface: eth1
- to_source:
- host: 185.22.97.132
- comment: NAT pro klienty administratorske VPNky
- INPUT:
- enabled: true
- rule:
- allow_conn_established:
- table: filter
- jump: ACCEPT
- match: state
- connection_state: RELATED,ESTABLISHED
- comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
- allow_proto_icmp:
- table: filter
- jump: ACCEPT
- protocol: icmp
- comment: ICMP nechceme filtrovat
- allow_iface_lo:
- table: filter
- jump: ACCEPT
- in_interface: lo
- comment: Lokalni smycka muze vsechno
- allow_ssh_10.0.110.38:
- table: filter
- jump: ACCEPT
- match: tcp
- protocol: tcp
- destination_network: 10.0.110.38/32
- destination_port: 22
- comment: SSH z lokalni site
- allow_ssh_10.8.0.1:
- table: filter
- jump: ACCEPT
- match: tcp
- protocol: tcp
- destination_network: 10.8.0.1/32
- destination_port: 22
- comment: SSH z VPN site
- allow_ssh_private_10:
- table: filter
- jump: ACCEPT
- match: state
- connection_state: NEW
- source_network: 10.0.0.0/8
- destination_network: 185.22.97.132/32
- destination_port: 22
- comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol
- allow_ssh_private_192:
- table: filter
- jump: ACCEPT
- match: state
- connection_state: NEW
- source_network: 192.0.0.0/8
- destination_network: 185.22.97.132/32
- destination_port: 22
- comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol
- allow_ssh_private_172:
- table: filter
- jump: ACCEPT
- match: state
- connection_state: NEW
- source_network: 172.16.162.0/24
- destination_network: 185.22.97.132/32
- destination_port: 22
- comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol
- allow_ssh_private_185:
- table: filter
- jump: ACCEPT
- match: state
- connection_state: NEW
- source_network: 185.22.97.0/24
- destination_network: 185.22.97.132/32
- destination_port: 22
- comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol
- deny_ssh_public:
- table: filter
- jump: DROP
- match: tpc
- protocol: tcp
- destination_network: 185.22.97.132/32
- destination_port: 22
- comment: ssh z vnejsi site na obvykly port ZAKAZAT, budeme ho presmerovavat
- allow_ssh_public_redirect:
- table: filter
- jump: ACCEPT
- match: tpc
- protocol: tcp
- destination_port: 22022
- comment: nahradni ssh port bude presmerovan na 22 pokud se prijde z vnejsi site
- allow_zabbix_server:
- table: filter
- jump: ACCEPT
- match: tpc
- protocol: tcp
- source_network: 10.0.110.36/32
- destination_port: 10050
- comment: zabbix monitoring
- allow_tsmc_web_10:
- table: filter
- jump: ACCEPT
- match: tpc
- protocol: tcp
- source_network: 10.0.0.0/8
- destination_port: 1581
- comment: tsm client web gui
- allow_tsmc_37010_10:
- table: filter
- jump: ACCEPT
- match: state
- protocol: tcp
- source_network: 10.0.0.0/8
- destination_port: 37010
- comment: tsmc web
- allow_tsmc_39876_10:
- table: filter
- jump: ACCEPT
- match: state
- protocol: tcp
- source_network: 10.0.0.0/8
- destination_port: 39876
- comment: tsmc web
- allow_tsm_web_172:
- table: filter
- jump: ACCEPT
- match: tpc
- protocol: tcp
- source_network: 172.16.162.0/24
- destination_port: 1581
- comment: tsm client web gui
- allow_tsmc_37010_172:
- table: filter
- jump: ACCEPT
- match: state
- protocol: tcp
- source_network: 172.16.162.0/24
- destination_port: 37010
- comment: tsmc web
- allow_tsmc_39876_172:
- table: filter
- jump: ACCEPT
- match: state
- protocol: tcp
- source_network: 172.16.162.0/24
- destination_port: 39876
- comment: tsmc web
- allow_vpn_public:
- table: filter
- jump: ACCEPT
- match: state
- connection_state: NEW
- destination_port: 1194
- comment: Povolime VPN odkudkoli
- reject_rest:
- table: filter
- jump: REJECT
- comment: Zdvorile odmitame ostatni komunikaci; --reject-with icmp-host-prohibited neni
- FORWARD:
- enabled: true
- rule:
- allow_conn_established:
- table: filter
- jump: ACCEPT
- match: state
- connection_state: RELATED,ESTABLISHED
- comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
- snat_vpn_185:
- table: filter
- jump: SNAT
- match: udp
- protocol: udp
- source_network: 10.8.0.0/24
- out_interface: eth1
- to_source:
- host: 185.22.97.132
- comment: NAT pro klienty administratorske VPNky
- accept_net_10.0.110.0_vpn:
- table: filter
- jump: ACCEPT
- source_network: 10.0.110.0/24
- destionation_network: 10.8.0.0/24
- comment: vnitrni komunikace management
- accept_net_10.10.0.0_vpn:
- table: filter
- jump: ACCEPT
- source_network: 10.10.0.0/16
- destionation_network: 10.8.0.0/24
- comment: vnitrni komunikace management
- accept_net_10.0.101.0_vpn:
- table: filter
- jump: ACCEPT
- source_network: 10.0.101.0/24
- destionation_network: 10.8.0.0/24
- comment: vnitrni komunikace VLAN1501
- accept_net_10.0.102.0_vpn:
- table: filter
- jump: ACCEPT
- source_network: 10.0.102.0/24
- destionation_network: 10.8.0.0/24
- comment: vnitrni komunikace VLAN1502
- accept_net_10.0.103.0_vpn:
- table: filter
- jump: ACCEPT
- source_network: 10.0.103.0/24
- destionation_network: 10.8.0.0/24
- comment: vnitrni komunikace VLAN1503
- accept_net_10.0.106.0_vpn:
- table: filter
- jump: ACCEPT
- source_network: 10.0.106.0/24
- destionation_network: 10.8.0.0/24
- comment: vnitrni komunikace VLAN1506
- accept_net_10.0.110.0:
- table: filter
- jump: ACCEPT
- source_network: 10.0.110.0/24
- comment: Vse ze site 10.0.110.0
- accept_net_10.8.0.0:
- table: filter
- jump: ACCEPT
- source_network: 10.8.0.0/24
- comment: Z teto VPN se smi skoro vsechno