Initial commit
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
new file mode 100644
index 0000000..fa0bbc5
--- /dev/null
+++ b/CHANGELOG.rst
@@ -0,0 +1,7 @@
+
+iptables-formula
+================
+
+0.0.1 (2015-08-03)
+
+- Initial formula setup
\ No newline at end of file
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..6f2b42f
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,13 @@
+Copyright (c) 2014-2015 tcp cloud a.s.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
\ No newline at end of file
diff --git a/README.rst b/README.rst
new file mode 100644
index 0000000..1a2d8e1
--- /dev/null
+++ b/README.rst
@@ -0,0 +1,308 @@
+
+================
+iptables formula
+================
+
+iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores.
+
+Sample pillars
+==============
+
+Simple INPUT chain httpd ACCEPT rule on position 1
+
+.. code-block:: yaml
+
+ iptables:
+ service:
+ enabled: false
+ chain:
+ INPUT:
+ enabled: true
+ rule:
+ httpd:
+ position: 1
+ table: filter
+ jump: ACCEPT
+ family: ipv6
+ match: state
+ connection_state: NEW
+ protocol: tcp
+ source_port: 1025:65535
+ destination_port: 80
+
+Read more
+=========
+
+* http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html
+* https://help.ubuntu.com/community/IptablesHowTo
+* http://wiki.centos.org/HowTos/Network/IPTables
+
+.. code-block:: yaml
+
+ chain:
+ PREROUTING:
+ enabled: true
+ rule:
+ dnat_ssh_185:
+ table: filter
+ jump: DNAT
+ match: tcp
+ protocol: tcp
+ destination_network: 185.22.97.132/32
+ destination_port: 20022
+ to_destination:
+ host: 10.0.110.38
+ port: 22
+ comment: Premapovani ssh zvenku na standardni port
+ dnat_ssh_10:
+ table: filter
+ jump: DNAT
+ match: tcp
+ protocol: tcp
+ destination_network: 10.0.110.38/32
+ destination_port: 20022
+ to_destination:
+ host: 10.0.110.38
+ port: 22
+ comment: Premapovani ssh 20022-22
+ redirect_vpn_185:
+ table: filter
+ jump: REDIRECT
+ match: udp
+ protocol: udp
+ destination_network: 185.22.97.132/32
+ destination_port: 3690
+ to_port:
+ port: 1194
+ comment: Presmerovani VPN portu 3690 > 1194
+ POSTROUTING:
+ enabled: true
+ rule:
+ snat_vpn_185:
+ table: filter
+ jump: SNAT
+ match: udp
+ protocol: udp
+ source_network: 10.8.0.0/24
+ out_interface: eth1
+ to_source:
+ host: 185.22.97.132
+ comment: NAT pro klienty administratorske VPNky
+ INPUT:
+ enabled: true
+ rule:
+ allow_conn_established:
+ table: filter
+ jump: ACCEPT
+ match: state
+ connection_state: RELATED,ESTABLISHED
+ comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
+ allow_proto_icmp:
+ table: filter
+ jump: ACCEPT
+ protocol: icmp
+ comment: ICMP nechceme filtrovat
+ allow_iface_lo:
+ table: filter
+ jump: ACCEPT
+ in_interface: lo
+ comment: Lokalni smycka muze vsechno
+ allow_ssh_10.0.110.38:
+ table: filter
+ jump: ACCEPT
+ match: tcp
+ protocol: tcp
+ destination_network: 10.0.110.38/32
+ destination_port: 22
+ comment: SSH z lokalni site
+ allow_ssh_10.8.0.1:
+ table: filter
+ jump: ACCEPT
+ match: tcp
+ protocol: tcp
+ destination_network: 10.8.0.1/32
+ destination_port: 22
+ comment: SSH z VPN site
+ allow_ssh_private_10:
+ table: filter
+ jump: ACCEPT
+ match: state
+ connection_state: NEW
+ source_network: 10.0.0.0/8
+ destination_network: 185.22.97.132/32
+ destination_port: 22
+ comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol
+ allow_ssh_private_192:
+ table: filter
+ jump: ACCEPT
+ match: state
+ connection_state: NEW
+ source_network: 192.0.0.0/8
+ destination_network: 185.22.97.132/32
+ destination_port: 22
+ comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol
+ allow_ssh_private_172:
+ table: filter
+ jump: ACCEPT
+ match: state
+ connection_state: NEW
+ source_network: 172.16.162.0/24
+ destination_network: 185.22.97.132/32
+ destination_port: 22
+ comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol
+ allow_ssh_private_185:
+ table: filter
+ jump: ACCEPT
+ match: state
+ connection_state: NEW
+ source_network: 185.22.97.0/24
+ destination_network: 185.22.97.132/32
+ destination_port: 22
+ comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol
+ deny_ssh_public:
+ table: filter
+ jump: DROP
+ match: tpc
+ protocol: tcp
+ destination_network: 185.22.97.132/32
+ destination_port: 22
+ comment: ssh z vnejsi site na obvykly port ZAKAZAT, budeme ho presmerovavat
+ allow_ssh_public_redirect:
+ table: filter
+ jump: ACCEPT
+ match: tpc
+ protocol: tcp
+ destination_port: 22022
+ comment: nahradni ssh port bude presmerovan na 22 pokud se prijde z vnejsi site
+ allow_zabbix_server:
+ table: filter
+ jump: ACCEPT
+ match: tpc
+ protocol: tcp
+ source_network: 10.0.110.36/32
+ destination_port: 10050
+ comment: zabbix monitoring
+ allow_tsmc_web_10:
+ table: filter
+ jump: ACCEPT
+ match: tpc
+ protocol: tcp
+ source_network: 10.0.0.0/8
+ destination_port: 1581
+ comment: tsm client web gui
+ allow_tsmc_37010_10:
+ table: filter
+ jump: ACCEPT
+ match: state
+ protocol: tcp
+ source_network: 10.0.0.0/8
+ destination_port: 37010
+ comment: tsmc web
+ allow_tsmc_39876_10:
+ table: filter
+ jump: ACCEPT
+ match: state
+ protocol: tcp
+ source_network: 10.0.0.0/8
+ destination_port: 39876
+ comment: tsmc web
+ allow_tsm_web_172:
+ table: filter
+ jump: ACCEPT
+ match: tpc
+ protocol: tcp
+ source_network: 172.16.162.0/24
+ destination_port: 1581
+ comment: tsm client web gui
+ allow_tsmc_37010_172:
+ table: filter
+ jump: ACCEPT
+ match: state
+ protocol: tcp
+ source_network: 172.16.162.0/24
+ destination_port: 37010
+ comment: tsmc web
+ allow_tsmc_39876_172:
+ table: filter
+ jump: ACCEPT
+ match: state
+ protocol: tcp
+ source_network: 172.16.162.0/24
+ destination_port: 39876
+ comment: tsmc web
+ allow_vpn_public:
+ table: filter
+ jump: ACCEPT
+ match: state
+ connection_state: NEW
+ destination_port: 1194
+ comment: Povolime VPN odkudkoli
+ reject_rest:
+ table: filter
+ jump: REJECT
+ comment: Zdvorile odmitame ostatni komunikaci; --reject-with icmp-host-prohibited neni
+ FORWARD:
+ enabled: true
+ rule:
+ allow_conn_established:
+ table: filter
+ jump: ACCEPT
+ match: state
+ connection_state: RELATED,ESTABLISHED
+ comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
+ snat_vpn_185:
+ table: filter
+ jump: SNAT
+ match: udp
+ protocol: udp
+ source_network: 10.8.0.0/24
+ out_interface: eth1
+ to_source:
+ host: 185.22.97.132
+ comment: NAT pro klienty administratorske VPNky
+ accept_net_10.0.110.0_vpn:
+ table: filter
+ jump: ACCEPT
+ source_network: 10.0.110.0/24
+ destionation_network: 10.8.0.0/24
+ comment: vnitrni komunikace management
+ accept_net_10.10.0.0_vpn:
+ table: filter
+ jump: ACCEPT
+ source_network: 10.10.0.0/16
+ destionation_network: 10.8.0.0/24
+ comment: vnitrni komunikace management
+ accept_net_10.0.101.0_vpn:
+ table: filter
+ jump: ACCEPT
+ source_network: 10.0.101.0/24
+ destionation_network: 10.8.0.0/24
+ comment: vnitrni komunikace VLAN1501
+ accept_net_10.0.102.0_vpn:
+ table: filter
+ jump: ACCEPT
+ source_network: 10.0.102.0/24
+ destionation_network: 10.8.0.0/24
+ comment: vnitrni komunikace VLAN1502
+ accept_net_10.0.103.0_vpn:
+ table: filter
+ jump: ACCEPT
+ source_network: 10.0.103.0/24
+ destionation_network: 10.8.0.0/24
+ comment: vnitrni komunikace VLAN1503
+ accept_net_10.0.106.0_vpn:
+ table: filter
+ jump: ACCEPT
+ source_network: 10.0.106.0/24
+ destionation_network: 10.8.0.0/24
+ comment: vnitrni komunikace VLAN1506
+ accept_net_10.0.110.0:
+ table: filter
+ jump: ACCEPT
+ source_network: 10.0.110.0/24
+ comment: Vse ze site 10.0.110.0
+ accept_net_10.8.0.0:
+ table: filter
+ jump: ACCEPT
+ source_network: 10.8.0.0/24
+ comment: Z teto VPN se smi skoro vsechno
diff --git a/VERSION b/VERSION
new file mode 100644
index 0000000..3b04cfb
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+0.2
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..02b2933
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,11 @@
+salt-formula-iptables (0.2) trusty; urgency=medium
+
+ * First public release
+
+ -- Filip Pytloun <filip.pytloun@tcpcloud.eu> Tue, 06 Oct 2015 16:38:43 +0200
+
+salt-formula-iptables (0.1) trusty; urgency=medium
+
+ * Initial release
+
+ -- Jan Kaufman <jan.kaufman@tcpcloud.eu> Thu, 13 Aug 2015 23:23:41 +0200
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..ec63514
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+9
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..6c61c33
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,15 @@
+Source: salt-formula-iptables
+Maintainer: Jan Kaufman <jan.kaufman@tcpcloud.eu>
+Section: admin
+Priority: optional
+Build-Depends: debhelper (>= 9)
+Standards-Version: 3.9.6
+Homepage: http://www.tcpcloud.eu
+Vcs-Browser: https://github.com/tcpcloud/salt-formula-iptables
+Vcs-Git: https://github.com/tcpcloud/salt-formula-iptables.git
+
+Package: salt-formula-iptables
+Architecture: all
+Depends: ${misc:Depends}, salt-master, reclass
+Description: iptables salt formula
+ Configure iptables rules.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..8f82be0
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,15 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: salt-formula-iptables
+Upstream-Contact: Ales Komarek <ales.komarek@tcpcloud.eu>
+Source: https://github.com/tcpcloud/salt-formula-iptables
+
+Files: *
+Copyright: 2014-2015 tcp cloud a.s.
+License: Apache-2.0
+ Copyright (C) 2014-2015 tcp cloud a.s.
+ .
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ .
+ On a Debian system you can find a copy of this license in
+ /usr/share/common-licenses/Apache-2.0.
diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..d585829
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,3 @@
+README.rst
+CHANGELOG.rst
+VERSION
diff --git a/debian/install b/debian/install
new file mode 100644
index 0000000..313b79a
--- /dev/null
+++ b/debian/install
@@ -0,0 +1,2 @@
+iptables/* /usr/share/salt-formulas/env/iptables/
+metadata/service/* /usr/share/salt-formulas/reclass/service/iptables/
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..abde6ef
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,5 @@
+#!/usr/bin/make -f
+
+%:
+ dh $@
+
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..89ae9db
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (native)
diff --git a/iptables/init.sls b/iptables/init.sls
new file mode 100644
index 0000000..43a97fc
--- /dev/null
+++ b/iptables/init.sls
@@ -0,0 +1,4 @@
+include:
+{%- if pillar.iptables.service is defined %}
+- iptables.service
+{%- endif %}
\ No newline at end of file
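Review bot: `pillar.iptables.service is defined` at L465 reads `pillar.iptables` before the `is defined` test is applied, so on a minion whose pillar has no `iptables` key at all the include would, with Jinja's default Undefined, fail to render instead of quietly skipping `iptables.service`; I have not checked Salt's exact Undefined class, so treat that as something to verify. A guarded lookup such as `{%- if pillar.get('iptables', {}).service is defined %}` keeps the current meaning for minions that do carry the pillar. The file also lacks a trailing newline.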
diff --git a/iptables/map.jinja b/iptables/map.jinja
new file mode 100644
index 0000000..9e9c115
--- /dev/null
+++ b/iptables/map.jinja
@@ -0,0 +1,11 @@
+
+{% set service = salt['grains.filter_by']({
+ 'Debian': {
+ 'pkgs': ['iptables','iptables-persistent' ],
+ 'service': 'iptables-persistent',
+ },
+ 'RedHat': {
+ 'pkgs': ['iptables'],
+ 'service': 'iptables',
+ },
+}, merge=salt['pillar.get']('iptables:service')) %}
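Review bot: The `merge=salt['pillar.get']('iptables:service')` argument at L485 is doing more than selecting packages: it is what carries the whole `chain`/`rule` tree from the pillar into `service`, which service.sls later reads via `service.get('chain', {})`, and it also lets a pillar `pkgs` or `service` key override the per-OS defaults. That coupling is not obvious from the map alone, so a comment above the `filter_by` such as `{# the iptables:service pillar is merged in whole; service.sls reads chain/rule from the result #}` would save the next reader a trip to service.sls. Cosmetic: `['iptables','iptables-persistent' ]` at L478 mixes spacing inside the list.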
diff --git a/iptables/service.sls b/iptables/service.sls
new file mode 100644
index 0000000..f126bd2
--- /dev/null
+++ b/iptables/service.sls
@@ -0,0 +1,77 @@
+{% from "iptables/map.jinja" import service with context %}
+
+{%- if pillar.iptables.service.enabled %}
+
+iptables_packages:
+ pkg.installed:
+ - names: {{ service.pkgs }}
+
+iptables_services:
+ service.dead:
+ - enable: true
+ - name: {{ service.service }}
+ - sig: test -e /etc/iptables/rules.v4
+ - require:
+ - pkg: iptables_packages
+
+{%- for chain_name, chain in service.get('chain', {}).iteritems() %}
+
+{%- for rule_name, rule in chain.get('rule', {}).iteritems() %}
+
+iptables_{{ chain_name }}_{{ rule_name }}:
+ iptables.insert:
+ {%- if rule.position is defined %}
+ - position: {{ rule.position }}
+ {%- endif %}
+ {%- if rule.table is defined %}
+ - table: {{ rule.table }}
+ {%- endif %}
+ - chain: {{ chain_name }}
+ {%- if rule.jump is defined %}
+ - jump: {{ rule.jump }}
+ {%- endif %}
+ {%- if rule.match is defined %}
+ - match: {{ rule.match }}
+ {%- endif %}
+ {%- if rule.connection_state is defined %}
+ - connstate: {{ rule.connection_state }}
+ {%- endif %}
+ {%- if rule.protocol is defined %}
+ - proto: {{ rule.protocol }}
+ {%- endif %}
+ {%- if rule.destination_port is defined %}
+ - dport: {{ rule.destination_port }}
+ {%- endif %}
+ {%- if rule.source_port is defined %}
+ - sport: {{ rule.source_port }}
+ {%- endif %}
+ {%- if rule.in_interface is defined %}
+ - in-interface: {{ rule.in_interface }}
+ {%- endif %}
+ {%- if rule.out_interface is defined %}
+ - out-interface: {{ rule.out_interface }}
+ {%- endif %}
+ {%- if rule.to_destination is defined %}
+ - to-destination: {{ rule.to_destination }}
+ {%- endif %}
+ {%- if rule.source_network is defined %}
+ - source: {{ rule.source_network }}
+ {%- endif %}
+ {%- if rule.destination_network is defined %}
+ - destination: {{ rule.destination_network }}
+ {%- endif %}
+
+ - save: True
+
+{%- endfor %}
+
+{%- endfor %}
+
+{%- else %}
+
+iptables_services:
+ service.dead:
+ - enable: false
+ - name: {{ service.service }}
+
+{%- endif %}
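Review bot: The rules are emitted in dict-iteration order at L508 and L510 (`.iteritems()` over the pillar mappings), not in pillar declaration order, so unless every rule carries `position` the placement of a terminal REJECT/DROP relative to the ACCEPT rules before it is not deterministic, and for a firewall that ordering is the policy itself; the README sample omits `position` on almost every rule, and `iptables.insert` may also require it outright, which is worth checking against the state's signature. A second silent-failure path is that the template only copies the keys it knows: `family`, `comment`, `to_port` and `to_source` from the README sample are dropped, as is any misspelled key (`destionation_network`, `match: tpc` in the same sample), so a typo yields a broader rule than intended, e.g. a FORWARD ACCEPT with no destination restriction, rather than an error. Passing the address family through, `{%- if rule.family is defined %}` / `- family: {{ rule.family }}` / `{%- endif %}`, would at least stop an `ipv6` rule from being loaded into the IPv4 tables, and a render-time rejection of unknown keys would close the typo case. Finally, `- to-destination: {{ rule.to_destination }}` at L546 renders the `host`/`port` mapping the README uses as a Python dict literal rather than `host:port`, and `service.dead` with `enable: true` at L501-L502 plus a `sig` that looks like a shell test rather than a process signature deserves a comment explaining the intent, since `.iteritems()` will also need to become `.items()` for Python 3 minions.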
diff --git a/metadata/service/server/init.yml b/metadata/service/server/init.yml
new file mode 100644
index 0000000..09c3cb0
--- /dev/null
+++ b/metadata/service/server/init.yml
@@ -0,0 +1,2 @@
+applications:
+- iptables
\ No newline at end of file