| |
================
iptables formula
================

iptables is the user-space utility used to configure the tables of the Linux kernel packet filter (netfilter) and the chains and rules they store. This formula manages those chains and rules from the pillar data described below.
| |
Sample pillars
==============

A minimal pillar: one ``ACCEPT`` rule for httpd inserted at position 1 of the ``INPUT`` chain, whose policy is ``DROP``. Because a ``DROP`` policy also drops the subsequent packets of a connection that was accepted as ``NEW``, a chain configured this way must additionally accept ``RELATED,ESTABLISHED`` traffic, and an IPv6 chain must let ICMPv6 (Neighbor Discovery) through or the host loses IPv6 connectivity.

.. code-block:: yaml

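iptables:
  service:
    # NOTE(review): the meaning of service.enabled is formula-specific
    # (presumably whether the iptables service itself is managed); confirm.
    enabled: false
  chain:
    INPUT:
      enabled: true
      # Whitelist design: anything not accepted by a rule below is dropped.
      policy: DROP
      rule:
        httpd:
          position: 1
          table: filter
          jump: ACCEPT
          family: ipv6
          # Only the first packet of a connection is NEW; the rest of the
          # connection is admitted by the "established" rule below.
          match: state
          connection_state: NEW
          protocol: tcp
          destination_port: 80
          # The former source_port 1025:65535 restriction was dropped: the
          # client chooses its source port, so it adds no security and only
          # breaks clients that use ports below 1025.
        established:
          position: 2
          table: filter
          jump: ACCEPT
          family: ipv6
          # Without this, a DROP policy kills the very HTTP connections the
          # httpd rule accepted (their later packets are not NEW).
          match: state
          connection_state: RELATED,ESTABLISHED
        icmpv6:
          position: 3
          table: filter
          jump: ACCEPT
          family: ipv6
          # ICMPv6 carries Neighbor Discovery; dropping it breaks IPv6
          # address resolution and router discovery on the host.
          protocol: icmpv6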
| |
Read more
=========

* http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html
* https://help.ubuntu.com/community/IptablesHowTo
* http://wiki.centos.org/HowTos/Network/IPTables

The larger pillar below shows NAT redirects for SSH and OpenVPN in ``PREROUTING``/``POSTROUTING`` together with whitelist-style ``INPUT`` and ``FORWARD`` chains. Remember that the pillar must sit under the top-level ``iptables:`` key, that the NAT targets (``DNAT``, ``SNAT``, ``REDIRECT``) live in the ``nat`` table rather than ``filter``, and that ``PREROUTING`` rewrites the destination before the ``INPUT`` chain sees the packet, so ``INPUT`` rules must match the translated address and port. The addresses appear to come from a specific deployment; replace them with your own (use the RFC 5737 documentation prefixes in published examples).

.. code-block:: yaml

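# NOTE(review): the addresses below look like a real deployment's address
# plan; use RFC 5737 documentation prefixes (e.g. 203.0.113.0/24) when
# publishing examples. The iptables --comment strings are kept verbatim.
iptables:
  chain:
    # DNAT and REDIRECT are nat-table targets and the filter table has no
    # PREROUTING chain, so these rules must use table: nat (was: filter).
    PREROUTING:
      enabled: true
      rule:
        # Public SSH is reached on 20022 and rewritten to 10.0.110.38:22
        # before INPUT runs; INPUT therefore sees dport 22 to 10.0.110.38.
        dnat_ssh_185:
          table: nat
          jump: DNAT
          match: tcp
          protocol: tcp
          destination_network: 185.22.97.132/32
          destination_port: 20022
          to_destination:
            host: 10.0.110.38
            port: 22
          comment: Premapovani ssh zvenku na standardni port
        dnat_ssh_10:
          table: nat
          jump: DNAT
          match: tcp
          protocol: tcp
          destination_network: 10.0.110.38/32
          destination_port: 20022
          to_destination:
            host: 10.0.110.38
            port: 22
          comment: Premapovani ssh 20022-22
        # OpenVPN listens on 1194; clients connect to 3690 on the public address.
        redirect_vpn_185:
          table: nat
          jump: REDIRECT
          match: udp
          protocol: udp
          destination_network: 185.22.97.132/32
          destination_port: 3690
          to_port:
            port: 1194
          comment: Presmerovani VPN portu 3690 > 1194
    POSTROUTING:
      enabled: true
      rule:
        # SNAT is only valid in the nat table's POSTROUTING chain (was: filter).
        snat_vpn_185:
          table: nat
          jump: SNAT
          # Only UDP from VPN clients is translated; TCP from 10.8.0.0/24
          # leaves eth1 with its private source address. NOTE(review): drop
          # the udp match if all client traffic should be NATed - confirm.
          match: udp
          protocol: udp
          source_network: 10.8.0.0/24
          out_interface: eth1
          to_source:
            host: 185.22.97.132
          comment: NAT pro klienty administratorske VPNky
    INPUT:
      enabled: true
      # Rules are presumably appended in pillar order (use position: to force
      # an order); the reject_rest catch-all must stay last.
      rule:
        allow_conn_established:
          table: filter
          jump: ACCEPT
          match: state
          connection_state: RELATED,ESTABLISHED
          comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
        # Accepts every ICMP type from anywhere; consider limiting to
        # echo-request and the error types if ICMP floods are a concern.
        allow_proto_icmp:
          table: filter
          jump: ACCEPT
          protocol: icmp
          comment: ICMP nechceme filtrovat
        allow_iface_lo:
          table: filter
          jump: ACCEPT
          in_interface: lo
          comment: Lokalni smycka muze vsechno
        # No source restriction: this is the rule that admits the DNATed
        # public SSH (185.22.97.132:20022 -> 10.0.110.38:22), so public SSH
        # access rests on the non-standard port alone. Restrict the source
        # networks or enforce key-only authentication in sshd.
        allow_ssh_10.0.110.38:
          table: filter
          jump: ACCEPT
          match: tcp
          protocol: tcp
          destination_network: 10.0.110.38/32
          destination_port: 22
          comment: SSH z lokalni site
        allow_ssh_10.8.0.1:
          table: filter
          jump: ACCEPT
          match: tcp
          protocol: tcp
          destination_network: 10.8.0.1/32
          destination_port: 22
          comment: SSH z VPN site
        # The four allow_ssh_private_* rules lacked protocol: tcp; iptables
        # rejects --dport without a protocol, so none of them loaded.
        allow_ssh_private_10:
          table: filter
          jump: ACCEPT
          match: state
          connection_state: NEW
          protocol: tcp
          source_network: 10.0.0.0/8
          destination_network: 185.22.97.132/32
          destination_port: 22
          comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol
        # Was 192.0.0.0/8, which is public address space (the RFC 1918 block
        # is 192.168.0.0/16) and would have opened SSH to a /8 of the Internet.
        allow_ssh_private_192:
          table: filter
          jump: ACCEPT
          match: state
          connection_state: NEW
          protocol: tcp
          source_network: 192.168.0.0/16
          destination_network: 185.22.97.132/32
          destination_port: 22
          comment: ssh z vnitrni site 192.168.0.0/16 povolit na obvykly protokol
        allow_ssh_private_172:
          table: filter
          jump: ACCEPT
          match: state
          connection_state: NEW
          protocol: tcp
          source_network: 172.16.162.0/24
          destination_network: 185.22.97.132/32
          destination_port: 22
          comment: ssh z vnitrni site 172.16.162.0/24 povolit na obvykly protokol
        # 185.22.97.0/24 is the host's own public prefix, i.e. every host in
        # the provider's block gets SSH on port 22. NOTE(review): confirm intended.
        allow_ssh_private_185:
          table: filter
          jump: ACCEPT
          match: state
          connection_state: NEW
          protocol: tcp
          source_network: 185.22.97.0/24
          destination_network: 185.22.97.132/32
          destination_port: 22
          comment: ssh ze site 185.22.97.0/24 povolit na obvykly protokol
        # Explicit drop of SSH on the standard port from everywhere else. The
        # match was misspelled "tpc", which makes iptables reject the rule -
        # the one rule meant to hide SSH from the Internet never loaded.
        deny_ssh_public:
          table: filter
          jump: DROP
          match: tcp
          protocol: tcp
          destination_network: 185.22.97.132/32
          destination_port: 22
          comment: ssh z vnejsi site na obvykly port ZAKAZAT, budeme ho presmerovavat
        # Port corrected from 22022 to match the PREROUTING DNAT (20022).
        # DNAT rewrites the port before INPUT, so this rule only takes effect
        # when the nat rule is absent.
        allow_ssh_public_redirect:
          table: filter
          jump: ACCEPT
          match: tcp
          protocol: tcp
          destination_port: 20022
          comment: nahradni ssh port bude presmerovan na 22 pokud se prijde z vnejsi site
        allow_zabbix_server:
          table: filter
          jump: ACCEPT
          match: tcp
          protocol: tcp
          source_network: 10.0.110.36/32
          destination_port: 10050
          comment: zabbix monitoring
        allow_tsmc_web_10:
          table: filter
          jump: ACCEPT
          match: tcp
          protocol: tcp
          source_network: 10.0.0.0/8
          destination_port: 1581
          comment: tsm client web gui
        # The tsmc_* rules used "match: state" without connection_state;
        # -m state requires --state, so iptables rejected them. They are
        # plain tcp port matches.
        allow_tsmc_37010_10:
          table: filter
          jump: ACCEPT
          match: tcp
          protocol: tcp
          source_network: 10.0.0.0/8
          destination_port: 37010
          comment: tsmc web
        allow_tsmc_39876_10:
          table: filter
          jump: ACCEPT
          match: tcp
          protocol: tcp
          source_network: 10.0.0.0/8
          destination_port: 39876
          comment: tsmc web
        allow_tsm_web_172:
          table: filter
          jump: ACCEPT
          match: tcp
          protocol: tcp
          source_network: 172.16.162.0/24
          destination_port: 1581
          comment: tsm client web gui
        allow_tsmc_37010_172:
          table: filter
          jump: ACCEPT
          match: tcp
          protocol: tcp
          source_network: 172.16.162.0/24
          destination_port: 37010
          comment: tsmc web
        allow_tsmc_39876_172:
          table: filter
          jump: ACCEPT
          match: tcp
          protocol: tcp
          source_network: 172.16.162.0/24
          destination_port: 39876
          comment: tsmc web
        # OpenVPN from anywhere (after the 3690 -> 1194 REDIRECT). The rule had
        # --dport without a protocol, which iptables rejects.
        allow_vpn_public:
          table: filter
          jump: ACCEPT
          match: state
          connection_state: NEW
          protocol: udp
          destination_port: 1194
          comment: Povolime VPN odkudkoli
        # Catch-all; must remain the last INPUT rule.
        reject_rest:
          table: filter
          jump: REJECT
          comment: Zdvorile odmitame ostatni komunikaci; --reject-with icmp-host-prohibited neni
    FORWARD:
      enabled: true
      # NOTE(review): no policy or catch-all is visible for this chain; set
      # policy: DROP so the accepts below act as a whitelist.
      rule:
        allow_conn_established:
          table: filter
          jump: ACCEPT
          match: state
          connection_state: RELATED,ESTABLISHED
          comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
        # The snat_vpn_185 rule that was here is removed: SNAT is only valid
        # in the nat table's POSTROUTING chain, where it is already defined.
        # The key "destionation_network" was misspelled in every *_vpn rule
        # below; depending on the Salt version a misspelled key is either
        # rejected or silently ignored, the latter accepting traffic from the
        # source network to ANY destination instead of just the VPN subnet.
        accept_net_10.0.110.0_vpn:
          table: filter
          jump: ACCEPT
          source_network: 10.0.110.0/24
          destination_network: 10.8.0.0/24
          comment: vnitrni komunikace management
        accept_net_10.10.0.0_vpn:
          table: filter
          jump: ACCEPT
          source_network: 10.10.0.0/16
          destination_network: 10.8.0.0/24
          comment: vnitrni komunikace management
        accept_net_10.0.101.0_vpn:
          table: filter
          jump: ACCEPT
          source_network: 10.0.101.0/24
          destination_network: 10.8.0.0/24
          comment: vnitrni komunikace VLAN1501
        accept_net_10.0.102.0_vpn:
          table: filter
          jump: ACCEPT
          source_network: 10.0.102.0/24
          destination_network: 10.8.0.0/24
          comment: vnitrni komunikace VLAN1502
        accept_net_10.0.103.0_vpn:
          table: filter
          jump: ACCEPT
          source_network: 10.0.103.0/24
          destination_network: 10.8.0.0/24
          comment: vnitrni komunikace VLAN1503
        accept_net_10.0.106.0_vpn:
          table: filter
          jump: ACCEPT
          source_network: 10.0.106.0/24
          destination_network: 10.8.0.0/24
          comment: vnitrni komunikace VLAN1506
        # The two rules below forward to any destination from the management
        # LAN and from the admin VPN; the VPN subnet is also the SNAT source
        # above, so VPN clients can reach the Internet through this host.
        accept_net_10.0.110.0:
          table: filter
          jump: ACCEPT
          source_network: 10.0.110.0/24
          comment: Vse ze site 10.0.110.0
        accept_net_10.8.0.0:
          table: filter
          jump: ACCEPT
          source_network: 10.8.0.0/24
          comment: Z teto VPN se smi skoro vsechno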