================
iptables formula
================

Iptables is used to set up, maintain, and inspect the tables of IPv4 packet
filter rules in the Linux kernel. Several different tables may be defined.
Each table contains a number of built-in chains and may also contain
user-defined chains. Each chain is a list of rules which can match a set of
packets. Each rule specifies what to do with a packet that matches. This is
called a `target`, which may be a jump to a user-defined chain in the same
table.

Sample pillars
==============

Most common rules: allow traffic on localhost, accept RELATED,ESTABLISHED
connections and ping

.. code-block:: yaml

    parameters:
      iptables:
        service:
          enabled: True
          chain:
            INPUT:
              rules:
              - in_interface: lo
                jump: ACCEPT
              - connection_state: RELATED,ESTABLISHED
                match: state
                jump: ACCEPT
              - protocol: icmp
                jump: ACCEPT

Accept connections on port 22:

.. code-block:: yaml

    parameters:
      iptables:
        service:
          chain:
            INPUT:
              rules:
              - destination_port: 22
                protocol: tcp
                jump: ACCEPT

Set drop policy on INPUT chain:

.. code-block:: yaml

    parameters:
      iptables:
        service:
          chain:
            INPUT:
              policy: DROP

Redirect privileged port 443 to 8081:

.. code-block:: yaml

    parameters:
      iptables:
        service:
          chain:
            PREROUTING:
              filter: nat
              destination_port: 443
              to_port: 8081
              protocol: tcp
              jump: REDIRECT

Allow access from local network:

.. code-block:: yaml

    parameters:
      iptables:
        service:
          chain:
            INPUT:
              rules:
              - protocol: tcp
                destination_port: 22
                source_network: 192.168.1.0/24
                jump: ACCEPT
                comment: Blah

IPv6 is supported as well:

.. code-block:: yaml

    parameters:
      iptables:
        service:
          enabled: True
          ipv6: True
          chain:
            INPUT:
              rules:
              - protocol: tcp
                family: ipv6
                destination_port: 22
                source_network: 2001:DB8::/32
                jump: ACCEPT

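The sample pillars above describe rules declaratively. To see what they express in iptables terms, here is an added Python illustration (not the formula's own template and not the Salt iptables state) that renders a pillar dict into the equivalent ``iptables``/``ip6tables`` command lines and checks an INPUT chain with ``policy: DROP`` for the baseline accepts (loopback, RELATED,ESTABLISHED, SSH) whose absence would lock an administrator out of the host. The key-to-option mapping, the ``PILLAR`` dict (assembled from the examples above) and the function names are assumptions of this example.

```python
from typing import Dict, List

# Assumed mapping of pillar rule keys onto iptables options. This is an
# illustration of what the sample pillars express, not the formula's template.
FLAGS = [
    ("in_interface", "-i"),
    ("out_interface", "-o"),
    ("protocol", "-p"),            # must precede --dport/--sport
    ("source_network", "-s"),
    ("destination_network", "-d"),
    ("destination_port", "--dport"),
    ("source_port", "--sport"),
]


def render_rule(chain: str, rule: Dict, table: str = "filter") -> str:
    """Turn one pillar rule dict into an iptables/ip6tables append command."""
    binary = "ip6tables" if rule.get("family") == "ipv6" else "iptables"
    parts = [binary, "-t", table, "-A", chain]
    match = rule.get("match")
    if match:
        parts += ["-m", match]
    if "connection_state" in rule:
        if not match:                      # state match is implied by the key
            parts += ["-m", "state"]
        flag = "--ctstate" if match == "conntrack" else "--state"
        parts += [flag, rule["connection_state"]]
    for key, flag in FLAGS:
        if key in rule:
            parts += [flag, str(rule[key])]
    if "comment" in rule:
        parts += ["-m", "comment", "--comment", '"%s"' % rule["comment"]]
    parts += ["-j", rule["jump"]]
    if "to_port" in rule:                  # REDIRECT target option follows -j
        parts += ["--to-ports", str(rule["to_port"])]
    return " ".join(parts)


def render_pillar(pillar: Dict) -> List[str]:
    """Render every chain of a pillar: policy first, then its rules in order."""
    service = pillar["parameters"]["iptables"]["service"]
    lines = []
    for chain, spec in service.get("chain", {}).items():
        table = spec.get("filter", "filter")
        if "policy" in spec:
            lines.append(f"iptables -t {table} -P {chain} {spec['policy']}")
        for rule in spec.get("rules", []):
            lines.append(render_rule(chain, rule, table))
    return lines


def lockout_risks(pillar: Dict) -> List[str]:
    """Warn when INPUT is DROP by default but lacks the accepts you rely on."""
    service = pillar["parameters"]["iptables"]["service"]
    inp = service.get("chain", {}).get("INPUT", {})
    if str(inp.get("policy", "ACCEPT")).upper() != "DROP":
        return []
    rules = [r for r in inp.get("rules", []) if r.get("jump") == "ACCEPT"]
    warnings = []
    if not any(r.get("in_interface") == "lo" for r in rules):
        warnings.append("INPUT DROP without ACCEPT for loopback (in_interface: lo)")
    if not any("ESTABLISHED" in str(r.get("connection_state", "")) for r in rules):
        warnings.append("INPUT DROP without ACCEPT for RELATED,ESTABLISHED")
    if not any(str(r.get("destination_port")) == "22" for r in rules):
        warnings.append("INPUT DROP without ACCEPT for SSH (destination_port: 22)")
    return warnings


# Constructed pillar, merged from the README examples above.
PILLAR = {"parameters": {"iptables": {"service": {
    "enabled": True,
    "chain": {"INPUT": {
        "policy": "DROP",
        "rules": [
            {"in_interface": "lo", "jump": "ACCEPT"},
            {"connection_state": "RELATED,ESTABLISHED", "match": "state", "jump": "ACCEPT"},
            {"protocol": "icmp", "jump": "ACCEPT"},
            {"protocol": "tcp", "destination_port": 22,
             "source_network": "192.168.1.0/24", "jump": "ACCEPT", "comment": "Blah"},
        ],
    }},
}}}}

# Constructed pillar that sets the DROP policy alone, as in the third example.
BARE_DROP = {"parameters": {"iptables": {"service": {
    "chain": {"INPUT": {"policy": "DROP"}}}}}}

if __name__ == "__main__":
    print("\n".join(render_pillar(PILLAR)))
    for warning in lockout_risks(BARE_DROP):
        print("WARNING:", warning)
```

Running the block prints the five command lines for the merged pillar and three warnings for the policy-only pillar, which is the case to check before applying a pillar to a remote host: the "Set drop policy" example is safe only in combination with the first example's loopback and RELATED,ESTABLISHED accepts and an explicit accept for the management port.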
Read more
=========

* http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html
* https://help.ubuntu.com/community/IptablesHowTo
* http://wiki.centos.org/HowTos/Network/IPTables

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker of the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-iptables/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.

    https://github.com/salt-formulas/salt-formula-iptables

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net