2================
3iptables formula
4================
5
6iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall and the chains and rules it stores.
7
8Sample pillars
9==============
10
11Simple INPUT chain httpd ACCEPT rule at position 1
12
13.. code-block:: yaml
14
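iptables:
  service:
    # The iptables service itself is left disabled in this sample; the rules
    # below are still rendered for the INPUT chain.
    enabled: false
  chain:
    INPUT:
      enabled: true
      rule:
        httpd:
          # Explicit position pins where the rule is inserted in the chain.
          position: 1
          table: filter
          jump: ACCEPT
          # ipv6 selects the IPv6 rule set rather than the IPv4 one.
          family: ipv6
          match: state
          connection_state: NEW
          protocol: tcp
          # Quoted so a YAML 1.1 parser cannot retype a digits-and-colon
          # value; the port range must reach iptables as the string 1025:65535.
          source_port: '1025:65535'
          destination_port: 80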
32
33Read more
34=========
35
36* http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html
37* https://help.ubuntu.com/community/IptablesHowTo
38* http://wiki.centos.org/HowTos/Network/IPTables
39
40A larger example with NAT chains (PREROUTING, POSTROUTING) and filter chains (INPUT, FORWARD):

.. code-block:: yaml
41
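chain:
  # Rule evaluation order matters here: deny_ssh_public must precede
  # allow_ssh_public_redirect and reject_rest must come last.
  # NOTE(review): this relies on the pillar loader keeping mapping order; the
  # first sample pins order with `position:` instead — confirm which the
  # formula guarantees before relying on key order.
  #
  # DNAT/SNAT/REDIRECT targets (and the PREROUTING/POSTROUTING chains) exist
  # only in the nat table, so the NAT rules below use table: nat.
  PREROUTING:
    enabled: true
    rule:
      dnat_ssh_185:
        table: nat
        jump: DNAT
        match: tcp
        protocol: tcp
        destination_network: 185.22.97.132/32
        destination_port: 20022
        to_destination:
          host: 10.0.110.38
          port: 22
        comment: Premapovani ssh zvenku na standardni port
      dnat_ssh_10:
        table: nat
        jump: DNAT
        match: tcp
        protocol: tcp
        destination_network: 10.0.110.38/32
        destination_port: 20022
        to_destination:
          host: 10.0.110.38
          port: 22
        comment: Premapovani ssh 20022-22
      redirect_vpn_185:
        table: nat
        jump: REDIRECT
        match: udp
        protocol: udp
        destination_network: 185.22.97.132/32
        destination_port: 3690
        to_port:
          port: 1194
        comment: Presmerovani VPN portu 3690 > 1194
  POSTROUTING:
    enabled: true
    rule:
      snat_vpn_185:
        table: nat
        jump: SNAT
        match: udp
        protocol: udp
        source_network: 10.8.0.0/24
        out_interface: eth1
        to_source:
          host: 185.22.97.132
        comment: NAT pro klienty administratorske VPNky
  INPUT:
    enabled: true
    rule:
      allow_conn_established:
        table: filter
        jump: ACCEPT
        match: state
        connection_state: RELATED,ESTABLISHED
        comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
      allow_proto_icmp:
        table: filter
        jump: ACCEPT
        protocol: icmp
        comment: ICMP nechceme filtrovat
      allow_iface_lo:
        table: filter
        jump: ACCEPT
        in_interface: lo
        comment: Lokalni smycka muze vsechno
      allow_ssh_10.0.110.38:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        destination_network: 10.0.110.38/32
        destination_port: 22
        comment: SSH z lokalni site
      allow_ssh_10.8.0.1:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        destination_network: 10.8.0.1/32
        destination_port: 22
        comment: SSH z VPN site
      # --dport is only accepted together with -p, so the state-matched SSH
      # rules name the protocol explicitly (as the first sample does).
      allow_ssh_private_10:
        table: filter
        jump: ACCEPT
        match: state
        connection_state: NEW
        protocol: tcp
        source_network: 10.0.0.0/8
        destination_network: 185.22.97.132/32
        destination_port: 22
        comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol
      allow_ssh_private_192:
        table: filter
        jump: ACCEPT
        match: state
        connection_state: NEW
        protocol: tcp
        # NOTE(review): 192.0.0.0/8 is far wider than the private
        # 192.168.0.0/16 and admits public address space — confirm the range.
        source_network: 192.0.0.0/8
        destination_network: 185.22.97.132/32
        destination_port: 22
        comment: ssh z vnitrni site 192.0.0.0/8 povolit na obvykly protokol
      allow_ssh_private_172:
        table: filter
        jump: ACCEPT
        match: state
        connection_state: NEW
        protocol: tcp
        source_network: 172.16.162.0/24
        destination_network: 185.22.97.132/32
        destination_port: 22
        # comment corrected to name the network this rule actually matches
        comment: ssh z vnitrni site 172.16.162.0/24 povolit na obvykly protokol
      allow_ssh_private_185:
        table: filter
        jump: ACCEPT
        match: state
        connection_state: NEW
        protocol: tcp
        source_network: 185.22.97.0/24
        destination_network: 185.22.97.132/32
        destination_port: 22
        # comment corrected to name the network this rule actually matches
        comment: ssh z vnitrni site 185.22.97.0/24 povolit na obvykly protokol
      deny_ssh_public:
        table: filter
        jump: DROP
        match: tcp
        protocol: tcp
        destination_network: 185.22.97.132/32
        destination_port: 22
        comment: ssh z vnejsi site na obvykly port ZAKAZAT, budeme ho presmerovavat
      allow_ssh_public_redirect:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        # Port aligned with the PREROUTING DNAT rules (20022).
        # NOTE(review): DNAT runs before INPUT, so packets arriving here already
        # carry dport 22 and meet deny_ssh_public first — confirm this rule is
        # reachable as written.
        destination_port: 20022
        comment: nahradni ssh port bude presmerovan na 22 pokud se prijde z vnejsi site
      allow_zabbix_server:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        source_network: 10.0.110.36/32
        destination_port: 10050
        comment: zabbix monitoring
      allow_tsmc_web_10:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        source_network: 10.0.0.0/8
        destination_port: 1581
        comment: tsm client web gui
      # `match: state` without a connection_state is rejected by iptables;
      # these port rules use the tcp match like their siblings.
      allow_tsmc_37010_10:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        source_network: 10.0.0.0/8
        destination_port: 37010
        comment: tsmc web
      allow_tsmc_39876_10:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        source_network: 10.0.0.0/8
        destination_port: 39876
        comment: tsmc web
      allow_tsm_web_172:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        source_network: 172.16.162.0/24
        destination_port: 1581
        comment: tsm client web gui
      allow_tsmc_37010_172:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        source_network: 172.16.162.0/24
        destination_port: 37010
        comment: tsmc web
      allow_tsmc_39876_172:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        source_network: 172.16.162.0/24
        destination_port: 39876
        comment: tsmc web
      allow_vpn_public:
        table: filter
        jump: ACCEPT
        match: state
        connection_state: NEW
        # --dport needs -p; udp matches the redirect_vpn_185 rule above.
        protocol: udp
        destination_port: 1194
        comment: Povolime VPN odkudkoli
      reject_rest:
        table: filter
        jump: REJECT
        comment: Zdvorile odmitame ostatni komunikaci; --reject-with icmp-host-prohibited neni
  FORWARD:
    enabled: true
    rule:
      allow_conn_established:
        table: filter
        jump: ACCEPT
        match: state
        connection_state: RELATED,ESTABLISHED
        comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
      # The SNAT rule formerly duplicated here cannot load in FORWARD (SNAT is
      # a nat/POSTROUTING target); the POSTROUTING chain above carries it.
      #
      # Keys below corrected from the misspelt `destionation_network`: a
      # misspelt key yields no destination match, so each rule was either
      # rejected or forwarded traffic to any destination rather than the VPN net.
      accept_net_10.0.110.0_vpn:
        table: filter
        jump: ACCEPT
        source_network: 10.0.110.0/24
        destination_network: 10.8.0.0/24
        comment: vnitrni komunikace management
      accept_net_10.10.0.0_vpn:
        table: filter
        jump: ACCEPT
        source_network: 10.10.0.0/16
        destination_network: 10.8.0.0/24
        comment: vnitrni komunikace management
      accept_net_10.0.101.0_vpn:
        table: filter
        jump: ACCEPT
        source_network: 10.0.101.0/24
        destination_network: 10.8.0.0/24
        comment: vnitrni komunikace VLAN1501
      accept_net_10.0.102.0_vpn:
        table: filter
        jump: ACCEPT
        source_network: 10.0.102.0/24
        destination_network: 10.8.0.0/24
        comment: vnitrni komunikace VLAN1502
      accept_net_10.0.103.0_vpn:
        table: filter
        jump: ACCEPT
        source_network: 10.0.103.0/24
        destination_network: 10.8.0.0/24
        comment: vnitrni komunikace VLAN1503
      accept_net_10.0.106.0_vpn:
        table: filter
        jump: ACCEPT
        source_network: 10.0.106.0/24
        destination_network: 10.8.0.0/24
        comment: vnitrni komunikace VLAN1506
      accept_net_10.0.110.0:
        table: filter
        jump: ACCEPT
        source_network: 10.0.110.0/24
        comment: Vse ze site 10.0.110.0
      accept_net_10.8.0.0:
        table: filter
        jump: ACCEPT
        source_network: 10.8.0.0/24
        comment: Z teto VPN se smi skoro vsechno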