blob: a59e5e84c4407b1b60e180b8aaa4d63f32762c27
=====================
iptables salt formula
=====================

Iptables is used to set up, maintain, and inspect the tables of IPv4 packet
filter rules in the Linux kernel. Several different tables may be defined.
Each table contains a number of built-in chains and may also contain
user-defined chains. Each chain is a list of rules which can match a set of
packets. Each rule specifies what to do with a packet that matches. This is
called a ``target``, which may be a jump to a user-defined chain in the same
table.

This version of the formula guarantees that manually added rules, or rules
which have been added at runtime, will be removed.

In order to ensure this, a proper ``epoch`` value should be specified under
``schema``. Refer to the example below.

Sample pillars
==============

.. code-block:: yaml

    parameters:
      iptables:
        schema:
          epoch: 1
        service:
          v4:
            enabled: true
            persistent_config: /etc/iptables.v4
            modules:
              - nf_conntrack_ftp
              - nf_conntrack_pptp
          v6:
            enabled: false
            persistent_config: /etc/iptables.v6
            modules:
              - nf_conntrack_ipv6
        defaults:
          v4:
            metadata_rules: false
            policy: ACCEPT
            ruleset:
              action: ACCEPT
              params: ""
              rule: ""
          v6:
            metadata_rules: false
            policy: DROP
            ruleset:
              action: ACCEPT
              params: ""
              rule: ""
        tables:
          v4:
            filter:
              chains:
                INPUT:
                  ruleset:
                    5:
                      action: log_drop
                    10:
                      rule: -s 192.168.0.0/24 -p tcp
                log_drop:
                  policy: DROP
                  ruleset:
                    10:
                      action: LOG
                      comment: "Log my packets"
            nat:
              chains:
                OUTPUT:
                PREROUTING:
                POSTROUTING:
                  policy: ACCEPT
                  ruleset:
                    10:
                      rule: -s 192.168.0.0/24 -p tcp -o lo
                      action: SNAT
                      params: --to-source=127.0.0.1
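
The following is an added illustration, not code from the formula itself: it
renders the ``filter`` table of the pillar above into ``iptables-restore``
style lines, to show how the numeric ruleset keys order the rules and how
``defaults`` fill in a missing ``action``, ``params`` or ``rule``. The pillar
dict is constructed from the example; treating an explicit ``policy`` on a
user-defined chain as that chain's final terminating rule is an assumption of
this example, not documented formula behaviour.

```python
"""Render the iptables pillar above into iptables-restore style lines."""

# Chains iptables ships with; only these accept a policy via -P.
BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}

# Constructed pillar: the README example, trimmed to the v4 filter table.
PILLAR = {
    "defaults": {"v4": {"policy": "ACCEPT",
                        "ruleset": {"action": "ACCEPT", "params": "", "rule": ""}}},
    "tables": {"v4": {"filter": {"chains": {
        "INPUT": {"ruleset": {5: {"action": "log_drop"},
                              10: {"rule": "-s 192.168.0.0/24 -p tcp"}}},
        "log_drop": {"policy": "DROP",
                     "ruleset": {10: {"action": "LOG", "comment": "Log my packets"}}},
    }}}},
}


def render_table(pillar, family, table):
    """Return iptables-restore lines for one table (assumed semantics)."""
    defaults = pillar["defaults"][family]
    chains = pillar["tables"][family][table]["chains"]
    lines = ["*%s" % table]
    # Chain headers: built-in chains get the policy, user-defined chains are
    # declared with "-" because iptables has no policy for them.
    for name, chain in chains.items():
        policy = (chain or {}).get("policy", defaults["policy"])
        lines.append(":%s %s [0:0]" % (name, policy if name in BUILTIN else "-"))
    for name, chain in chains.items():
        chain = chain or {}
        ruleset = chain.get("ruleset", {})
        # Numeric keys fix the order: lower numbers are appended first.
        for prio in sorted(ruleset, key=int):
            rule = dict(defaults["ruleset"], **ruleset[prio])  # fill from defaults
            parts = ["-A", name]
            if rule["rule"]:
                parts.append(rule["rule"])
            if rule.get("comment"):
                parts.append('-m comment --comment "%s"' % rule["comment"])
            parts.append("-j %s" % rule["action"])
            if rule["params"]:
                parts.append(rule["params"])
            lines.append(" ".join(parts))
        # Assumption: an explicit policy on a user-defined chain becomes its
        # final terminating rule (LOG, then DROP, for log_drop above).
        if name not in BUILTIN and "policy" in chain:
            lines.append("-A %s -j %s" % (name, chain["policy"]))
    lines.append("COMMIT")
    return lines
```

Calling ``render_table(PILLAR, "v4", "filter")`` yields the chain headers, the
two ``INPUT`` rules in 5-then-10 order, and the ``log_drop`` chain ending in a
``DROP``.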


Read more
=========

* http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html
* https://help.ubuntu.com/community/IptablesHowTo
* http://wiki.centos.org/HowTos/Network/IPTables

Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific
salt formula:

    https://github.com/salt-formulas/salt-formula-iptables/issues

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific
formula.

    https://github.com/salt-formulas/salt-formula-iptables
110