Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-formulas / iptables / ef400203909459ee3a4d06da8eeea7e86494df95 / . / README.rst
blob: c0a25af44dd8334bb7fdaf3880d96b0184f08fad [file] [log] [blame]
Filip Pytlounab43e7b2015-10-06 16:28:32 +0200[diff] [blame]1
2================
3iptables formula
4================
5
Filip Pytloun60062562016-07-27 14:41:15 +0200[diff] [blame]6Iptables is used to set up, maintain, and inspect the tables of IPv4 packet
7filter rules in the Linux kernel. Several different tables may be defined.
8Each table contains a number of built-in chains and may also contain
9user-defined chains. Each chain is a list of rules which can match a set of
10packets. Each rule specifies what to do with a packet that matches. This is
11called a `target`, which may be a jump to a user-defined chain in the same
12table.
Filip Pytlounab43e7b2015-10-06 16:28:32 +0200[diff] [blame]13
14Sample pillars
15==============
16
Filip Pytloun60062562016-07-27 14:41:15 +0200[diff] [blame]17Most common rules - allow traffic on localhost, accept related,established and
18ping
Filip Pytlounab43e7b2015-10-06 16:28:32 +0200[diff] [blame]19
20.. code-block:: yaml
21
Nitin Madhok574663a2017-03-28 10:08:26 -0400[diff] [blame]22 parameters:
Filip Pytloun60062562016-07-27 14:41:15 +0200[diff] [blame]23 iptables:
24 service:
Dennis van Dok3bee76d2017-02-07 15:22:23 +0100[diff] [blame]25 enabled: True
Filip Pytlounab43e7b2015-10-06 16:28:32 +0200[diff] [blame]26 chain:
27 INPUT:
Filip Pytloun60062562016-07-27 14:41:15 +0200[diff] [blame]28 rules:
29 - in_interface: lo
Filip Pytlounab43e7b2015-10-06 16:28:32 +0200[diff] [blame]30 jump: ACCEPT
Filip Pytloun60062562016-07-27 14:41:15 +0200[diff] [blame]31 - connection_state: RELATED,ESTABLISHED
Filip Pytlounab43e7b2015-10-06 16:28:32 +0200[diff] [blame]32 match: state
Filip Pytloun60062562016-07-27 14:41:15 +0200[diff] [blame]33 jump: ACCEPT
34 - protocol: icmp
35 jump: ACCEPT
36
37Accept connections on port 22
38
39.. code-block:: yaml
40
Nitin Madhok574663a2017-03-28 10:08:26 -0400[diff] [blame]41 parameters:
Filip Pytloun60062562016-07-27 14:41:15 +0200[diff] [blame]42 iptables:
43 service:
44 chain:
45 INPUT:
46 rules:
47 - destination_port: 22
Filip Pytlounab43e7b2015-10-06 16:28:32 +0200[diff] [blame]48 protocol: tcp
Filip Pytloun60062562016-07-27 14:41:15 +0200[diff] [blame]49 jump: ACCEPT
50
51Set drop policy on INPUT chain:
52
53.. code-block:: yaml
54
Nitin Madhok574663a2017-03-28 10:08:26 -0400[diff] [blame]55 parameters:
Filip Pytloun60062562016-07-27 14:41:15 +0200[diff] [blame]56 iptables:
57 service:
58 chain:
59 INPUT:
60 policy: DROP
61
62Redirect privileged port 443 to 8081
63
64.. code-block:: yaml
65
66 parameters:
67 iptables:
68 service:
69 chain:
70 PREROUTING:
71 filter: nat
72 destination_port: 443
73 to_port: 8081
74 protocol: tcp
75 jump: REDIRECT
76
77Allow access from local network
78
79.. code-block:: yaml
80
81 parameters:
82 iptables:
83 service:
84 chain:
85 INPUT:
86 rules:
87 - protocol: tcp
88 destination_port: 22
89 source_network: 192.168.1.0/24
90 jump: ACCEPT
Dmitry Stremkouskiafb406c2017-11-21 12:11:50 +0300[diff] [blame]91 comment: Blah
Filip Pytlounab43e7b2015-10-06 16:28:32 +0200[diff] [blame]92
Piotr Pieprzycki91ac1492017-12-11 12:44:09 +0000[diff] [blame]93Support logging with custom prefix and log level
94
95.. code-block:: yaml
96
97 parameters:
98 iptables:
99 service:
100 chain:
101 POSTROUTING:
102 rules:
103 - table: nat
104 protocol: tcp
105 match: multiport
106 destination_ports:
107 - 21
108 - 80
109 - 443
110 - 2220
111 source_network: '10.20.30.0/24'
112 log_level: 7
113 log_prefix: 'iptables-logging: '
114 jump: LOG
115
116
Dennis van Dok3bee76d2017-02-07 15:22:23 +0100[diff] [blame]117IPv6 is supported as well
118
119.. code-block:: yaml
120
121 parameters:
122 iptables:
123 service:
124 enabled: True
125 ipv6: True
126 chain:
127 INPUT:
128 rules:
129 - protocol: tcp
130 family: ipv6
131 destination_port: 22
132 source_network: 2001:DB8::/32
133 jump: ACCEPT
134
Filip Pytlounab43e7b2015-10-06 16:28:32 +0200[diff] [blame]135Read more
136=========
137
138* http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html
139* https://help.ubuntu.com/community/IptablesHowTo
140* http://wiki.centos.org/HowTos/Network/IPTables
Filip Pytlounb817b352017-02-02 13:02:03 +0100[diff] [blame]141
142Documentation and Bugs
143======================
144
145To learn how to install and update salt-formulas, consult the documentation
146available online at:
147
148 http://salt-formulas.readthedocs.io/
149
150In the unfortunate event that bugs are discovered, they should be reported to
151the appropriate issue tracker. Use Github issue tracker for specific salt
152formula:
153
154 https://github.com/salt-formulas/salt-formula-iptables/issues
155
156For feature requests, bug reports or blueprints affecting entire ecosystem,
157use Launchpad salt-formulas project:
158
159 https://launchpad.net/salt-formulas
160
161You can also join salt-formulas-users team and subscribe to mailing list:
162
163 https://launchpad.net/~salt-formulas-users
164
165Developers wishing to work on the salt-formulas projects should always base
166their work on master branch and submit pull request against specific formula.
167
168 https://github.com/salt-formulas/salt-formula-iptables
169
170Any questions or feedback is always welcome so feel free to join our IRC
171channel:
172
173 #salt-formulas @ irc.freenode.net