================
iptables formula
================

iptables is a user-space utility that lets a system administrator configure the tables of the Linux kernel packet filter (netfilter) and the chains and rules they hold. This formula manages those chains and rules from pillar data.
Sample pillars
==============

Minimal INPUT chain with a DROP policy and a single IPv6 ACCEPT rule for httpd inserted at position 1. Note that this sample admits nothing else (no loopback, RELATED/ESTABLISHED or SSH rule), so it is illustrative rather than a drop-in host policy.

.. code-block:: yaml

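iptables:
  # `service.enabled: false` presumably leaves the iptables persistence
  # service unmanaged by the formula — confirm against the formula states.
  service:
    enabled: false
  chain:
    INPUT:
      enabled: true
      # Default-deny INPUT. The only ACCEPT below is an IPv6 rule for port
      # 80: as written this pillar admits no loopback, no RELATED,ESTABLISHED
      # and no SSH traffic. Do not apply it to a host you reach over the
      # network without adding those rules first.
      policy: DROP
      rule:
        httpd:
          # Inserted at position 1, i.e. ahead of any other rule in the chain.
          position: 1
          table: filter
          jump: ACCEPT
          family: ipv6
          # Matches new connections only; their replies are expected to be
          # admitted by a RELATED,ESTABLISHED rule, which this sample lacks.
          match: state
          connection_state: NEW
          protocol: tcp
          # Quoted defensively: a digits-and-colon scalar must reach iptables
          # as the string "1025:65535" (--sport range syntax); YAML 1.1
          # parsers can retype some digit:digit values as base-60 integers.
          source_port: '1025:65535'
          destination_port: 80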

Read more
=========

* http://docs.saltstack.com/en/latest/ref/states/all/salt.states.iptables.html
* https://help.ubuntu.com/community/IptablesHowTo
* http://wiki.centos.org/HowTos/Network/IPTables

A fuller example: a gateway that remaps the public SSH and OpenVPN ports in the ``nat`` table, restricts SSH on the public address to private networks in ``INPUT``, and forwards traffic between internal VLANs and the VPN network in ``FORWARD`` (the iptables rule comments are in Czech).

.. code-block:: yaml

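chain:
  # NAT-table chains. The DNAT, REDIRECT and SNAT targets exist only in the
  # `nat` table, and PREROUTING/POSTROUTING are not filter-table chains, so
  # these rules use `table: nat` (the original sample had `filter`, which
  # iptables refuses to load).
  PREROUTING:
    enabled: true
    rule:
      # Public SSH on the alternate port 20022 is rewritten to 10.0.110.38:22
      # before the routing decision. Consequence for the INPUT chain below:
      # the packet arrives there with destination 10.0.110.38 port 22, so
      # (assuming 10.0.110.38 is an address of this host, as the INPUT rules
      # for it suggest) the rule that admits it is allow_ssh_10.0.110.38.
      dnat_ssh_185:
        table: nat
        jump: DNAT
        match: tcp
        protocol: tcp
        destination_network: 185.22.97.132/32
        destination_port: 20022
        to_destination:
          host: 10.0.110.38
          port: 22
        comment: Premapovani ssh zvenku na standardni port
      # Same remap for clients that address the internal IP directly.
      dnat_ssh_10:
        table: nat
        jump: DNAT
        match: tcp
        protocol: tcp
        destination_network: 10.0.110.38/32
        destination_port: 20022
        to_destination:
          host: 10.0.110.38
          port: 22
        comment: Premapovani ssh 20022-22
      # OpenVPN reachable on UDP 3690 as well as its native port 1194.
      redirect_vpn_185:
        table: nat
        jump: REDIRECT
        match: udp
        protocol: udp
        destination_network: 185.22.97.132/32
        destination_port: 3690
        to_port:
          port: 1194
        comment: Presmerovani VPN portu 3690 > 1194
  POSTROUTING:
    enabled: true
    rule:
      # VPN clients (10.8.0.0/24) leaving via eth1 are source-NATed to the
      # public address. Only UDP is matched: TCP traffic forwarded out of
      # eth1 from VPN clients leaves un-NATed — confirm that is intended.
      snat_vpn_185:
        table: nat
        jump: SNAT
        match: udp
        protocol: udp
        source_network: 10.8.0.0/24
        out_interface: eth1
        to_source:
          host: 185.22.97.132
        comment: NAT pro klienty administratorske VPNky
  INPUT:
    enabled: true
    # No `policy:` is set for INPUT in this sample; unmatched traffic is still
    # refused because reject_rest is the last rule. Rules apply in the order
    # listed here, so keep reject_rest at the end.
    rule:
      allow_conn_established:
        table: filter
        jump: ACCEPT
        match: state
        connection_state: RELATED,ESTABLISHED
        comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
      # All ICMP types from any source (no --icmp-type restriction).
      allow_proto_icmp:
        table: filter
        jump: ACCEPT
        protocol: icmp
        comment: ICMP nechceme filtrovat
      allow_iface_lo:
        table: filter
        jump: ACCEPT
        in_interface: lo
        comment: Lokalni smycka muze vsechno
      # No source restriction: SSH to 10.0.110.38:22 is accepted from any
      # source, including public clients whose 185.22.97.132:20022
      # connections were DNATed to this address in PREROUTING. The iptables
      # comment ("from the local network") understates this; narrowing the
      # rule to a private source network would silently break the public
      # alternate SSH port.
      allow_ssh_10.0.110.38:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        destination_network: 10.0.110.38/32
        destination_port: 22
        comment: SSH z lokalni site
      # 10.8.0.1 is presumably the VPN tunnel endpoint; nothing here limits
      # the source, so this relies on the address being reachable only
      # through the tunnel — confirm.
      allow_ssh_10.8.0.1:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        destination_network: 10.8.0.1/32
        destination_port: 22
        comment: SSH z VPN site
      # SSH to the public address on port 22 only from private ranges.
      # `protocol: tcp` is required: iptables rejects --dport without -p, so
      # the original rules (which omitted it) could not be loaded.
      allow_ssh_private_10:
        table: filter
        jump: ACCEPT
        match: state
        connection_state: NEW
        protocol: tcp
        source_network: 10.0.0.0/8
        destination_network: 185.22.97.132/32
        destination_port: 22
        comment: ssh z vnitrni site 10.0.0.0/8 povolit na obvykly protokol
      # RFC 1918 is 192.168.0.0/16. The previous value, 192.0.0.0/8, is
      # mostly public address space and would have admitted SSH from all of
      # it — restore only if your "internal" network really is that wide.
      allow_ssh_private_192:
        table: filter
        jump: ACCEPT
        match: state
        connection_state: NEW
        protocol: tcp
        source_network: 192.168.0.0/16
        destination_network: 185.22.97.132/32
        destination_port: 22
        comment: ssh z vnitrni site 192.168.0.0/16 povolit na obvykly protokol
      allow_ssh_private_172:
        table: filter
        jump: ACCEPT
        match: state
        connection_state: NEW
        protocol: tcp
        source_network: 172.16.162.0/24
        destination_network: 185.22.97.132/32
        destination_port: 22
        comment: ssh z vnitrni site 172.16.162.0/24 povolit na obvykly protokol
      # 185.22.97.0/24 is the host's own public /24, not an internal network:
      # every host in that range may reach port 22 on the standard port.
      allow_ssh_private_185:
        table: filter
        jump: ACCEPT
        match: state
        connection_state: NEW
        protocol: tcp
        source_network: 185.22.97.0/24
        destination_network: 185.22.97.132/32
        destination_port: 22
        comment: ssh ze site 185.22.97.0/24 povolit na obvykly protokol
      # Everything else to the public address on port 22 is dropped; public
      # clients are expected to use 20022 (see PREROUTING). `match` was
      # misspelled `tpc` in the original, which made iptables reject the
      # rule — leaving this DROP (and several ACCEPTs below) unloaded.
      deny_ssh_public:
        table: filter
        jump: DROP
        match: tcp
        protocol: tcp
        destination_network: 185.22.97.132/32
        destination_port: 22
        comment: ssh z vnejsi site na obvykly port ZAKAZAT, budeme ho presmerovavat
      # Port aligned with the PREROUTING DNAT rules (was 22022). Because the
      # DNAT rewrites the destination before INPUT is consulted, INPUT sees
      # port 22, not 20022 — this rule only matches if the DNAT is absent.
      allow_ssh_public_redirect:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        destination_port: 20022
        comment: nahradni ssh port bude presmerovan na 22 pokud se prijde z vnejsi site
      allow_zabbix_server:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        source_network: 10.0.110.36/32
        destination_port: 10050
        comment: zabbix monitoring
      # TSM client ports from the internal networks. `-m state` without
      # --state is rejected by iptables, so the 37010/39876 rules now use the
      # tcp match like their siblings.
      allow_tsmc_web_10:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        source_network: 10.0.0.0/8
        destination_port: 1581
        comment: tsm client web gui
      allow_tsmc_37010_10:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        source_network: 10.0.0.0/8
        destination_port: 37010
        comment: tsmc web
      allow_tsmc_39876_10:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        source_network: 10.0.0.0/8
        destination_port: 39876
        comment: tsmc web
      allow_tsm_web_172:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        source_network: 172.16.162.0/24
        destination_port: 1581
        comment: tsm client web gui
      allow_tsmc_37010_172:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        source_network: 172.16.162.0/24
        destination_port: 37010
        comment: tsmc web
      allow_tsmc_39876_172:
        table: filter
        jump: ACCEPT
        match: tcp
        protocol: tcp
        source_network: 172.16.162.0/24
        destination_port: 39876
        comment: tsmc web
      # OpenVPN from anywhere. UDP matches the REDIRECT rule (3690 -> 1194)
      # in PREROUTING; `protocol` is needed for --dport to be accepted.
      allow_vpn_public:
        table: filter
        jump: ACCEPT
        match: state
        connection_state: NEW
        protocol: udp
        destination_port: 1194
        comment: Povolime VPN odkudkoli
      # Terminal rule — must remain last in the chain.
      reject_rest:
        table: filter
        jump: REJECT
        comment: Zdvorile odmitame ostatni komunikaci; --reject-with icmp-host-prohibited neni
  FORWARD:
    enabled: true
    rule:
      allow_conn_established:
        table: filter
        jump: ACCEPT
        match: state
        connection_state: RELATED,ESTABLISHED
        comment: Vsechen provoz souvisejici s povolenymi pravidly pustit
      # The original sample repeated snat_vpn_185 here with `table: filter`.
      # SNAT is only valid in nat/POSTROUTING (where it is already defined
      # above) and iptables refuses it in FORWARD, so the duplicate is gone.
      #
      # Internal networks -> VPN clients. The destination key was misspelled
      # `destionation_network` in the original; if the formula ignores
      # unknown keys, these ACCEPTs silently applied to any destination.
      accept_net_10.0.110.0_vpn:
        table: filter
        jump: ACCEPT
        source_network: 10.0.110.0/24
        destination_network: 10.8.0.0/24
        comment: vnitrni komunikace management
      accept_net_10.10.0.0_vpn:
        table: filter
        jump: ACCEPT
        source_network: 10.10.0.0/16
        destination_network: 10.8.0.0/24
        comment: vnitrni komunikace management
      accept_net_10.0.101.0_vpn:
        table: filter
        jump: ACCEPT
        source_network: 10.0.101.0/24
        destination_network: 10.8.0.0/24
        comment: vnitrni komunikace VLAN1501
      accept_net_10.0.102.0_vpn:
        table: filter
        jump: ACCEPT
        source_network: 10.0.102.0/24
        destination_network: 10.8.0.0/24
        comment: vnitrni komunikace VLAN1502
      accept_net_10.0.103.0_vpn:
        table: filter
        jump: ACCEPT
        source_network: 10.0.103.0/24
        destination_network: 10.8.0.0/24
        comment: vnitrni komunikace VLAN1503
      accept_net_10.0.106.0_vpn:
        table: filter
        jump: ACCEPT
        source_network: 10.0.106.0/24
        destination_network: 10.8.0.0/24
        comment: vnitrni komunikace VLAN1506
      # Any destination from the management network. This subsumes
      # accept_net_10.0.110.0_vpn above.
      accept_net_10.0.110.0:
        table: filter
        jump: ACCEPT
        source_network: 10.0.110.0/24
        comment: Vse ze site 10.0.110.0
      # VPN clients may be forwarded to any destination. Unlike INPUT, this
      # sample sets no `policy:` and no terminal REJECT for FORWARD; with the
      # kernel default policy of ACCEPT, unmatched forwarded traffic passes
      # unless a DROP policy is configured elsewhere.
      accept_net_10.8.0.0:
        table: filter
        jump: ACCEPT
        source_network: 10.8.0.0/24
        comment: Z teto VPN se smi skoro vsechno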