salt.states.iptables

Management of iptables

This is an iptables-specific module designed to manage Linux firewalls. It is expected that this state module, and other system-specific firewall states, may at some point be deprecated in favor of a more generic firewall state.

httpd:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match:
        - state
        - comment
    - comment: "Allow HTTP"
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match:
        - state
        - comment
    - comment: "Allow HTTP"
    - connstate: NEW
    - source: '127.0.0.1'
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

Inverted rule: the source (or any other address/port argument) can be negated by prefixing it with "!" or "not", as in the next two examples:
httpd:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match:
        - state
        - comment
    - comment: "Allow HTTP"
    - connstate: NEW
    - source: '! 127.0.0.1'
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match:
        - state
        - comment
    - comment: "Allow HTTP"
    - connstate: NEW
    - source: 'not 127.0.0.1'
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.append:
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.append:
    - table: filter
    - family: ipv4
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dports:
        - 80
        - 443
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.insert:
    - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.insert:
    - position: 1
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.delete:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.delete:
    - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.delete:
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

default to accept:
  iptables.set_policy:
    - chain: INPUT
    - policy: ACCEPT
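The set_policy example above leaves INPUT defaulting to ACCEPT. The following default-deny baseline is an added example and is not part of the Salt documentation; the MGMT chain, the bastion address 192.0.2.10, the interface name lo and all state IDs are assumptions. The point it shows is ordering: the ACCEPT rules for loopback, established traffic and management SSH must exist before the policy flips to DROP, otherwise the minion's current SSH session and the next highstate are cut off.

```yaml
# Added example, not from the Salt docs: a default-deny INPUT baseline.
# The MGMT chain, the bastion address 192.0.2.10 and the state IDs are
# assumptions. Order matters: every ACCEPT below is a requisite of the
# final set_policy, so DROP can never be applied before the allows exist.

allow_lo:
  iptables.append:
    - table: filter
    - chain: INPUT
    - in-interface: lo
    - jump: ACCEPT
    - save: True

allow_established:
  iptables.append:
    - table: filter
    - chain: INPUT
    - match: state
    - connstate: ESTABLISHED,RELATED
    - jump: ACCEPT
    - save: True

# Management traffic lives in its own chain so it can be audited and
# flushed independently of the service rules.
mgmt_chain:
  iptables.chain_present:
    - name: MGMT
    - table: filter

allow_ssh_from_bastion:
  iptables.append:
    - table: filter
    - chain: MGMT
    - match:
        - state
        - comment
    - comment: "SSH from bastion"
    - connstate: NEW
    - protocol: tcp
    - dport: 22
    - source: 192.0.2.10/32
    - jump: ACCEPT
    - save: True
    - require:
      - iptables: mgmt_chain

input_to_mgmt:
  iptables.insert:
    - position: 1   # evaluated before everything else in INPUT
    - table: filter
    - chain: INPUT
    - jump: MGMT
    - save: True
    - require:
      - iptables: mgmt_chain

allow_http:
  iptables.append:
    - table: filter
    - chain: INPUT
    - match:
        - state
        - comment
    - comment: "Allow HTTP"
    - connstate: NEW
    - protocol: tcp
    - dports:
        - 80
        - 443
    - jump: ACCEPT
    - save: True

# Flip the policy last; anything not matched above is now dropped.
input_default_drop:
  iptables.set_policy:
    - table: filter
    - chain: INPUT
    - policy: DROP
    - save: True
    - require:
      - iptables: allow_lo
      - iptables: allow_established
      - iptables: allow_ssh_from_bastion
      - iptables: input_to_mgmt
      - iptables: allow_http
```

These states cover only the ipv4 family. A host with a global IPv6 address is still open over IPv6 until the same states are repeated with family: ipv6, as the ipv6 examples above do. Salt applies states in file order, but the require lists make the dependency on every ACCEPT rule explicit, so the policy change cannot be reordered ahead of them by a later refactor.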

Note

Whereas iptables will accept -p, --proto[c[o[l]]] as synonyms of --protocol, if --proto appears in an iptables command after the appearance of -m policy, it is interpreted as the --proto option of the policy extension (see the iptables-extensions(8) man page).

Example rules for IPSec policy:

accept_esp_in:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - source: 10.20.0.0/24
    - destination: 10.10.0.0/24
    - in-interface: eth0
    - match: policy
    - dir: in
    - pol: ipsec
    - reqid: 1
    - proto: esp
accept_esp_forward_in:
  iptables.append:
    - use:
      - iptables: accept_esp_in
    - chain: FORWARD

accept_esp_out:
  iptables.append:
    - table: filter
    - chain: OUTPUT
    - jump: ACCEPT
    - source: 10.10.0.0/24
    - destination: 10.20.0.0/24
    - out-interface: eth0
    - match: policy
    - dir: out
    - pol: ipsec
    - reqid: 1
    - proto: esp
accept_esp_forward_out:
  iptables.append:
    - use:
      - iptables: accept_esp_out
    - chain: FORWARD

Note

name is reserved for the Salt state name. To pass --name EXAMPLE to iptables, provide it with - name_: EXAMPLE.

Note

Various functions of the iptables module use the --check option. If the version of iptables on the target system does not include this option, an alternate version of this check will be performed using the output of iptables-save. This may have unintended consequences on legacy releases of iptables.

salt.states.iptables.append(name, table='filter', family='ipv4', **kwargs)

New in version 0.17.0.

Add a rule to the end of the specified chain. If the rule is already present anywhere in the chain, its position is not changed.

name

A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.

table

The table that owns the chain which should be modified

family

Network family, ipv4 or ipv6.

save

If set to a true value, the new iptables rules for the given family will be saved to a file.

If the value is True, rules are saved to an OS-dependent file that will be loaded during system startup, resulting in the firewall rule remaining active across reboots if possible.

Note that loading the iptables rules during system startup may require non-default packages to be installed. On Debian-derived systems, the iptables-persistent package is required.

If the value is a string, it is taken to be a filename to which the rules will be saved. Arranging for the rules to be loaded during system startup must be done separately.

All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).

Jump options that don't take arguments should be passed in with an empty string.

salt.states.iptables.chain_absent(name, table='filter', family='ipv4')

New in version 2014.1.0.

Verify the chain is absent.

table

The table to remove the chain from

family

Networking family, either ipv4 or ipv6

salt.states.iptables.chain_present(name, table='filter', family='ipv4')

New in version 2014.1.0.

Verify the chain exists.

name

A user-defined chain name.

table

The table to own the chain.

family

Networking family, either ipv4 or ipv6

salt.states.iptables.delete(name, table='filter', family='ipv4', **kwargs)

New in version 2014.1.0.

Delete a rule from a chain if present. If the rule is already absent, this is not an error and nothing is changed.

name

A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.

table

The table that owns the chain that should be modified

family

Networking family, either ipv4 or ipv6

save

If set to a true value, the new iptables rules for the given family will be saved to a file. See the append state for more details.

All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).

Jump options that don't take arguments should be passed in with an empty string.

salt.states.iptables.flush(name, table='filter', family='ipv4', **kwargs)

New in version 2014.1.0.

Flush current iptables state

table

The table that owns the chain that should be modified

family

Networking family, either ipv4 or ipv6

chain

The chain to be flushed. All the chains in the table if none is given.
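Retiring a user-defined chain, shown here as an added example that is not part of the Salt documentation (the chain MGMT and the state IDs are assumptions): iptables refuses to delete a chain that is non-empty or still referenced by a jump from another chain, so the jump is deleted first, the chain is flushed second, and only then is it removed with chain_absent.

```yaml
# Added example, not from the Salt docs: retire an assumed user-defined
# chain MGMT. iptables (-X) fails on a chain that is still referenced or
# non-empty, so remove the jump, flush the chain, then delete it.
remove_input_to_mgmt:
  iptables.delete:
    - table: filter
    - chain: INPUT
    - jump: MGMT
    - save: True

flush_mgmt:
  iptables.flush:
    - table: filter
    - chain: MGMT
    - require:
      - iptables: remove_input_to_mgmt

mgmt_chain_gone:
  iptables.chain_absent:
    - name: MGMT
    - table: filter
    - require:
      - iptables: flush_mgmt
```

The delete state must match the jump rule exactly as it was created (same table, chain and jump target, plus any match arguments), otherwise it silently finds nothing to remove and the later chain_absent fails because the chain is still referenced.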

salt.states.iptables.insert(name, table='filter', family='ipv4', **kwargs)

New in version 2014.1.0.

Insert a rule into a chain. If the rule is already present anywhere in the chain, its position is not changed.

name

A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.

table

The table that owns the chain that should be modified

family

Networking family, either ipv4 or ipv6

position

The numerical representation of where the rule should be inserted into the chain. Note that -1 is not a supported position value.

save

If set to a true value, the new iptables rules for the given family will be saved to a file. See the append state for more details.

All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate).

Jump options that don't take arguments should be passed in with an empty string.

salt.states.iptables.mod_aggregate(low, chunks, running)

Look up all rules in the available low chunks and merge them into a single rules ref in the present low data, so that the rules can be applied in one pass.

salt.states.iptables.set_policy(name, table='filter', family='ipv4', **kwargs)

New in version 2014.1.0.

Sets the default policy of a built-in chain in an iptables table. Only built-in chains (such as INPUT, FORWARD and OUTPUT) carry a policy; user-defined chains do not.

table

The table that owns the chain that should be modified

family

Networking family, either ipv4 or ipv6

chain

The built-in chain whose policy should be set, for example INPUT

policy

The requested policy for the chain, for example ACCEPT or DROP

save

If set to a true value, the new iptables rules for the given family will be saved to a file. See the append state for more details.