This is an iptables-specific module designed to manage Linux firewalls. It is
expected that this state module, and other system-specific firewall states, may
at some point be deprecated in favor of a more generic firewall state.
.. code-block:: yaml

    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

.. code-block:: yaml

    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match:
            - state
            - comment
        - comment: "Allow HTTP"
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

.. code-block:: yaml

    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match:
            - state
            - comment
        - comment: "Allow HTTP"
        - connstate: NEW
        - source: '127.0.0.1'
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True
Inverted rule (either the ``!`` prefix or the ``not`` prefix negates the match):

.. code-block:: yaml

    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match:
            - state
            - comment
        - comment: "Allow HTTP"
        - connstate: NEW
        - source: '! 127.0.0.1'
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

.. code-block:: yaml

    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match:
            - state
            - comment
        - comment: "Allow HTTP"
        - connstate: NEW
        - source: 'not 127.0.0.1'
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True
.. code-block:: yaml

    httpd:
      iptables.append:
        - table: filter
        - family: ipv6
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

.. code-block:: yaml

    httpd:
      iptables.append:
        - table: filter
        - family: ipv4
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dports:
            - 80
            - 443
        - protocol: tcp
        - sport: 1025:65535
        - save: True
.. code-block:: yaml

    httpd:
      iptables.insert:
        - position: 1
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

.. code-block:: yaml

    httpd:
      iptables.insert:
        - position: 1
        - table: filter
        - family: ipv6
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True
.. code-block:: yaml

    httpd:
      iptables.delete:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

.. code-block:: yaml

    httpd:
      iptables.delete:
        - position: 1
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

.. code-block:: yaml

    httpd:
      iptables.delete:
        - table: filter
        - family: ipv6
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True
.. code-block:: yaml

    default to accept:
      iptables.set_policy:
        - chain: INPUT
        - policy: ACCEPT
.. note::

    Whereas iptables will accept ``-p``, ``--proto[c[o[l]]]`` as synonyms of
    ``--protocol``, if ``--proto`` appears in an iptables command after the
    appearance of ``-m policy``, it is interpreted as the ``--proto`` option of
    the policy extension (see the iptables-extensions(8) man page).
Example rules for IPSec policy:
.. code-block:: yaml

    accept_esp_in:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - source: 10.20.0.0/24
        - destination: 10.10.0.0/24
        - in-interface: eth0
        - match: policy
        - dir: in
        - pol: ipsec
        - reqid: 1
        - proto: esp

    accept_esp_forward_in:
      iptables.append:
        - use:
            - iptables: accept_esp_in
        - chain: FORWARD

    accept_esp_out:
      iptables.append:
        - table: filter
        - chain: OUTPUT
        - jump: ACCEPT
        - source: 10.10.0.0/24
        - destination: 10.20.0.0/24
        - out-interface: eth0
        - match: policy
        - dir: out
        - pol: ipsec
        - reqid: 1
        - proto: esp

    accept_esp_forward_out:
      iptables.append:
        - use:
            - iptables: accept_esp_out
        - chain: FORWARD
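To make the conventions used in the state examples above concrete, here is an added illustration (not Salt's own ``iptables.build_rule``) that turns the ``- key: value`` argument list of a state into the argv iptables would receive. It applies the rules the page documents: ``connstate`` becomes ``--state``, ``match`` may be a string or a list, a ``dports`` list uses the multiport extension, ``! x`` and ``not x`` negate a match, ``family: ipv6`` selects ``ip6tables``, and extension options such as ``proto`` are emitted after their ``-m``, which is why ``proto: esp`` is read as the policy extension's ``--proto``.

```python
# Added illustration, not Salt's build_rule: render an iptables state's
# argument list (single-key dicts, as written in the YAML) into argv.

def _negate(value):
    """Split '! 127.0.0.1' or 'not 127.0.0.1' into (True, '127.0.0.1')."""
    text = str(value).strip()
    for prefix in ("! ", "not "):
        if text.startswith(prefix):
            return True, text[len(prefix):]
    return False, text

def build_rule(args, family="ipv4", command="-A"):
    """args: list of single-key dicts from the state; command is -A, -I or -D."""
    opts = {}
    for item in args:
        opts.update(item)
    argv = ["ip6tables" if family == "ipv6" else "iptables",
            "-t", opts.pop("table", "filter"), command, opts.pop("chain")]
    if command == "-I":  # insert takes a 1-based position right after the chain
        argv.append(str(opts.pop("position")))
    jump = opts.pop("jump", None)
    opts.pop("save", None)  # 'save' is a state option, not an iptables flag
    matches = opts.pop("match", [])
    matches = [matches] if isinstance(matches, str) else list(matches)
    # Core matches use short flags and may be negated with a leading '!'.
    for key, flag in (("protocol", "-p"), ("source", "-s"), ("destination", "-d"),
                      ("in-interface", "-i"), ("out-interface", "-o")):
        if key in opts:
            negated, value = _negate(opts.pop(key))
            argv += (["!"] if negated else []) + [flag, value]
    if "dports" in opts:  # several destination ports need the multiport extension
        matches.append("multiport")
        opts["dports"] = ",".join(str(p) for p in opts.pop("dports"))
    for match in matches:
        argv += ["-m", match]
    # Everything left is an extension option and follows its -m; this is why
    # 'proto: esp' lands after '-m policy' and is parsed as the policy --proto.
    for key, value in opts.items():
        argv += ["--" + ("state" if key == "connstate" else key), str(value)]
    if jump is not None:
        argv += ["-j", jump]
    return argv
```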
.. note::

    Various functions of the iptables module use the ``--check`` option. If
    the version of iptables on the target system does not include this
    option, an alternate version of this check will be performed using the
    output of iptables-save. This may have unintended consequences on legacy
    releases of iptables.
salt.states.iptables.append(name, table='filter', family='ipv4', **kwargs)

    New in version 0.17.0.

    Add a rule to the end of the specified chain.

    name
        A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.

    table
        The table that owns the chain which should be modified

    family
        Network family, ipv4 or ipv6.

    All other arguments are passed in with the same name as the long option
    that would normally be used for iptables, with one exception: ``--state``
    is specified as ``connstate`` instead of ``state`` (not to be confused
    with ``ctstate``).

    Jump options that don't take arguments should be passed in with an empty string.
salt.states.iptables.chain_absent(name, table='filter', family='ipv4')

    New in version 2014.1.0.

    Verify the chain is absent.

    table
        The table to remove the chain from

    family
        Networking family, either ipv4 or ipv6
salt.states.iptables.chain_present(name, table='filter', family='ipv4')

    New in version 2014.1.0.

    Verify the chain exists.

    name
        A user-defined chain name.

    table
        The table to own the chain.

    family
        Networking family, either ipv4 or ipv6
salt.states.iptables.delete(name, table='filter', family='ipv4', **kwargs)

    New in version 2014.1.0.

    Delete a rule from a chain.

    name
        A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.

    table
        The table that owns the chain that should be modified

    family
        Networking family, either ipv4 or ipv6

    All other arguments are passed in with the same name as the long option
    that would normally be used for iptables, with one exception: ``--state``
    is specified as ``connstate`` instead of ``state`` (not to be confused
    with ``ctstate``).

    Jump options that don't take arguments should be passed in with an empty string.
salt.states.iptables.flush(name, table='filter', family='ipv4', **kwargs)

    New in version 2014.1.0.

    Flush current iptables state.

    table
        The table that owns the chain that should be modified

    family
        Networking family, either ipv4 or ipv6
salt.states.iptables.insert(name, table='filter', family='ipv4', **kwargs)

    New in version 2014.1.0.

    Insert a rule into a chain.

    name
        A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.

    table
        The table that owns the chain that should be modified

    family
        Networking family, either ipv4 or ipv6

    position
        The numerical representation of where the rule should be inserted into
        the chain. Note that ``-1`` is not a supported position value.

    All other arguments are passed in with the same name as the long option
    that would normally be used for iptables, with one exception: ``--state``
    is specified as ``connstate`` instead of ``state`` (not to be confused
    with ``ctstate``).

    Jump options that don't take arguments should be passed in with an empty string.
salt.states.iptables.mod_aggregate(low, chunks, running)

    The mod_aggregate function, which looks up all rules in the available low
    chunks and merges them into a single rules ref in the present low data.
salt.states.iptables.set_policy(name, table='filter', family='ipv4', **kwargs)

    New in version 2014.1.0.

    Sets the default policy for iptables firewall tables.

    table
        The table that owns the chain that should be modified

    family
        Networking family, either ipv4 or ipv6

    policy
        The requested table policy