iptables-formula's Issues

Delete function is missing

It would be a great feature to have the iptables.delete function integrated. You can't delete old firewall entries with this formula, yet.

[BUG] enable_reject_policy does not save changes to file rules.v4

Your setup

Formula commit hash / release tag

commit 0e5ad0eb7a7b955414363a0abdb05fd484fd0bcc

Different from the last commit only by:

commit df5e9f3a53cae819cade8d01be6e12e5b3d6aaa4 (HEAD -> master, tag: v0.17.2, origin/master, origin/HEAD)
"* **debian:** ensure `netbase` package is installed "

Versions reports (master & minion)

Master:

Salt Version:
           Salt: 3000

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.7.3
      docker-py: Not Installed
           Mako: Not Installed
      pycparser: 2.19
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: 0.27.4
         Python: 3.7.3 (default, Dec 20 2019, 18:57:59)
   python-gnupg: Not Installed
          PyZMQ: 17.1.2
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.3.1

System Versions:
           dist: debian 10.3
         locale: UTF-8
        machine: i686
        release: 4.19.0-8-686-pae
         system: Linux
        version: debian 10.3

Minion:

Salt Version:
           Salt: 2018.3.4

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: 2.7.3
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.10
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: 3.6.1
         pygit2: Not Installed
         Python: 3.7.3 (default, Dec 20 2019, 18:57:59)
   python-gnupg: Not Installed
         PyYAML: 3.13
          PyZMQ: 17.1.2
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.5.3
            ZMQ: 4.3.1

System Versions:
           dist: debian 10.3
         locale: UTF-8
        machine: i686
        release: 4.19.0-8-686
         system: Linux
        version: debian 10.3

Pillar / config used

firewall:
  install: True
  enabled: True
  strict: True
  use_tables: True
  ipv6: False

Bug details

Describe the bug

Problem in the iptables.set_policy state: it does not automatically save changes to the file /etc/iptables/rules.v4,
and it resets to the default after a reboot.

Steps to reproduce the bug

pillar.sls:

firewall:
  install: True
  enabled: True
  strict: True
  use_tables: True
  ipv6: False

On client:

Before:

root@eeebox1test:~# iptables -L -v -n
Chain INPUT (policy ACCEPT 775 packets, 83519 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
  985  209K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1134 packets, 155K bytes)
 pkts bytes target     prot opt in     out     source               destination

root@eeebox1test:~# cat /etc/iptables/rules.v4
# Generated by xtables-save v1.8.2 on Wed Apr 15 21:27:26 2020
*filter
:INPUT ACCEPT [13:902]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [138:20324]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Apr 15 21:27:26 2020

Run:

root@eeebox1test:~# salt-call -l debug state.apply iptables
[DEBUG   ] Reading configuration from /etc/salt/minion
[DEBUG   ] Including configuration from '/etc/salt/minion.d/_schedule.conf'
[DEBUG   ] Reading configuration from /etc/salt/minion.d/_schedule.conf
[DEBUG   ] Including configuration from '/etc/salt/minion.d/master.conf'
[DEBUG   ] Reading configuration from /etc/salt/minion.d/master.conf
[DEBUG   ] Using cached minion ID from /etc/salt/minion_id: eeebox1test
[DEBUG   ] Configuration file path: /etc/salt/minion
[WARNING ] Insecure logging configuration detected! Sensitive data may be logged.
[DEBUG   ] Grains refresh requested. Refreshing grains.
[DEBUG   ] Reading configuration from /etc/salt/minion
[DEBUG   ] Including configuration from '/etc/salt/minion.d/_schedule.conf'
[DEBUG   ] Reading configuration from /etc/salt/minion.d/_schedule.conf
[DEBUG   ] Including configuration from '/etc/salt/minion.d/master.conf'
[DEBUG   ] Reading configuration from /etc/salt/minion.d/master.conf
[DEBUG   ] Please install 'virt-what' to improve results of the 'virtual' grain.
[DEBUG   ] Connecting to master. Attempt 1 of 1
[DEBUG   ] Master URI: tcp://192.168.1.10:4506
[DEBUG   ] Initializing new AsyncAuth for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506')
[DEBUG   ] Generated random reconnect delay between '1000ms' and '11000ms' (10839)
[DEBUG   ] Setting zmq_reconnect_ivl to '10839ms'
[DEBUG   ] Setting zmq_reconnect_ivl_max to '11000ms'
[DEBUG   ] Initializing new AsyncZeroMQReqChannel for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506', 'clear')
[DEBUG   ] Connecting the Minion to the Master URI (for the return server): tcp://192.168.1.10:4506
[DEBUG   ] Trying to connect to: tcp://192.168.1.10:4506
[DEBUG   ] salt.crypt.get_rsa_pub_key: Loading public key
[DEBUG   ] Decrypting the current master AES key
[DEBUG   ] salt.crypt.get_rsa_key: Loading private key
[DEBUG   ] salt.crypt._get_key_with_evict: Loading private key
[DEBUG   ] Loaded minion key: /var/lib/salt/pki/minion/minion.pem
[DEBUG   ] salt.crypt.get_rsa_pub_key: Loading public key
[DEBUG   ] Connecting the Minion to the Master publish port, using the URI: tcp://192.168.1.10:4505
[DEBUG   ] salt.crypt.get_rsa_key: Loading private key
[DEBUG   ] Loaded minion key: /var/lib/salt/pki/minion/minion.pem
[DEBUG   ] Determining pillar cache
[DEBUG   ] Initializing new AsyncZeroMQReqChannel for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506', 'aes')
[DEBUG   ] Initializing new AsyncAuth for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506')
[DEBUG   ] Connecting the Minion to the Master URI (for the return server): tcp://192.168.1.10:4506
[DEBUG   ] Trying to connect to: tcp://192.168.1.10:4506
[DEBUG   ] salt.crypt.get_rsa_key: Loading private key
[DEBUG   ] Loaded minion key: /var/lib/salt/pki/minion/minion.pem
[DEBUG   ] LazyLoaded jinja.render
[DEBUG   ] LazyLoaded yaml.render
[DEBUG   ] LazyLoaded state.apply
[DEBUG   ] LazyLoaded saltutil.is_running
[DEBUG   ] LazyLoaded grains.get
[DEBUG   ] LazyLoaded config.get
[DEBUG   ] Initializing new AsyncZeroMQReqChannel for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506', 'aes')
[DEBUG   ] Initializing new AsyncAuth for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506')
[DEBUG   ] Connecting the Minion to the Master URI (for the return server): tcp://192.168.1.10:4506
[DEBUG   ] Trying to connect to: tcp://192.168.1.10:4506
[DEBUG   ] Gathering pillar data for state run
[DEBUG   ] Finished gathering pillar data for state run
[INFO    ] Loading fresh modules for state activity
[DEBUG   ] LazyLoaded jinja.render
[DEBUG   ] LazyLoaded yaml.render
[DEBUG   ] Could not find file 'salt://iptables.sls' in saltenv 'base'
[DEBUG   ] In saltenv 'base', looking at rel_path 'iptables/init.sls' to resolve 'salt://iptables/init.sls'
[DEBUG   ] In saltenv 'base', ** considering ** path '/var/cache/salt/minion/files/base/iptables/init.sls' to resolve 'salt://iptables/init.sls'
[DEBUG   ] compile template: /var/cache/salt/minion/files/base/iptables/init.sls
[DEBUG   ] Jinja search path: ['/var/cache/salt/minion/files/base']
[DEBUG   ] Initializing new AsyncZeroMQReqChannel for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506', 'aes')
[DEBUG   ] Initializing new AsyncAuth for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506')
[DEBUG   ] Connecting the Minion to the Master URI (for the return server): tcp://192.168.1.10:4506
[DEBUG   ] Trying to connect to: tcp://192.168.1.10:4506
[DEBUG   ] In saltenv 'base', looking at rel_path 'iptables/map.jinja' to resolve 'salt://iptables/map.jinja'
[DEBUG   ] In saltenv 'base', ** considering ** path '/var/cache/salt/minion/files/base/iptables/map.jinja' to resolve 'salt://iptables/map.jinja'
[DEBUG   ] In saltenv 'base', looking at rel_path 'iptables/defaults.yaml' to resolve 'salt://iptables/defaults.yaml'
[DEBUG   ] In saltenv 'base', ** considering ** path '/var/cache/salt/minion/files/base/iptables/defaults.yaml' to resolve 'salt://iptables/defaults.yaml'
[DEBUG   ] In saltenv 'base', looking at rel_path 'iptables/osfamilymap.yaml' to resolve 'salt://iptables/osfamilymap.yaml'
[DEBUG   ] In saltenv 'base', ** considering ** path '/var/cache/salt/minion/files/base/iptables/osfamilymap.yaml' to resolve 'salt://iptables/osfamilymap.yaml'
[DEBUG   ] LazyLoaded grains.filter_by
[DEBUG   ] LazyLoaded pillar.get
[PROFILE ] Time (in seconds) to render '/var/cache/salt/minion/files/base/iptables/init.sls' using 'jinja' renderer: 0.2414865493774414
[DEBUG   ] Rendered data from file: /var/cache/salt/minion/files/base/iptables/init.sls:
# -*- coding: utf-8 -*-
# vim: ft=sls

# Firewall management module
# Install required packages for firewalling
iptables_packages:
  pkg.installed:
    - pkgs:
      - iptables
      - iptables-persistent
# If the firewall is set to strict mode, we'll need to allow some
# that always need access to anything
iptables_allow_localhost:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - source: 127.0.0.1
    - save: True

# Allow related/established sessions
iptables_allow_established:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: conntrack
    - ctstate: 'RELATED,ESTABLISHED'
    - save: True

# Set the policy to deny everything unless defined
enable_reject_policy:
  iptables.set_policy:
    - table: filter
    - chain: INPUT
    - policy: DROP
    - require:
      - iptables: iptables_allow_localhost
      - iptables: iptables_allow_established

[DEBUG   ] Results of YAML rendering:
OrderedDict([('iptables_packages', OrderedDict([('pkg.installed', [OrderedDict([('pkgs', ['iptables', 'iptables-persistent'])])])])), ('iptables_allow_localhost', OrderedDict([('iptables.append', [OrderedDict([('table', 'filter')]), OrderedDict([('chain', 'INPUT')]), OrderedDict([('jump', 'ACCEPT')]), OrderedDict([('source', '127.0.0.1')]), OrderedDict([('save', True)])])])), ('iptables_allow_established', OrderedDict([('iptables.append', [OrderedDict([('table', 'filter')]), OrderedDict([('chain', 'INPUT')]), OrderedDict([('jump', 'ACCEPT')]), OrderedDict([('match', 'conntrack')]), OrderedDict([('ctstate', 'RELATED,ESTABLISHED')]), OrderedDict([('save', True)])])])), ('enable_reject_policy', OrderedDict([('iptables.set_policy', [OrderedDict([('table', 'filter')]), OrderedDict([('chain', 'INPUT')]), OrderedDict([('policy', 'DROP')]), OrderedDict([('require', [OrderedDict([('iptables', 'iptables_allow_localhost')]), OrderedDict([('iptables', 'iptables_allow_established')])])])])]))])
[PROFILE ] Time (in seconds) to render '/var/cache/salt/minion/files/base/iptables/init.sls' using 'yaml' renderer: 0.03357863426208496
[DEBUG   ] LazyLoaded config.option
[DEBUG   ] LazyLoaded pkg.install
[DEBUG   ] LazyLoaded pkg.installed
[WARNING ] /usr/lib/python3/dist-packages/salt/utils/decorators/signature.py:31: DeprecationWarning: `formatargspec` is deprecated since Python 3.5. Use `signature` and the `Signature` object directly
  *salt.utils.args.get_function_argspec(original_function)

[WARNING ] /usr/lib/python3/dist-packages/salt/utils/path.py:265: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working
  if not isinstance(exes, collections.Iterable):

[WARNING ] /usr/lib/python3/dist-packages/salt/utils/decorators/signature.py:31: DeprecationWarning: `formatargspec` is deprecated since Python 3.5. Use `signature` and the `Signature` object directly
  *salt.utils.args.get_function_argspec(original_function)

[DEBUG   ] LazyLoaded systemd.booted
[DEBUG   ] DSC: Only available on Windows systems
[DEBUG   ] Module PSGet: Only available on Windows systems
[DEBUG   ] LazyLoaded platform.is_windows
[DEBUG   ] Could not LazyLoad pkg.ex_mod_init: 'pkg.ex_mod_init' is not available.
[INFO    ] Running state [iptables_packages] at time 09:53:26.121972
[INFO    ] Executing state pkg.installed for [iptables_packages]
[DEBUG   ] Could not LazyLoad pkg.resolve_capabilities: 'pkg.resolve_capabilities' is not available.
[INFO    ] Executing command ['dpkg-query', '--showformat', '${Status} ${Package} ${Version} ${Architecture}', '-W'] in directory '/root'
[DEBUG   ] Could not LazyLoad pkg.normalize_name: 'pkg.normalize_name' is not available.
[INFO    ] All specified packages are already installed
[INFO    ] Completed state [iptables_packages] at time 09:53:26.817299 (duration_in_ms=695.327)
[DEBUG   ] LazyLoaded iptables.append
[INFO    ] Running state [iptables_allow_localhost] at time 09:53:26.819312
[INFO    ] Executing state iptables.append for [iptables_allow_localhost]
[INFO    ] Executing command '/usr/sbin/iptables-save' in directory '/root'
[DEBUG   ] stdout: # Generated by xtables-save v1.8.2 on Thu Apr 16 09:53:26 2020
*filter
:INPUT ACCEPT [780:84138]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2038:265848]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 16 09:53:26 2020
[DEBUG   ] output: # Generated by xtables-save v1.8.2 on Thu Apr 16 09:53:26 2020
*filter
:INPUT ACCEPT [780:84138]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2038:265848]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 16 09:53:26 2020
[INFO    ] iptables rule for iptables_allow_localhost already set (/usr/sbin/iptables --wait -t filter -A INPUT  --source 127.0.0.1 --jump ACCEPT) for ipv4
[INFO    ] Completed state [iptables_allow_localhost] at time 09:53:26.872745 (duration_in_ms=53.432)
[INFO    ] Running state [iptables_allow_established] at time 09:53:26.873554
[INFO    ] Executing state iptables.append for [iptables_allow_established]
[INFO    ] Executing command '/usr/sbin/iptables-save' in directory '/root'
[DEBUG   ] stdout: # Generated by xtables-save v1.8.2 on Thu Apr 16 09:53:26 2020
*filter
:INPUT ACCEPT [780:84138]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2049:267828]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 16 09:53:26 2020
[DEBUG   ] output: # Generated by xtables-save v1.8.2 on Thu Apr 16 09:53:26 2020
*filter
:INPUT ACCEPT [780:84138]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2049:267828]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 16 09:53:26 2020
[INFO    ] iptables rule for iptables_allow_established already set (/usr/sbin/iptables --wait -t filter -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT) for ipv4
[INFO    ] Completed state [iptables_allow_established] at time 09:53:26.925164 (duration_in_ms=51.608)
[INFO    ] Running state [enable_reject_policy] at time 09:53:26.926718
[INFO    ] Executing state iptables.set_policy for [enable_reject_policy]
[INFO    ] Executing command '/usr/sbin/iptables-save' in directory '/root'
[DEBUG   ] stdout: # Generated by xtables-save v1.8.2 on Thu Apr 16 09:53:26 2020
*filter
:INPUT ACCEPT [780:84138]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2060:269816]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 16 09:53:26 2020
[DEBUG   ] output: # Generated by xtables-save v1.8.2 on Thu Apr 16 09:53:26 2020
*filter
:INPUT ACCEPT [780:84138]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2060:269816]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 16 09:53:26 2020
[INFO    ] Executing command '/usr/sbin/iptables --wait -t filter -P INPUT DROP' in directory '/root'
[DEBUG   ] output:
[INFO    ] {'locale': 'enable_reject_policy'}
[INFO    ] Completed state [enable_reject_policy] at time 09:53:26.957670 (duration_in_ms=30.95)
[DEBUG   ] File /var/cache/salt/minion/accumulator/3008306028 does not exist, no need to cleanup
[DEBUG   ] LazyLoaded state.check_result
[DEBUG   ] Initializing new AsyncZeroMQReqChannel for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506', 'aes')
[DEBUG   ] Initializing new AsyncAuth for ('/var/lib/salt/pki/minion', 'eeebox1test', 'tcp://192.168.1.10:4506')
[DEBUG   ] Connecting the Minion to the Master URI (for the return server): tcp://192.168.1.10:4506
[DEBUG   ] Trying to connect to: tcp://192.168.1.10:4506
[DEBUG   ] LazyLoaded highstate.output
[DEBUG   ] LazyLoaded nested.output
local:
----------
          ID: iptables_packages
    Function: pkg.installed
      Result: True
     Comment: All specified packages are already installed
     Started: 09:53:26.121972
    Duration: 695.327 ms
     Changes:
----------
          ID: iptables_allow_localhost
    Function: iptables.append
      Result: True
     Comment: iptables rule for iptables_allow_localhost already set (/usr/sbin/iptables --wait -t filter -A INPUT  --source 127.0.0.1 --jump ACCEPT) for ipv4
     Started: 09:53:26.819313
    Duration: 53.432 ms
     Changes:
----------
          ID: iptables_allow_established
    Function: iptables.append
      Result: True
     Comment: iptables rule for iptables_allow_established already set (/usr/sbin/iptables --wait -t filter -A INPUT  -m conntrack --ctstate RELATED,ESTABLISHED --jump ACCEPT) for ipv4
     Started: 09:53:26.873556
    Duration: 51.608 ms
     Changes:
----------
          ID: enable_reject_policy
    Function: iptables.set_policy
      Result: True
     Comment: Set default policy for INPUT to DROP family ipv4
     Started: 09:53:26.926720
    Duration: 30.95 ms
     Changes:
              ----------
              locale:
                  enable_reject_policy

Summary for local
------------
Succeeded: 4 (changed=1)
Failed:    0
------------
Total states run:     4
Total run time: 831.317 ms
root@eeebox1test:~#

Check:

root@eeebox1test:~# cat /etc/iptables/rules.v4
# Generated by xtables-save v1.8.2 on Wed Apr 15 21:27:26 2020
*filter
:INPUT ACCEPT [13:902]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [138:20324]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT


root@eeebox1test:~# iptables -L -v -n
Chain INPUT (policy DROP 776 packets, 83767 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
 1252  260K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1357 packets, 183K bytes)
 pkts bytes target     prot opt in     out     source               destination

So if the server reboots, the INPUT policy goes back to ACCEPT.

Expected behaviour

After iptables.set_policy, it needs to save the changes to the file.

Attempts to fix the bug

To save the changes, you need to run:

root@eeebox1test:~# salt-call iptables.save
[WARNING ] /usr/lib/python3/dist-packages/salt/modules/file.py:32: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated, and in 3.8 it will stop working
  from collections import Iterable, Mapping

local:
   Wrote 1 lines to "/etc/iptables/rules.v4"

And now it is saved correctly.

root@eeebox1test:~# iptables -L -v -n
Chain INPUT (policy DROP 777 packets, 83799 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
 1388  278K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1473 packets, 197K bytes)
 pkts bytes target     prot opt in     out     source               destination

root@eeebox1test:~# cat /etc/iptables/rules.v4
# Generated by xtables-save v1.8.2 on Thu Apr 16 09:49:45 2020
*filter
:INPUT DROP [777:83799]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1448:194307]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Thu Apr 16 09:49:45 2020

Additional context
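A drift check for the problem described in this report, added here as an example and not part of iptables-formula: it parses iptables-save output (the format of /etc/iptables/rules.v4) and lists where the persisted file differs from the running ruleset, which after the state run above is the INPUT policy. The two rulesets are constructed from the outputs quoted in the report; `check_host` and its default path are assumptions.

```python
import subprocess
from dataclasses import dataclass, field

# Constructed from the report: the live ruleset after iptables.set_policy ran
# (INPUT is DROP) and the file that iptables-persistent restores on reboot.
RUNNING = """\
*filter
:INPUT DROP [780:84138]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2060:269816]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
PERSISTED = """\
# Generated by xtables-save v1.8.2 on Wed Apr 15 21:27:26 2020
*filter
:INPUT ACCEPT [13:902]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [138:20324]
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

@dataclass
class Table:
    policies: dict = field(default_factory=dict)  # chain -> policy ("-" for user chains)
    rules: list = field(default_factory=list)     # "-A ..." lines, in order

def parse_iptables_save(text):
    """Parse iptables-save text into {table: Table}; the [pkts:bytes]
    counters are discarded because they change on every dump."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], Table())
        elif current is None:
            raise ValueError(f"line outside a table block: {line!r}")
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            current.policies[chain] = policy
        elif line.startswith("-A "):
            current.rules.append(line)
        elif line == "COMMIT":
            current = None
        else:
            raise ValueError(f"unexpected iptables-save line: {line!r}")
    return tables

def find_drift(running_text, persisted_text):
    """Return human-readable differences; an empty list means the persisted
    file would restore exactly the running ruleset."""
    running, persisted = parse_iptables_save(running_text), parse_iptables_save(persisted_text)
    drift = []
    for table in sorted(set(running) | set(persisted)):
        run, per = running.get(table, Table()), persisted.get(table, Table())
        for chain in sorted(set(run.policies) | set(per.policies)):
            rp, pp = run.policies.get(chain, "<missing>"), per.policies.get(chain, "<missing>")
            if rp != pp:
                drift.append(f"{table}/{chain}: policy running={rp} persisted={pp}")
        drift += [f"{table}: rule not persisted: {r}" for r in run.rules if r not in per.rules]
        drift += [f"{table}: persisted rule not running: {r}" for r in per.rules if r not in run.rules]
    return drift

def check_host(rules_file="/etc/iptables/rules.v4"):
    """Compare this host's live ruleset with its persisted file (needs root)."""
    live = subprocess.run(["iptables-save"], check=True, capture_output=True, text=True).stdout
    with open(rules_file) as fh:
        return find_drift(live, fh.read())

if __name__ == "__main__":
    print("\n".join(find_drift(RUNNING, PERSISTED)) or "no drift")
```

Running `check_host()` after a highstate makes the missing `iptables.save` visible before the next reboot does.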

Add icmp protocol support

Hello,
It would be great to be able to configure icmp using this formula.

Could do something like:

firewall:
  enabled: True
  icmp:
    ips_allow: 10.0.0.0/8
    type:
      - echo-request
      - echo-reply

Thoughts?

Formula generates always "changed" states

When I use the simplest config from the readme, iptables rules are always appended and therefore always in the "changed" state. Is this the intended behavior, or can it be customized?

firewall:
  install: True
  enabled: True
  strict: True
  services:
    ssh:
      block_nomatch: False
      ips_allow:
        - 192.168.0.0/24

Versions report is

           Salt: 2014.7.1
         Python: 2.6.6 (r266:84292, Aug 12 2014, 07:57:07)
         Jinja2: 2.6
       M2Crypto: 0.20.1
 msgpack-python: 0.1.10
   msgpack-pure: Not Installed
       pycrypto: 2.1.0
        libnacl: Not Installed
         PyYAML: 3.09
          ioflo: Not Installed
          PyZMQ: 13.1.0
           RAET: Not Installed
            ZMQ: 3.2.3
           Mako: 0.7.0

OS is Debian squeeze.

Remove firewalld

I'd recommend, at least optionally via a pillar, being able to remove firewalld for e.g. CentOS/RHEL 7+:

  1. It'll avoid runtime conflicts
  2. iptables offers more flexible rulesets
  3. firewalld is trash

You may also want to do the same for UFW for Ubuntu-based systems -- though it's not the system default, it can also cause runtime conflicts.

minion pillar bug on Salt 2016.11.5

On 2016.11.5:

# salt 'ceetah1-staging' pillar.get firewall
ceetah1-staging:
    ----------

pillar.items returns the correct pillar data. pillar.get worked on some of my other data. So, that's why I'm reporting here.

On 2016.11.6:

# salt 'ceetah1-staging' pillar.get firewall
ceetah1-staging:
    ----------
    enabled:
        True
    install:
        True
    services:
        ----------
        ssh:
            ----------
            block_nomatch:
                False
            ips_allows:
                - 192.168.1.0/24
            protos:
                - tcp
    strict:
        True
    whitelist:
        ----------
        networks:
            ----------
            ips_allow:
                - 192.168.1.0/24

[BUG] Order of chain creation unintuitive

Your setup

Formula commit hash / release tag

Versions reports (master & minion)

Pillar / config used


Bug details

Describe the bug

Currently the creation of the chains is done in tandem with its rules.
On top of that, it is alphabetically sorted on chain name, which requires using prefixes on chain names like "AA" or numbering.
This is inflexible with other tooling like sshguard.

Steps to reproduce the bug

firewall:
  filter:
    sshguard:
      policy: ACCEPT
      rules: {}
    INPUT:
      rules:
        01_sshguard:
          protocol: tcp
          dport: 22
          jump: sshguard

Would result in:

----------
          ID: rule_filter_INPUT_01_sshguard
    Function: iptables.append
      Result: False
     Comment: Failed to set iptables rule for rule_filter_INPUT_01_sshguard.
              Attempted rule was /sbin/iptables --wait -t filter -A INPUT  -p tcp --dport 22 --jump sshguard for ipv4
     Started: 14:54:39.433678
    Duration: 266.473 ms
     Changes: 

As the "s" gets sorted after "I".

Expected behaviour

A more expected pattern would be that the pillar is merged and the order of inclusion is maintained.

Attempts to fix the bug

The fix from https://github.com/mgomersbach/iptables-formula/tree/fix-chain-creation-order changes the order of chain creation to the pillar inclusion order and separates the loop of the rules so they can jump to other chains.

Additional context
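The two-phase ordering that the linked branch describes, as an added example that is not the formula's own code: every user chain is created first, then rules are appended in pillar order, so the INPUT rule can jump to sshguard whatever the sort order of the names, and a jump to a chain that does not exist is rejected before anything is applied. The pillar dict is constructed from the "Steps to reproduce" above; BUILTIN_CHAINS, STANDARD_TARGETS and the OPTION_FLAGS key mapping are assumptions.

```python
# Constructed from the report's pillar; dict order is pillar order, with the
# user chain listed before INPUT exactly as in the issue.
PILLAR = {
    "filter": {
        "sshguard": {"policy": "ACCEPT", "rules": {}},
        "INPUT": {"rules": {"01_sshguard": {"protocol": "tcp", "dport": 22, "jump": "sshguard"}}},
    }
}
# Assumed: built-in chains per table (only these take -P) and common standard targets.
BUILTIN_CHAINS = {"filter": {"INPUT", "FORWARD", "OUTPUT"},
                  "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"}}
STANDARD_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}
# Assumed mapping of pillar rule keys to iptables options (a subset of what the formula accepts).
OPTION_FLAGS = {"protocol": "-p", "source": "-s", "destination": "-d", "in_interface": "-i",
                "dport": "--dport", "sport": "--sport", "jump": "-j"}

def rule_args(rule):
    """Translate one pillar rule into iptables arguments, rejecting unknown keys."""
    unknown = set(rule) - set(OPTION_FLAGS)
    if unknown:
        raise ValueError(f"unsupported rule keys: {sorted(unknown)}")
    args = []
    for key, flag in OPTION_FLAGS.items():
        if key in rule:
            args += [flag, str(rule[key])]
    return args

def plan_commands(pillar):
    """Return iptables command lines in a safe order: phase 1 creates every user
    chain and sets built-in policies, phase 2 appends rules in pillar order.
    A jump to a chain that is neither built-in, a standard target, nor defined
    in the table is rejected up front instead of failing half-way through a run."""
    phase1, phase2 = [], []
    for table, chains in pillar.items():
        builtins = BUILTIN_CHAINS.get(table, set())
        known = builtins | set(chains) | STANDARD_TARGETS
        for chain, spec in chains.items():
            if chain not in builtins:
                # User chains have no policy in iptables, so any pillar "policy" is ignored here.
                phase1.append(f"iptables -t {table} -N {chain}")
            elif "policy" in spec:
                phase1.append(f"iptables -t {table} -P {chain} {spec['policy']}")
            for name, rule in spec.get("rules", {}).items():
                target = rule.get("jump")
                if target is not None and target not in known:
                    raise ValueError(f"{table}/{chain} rule {name} jumps to undefined chain {target!r}")
                phase2.append(f"iptables -t {table} -A {chain} " + " ".join(rule_args(rule)))
    return phase1 + phase2

if __name__ == "__main__":
    print("\n".join(plan_commands(PILLAR)))
```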
