iptables formula

Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a target, which may be a jump to a user-defined chain in the same table.

Sample pillars

Most common rules: allow traffic on localhost, accept RELATED,ESTABLISHED connections and ping

parameters:
  iptables:
    service:
      enabled: True
      chain:
        INPUT:
          rules:
            - in_interface: lo
              jump: ACCEPT
            - connection_state: RELATED,ESTABLISHED
              match: state
              jump: ACCEPT
            - protocol: icmp
              jump: ACCEPT

Accept connections on port 22

parameters:
  iptables:
    service:
      chain:
        INPUT:
          rules:
            - destination_port: 22
              protocol: tcp
              jump: ACCEPT

Set drop policy on INPUT chain:

parameters:
  iptables:
    service:
      chain:
        INPUT:
          policy: DROP

Redirect privileged port 443 to 8081

parameters:
  iptables:
    service:
      chain:
        PREROUTING:
          rules:
            - table: nat
              protocol: tcp
              destination_port: 443
              to_port: 8081
              jump: REDIRECT

Allow access from local network

parameters:
  iptables:
    service:
      chain:
        INPUT:
          rules:
            - protocol: tcp
              destination_port: 22
              source_network: 192.168.1.0/24
              jump: ACCEPT
              comment: Blah

Support logging with custom prefix and log level

parameters:
  iptables:
    service:
      chain:
        POSTROUTING:
          rules:
            - table: nat
              protocol: tcp
              match: multiport
              destination_ports:
                - 21
                - 80
                - 443
                - 2220
              source_network: '10.20.30.0/24'
              log_level: 7
              log_prefix: 'iptables-logging: '
              jump: LOG

IPv6 is supported as well

parameters:
  iptables:
    service:
      enabled: True
      ipv6: True
      chain:
        INPUT:
          rules:
            - protocol: tcp
              family: ipv6
              destination_port: 22
              source_network: 2001:DB8::/32
              jump: ACCEPT
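The samples above all feed one pillar structure. The following added example (my own code, not the formula's state files) renders such a pillar into the iptables/ip6tables commands it corresponds to and flags the classic lock-out mistake: an INPUT policy of DROP without the RELATED,ESTABLISHED and SSH accepts. The key-to-option mapping (in_interface to -i, source_network to -s, destination_ports with match: multiport to --dports, to_port to --to-ports, family: ipv6 to ip6tables, policy to -P on the IPv4 filter table) is an assumption based on the option names, not taken from the formula, and the pillar dict is constructed from the samples on this page.

```python
import shlex
from typing import Dict, List

# Constructed pillar that combines the samples on this page into one policy.
SAMPLE_PILLAR = {"iptables": {"service": {"enabled": True, "ipv6": True, "chain": {
    "INPUT": {
        "policy": "DROP",
        "rules": [
            {"in_interface": "lo", "jump": "ACCEPT"},
            {"connection_state": "RELATED,ESTABLISHED", "match": "state", "jump": "ACCEPT"},
            {"protocol": "icmp", "jump": "ACCEPT"},
            {"protocol": "tcp", "destination_port": 22, "source_network": "192.168.1.0/24",
             "jump": "ACCEPT", "comment": "ssh from lan"},
            {"protocol": "tcp", "family": "ipv6", "destination_port": 22,
             "source_network": "2001:DB8::/32", "jump": "ACCEPT"},
        ],
    },
    "PREROUTING": {"rules": [
        {"table": "nat", "protocol": "tcp", "destination_port": 443, "to_port": 8081,
         "jump": "REDIRECT"},
    ]},
    "POSTROUTING": {"rules": [
        {"table": "nat", "protocol": "tcp", "match": "multiport",
         "destination_ports": [21, 80, 443, 2220], "source_network": "10.20.30.0/24",
         "log_level": 7, "log_prefix": "iptables-logging: ", "jump": "LOG"},
    ]},
}}}}


def render_rule(chain: str, rule: Dict) -> str:
    """Translate one rule dict into an iptables/ip6tables append command.

    The option mapping is an assumption made for this example; match modules
    (-m state / -m multiport) are emitted before the options they enable.
    """
    binary = "ip6tables" if rule.get("family") == "ipv6" else "iptables"
    parts = [binary, "-t", rule.get("table", "filter"), "-A", chain]
    if "in_interface" in rule:
        parts += ["-i", rule["in_interface"]]
    if "protocol" in rule:
        parts += ["-p", rule["protocol"]]
    if "source_network" in rule:
        parts += ["-s", rule["source_network"]]
    if "match" in rule:
        parts += ["-m", rule["match"]]
    if "connection_state" in rule:
        parts += ["--state", rule["connection_state"]]
    if "destination_port" in rule:
        parts += ["--dport", str(rule["destination_port"])]
    if "destination_ports" in rule:
        parts += ["--dports", ",".join(str(p) for p in rule["destination_ports"])]
    if "comment" in rule:
        parts += ["-m", "comment", "--comment", shlex.quote(rule["comment"])]
    parts += ["-j", rule["jump"]]
    if rule["jump"] == "LOG":  # target options follow -j
        if "log_prefix" in rule:
            parts += ["--log-prefix", shlex.quote(rule["log_prefix"])]
        if "log_level" in rule:
            parts += ["--log-level", str(rule["log_level"])]
    if rule["jump"] == "REDIRECT" and "to_port" in rule:
        parts += ["--to-ports", str(rule["to_port"])]
    return " ".join(parts)


def render_pillar(pillar: Dict) -> List[str]:
    """Emit the policy line (if any) and then the rules of every chain, in pillar order."""
    commands = []
    for chain, spec in pillar["iptables"]["service"]["chain"].items():
        if "policy" in spec:  # assumed to apply to the IPv4 filter table
            commands.append(f"iptables -P {chain} {spec['policy']}")
        for rule in spec.get("rules", []):
            commands.append(render_rule(chain, rule))
    return commands


def lockout_warnings(pillar: Dict, ssh_port: int = 22) -> List[str]:
    """Flag an INPUT DROP policy that lacks the accepts a remote admin relies on."""
    spec = pillar["iptables"]["service"]["chain"].get("INPUT", {})
    if spec.get("policy") != "DROP":
        return []
    rules = spec.get("rules", [])
    warnings = []
    if not any(r.get("jump") == "ACCEPT" and "ESTABLISHED" in str(r.get("connection_state", ""))
               for r in rules):
        warnings.append("INPUT DROP without a RELATED,ESTABLISHED accept: replies to the host's "
                        "own outbound connections are dropped")
    if not any(r.get("jump") == "ACCEPT" and r.get("protocol") == "tcp"
               and r.get("destination_port") == ssh_port for r in rules):
        warnings.append(f"INPUT DROP without an accept for tcp/{ssh_port}: new SSH sessions "
                        "are refused once the policy is applied")
    return warnings


if __name__ == "__main__":
    for line in render_pillar(SAMPLE_PILLAR):
        print(line)
    bare_drop = {"iptables": {"service": {"chain": {"INPUT": {"policy": "DROP"}}}}}
    for warning in lockout_warnings(bare_drop):
        print("WARNING:", warning)
```

Running the script prints the command list for the combined pillar and then the two warnings for a pillar that sets INPUT to DROP with no rules at all, which is exactly the "Set drop policy" sample applied on its own. The ordering matters in practice as well: the policy is the fallthrough, so the accepts for lo, RELATED,ESTABLISHED and the management port must be present in the same pillar before a DROP policy is pushed to a remote host.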

Documentation and Bugs

To learn how to install and update salt-formulas, consult the documentation available online at:

In the unfortunate event that bugs are discovered, they should be reported to the appropriate issue tracker. Use the GitHub issue tracker of the specific salt formula:

For feature requests, bug reports or blueprints affecting the entire ecosystem, use the Launchpad salt-formulas project:

You can also join the salt-formulas-users team and subscribe to the mailing list:

Developers wishing to work on the salt-formulas projects should always base their work on the master branch and submit pull requests against the specific formula.

Any questions or feedback are always welcome, so feel free to join our IRC channel:

#salt-formulas @ irc.freenode.net