/etc/salt/master
注意配置文件每行前边是有空格的
# Salt master: state-tree environments (file_roots) and the pillar tree
# (pillar_roots). Each environment name maps to one directory on the master.
file_roots:
  base:
    - /srv/salt/base
  dev:
    - /srv/salt/dev
  prod:
    - /srv/salt/prod

# Pillar is served from the base environment only; the top file and the
# per-service pillar files below live directly under this directory.
pillar_roots:
  base:
    - /srv/salt/pillar
/srv/salt/pillar/top.sls
# Pillar top file: hand the firewall pillar data to every minion ('*').
# NOTE(review): the pillar files on this page are shown at
# /srv/salt/pillar/{whitelist,nginx,ntp}.sls, whereas `iptables.<name>`
# resolves to /srv/salt/pillar/iptables/<name>.sls — confirm which layout is
# in use; with the wrong one the pillar keys read by iptables_init.sls are
# simply missing on the minion.
base:
  '*':
    - iptables.whitelist
    - iptables.nginx
    - iptables.ntp
/srv/salt/pillar/nginx.sls
# Services exposed to the outside. Consumed by the `open_allow` loop in
# iptables_init.sls, which only renders when this key is present in pillar.
# Each key becomes a set of Salt state IDs (<key>_INPUT, <key>_OUTPUT, ...),
# so keys must not collide with those of white_ips or out_allow.
# `procto` is the spelling the state file reads (fw_rule['procto']); keep it.
open_allow:
  allow_http:
    port: 80
    procto: 'tcp'
  allow_https:
    port: 443
    procto: 'tcp'
/srv/salt/pillar/whitelist.sls
# Fully trusted addresses. iptables_init.sls accepts any protocol and any port
# from these in INPUT, and to them in OUTPUT, with no connection-state match —
# keep the list as narrow as the hosts actually require.
# NOTE(review): the state file reads pillar['white_ips'] without a guard, so a
# minion lacking this pillar fails to render the whole state; presumably
# intended, since the DROP policies would otherwise cut the minion off.
white_ips:
  allow_lan1:
    allowip: '192.168.0.0/16'
  allow_lan2:
    allowip: '172.20.60.1'
/srv/salt/pillar/ntp.sls
# Outbound services this host may initiate. Consumed by the `out_allow` loop in
# iptables_init.sls: OUTPUT allows new connections to `port`, INPUT accepts
# only ESTABLISHED replies coming back from that source port.
out_allow:
  ntp_out_allow:
    port: 123
    procto: 'udp'
/srv/salt/base/iptables_init.sls
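###### Flush the existing rules ######
# Runs on every highstate (no unless/onlyif), so the rule set is rebuilt from
# scratch each run; the states below re-add the rules right afterwards.
# The state is only rendered for the two supported osfinger values, so an
# unsupported platform no longer gets a cmd.run with no `name` at all.
# CentOS-6: stopping the service flushes the chains and resets the policies to
# ACCEPT; the echo empties the saved rule file.
# Ubuntu-16.04: `iptables -F` / `-X` touch the filter table only; the raw-table
# rules added further down are left in place (Salt's insert/append presumably
# skip rules that already exist, so they should not accumulate — confirm).
{% if grains['osfinger'] == 'CentOS-6' %}
clear_iptables:
  cmd.run:
    - name: service iptables stop && echo >/etc/sysconfig/iptables
{% elif grains['osfinger'] == 'Ubuntu-16.04' %}
clear_iptables:
  cmd.run:
    - name: iptables -F; iptables -X
{% endif %}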
#### Trusted source addresses from pillar white_ips ####
# One INPUT and one OUTPUT rule per entry, inserted at the head of the chain.
# There is no protocol, port or state match: everything from / to the address
# is accepted. `save: True` persists each rule after it is added.
# State IDs are derived from the pillar key and must stay unique across
# white_ips, open_allow and out_allow.
{% for fw, rule in pillar['white_ips'].items() %}
{{ fw }}_INPUT:
  iptables.insert:
    - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - source: {{ rule['allowip'] }}
    - save: True

{{ fw }}_OUTPUT:
  iptables.insert:
    - position: 1
    - table: filter
    - chain: OUTPUT
    - jump: ACCEPT
    - destination: {{ rule['allowip'] }}
    - save: True
{% endfor %}
###### Open the service ports listed in pillar open_allow, and add raw-table
###### NOTRACK rules for them. Only rendered when the minion has that pillar.
# Per entry: INPUT accepts NEW,ESTABLISHED to dport; OUTPUT accepts only
# ESTABLISHED traffic from sport, so the host cannot itself initiate on the
# port. The commented `position` lines were left by the author.
# NOTE(review): the four *_NOTRACK_* rules live in the raw table but carry a
# `-m state --state ESTABLISHED` match. The raw table is traversed before
# conntrack has classified the packet, so that match is not expected to
# succeed there and these rules are likely inert. Had they matched, untracked
# packets would never reach ESTABLISHED and the filter rules above would drop
# the replies. Confirm the intent before keeping them.
{% if 'open_allow' in pillar.keys() %}
{% for eachfw, fw_rule in pillar['open_allow'].items() %}
{{ eachfw }}_INPUT:
  iptables.append:
    # - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW,ESTABLISHED
    - protocol: {{ fw_rule['procto'] }}
    - dport: {{ fw_rule['port'] }}
    - save: True

{{ eachfw }}_OUTPUT:
  iptables.append:
    # - position: 1
    - table: filter
    - chain: OUTPUT
    - jump: ACCEPT
    - match: state
    - connstate: ESTABLISHED
    - sport: {{ fw_rule['port'] }}
    - protocol: {{ fw_rule['procto'] }}
    - save: True

{{ eachfw }}_NOTRACK_FROM_OUTPUT:
  iptables.insert:
    - position: 1
    - table: raw
    - chain: OUTPUT
    - jump: NOTRACK
    - match: state
    - connstate: ESTABLISHED
    - sport: {{ fw_rule['port'] }}
    - protocol: {{ fw_rule['procto'] }}
    - save: True

{{ eachfw }}_NOTRACK_TO_OUTPUT:
  iptables.insert:
    - position: 1
    - table: raw
    - chain: OUTPUT
    - jump: NOTRACK
    - match: state
    - connstate: ESTABLISHED
    - dport: {{ fw_rule['port'] }}
    - protocol: {{ fw_rule['procto'] }}
    - save: True

{{ eachfw }}_NOTRACK_FROM_PREROUTING:
  iptables.insert:
    - position: 1
    - table: raw
    - chain: PREROUTING
    - jump: NOTRACK
    - match: state
    - connstate: ESTABLISHED
    - sport: {{ fw_rule['port'] }}
    - protocol: {{ fw_rule['procto'] }}
    - save: True

{{ eachfw }}_NOTRACK_TO_PREROUTING:
  iptables.insert:
    - position: 1
    - table: raw
    - chain: PREROUTING
    - jump: NOTRACK
    - match: state
    - connstate: ESTABLISHED
    - dport: {{ fw_rule['port'] }}
    - protocol: {{ fw_rule['procto'] }}
    - save: True
{% endfor %}
{% endif %}
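# Outbound services from pillar out_allow.
# Read with pillar.get() so a minion without that key still renders (the
# open_allow block above is guarded the same way); with nothing to iterate,
# no rules are emitted. Previously a missing key aborted the whole render.
# OUTPUT lets the host initiate (NEW,RELATED,ESTABLISHED) to dport; INPUT
# accepts only ESTABLISHED replies arriving from that sport.
{% for fw, rule in pillar.get('out_allow', {}).items() %}
{{ fw }}_INPUT:
  iptables.insert:
    - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: ESTABLISHED
    - protocol: {{ rule['procto'] }}
    - sport: {{ rule['port'] }}
    - save: True

{{ fw }}_OUTPUT:
  iptables.insert:
    - position: 1
    - table: filter
    - chain: OUTPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW,RELATED,ESTABLISHED
    - protocol: {{ rule['procto'] }}
    - dport: {{ rule['port'] }}
    - save: True
{% endfor %}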
# Outbound ICMP: the host may initiate pings and receive related traffic.
# Note that `protocol: icmp` alone accepts every ICMP type, not only echo;
# if only ping is intended, narrow by ICMP type — confirm what is wanted.
allow_ping_OUTPUT:
  iptables.append:
    - table: filter
    - chain: OUTPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW,RELATED,ESTABLISHED
    - protocol: icmp
    - comment: "Allow Ping OUT"
    - save: True

# Inbound ICMP: others may ping this host. Same caveat — all ICMP types match.
allow_icmp_INPUT:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW,ESTABLISHED
    - protocol: icmp
    - comment: "Allow Ping IN"
    - save: True
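# Default-deny: anything not matched by an ACCEPT rule above is dropped.
#
# Loopback has to be accepted explicitly. None of the rules in this file cover
# 127.0.0.0/8, so with DROP policies on INPUT and OUTPUT any local client
# (stub resolvers, a proxy talking to a local upstream, health checks) would
# otherwise fail. Inserted at position 1 so rule order cannot shadow them.
allow_loopback_INPUT:
  iptables.insert:
    - position: 1
    - table: filter
    - chain: INPUT
    - in-interface: lo
    - jump: ACCEPT
    - save: True

allow_loopback_OUTPUT:
  iptables.insert:
    - position: 1
    - table: filter
    - chain: OUTPUT
    - out-interface: lo
    - jump: ACCEPT
    - save: True

# NOTE(review): this file has no outbound DNS rule and no generic
# RELATED,ESTABLISHED rule; out_allow on this page only lists NTP. With OUTPUT
# set to DROP, name resolution and the minion's own connection to the master
# work only if those peers fall inside white_ips — confirm before rollout.

# Default policy for INPUT: DROP
default_to_INPUT:
  iptables.set_policy:
    - chain: INPUT
    - policy: DROP
    - save: True

# Default policy for OUTPUT: DROP
default_to_OUTPUT:
  iptables.set_policy:
    - chain: OUTPUT
    - policy: DROP
    - save: True

# Default policy for FORWARD: DROP (the host is not expected to route)
default_to_FORWARD:
  iptables.set_policy:
    - chain: FORWARD
    - policy: DROP
    - save: True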
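###### Reload the iptables service and enable it at boot ######
# A service named `iptables` (and /etc/sysconfig/iptables, which the CentOS-6
# branch of clear_iptables empties) exists on the CentOS-6 path of this file
# only; on Ubuntu-16.04 there is no service of that name, so the state used to
# fail there. It is now limited to the same osfinger check clear_iptables uses.
# NOTE(review): on Ubuntu-16.04 nothing in this file restores the saved rules
# after a reboot — confirm how persistence is handled on that platform.
{% if grains['osfinger'] == 'CentOS-6' %}
iptables-service:
  service.running:
    - name: iptables
    - reload: True
    - enable: True
{% endif %}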
参考:
https://blog.51cto.com/dyc2005/2178969