saltstack pillar设置iptables

/etc/salt/master
注意配置文件每行前边是有空格的

 # Salt master excerpt: one state tree per environment.
 file_roots:
   base:
     - /srv/salt/base
   dev:
     - /srv/salt/dev
   prod:
     - /srv/salt/prod
 # Only a `base` pillar root is defined, so the pillar top file is
 # /srv/salt/pillar/top.sls and the sls names listed in it resolve relative
 # to this directory (`nginx` -> /srv/salt/pillar/nginx.sls,
 # `iptables.nginx` -> /srv/salt/pillar/iptables/nginx.sls).
 pillar_roots:
   base:
     - /srv/salt/pillar

/srv/salt/pillar/top.sls

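# Pillar top file. Entries are dotted paths relative to pillar_roots
# (/srv/salt/pillar), so `iptables.nginx` would be looked up as
# /srv/salt/pillar/iptables/nginx.sls. The pillar files in this post live
# directly under /srv/salt/pillar/, so they are referenced without the
# `iptables.` prefix (alternatively keep the prefix and move the three files
# into /srv/salt/pillar/iptables/).
# '*' targets every minion: all of them receive the whitelist, the exposed
# service ports and the outbound allow list.
base:
  '*':
    - whitelist
    - nginx
    - ntp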

/srv/salt/pillar/nginx.sls

# Services this minion exposes; consumed by the `open_allow` loop in
# iptables_init.sls. Each key becomes a state-ID prefix
# (allow_http_INPUT, allow_http_NOTRACK_FROM_OUTPUT, ...), so it must be
# unique across the firewall pillars (white_ips, open_allow, out_allow).
open_allow:
  allow_http:
    # listening port, rendered into --dport (INPUT) / --sport (OUTPUT)
    port: 80
    # `procto` (sic) is the key the state file reads as the protocol; the
    # spelling must stay in sync with iptables_init.sls if it is renamed
    procto: 'tcp'
  
  allow_https:
    port: 443
    procto: 'tcp'

/srv/salt/pillar/whitelist.sls

# Hosts/networks trusted for every protocol and port in both directions:
# iptables_init.sls uses `allowip` as INPUT `source` and OUTPUT `destination`.
# Keep this list tight — each entry bypasses all other filtering.
white_ips:
   allow_lan1:
      # a CIDR network or a single address, as iptables accepts for -s/-d
      allowip: 192.168.0.0/16
 
   allow_lan2:
      allowip: 172.20.60.1

/srv/salt/pillar/ntp.sls

# External services this minion may reach; consumed by the `out_allow` loop
# in iptables_init.sls. Only NTP is listed — anything else the host needs
# (DNS, package repositories, the salt master) must fall inside white_ips
# once the OUTPUT chain defaults to DROP.
out_allow:
  ntp_out_allow:
    port: 123
    procto: 'udp'

/srv/salt/base/iptables_init.sls

###### Flush the existing rules ######
# Runs on every highstate (no unless/onlyif guard), so the rule set is torn
# down and rebuilt each time. Only CentOS-6 and Ubuntu-16.04 are handled: on
# any other osfinger no `name` is rendered and this state fails.
clear_iptables:
  cmd.run:
  {% if grains['osfinger'] == 'CentOS-6' %}
  # NOTE(review): on CentOS 6 `service iptables stop` flushes the rules and
  # resets the chain policies to ACCEPT, so the host accepts everything
  # between this state and the set_policy states at the end of the file —
  # confirm that window is acceptable on every run.
    - name: service iptables stop && echo >/etc/sysconfig/iptables
  {% elif grains['osfinger'] == 'Ubuntu-16.04' %}
  # `iptables -F` / `-X` without `-t` only touch the filter table: the
  # raw-table NOTRACK rules added below are not cleared here, and the chain
  # policies are left as they are (DROP after a previous run of this file,
  # with no ACCEPT rules until the whitelist states below are applied).
    - name: iptables -F; iptables -X
  {% endif %}

#### Trusted-network whitelist
# One INPUT and one OUTPUT ACCEPT rule per entry in pillar `white_ips`, for
# every protocol and port. The pillar key doubles as the state-ID prefix
# (`<key>_INPUT` / `<key>_OUTPUT`), so keys must be unique across white_ips,
# open_allow and out_allow or Salt reports conflicting IDs.
# `pillar['white_ips']` is not guarded the way `open_allow` is below; a minion
# without that pillar key fails to render this file.
# NOTE(review): once the DROP policies at the end of the file are in place,
# the minion's path to the salt master has to be covered by these entries (or
# by out_allow), otherwise the minion loses its master connection after the
# run — confirm.
{% for fw, rule in pillar['white_ips'].items() %}
{{ fw }}_INPUT:
  iptables.insert:
     # position 1 keeps the whitelist ahead of every other INPUT rule
     - position: 1
     - table: filter
     - chain: INPUT
     - jump: ACCEPT
     - source: {{ rule['allowip'] }}
     - save: True

{{ fw }}_OUTPUT:
  iptables.insert:
     - position: 1
     - table: filter
     - chain: OUTPUT
     - jump: ACCEPT
     - destination: {{ rule['allowip'] }}
     - save: True
{% endfor %}

###### Open the service ports listed in pillar open_allow and add them to iptables (disabling connection tracking for them) ### only when the minion exposes services ###
# Guarded: a minion without `open_allow` in its pillar simply skips this
# section. Each pillar key becomes the prefix of six state IDs.
{% if 'open_allow' in pillar.keys() %}
{% for eachfw, fw_rule in pillar['open_allow'].items() %}
# Inbound to the service port: new and established connections.
{{ eachfw }}_INPUT:
  iptables.append:
#     - position: 1
     - table: filter
     - chain: INPUT
     - jump: ACCEPT
     - match: state
     - connstate: NEW,ESTABLISHED
     - protocol: {{ fw_rule['procto'] }}
     - dport: {{ fw_rule['port'] }}
     - save: True

# Replies leaving from the service port.
{{ eachfw }}_OUTPUT:
  iptables.append:
#     - position: 1
     - table: filter
     - chain: OUTPUT
     - jump: ACCEPT
     - match: state
     - connstate: ESTABLISHED
     - sport: {{ fw_rule['port'] }}
     - protocol: {{ fw_rule['procto'] }}
     - save: True

# Raw-table NOTRACK rules, one per chain and direction, for the same port.
# NOTE(review): the raw table is traversed before connection tracking runs,
# so a `state ESTABLISHED` match here is unlikely to ever succeed; and if
# NOTRACK did apply, the filter rules above (state NEW,ESTABLISHED) would no
# longer match the untracked packets. Verify the intended effect on a test
# host before relying on these four rules.
{{ eachfw }}_NOTRACK_FROM_OUTPUT:
  iptables.insert:
     - position: 1
     - table: raw
     - chain: OUTPUT
     - jump: NOTRACK
     - match: state
     - connstate: ESTABLISHED
     - sport: {{ fw_rule['port'] }}
     - protocol: {{ fw_rule['procto'] }}
     - save: True

{{ eachfw }}_NOTRACK_TO_OUTPUT:
  iptables.insert:
     - position: 1
     - table: raw
     - chain: OUTPUT
     - jump: NOTRACK
     - match: state
     - connstate: ESTABLISHED
     - dport: {{ fw_rule['port'] }}
     - protocol: {{ fw_rule['procto'] }}
     - save: True

{{ eachfw }}_NOTRACK_FROM_PREROUTING:
  iptables.insert:
     - position: 1
     - table: raw
     - chain: PREROUTING
     - jump: NOTRACK
     - match: state
     - connstate: ESTABLISHED
     - sport: {{ fw_rule['port'] }}
     - protocol: {{ fw_rule['procto'] }}
     - save: True

{{ eachfw }}_NOTRACK_TO_PREROUTING:
  iptables.insert:
     - position: 1
     - table: raw
     - chain: PREROUTING
     - jump: NOTRACK
     - match: state
     - connstate: ESTABLISHED
     - dport: {{ fw_rule['port'] }}
     - protocol: {{ fw_rule['procto'] }}
     - save: True
{% endfor %}
{% endif %}

# Allow outbound access to the external services listed in pillar out_allow
# (e.g. NTP): INPUT accepts only replies (ESTABLISHED) from the remote port,
# OUTPUT accepts new and established traffic towards it.
# `pillar['out_allow']` is unguarded (unlike open_allow), so a minion without
# it fails to render this file. State IDs reuse `<key>_INPUT`/`<key>_OUTPUT`,
# so keys must not collide with white_ips entries.
# NOTE(review): once OUTPUT defaults to DROP below, only the ports listed here
# leave the host — DNS, package repositories and the salt master are not
# covered unless they fall inside white_ips. Confirm the list is complete.
{% for fw, rule in pillar['out_allow'].items() %}
{{ fw }}_INPUT:
  iptables.insert:
     - position: 1
     - table: filter
     - chain: INPUT
     - jump: ACCEPT
     - match: state
     - connstate: ESTABLISHED
     - protocol: {{ rule['procto'] }}
     - sport: {{ rule['port'] }}
     - save: True

{{ fw }}_OUTPUT:
  iptables.insert:
     - position: 1
     - table: filter
     - chain: OUTPUT
     - jump: ACCEPT
     - match: state
     - connstate: NEW,RELATED,ESTABLISHED
     - protocol: {{ rule['procto'] }}
     - dport: {{ rule['port'] }}
     - save: True
{% endfor %}

# Allow outbound ping
# `protocol: icmp` without an ICMP type accepts every ICMP type, not only
# echo; if only ping is intended, restrict it (iptables `--icmp-type
# echo-request`).
allow_ping_OUTPUT:
  iptables.append:
     - table: filter
     - chain: OUTPUT
     - jump: ACCEPT
     - match: state
     - connstate: NEW,RELATED,ESTABLISHED
     - protocol: icmp
     - comment: "Allow Ping OUT"
     - save: True

# Allow inbound ping
# Accepts every ICMP type from any source (no icmp-type, no source filter);
# replies to the host's own pings already arrive as ESTABLISHED, so NEW here
# is only needed for unsolicited ICMP such as incoming echo requests.
allow_icmp_INPUT:
  iptables.append:
     - table: filter
     - chain: INPUT
     - jump: ACCEPT
     - match: state
     - connstate: NEW,ESTABLISHED
     - protocol: icmp
     - comment: "Allow Ping IN"
     - save: True

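# Allow loopback explicitly. With the DROP policies set below, traffic to
# 127.0.0.1 would otherwise be dropped: none of the rules above match it
# (the white_ips shipped in this post cover 192.168.0.0/16 and 172.20.60.1
# only), which breaks local services and resolvers bound to localhost.
allow_lo_INPUT:
  iptables.insert:
     - position: 1
     - table: filter
     - chain: INPUT
     - jump: ACCEPT
     - in-interface: lo
     - save: True

allow_lo_OUTPUT:
  iptables.insert:
     - position: 1
     - table: filter
     - chain: OUTPUT
     - jump: ACCEPT
     - out-interface: lo
     - save: True

# Default policies are set last so every ACCEPT rule above is already in
# place when the chains switch to DROP (Salt applies states in file order).
# Set INPUT default policy to DROP
default_to_INPUT:
  iptables.set_policy:
    - chain: INPUT
    - policy: DROP
    - save: True

# Set OUTPUT default policy to DROP
default_to_OUTPUT:
  iptables.set_policy:
    - chain: OUTPUT
    - policy: DROP
    - save: True

# Set FORWARD default policy to DROP
default_to_FORWARD:
  iptables.set_policy:
    - chain: FORWARD
    - policy: DROP
    - save: True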

###### Reload iptables and keep it enabled at boot ######
# `save: True` on the rules above writes the persistent rule file; this state
# reloads it into the running service and enables the service at boot.
# NOTE(review): a service named `iptables` exists on CentOS 6; the
# Ubuntu-16.04 branch handled in clear_iptables has no such unit unless a
# persistence package is installed, so this state is likely to fail there —
# confirm on an Ubuntu minion.
iptables-service:
  service.running:
    - name: iptables
    - reload: True
    - enable: True

参考:
https://blog.51cto.com/dyc2005/2178969
