salt 添加iptables的sls例子

最新推荐文章于 2020-11-17 17:11:13 发布

weixin_33795743

最新推荐文章于 2020-11-17 17:11:13 发布

阅读量79

点赞数

原文链接：http://www.cnblogs.com/LYCong/p/7978204.html

版权

{% for eachfw, fw_rule in pillar['firewall'].iteritems() %}
# Add custom chain
{{ eachfw }}-chain:
  iptables.chain_present:
#    - save : True
    - table: filter
# Custom chain rules
{% if 'allow' in fw_rule %}
# White Lists
{% for each_allow in fw_rule['allow'] %}
{{ eachfw }}_allow_{{ each_allow }}:
  iptables.insert:
    - table: filter
    - chain: {{ eachfw }}-chain
    - position: 1
    - source: {{ each_allow }}
    - jump: ACCEPT
    - require:
      - iptables: {{ eachfw }}-chain
    - require_in:
      - iptables: {{ eachfw }}_deny
    - save: True
{% endfor %}
# Deny all
{{ eachfw }}_deny:
  iptables.append:
    - table: filter
    - chain: {{ eachfw }}-chain
    - jump: DROP
    - save: True

{% elif 'deny' in fw_rule %}
# Black Lists
{% for each_deny in fw_rule['deny'] %}
{{ eachfw }}_deny_{{ each_deny }}:
  iptables.insert:
    - table: filter
    - chain: {{ eachfw }}-chain
    - position: 1
    - source: {{ each_deny }}
    - jump: DROP
    - require:
      - iptables: {{ eachfw }}-chain
    - require_in:
      - iptables: {{ eachfw }}_allow
    - save: True
{% endfor %}
# Accept all
{{ eachfw }}_allow:
  iptables.append:
    - table: filter
    - chain: {{ eachfw }}-chain
    - jump: ACCEPT
    - save: True
{% endif %}

# Export traffic to custom chain
{{ eachfw }}-main:
  iptables.insert:
    - table: filter
    - chain: INPUT
    - position: 1
    - proto: tcp
    - dport: {{ fw_rule['port'] }}
    - jump: {{ eachfw }}-chain
{% endfor %}