saltbox
/
states
2
0
Fork 1
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
383 Commits
2 Branches
0 Tags
844 KiB
 
 
 
 
Tree: de68bfd3e6
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'de68bfd3e6'
${ noResults }
states/fwrules/chains/swarm_ingress.sls

75 lines
2.6 KiB
Raw Blame History

---
include:
- fwrules.ipsets.management
- fwrules.ipsets.minions
{% set chain_name = "DOCKER-USER" %}
{# [ (service, port, transport, sources), ... ] #}
{% set ports = [
("mqtt-tcp", 1883, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
("mqtt-ws", 1884, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
("mqtts-tcp", 4883, "tcp", {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}),
("mqtts-ws", 4884, "tcp", {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}),
("portainer-agent", 9001, "tcp", {"ipv4": ["set:minions"], "ipv6": ["set:minions"]}),
("icecast-direct", 9090, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
("unifi-http", 8080, "tcp", {"ipv4": ["0.0.0.0/0"], "ipv6": ["::/0"]}),
("unifi-https", 8443, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
("unifi-portal-http", 8880, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
("unifi-portal-https", 8843, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
("unifi-speed", 6789, "tcp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
("unifi-stun", 3478, "udp", {"ipv4": ["set:management"], "ipv6": ["set:management"]}),
] %}
{% for family in ["ipv4", "ipv6"] %}
{{ chain_name }} {{ family }}:
iptables.chain_present:
- name: {{ chain_name }}
- family: {{ family }}
{% for service, port, transport, sources in ports %}
{% set addresses, ipsets = salt["minion_net.split_ips_ipsets"](sources.get(family, [])) %}
{% for ipset in ipsets %}
{% set set_name = "{}-{}".format(ipset, family) %}
{{ chain_name }} {{ family }} {{ transport }} {{ service }} {{ ipset }}:
iptables.insert:
- position: 1
- table: filter
- family: {{ family }}
- chain: {{ chain_name }}
- protocol: {{ transport }}
- match: {{ ["set", transport] | tojson }}
- set: {{ set_name }} src
- dport: {{ port }}
- jump: ACCEPT
- require:
- iptables: {{ chain_name }} {{ family }}
{% endfor %}
{% if addresses %}
{{ chain_name }} {{ family }} {{ transport }} {{ service }} addresses:
iptables.insert:
- position: 1
- table: filter
- family: {{ family }}
- chain: {{ chain_name }}
- protocol: {{ transport }}
- match: {{ transport }}
- source: {{ addresses | join(",") }}
- dport: {{ port }}
- jump: ACCEPT
- require:
- iptables: {{ chain_name }} {{ family }}
{% endif %}
{% endfor %}
{{ chain_name }} {{ family }} default deny:
iptables.append:
- table: filter
- family: {{ family }}
- chain: {{ chain_name }}
- jump: DROP
- require:
- iptables: {{ chain_name }} {{ family }}
{% endfor %}