---
# Salt state: baseline iptables/ip6tables policies and INPUT rules.
# `firewall` is supplied by the sibling map.jinja (not shown here); every
# state below requires the `iptables` / `iptables-persistent` pkg states,
# which are presumably declared in base.packages — confirm.
{% from tpldir+"/map.jinja" import firewall with context -%}

include:
  - base.packages
{% for chain in firewall.get("chains", []) %}
  - {{ "fwrules.chains." ~ chain }}
{% endfor %}
# Default chain policies for the filter table, read from firewall.policies
# (keys INPUT, FORWARD, OUTPUT) and applied identically to IPv4 and IPv6.
# State ids render as "v4 input policy", "v6 forward policy", and so on.
# Only INPUT receives accept rules elsewhere in this file; a DROP policy on
# FORWARD or OUTPUT gets no stateful allow from here.
{% for family, prefix in (("ipv4", "v4"), ("ipv6", "v6")) %}
{% for chain in ("INPUT", "FORWARD", "OUTPUT") %}
{{ prefix }} {{ chain | lower }} policy:
  iptables.set_policy:
    - table: filter
    - family: {{ family }}
    - chain: {{ chain }}
    # Quoted so the rendered value is always read back as a string.
    - policy: "{{ firewall.policies[chain] }}"
    - require:
      - pkg: iptables
{% endfor %}
{% endfor %}
{% if firewall.options.conntrack %}
# Stateful accept for replies to connections the host initiated or already
# accepted. Covers INPUT only; FORWARD and OUTPUT get no equivalent rule.
{% for family, prefix in (("ipv4", "v4"), ("ipv6", "v6")) %}
{{ prefix }} conntrack:
  iptables.append:
    - table: filter
    - family: {{ family }}
    - chain: INPUT
    - match: [conntrack]
    - ctstate: "RELATED,ESTABLISHED"
    - jump: ACCEPT
    - require:
      - pkg: iptables
{% endfor %}
{% endif %}
{% if firewall.options.allow_loopback %}
# Accept loopback traffic, matched on source address rather than on the lo
# interface. NOTE(review): this trusts the kernel to discard 127/8 and ::1
# sources arriving on other interfaces; `in-interface: lo` would be the
# tighter match — confirm intent before changing.
{% for family, prefix, loopback_net in (("ipv4", "v4", "127.0.0.0/8"), ("ipv6", "v6", "::1/128")) %}
{{ prefix }} loopback:
  iptables.append:
    - table: filter
    - family: {{ family }}
    - chain: INPUT
    - source: "{{ loopback_net }}"
    - jump: ACCEPT
    - require:
      - pkg: iptables
{% endfor %}
{% endif %}
{% if firewall.options.allow_docker %}
# Accept everything arriving on docker0: every port the host listens on
# becomes reachable from containers on the default bridge. Narrow this to
# specific ports or a dedicated chain if that exposure is wider than intended.
{% for family, prefix in (("ipv4", "v4"), ("ipv6", "v6")) %}
{{ prefix }} docker all:
  iptables.append:
    - table: filter
    - family: {{ family }}
    - chain: INPUT
    - in-interface: docker0
    - jump: ACCEPT
    - require:
      - pkg: iptables
{% endfor %}
{% endif %}
{% if firewall.options.ipv6_ndp %}
# Neighbor Discovery (ICMPv6 types 133-136, RFC 4861) has to be accepted for
# IPv6 to work at all under a DROP policy. Each rule is inserted at position
# 2 of INPUT, i.e. directly after whatever rule is first in the chain.
# NOTE(review): inserting at position 2 can fail on an empty chain, so this
# relies on at least one rule (e.g. the conntrack accept) being present —
# confirm for hosts where the other options are all disabled.
{% set _ndp_types = [
  ("router solicit", 133),
  ("router advertise", 134),
  ("neighbor solicit", 135),
  ("neighbor advertise", 136),
] %}
{% for name, num in _ndp_types %}
icmpv6 ndp {{ name }}:
  iptables.insert:
    - table: filter
    - family: ipv6
    - chain: INPUT
    - position: 2
    - match: icmpv6
    - protocol: ipv6-icmp
    - icmpv6-type: {{ num }}
    - jump: ACCEPT
    - require:
      - pkg: iptables
{% endfor %}
{% endif %}
# LOG rule for packets that fall through to the INPUT policy. It is appended
# (so, with Salt's default file ordering, it lands after the accept rules
# declared above) when log_dropped is set, and actively deleted otherwise,
# which also cleans up a rule left behind by an earlier run.
# NOTE(review): there is no `limit` match on this rule, so a burst of
# unsolicited traffic becomes an equally large burst of kernel log lines.
{% set log_drop_action = "append" if firewall.options.log_dropped else "delete" %}
{% for family, prefix, log_prefix in (("ipv4", "v4", "IPv=4 "), ("ipv6", "v6", "IPv=6 ")) %}
{{ prefix }} log dropped:
  iptables.{{ log_drop_action }}:
    - table: filter
    - family: {{ family }}
    - chain: INPUT
    - jump: LOG
    - log-prefix: "{{ log_prefix }}"
    - require:
      - pkg: iptables
{% endfor %}
# Persist the ruleset across reboots through iptables-persistent.
netfilter-persistent:
  service.running:
    - name: netfilter-persistent
    - enable: true
    - require:
      - pkg: iptables-persistent

# Seed /etc/iptables/rules.v4 and rules.v6 from the live ruleset, but only
# while the file does not exist yet. NOTE(review): nothing in this file
# re-saves afterwards, so later changes to policies or options stay
# unpersisted (and are lost on reboot) unless something else writes those
# files — confirm that is intended.
{% for family, v in (("ipv4", "v4"), ("ipv6", "v6")) %}
save iptables {{ v }} rules:
  module.run:
    - iptables.save:
      - family: {{ family }}
    - require:
      - pkg: iptables-persistent
    - unless:
      - test -e /etc/iptables/rules.{{ v }}
{% endfor %}