salt.states.iptables¶
Management of iptables¶
This is an iptables-specific module designed to manage Linux firewalls. It is expected that this state module, and other system-specific firewall states, may at some point be deprecated in favor of a more generic firewall state.
httpd:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match:
- state
- comment
- comment: "Allow HTTP"
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match:
- state
- comment
- comment: "Allow HTTP"
- connstate: NEW
- source: '127.0.0.1'
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
.. Invert Rule
httpd:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match:
- state
- comment
- comment: "Allow HTTP"
- connstate: NEW
- source: '! 127.0.0.1'
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match:
- state
- comment
- comment: "Allow HTTP"
- connstate: NEW
- source: 'not 127.0.0.1'
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.append:
- table: filter
- family: ipv6
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.append:
- table: filter
- family: ipv4
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dports:
- 80
- 443
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.insert:
- position: 1
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.insert:
- position: 1
- table: filter
- family: ipv6
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.delete:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.delete:
- position: 1
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.delete:
- table: filter
- family: ipv6
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
-
salt.states.iptables.append(name, family='ipv4', **kwargs)¶ New in version 0.17.0.
Append a rule to a chain
- name
- A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
- family
- Network family, ipv4 or ipv6.
All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception:
--stateis specified as connstate instead of state (not to be confused with ctstate).
-
salt.states.iptables.chain_absent(name, table='filter', family='ipv4')¶ New in version 2014.1.0.
Verify the chain is absent.
- family
- Networking family, either ipv4 or ipv6
-
salt.states.iptables.chain_present(name, table='filter', family='ipv4')¶ New in version 2014.1.0.
Verify the chain is exist.
- name
- A user-defined chain name.
- table
- The table to own the chain.
- family
- Networking family, either ipv4 or ipv6
-
salt.states.iptables.delete(name, family='ipv4', **kwargs)¶ New in version 2014.1.0.
Delete a rule to a chain
- name
- A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
- family
- Networking family, either ipv4 or ipv6
All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception:
--stateis specified as connstate instead of state (not to be confused with ctstate).
-
salt.states.iptables.flush(name, family='ipv4', **kwargs)¶ New in version 2014.1.0.
Flush current iptables state
- family
- Networking family, either ipv4 or ipv6
-
salt.states.iptables.insert(name, family='ipv4', **kwargs)¶ New in version 2014.1.0.
Insert a rule into a chain
- name
- A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
- family
- Networking family, either ipv4 or ipv6
All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception:
--stateis specified as connstate instead of state (not to be confused with ctstate).
-
salt.states.iptables.set_policy(name, family='ipv4', **kwargs)¶ New in version 2014.1.0.
Sets the default policy for iptables firewall tables
- family
- Networking family, either ipv4 or ipv6
