{"id":19871906,"url":"https://github.com/saltstack-formulas/iptables-formula","last_synced_at":"2025-10-16T01:31:58.424Z","repository":{"id":16626060,"uuid":"19381119","full_name":"saltstack-formulas/iptables-formula","owner":"saltstack-formulas","description":null,"archived":false,"fork":false,"pushed_at":"2025-01-06T23:08:25.000Z","size":297,"stargazers_count":31,"open_issues_count":9,"forks_count":93,"subscribers_count":40,"default_branch":"master","last_synced_at":"2025-03-29T06:03:32.818Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"http://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html","language":"SaltStack","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/saltstack-formulas.png","metadata":{"files":{"readme":"docs/README.rst","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS.md","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2014-05-02T16:30:32.000Z","updated_at":"2023-06-11T14:13:04.000Z","dependencies_parsed_at":"2025-01-27T16:38:10.999Z","dependency_job_id":"ff939f3f-1499-41e8-a23a-f44e68ebaa8d","html_url":"https://github.com/saltstack-formulas/iptables-formula","commit_stats":null,"previous_names":[],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/saltstack-formulas%2Fiptables-formula","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/saltstack-formulas%2Fiptables-formula/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/saltstack-formulas%2Fiptables-formula/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/saltstack-formulas%2Fiptables-formula/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/saltstack-formulas","download_url":"https://codeload.github.com/saltstack-formulas/iptables-formula/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247299831,"owners_count":20916190,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-12T16:13:56.729Z","updated_at":"2025-10-16T01:31:58.343Z","avatar_url":"https://github.com/saltstack-formulas.png","language":"SaltStack","funding_links":[],"categories":[],"sub_categories":[],"readme":".. _readme:\n\niptables\n========\n\n|img_travis| |img_sr|\n\n.. |img_travis| image:: https://travis-ci.com/saltstack-formulas/iptables-formula.svg?branch=master\n :alt: Travis CI Build Status\n :scale: 100%\n :target: https://travis-ci.com/saltstack-formulas/iptables-formula\n.. |img_sr| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg\n :alt: Semantic Release\n :scale: 100%\n :target: https://github.com/semantic-release/semantic-release\n\nThis formula manages your firewall using iptables with pillar configured rules.\nThanks to the nature of Pillars it is possible to write global and local settings (e.g. enable globally, configure locally)\n\n.. contents:: **Table of Contents**\n\nGeneral notes\n-------------\n\nPull requests are welcome for other platforms (or other improvements ofcourse!)\n\nSee the full `SaltStack Formulas installation and usage instructions\n\u003chttps://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html\u003e`_.\n\nIf you are interested in writing or contributing to formulas, please pay attention to the `Writing Formula Section\n\u003chttps://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#writing-formulas\u003e`_.\n\nIf you want to use this formula, please pay attention to the ``FORMULA`` file and/or ``git tag``,\nwhich contains the currently released version. This formula is versioned according to `Semantic Versioning \u003chttp://semver.org/\u003e`_.\n\nSee `Formula Versioning Section \u003chttps://docs.saltstack.com/en/latest/topics/development/conventions/formulas.html#versioning\u003e`_ for more details.\n\nContributing to this repo\n-------------------------\n\n**Commit message formatting is significant!!**\n\nPlease see `How to contribute \u003chttps://github.com/saltstack-formulas/.github/blob/master/CONTRIBUTING.rst\u003e`_ for more details.\n\n.. contents::\n :local:\n\nUsage\n-----\n\nDefault usage\n^^^^^^^^^^^^^\nAll the configuration for the firewall is done via the pillar (see the pillar.example file).\n\nEnable globally:\n\n``pillars/firewall.sls``\n\n.. code-block:: yaml\n\n firewall:\n enabled: True\n install: True \n strict: True\n\nAllow SSH:\n\n``pillars/firewall/ssh.sls``\n\n.. code-block:: yaml\n\n firewall:\n services:\n ssh:\n block_nomatch: False\n ips_allow:\n - 192.168.0.0/24\n - 10.0.2.2/32\n\nApply rules to specific interface:\n\n.. code-block:: yaml\n\n firewall:\n services:\n ssh:\n interfaces:\n - eth0\n - eth1\n\nApply rules for multiple protocols:\n\n\n.. code-block:: yaml\n\n firewall:\n services:\n ssh:\n protos:\n - udp\n - tcp\n\nAllow an entire class such as your internal network:\n\n.. code-block:: yaml\n\n whitelist:\n networks:\n ips_allow:\n - 10.0.0.0/8\n\nSalt combines both and effectively enables your firewall and applies the rules.\n\nNotes:\n\n * Setting install to True will install ``iptables`` and ``iptables-persistent`` for you\n * Strict mode means: Deny **everything** except explicitly allowed (use with care!)\n * block_nomatch: With non-strict mode adds in a \"REJECT\" rule below the accept rules, otherwise other traffic to that service is still allowed. Can be defined per-service or globally, defaults to False.\n * Service names can be either port numbers or service names (e.g. ssh, zabbix-agent, http) and are available for viewing/configuring in ``/etc/services``\n * If no ``ips_allow`` stanza is provided for any particular ruleset instead of not adding the rule the addition itself is scoped globally (0.0.0.0/0)\n\nUsing iptables.service\n^^^^^^^^^^^^^^^^^^^^^^\n\nSalt can't merge pillars, so you can only define ``firewall:services`` in once place. With the firewall.service state and stateconf, you can define pillars for different services and include and extend the iptables.service state with the ``parent`` parameter to enable a default firewall configuration with special rules for different services.\n\n``pillars/otherservice.sls``\n\n.. code-block:: yaml\n\n otherservice:\n firewall:\n services:\n http:\n block_nomatch: False\n ips_allow:\n - 0.0.0.0/0\n\n``states/otherservice.sls``\n\n.. code-block:: yaml\n\n #!stateconf yaml . jinja\n \n include:\n - iptables.service\n \n extend:\n iptables.service::sls_params:\n stateconf.set:\n - parent: otherservice\n\nUsing iptables.nat\n^^^^^^^^^^^^^^^^^^\n\nYou can use nat for interface. This is supported for IPv4 alone. IPv6 deployments should not use NAT.\n\n.. code-block:: yaml\n\n # Support nat\n # iptables -t nat -A POSTROUTING -o eth0 -s 192.168.18.0/24 -d 10.20.0.2 -j MASQUERADE\n\n nat:\n eth0:\n rules:\n '192.168.18.0/24':\n - 10.20.0.2\n\nConfigure the firewall using ``tables``\n---------------------------------------\n\nThe state ``iptables.tables`` let's you configure your firewall iterating over pillars\ndefining rules and policies to add to the different tables (filter, mangle, nat) instead of using services.\nThis way, you can configure iptables the *classic way*. Note that you still need to include the ``iptables`` state.\n\nTo enable the 'tables' mode, set:\n\n.. code-block:: yaml\n\n firewall:\n use_tables: True\n\nand then add rules to configure iptables. Check the ``pillar.example``'s *table* section to see some examples.\n\nIPv6 Support\n------------\n\nThis formula supports IPv6 as long as it is activated with the option:\n\n.. code-block:: yaml\n\n firewall:\n ipv6: True\n\nServices and whitelists are supported under the sections ``services_ipv6`` and ``whitelist_ipv6``, as below:\n\n.. code-block:: yaml\n\n services_ipv6:\n ssh:\n block_nomatch: False\n ips_allow:\n - 2a02:2028:773:d01:10a5:f34f:e7ff:f55b/64\n - 2a02:2028:773:d01:1814:28ef:e91b:70b8/64\n whitelist_ipv6:\n networks:\n ips_allow:\n - 2a02:2028:773:d01:1814:28ef:e91b:70b8/64\n\nThese sections are only processed if the ipv6 support is activated.\n\nTesting\n-------\n\nLinux testing is done with ``kitchen-salt``.\n\nRequirements\n^^^^^^^^^^^^\n\n* Ruby\n* Docker\n\n.. code-block:: bash\n\n $ gem install bundler\n $ bundle install\n $ bin/kitchen test [platform]\n\nWhere ``[platform]`` is the platform name defined in ``kitchen.yml``,\ne.g. ``debian-9-2019-2-py3``.\n\n``bin/kitchen converge``\n^^^^^^^^^^^^^^^^^^^^^^^^\n\nCreates the docker instance and runs the ``iptables`` main state, ready for testing.\n\n``bin/kitchen verify``\n^^^^^^^^^^^^^^^^^^^^^^\n\nRuns the ``inspec`` tests on the actual instance.\n\n``bin/kitchen destroy``\n^^^^^^^^^^^^^^^^^^^^^^^\n\nRemoves the docker instance.\n\n``bin/kitchen test``\n^^^^^^^^^^^^^^^^^^^^\n\nRuns all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.\n\n``bin/kitchen login``\n^^^^^^^^^^^^^^^^^^^^^\n\nGives you SSH access to the instance for manual testing.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsaltstack-formulas%2Fiptables-formula","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsaltstack-formulas%2Fiptables-formula","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsaltstack-formulas%2Fiptables-formula/lists"}