salt.states.iptables
Management of iptables
This is an iptables-specific module designed to manage Linux firewalls. It is expected that this state module, and other system-specific firewall states, may at some point be deprecated in favor of a more generic firewall state.
httpd:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match:
        - state
        - comment
    - comment: "Allow HTTP"
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match:
        - state
        - comment
    - comment: "Allow HTTP"
    - connstate: NEW
    - source: '127.0.0.1'
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

# Invert Rule
httpd:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match:
        - state
        - comment
    - comment: "Allow HTTP"
    - connstate: NEW
    - source: '! 127.0.0.1'
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match:
        - state
        - comment
    - comment: "Allow HTTP"
    - connstate: NEW
    - source: 'not 127.0.0.1'
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.append:
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.append:
    - table: filter
    - family: ipv4
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dports:
        - 80
        - 443
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.insert:
    - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.insert:
    - position: 1
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.delete:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.delete:
    - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

httpd:
  iptables.delete:
    - table: filter
    - family: ipv6
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: NEW
    - dport: 80
    - protocol: tcp
    - sport: 1025:65535
    - save: True

default to accept:
  iptables.set_policy:
    - chain: INPUT
    - policy: ACCEPT
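The examples above each manage one rule in isolation. The following SLS is an added example, not part of the Salt documentation, that combines insert, append and set_policy into a default-deny INPUT baseline. The state IDs, the admin network 192.0.2.0/24 (a documentation-range placeholder) and the require ordering are assumptions for illustration.

```yaml
# Added example, not from the Salt documentation. State IDs and the
# admin network 192.0.2.0/24 (a documentation-range placeholder) are
# assumptions. The require on the policy state keeps the allow rules
# ahead of the switch to DROP, so a highstate run cannot lock you out
# of the minion halfway through applying the firewall.

allow_established:
  iptables.insert:
    - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match: state
    - connstate: ESTABLISHED,RELATED
    - save: True

allow_loopback:
  iptables.insert:
    - position: 1
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - in-interface: lo
    - save: True

allow_ssh_from_admin_net:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - match:
        - state
        - comment
    - comment: "SSH from admin network"
    - connstate: NEW
    - source: 192.0.2.0/24
    - protocol: tcp
    - dport: 22
    - save: True

# The policy switch runs last: every allow rule above is a requisite.
input_default_drop:
  iptables.set_policy:
    - table: filter
    - chain: INPUT
    - policy: DROP
    - save: True
    - require:
        - iptables: allow_established
        - iptables: allow_loopback
        - iptables: allow_ssh_from_admin_net
```

Two things to keep in mind when using a baseline like this. First, family defaults to ipv4, so nothing here touches ip6tables; a host that is reachable over IPv6 keeps an ACCEPT policy there unless the same established, loopback and management rules and the DROP policy are repeated with family: ipv6 (as the ipv6 variants above show). Second, both insert states use position 1, so whichever is applied later ends up first; that is harmless here because the two rules are independent, but when relative order matters use distinct positions or a require chain.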
Note
Whereas iptables will accept -p and --proto[c[o[l]]] as synonyms of --protocol, if --proto appears in an iptables command after the appearance of -m policy, it is interpreted as the --proto option of the policy extension (see the iptables-extensions(8) man page).
Example rules for IPSec policy:
accept_esp_in:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - source: 10.20.0.0/24
    - destination: 10.10.0.0/24
    - in-interface: eth0
    - match: policy
    - dir: in
    - pol: ipsec
    - reqid: 1
    - proto: esp

accept_esp_forward_in:
  iptables.append:
    - use:
        - iptables: accept_esp_in
    - chain: FORWARD

accept_esp_out:
  iptables.append:
    - table: filter
    - chain: OUTPUT
    - jump: ACCEPT
    - source: 10.10.0.0/24
    - destination: 10.20.0.0/24
    - out-interface: eth0
    - match: policy
    - dir: out
    - pol: ipsec
    - reqid: 1
    - proto: esp

accept_esp_forward_out:
  iptables.append:
    - use:
        - iptables: accept_esp_out
    - chain: FORWARD
Note
Various functions of the iptables module use the --check option. If the version of iptables on the target system does not include this option, an alternate version of this check will be performed using the output of iptables-save. This may have unintended consequences on legacy releases of iptables.
salt.states.iptables.append(name, table='filter', family='ipv4', **kwargs)
New in version 0.17.0.
Add a rule to the end of the specified chain.
name
    A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
table
    The table that owns the chain which should be modified
family
    Network family, ipv4 or ipv6.
All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate). Jump options that don't take arguments should be passed in with an empty string.
salt.states.iptables.chain_absent(name, table='filter', family='ipv4')
New in version 2014.1.0.
Verify the chain is absent.
table
    The table to remove the chain from
family
    Networking family, either ipv4 or ipv6
salt.states.iptables.chain_present(name, table='filter', family='ipv4')
New in version 2014.1.0.
Verify the chain exists.
name
    A user-defined chain name.
table
    The table to own the chain.
family
    Networking family, either ipv4 or ipv6
salt.states.iptables.delete(name, table='filter', family='ipv4', **kwargs)
New in version 2014.1.0.
Delete a rule from a chain.
name
    A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
table
    The table that owns the chain that should be modified
family
    Networking family, either ipv4 or ipv6
All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate). Jump options that don't take arguments should be passed in with an empty string.
salt.states.iptables.flush(name, table='filter', family='ipv4', **kwargs)
New in version 2014.1.0.
Flush current iptables state
table
    The table that owns the chain that should be modified
family
    Networking family, either ipv4 or ipv6
chain
    The chain to be flushed. All the chains in the table if none is given.
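The chain_present, chain_absent, delete and flush states are easiest to understand together. The following SLS is an added example, not part of the Salt documentation, that routes web traffic from INPUT into a user-defined chain and retires an older one. The chain names WEB_IN and LEGACY_WEB and the state IDs are assumptions for illustration.

```yaml
# Added example, not from the Salt documentation. The chain names WEB_IN
# and LEGACY_WEB and all state IDs are assumptions. A jump from INPUT into
# a dedicated chain keeps service rules separate from the host baseline.

web_chain:
  iptables.chain_present:
    - name: WEB_IN
    - table: filter
    - family: ipv4

# Rules are appended into the custom chain, not into INPUT. The require
# guarantees the chain exists before the first rule is added to it.
web_chain_http:
  iptables.append:
    - table: filter
    - chain: WEB_IN
    - jump: ACCEPT
    - match:
        - state
        - comment
    - comment: "HTTP/HTTPS"
    - connstate: NEW
    - protocol: tcp
    - dports:
        - 80
        - 443
    - save: True
    - require:
        - iptables: web_chain

# Hand TCP traffic from INPUT to WEB_IN. Packets that match nothing in
# WEB_IN fall back to INPUT and continue with the rules after the jump.
input_to_web_chain:
  iptables.append:
    - table: filter
    - chain: INPUT
    - jump: WEB_IN
    - protocol: tcp
    - save: True
    - require:
        - iptables: web_chain

# Retiring an old chain: iptables refuses to delete a chain that is still
# referenced by a jump, so the INPUT rule that jumps to it goes first.
# This delete assumes the original jump was created with exactly these
# arguments (table, chain, jump and protocol), since delete matches the
# rule literally.
legacy_jump:
  iptables.delete:
    - table: filter
    - chain: INPUT
    - jump: LEGACY_WEB
    - protocol: tcp
    - save: True

legacy_chain:
  iptables.chain_absent:
    - name: LEGACY_WEB
    - table: filter
    - require:
        - iptables: legacy_jump
```

flush is deliberately absent from this example. It empties the named chain (or every chain in the table when no chain is given) each time the state runs, so pairing it with append would tear down and rebuild the rules on every highstate and leave a short window in which WEB_IN is empty; keep it for one-off cleanup rather than as a routine step, and never run it against INPUT on a host whose INPUT policy is DROP.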
salt.states.iptables.insert(name, table='filter', family='ipv4', **kwargs)
New in version 2014.1.0.
Insert a rule into a chain
name
    A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
table
    The table that owns the chain that should be modified
family
    Networking family, either ipv4 or ipv6
position
    The numerical representation of where the rule should be inserted into the chain. Note that -1 is not a supported position value.
All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception: --state is specified as connstate instead of state (not to be confused with ctstate). Jump options that don't take arguments should be passed in with an empty string.
salt.states.iptables.mod_aggregate(low, chunks, running)
The mod_aggregate function which looks up all rules in the available low chunks and merges them into a single rules ref in the present low data
salt.states.iptables.set_policy(name, table='filter', family='ipv4', **kwargs)
New in version 2014.1.0.
Sets the default policy for a chain in an iptables firewall table
table
    The table that owns the chain whose policy should be set
family
    Networking family, either ipv4 or ipv6
chain
    The chain whose default policy should be set (for example INPUT, as in the set_policy example above)
policy
    The requested default policy for the chain (for example ACCEPT or DROP)
© 2021 SaltStack.
Licensed under the Apache License, Version 2.0.
https://docs.saltproject.io/en/latest/ref/states/all/salt.states.iptables.html