{% import 'globals.jinja' as globals %}

# Host firewall for a backend server, built from ipset sets and iptables
# rules. Layout of this file:
#   - required package and the save/restore helper scripts
#   - the IP and port sets the rules match on
#   - default chain policy (INPUT -> DROP)
#   - raw PREROUTING/OUTPUT NOTRACK rules and filter INPUT ACCEPT rules
# Rule order matters: iptables.append adds rules in the order the states run,
# so the require chains between the rule states are what keep each chain in
# the intended sequence. Do not reorder or drop a require without checking
# the resulting rule order on a host.

# Required packages and helpers
# -----------------------------

ipset_package:
  pkg.installed:
    - name: ipset

# Script that persists the current ipset configuration; run by do_ipset_save.
/etc/iptables/ipset-save.sh:
  file.managed:
    - source: salt://firewall/files/ipset-save.sh
    # NOTE(review): Salt recommends quoting modes ('0555') so YAML never
    # re-types them as an integer/octal; 555 is normalised by Salt today.
    - mode: 555
    - makedirs: True

# ifupdown hook placed in if-pre-up.d; its contents are not in this file.
# Presumably it reloads the saved rules and sets before interfaces come up.
/etc/network/if-pre-up.d/restore-iptables:
  file.managed:
    - source: salt://firewall/files/restore-iptables
    - mode: 555

# Persist the ipset configuration whenever the package or the save script
# changes, and whenever any set/entry state below changes (those states hook
# in via onchanges_in rather than being listed here).
do_ipset_save:
  cmd.run:
    - name: /etc/iptables/ipset-save.sh
    - onchanges:
      - pkg: ipset_package
      - file: /etc/iptables/ipset-save.sh

# IP Sets
# -------

# Backend server private IP addresses.
# Traffic from addresses in this set is ACCEPTed on every port and bypasses
# connection tracking (see the eth0 rules below), so membership here is a
# trust decision. bitmap:ip only holds addresses inside the declared range;
# ipset rejects out-of-range elements, so every admin IP added below (and any
# entry from the included SLS) must lie within 192.168.128.0/17.
ipset_backend_private_ips:
  ipset.set_present:
    - require:
      - pkg: ipset_package
    - onchanges_in:
      - cmd: do_ipset_save
    - set_type: bitmap:ip
    - range: 192.168.128.0/17

# Ensure we always include the admin server IP(s).
# Caveat: if globals.admin_ip_addresses renders empty, the loop emits
# nothing and `entry:` is left with no value (YAML null) — the state will
# then have no entries to add; confirm the globals file always sets it.
ipset_backend_admin_ip_entries:
  ipset.present:
    - require:
      - ipset: ipset_backend_private_ips
    - onchanges_in:
      - cmd: do_ipset_save
    - set_name: ipset_backend_private_ips
    - entry:
{% for ip in globals.admin_ip_addresses %}
      - {{ ip }}
{% endfor %}

# The included SLS is not visible here; by its name it is expected to add the
# remaining backend entries to ipset_backend_private_ips.
include:
  - firewall.backend_private_ip_entries

# Publicly accessible TCP ports.
# Every port in this set is reachable from anywhere on eth0 without conntrack
# (INPUT ACCEPT + PREROUTING NOTRACK below) — keep the entries minimal.
ipset_public_tcp_ports:
  ipset.set_present:
    - require:
      - pkg: ipset_package
    - onchanges_in:
      - cmd: do_ipset_save
    - set_type: bitmap:port
    - range: 0-65535

# Always include SSH access.
ipset_public_tcp_port_entries:
  ipset.present:
    - require:
      - ipset: ipset_public_tcp_ports
    - onchanges_in:
      - cmd: do_ipset_save
    - set_name: ipset_public_tcp_ports
    - entry:
      - '22'

# Publicly accessible UDP ports.
# No entries are added in this file; the set exists so other states can
# populate it. Same exposure caveat as the TCP set above.
ipset_public_udp_ports:
  ipset.set_present:
    - require:
      - pkg: ipset_package
    - onchanges_in:
      - cmd: do_ipset_save
    - set_type: bitmap:port
    - range: 0-65535

# Default Policies
# ----------------

# Only INPUT is given an explicit policy. FORWARD and the filter OUTPUT chain
# keep whatever policy the host already has (kernel default ACCEPT unless set
# elsewhere) — nothing visible in this file touches them; confirm that is
# intended for this host role.
iptables_policy_input:
  iptables.set_policy:
    - save: True
    - chain: INPUT
    - policy: DROP

# Prerouting rules
# ----------------

# These are used to bypass connection tracking on input as it is unnecessary.
# raw/PREROUTING NOTRACK: traffic matched here never gets a conntrack entry,
# so it can never satisfy the ESTABLISHED,RELATED rule that closes INPUT.
# Every class that is NOTRACKed (loopback, backend range, public TCP/UDP
# ports, ICMP) therefore has its own explicit ACCEPT in the INPUT rules
# further down; keep the two lists in step when adding or removing a class.
#
# NOTE(review): eth0 carries both the private backend range and public
# traffic. An inbound packet on eth0 with a spoofed 192.168.128.0/17 source
# would be NOTRACKed here and ACCEPTed by iptables_input_backend_private_ips,
# so this layout relies on anti-spoofing outside this file (provider
# filtering and/or rp_filter) — confirm that is in place.

iptables_prerouting_localhost:
  iptables.append:
    - save: True
    - table: raw
    - chain: PREROUTING
    - jump: NOTRACK
    - in-interface: lo

iptables_prerouting_backend_private_ips:
  iptables.append:
    - require:
      - iptables: iptables_prerouting_localhost
      - ipset: ipset_backend_private_ips
    - save: True
    - table: raw
    - chain: PREROUTING
    - jump: NOTRACK
    - in-interface: eth0
    # NOTE(review): the set is one-dimensional (bitmap:ip), so only the first
    # flag (src) is expected to be consulted — confirm; a plain "src" would
    # state the intent more clearly.
    - match-set: ipset_backend_private_ips src,dst

iptables_prerouting_public_tcp_ports:
  iptables.append:
    - require:
      - iptables: iptables_prerouting_backend_private_ips
      - ipset: ipset_public_tcp_ports
    - save: True
    - table: raw
    - chain: PREROUTING
    - jump: NOTRACK
    - in-interface: eth0
    - proto: tcp
    - match-set: ipset_public_tcp_ports dst

iptables_prerouting_public_udp_ports:
  iptables.append:
    - require:
      - iptables: iptables_prerouting_public_tcp_ports
      - ipset: ipset_public_udp_ports
    - save: True
    - table: raw
    - chain: PREROUTING
    - jump: NOTRACK
    - in-interface: eth0
    - proto: udp
    - match-set: ipset_public_udp_ports dst

# All ICMP types on eth0 are untracked (no icmp-type restriction).
iptables_prerouting_icmp:
  iptables.append:
    - require:
      - iptables: iptables_prerouting_public_udp_ports
    - save: True
    - table: raw
    - chain: PREROUTING
    - jump: NOTRACK
    - in-interface: eth0
    - proto: icmp

# Input rules
# -----------

# filter/INPUT ACCEPT rules. With the INPUT policy set to DROP elsewhere in
# this file, anything not matched below is dropped. The require chain fixes
# the order: loopback, backend range, public TCP, public UDP, ICMP, then the
# stateful catch-all.

iptables_input_localhost:
  iptables.append:
    - save: True
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - in-interface: lo

# Accepts every port/protocol from the backend set — see the trust note on
# ipset_backend_private_ips and the spoofing note above.
iptables_input_backend_private_ips:
  iptables.append:
    - require:
      - iptables: iptables_input_localhost
      - ipset: ipset_backend_private_ips
    - save: True
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - in-interface: eth0
    # NOTE(review): same flag question as in PREROUTING — one-dimensional set,
    # first flag (src) expected to apply; confirm.
    - match-set: ipset_backend_private_ips src,dst

iptables_input_public_tcp_ports:
  iptables.append:
    - require:
      - iptables: iptables_input_backend_private_ips
      - ipset: ipset_public_tcp_ports
    - save: True
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - in-interface: eth0
    - proto: tcp
    - match-set: ipset_public_tcp_ports dst

iptables_input_public_udp_ports:
  iptables.append:
    - require:
      - iptables: iptables_input_public_tcp_ports
      - ipset: ipset_public_udp_ports
    - save: True
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - in-interface: eth0
    - proto: udp
    - match-set: ipset_public_udp_ports dst

# Rate-limited ICMP: 3 packets/second with a burst of 3, applied to every
# ICMP type arriving on eth0 (no icmp-type match). Packets over the limit
# fall through to the DROP policy.
iptables_input_icmp:
  iptables.append:
    - require:
      - iptables: iptables_input_public_udp_ports
    - save: True
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - in-interface: eth0
    - proto: icmp
    - match: limit
    - limit: 3/second
    - limit-burst: 3

# Stateful catch-all for tracked flows — in practice mostly replies to this
# host's own outbound connections, since inbound service traffic is
# NOTRACKed in PREROUTING and never reaches ESTABLISHED. Kept last so it only
# sees what the explicit rules above did not already handle.
iptables_input_established:
  iptables.append:
    - require:
      - iptables: iptables_input_icmp
    - save: True
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - in-interface: eth0
    - match: conntrack
    - ctstate: ESTABLISHED,RELATED

# Output Rules
# ------------

# These are used to bypass connection tracking on output where it is
# unnecessary.
# Only the raw table is touched here; the filter OUTPUT chain and its policy
# are left as the host has them (nothing visible in this file sets them).

iptables_output_localhost:
  iptables.append:
    - save: True
    - table: raw
    - chain: OUTPUT
    - jump: NOTRACK
    - out-interface: lo

iptables_output_backend_private_ips:
  iptables.append:
    - require:
      - iptables: iptables_output_localhost
      - ipset: ipset_backend_private_ips
    - save: True
    - table: raw
    - chain: OUTPUT
    - jump: NOTRACK
    - out-interface: eth0
    # NOTE(review): if only the first flag applies to this one-dimensional
    # set, this matches on the packet's *source* address, not its backend
    # destination — confirm that "src,dst" rather than "dst" is intended for
    # the OUTPUT direction.
    - match-set: ipset_backend_private_ips src,dst

# Replies leaving a public service port are untracked, mirroring the
# PREROUTING/INPUT handling of the inbound side.
iptables_output_public_tcp_ports:
  iptables.append:
    - require:
      - iptables: iptables_output_backend_private_ips
      - ipset: ipset_public_tcp_ports
    - save: True
    - table: raw
    - chain: OUTPUT
    - jump: NOTRACK
    - out-interface: eth0
    - proto: tcp
    - match-set: ipset_public_tcp_ports src

iptables_output_public_udp_ports:
  iptables.append:
    - require:
      - iptables: iptables_output_public_tcp_ports
      - ipset: ipset_public_udp_ports
    - save: True
    - table: raw
    - chain: OUTPUT
    - jump: NOTRACK
    - out-interface: eth0
    - proto: udp
    - match-set: ipset_public_udp_ports src

iptables_output_icmp:
  iptables.append:
    - require:
      - iptables: iptables_output_public_udp_ports
    - save: True
    - table: raw
    - chain: OUTPUT
    - jump: NOTRACK
    - out-interface: eth0
    - proto: icmp