deployment
/
salt


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293
							{% import 'globals.jinja' as globals %}

# Required packages and helpers
# -----------------------------
ipset_package:
  pkg.installed:
    - name: ipset

/etc/iptables/ipset-save.sh:
  file.managed:
    - source: salt://firewall/files/ipset-save.sh
    - mode: 555
    - makedirs: True

/etc/network/if-pre-up.d/restore-iptables:
  file.managed:
    - source: salt://firewall/files/restore-iptables
    - mode: 555

do_ipset_save:
  cmd.run:
    - name: /etc/iptables/ipset-save.sh
    - onchanges:
      - pkg: ipset_package
      - file: /etc/iptables/ipset-save.sh

# IP Sets
# -------

# Backend server private IP addresses.
ipset_backend_private_ips:
  ipset.set_present:
    - require:
      - pkg: ipset_package
    - onchanges_in:
      - cmd: do_ipset_save
    - set_type: bitmap:ip
    - range: 192.168.128.0/17

# Ensure we always include the admin server IP(s).
ipset_backend_admin_ip_entries:
  ipset.present:
    - require:
      - ipset: ipset_backend_private_ips
    - onchanges_in:
      - cmd: do_ipset_save
    - set_name: ipset_backend_private_ips
    - entry:
{% for ip in globals.admin_ip_addresses %}
      - {{ ip }}
{% endfor %}

include:
  - firewall.backend_private_ip_entries

# Publically accessible TCP ports.
ipset_public_tcp_ports:
  ipset.set_present:
    - require:
      - pkg: ipset_package
    - onchanges_in:
      - cmd: do_ipset_save
    - set_type: bitmap:port
    - range: 0-65535

# Always include SSH access.
ipset_public_tcp_port_entries:
  ipset.present:
    - require:
      - ipset: ipset_public_tcp_ports
    - onchanges_in:
      - cmd: do_ipset_save
    - set_name: ipset_public_tcp_ports
    - entry:
      - '22'

# Publically accessible UDP ports.
ipset_public_udp_ports:
  ipset.set_present:
    - require:
      - pkg: ipset_package
    - onchanges_in:
      - cmd: do_ipset_save
    - set_type: bitmap:port
    - range: 0-65535

# Default Policies
# ----------------

iptables_policy_input:
  iptables.set_policy:
    - save: True
    - chain: INPUT
    - policy: DROP

# Prerouting rules
# ----------------
# These are used to bypass connection tracking on input as it is unnecessary.

iptables_prerouting_localhost:
  iptables.append:
    - save: True
    - table: raw
    - chain: PREROUTING
    - jump: NOTRACK
    - in-interface: lo

iptables_prerouting_backend_private_ips:
  iptables.append:
    - require:
      - iptables: iptables_prerouting_localhost
      - ipset: ipset_backend_private_ips
    - save: True
    - table: raw
    - chain: PREROUTING
    - jump: NOTRACK
    - in-interface: eth0
    - match-set: ipset_backend_private_ips src,dst

iptables_prerouting_public_tcp_ports:
  iptables.append:
    - require:
      - iptables: iptables_prerouting_backend_private_ips
      - ipset: ipset_public_tcp_ports
    - save: True
    - table: raw
    - chain: PREROUTING
    - jump: NOTRACK
    - in-interface: eth0
    - proto: tcp
    - match-set: ipset_public_tcp_ports dst

iptables_prerouting_public_udp_ports:
  iptables.append:
    - require:
      - iptables: iptables_prerouting_public_tcp_ports
      - ipset: ipset_public_udp_ports
    - save: True
    - table: raw
    - chain: PREROUTING
    - jump: NOTRACK
    - in-interface: eth0
    - proto: udp
    - match-set: ipset_public_udp_ports dst

iptables_prerouting_icmp:
  iptables.append:
    - require:
      - iptables: iptables_prerouting_public_udp_ports
    - save: True
    - table: raw
    - chain: PREROUTING
    - jump: NOTRACK
    - in-interface: eth0
    - proto: icmp

# Input rules
# -----------

iptables_input_localhost:
  iptables.append:
    - save: True
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - in-interface: lo

iptables_input_backend_private_ips:
  iptables.append:
    - require:
      - iptables: iptables_input_localhost
      - ipset: ipset_backend_private_ips
    - save: True
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - in-interface: eth0
    - match-set: ipset_backend_private_ips src,dst

iptables_input_public_tcp_ports:
  iptables.append:
    - require:
      - iptables: iptables_input_backend_private_ips
      - ipset: ipset_public_tcp_ports
    - save: True
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - in-interface: eth0
    - proto: tcp
    - match-set: ipset_public_tcp_ports dst

iptables_input_public_udp_ports:
  iptables.append:
    - require:
      - iptables: iptables_input_public_tcp_ports
      - ipset: ipset_public_udp_ports
    - save: True
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - in-interface: eth0
    - proto: udp
    - match-set: ipset_public_udp_ports dst

iptables_input_icmp:
  iptables.append:
    - require:
      - iptables: iptables_input_public_udp_ports
    - save: True
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - in-interface: eth0
    - proto: icmp
    - match: limit
    - limit: 3/second
    - limit-burst: 3

iptables_input_established:
  iptables.append:
    - require:
      - iptables: iptables_input_icmp
    - save: True
    - table: filter
    - chain: INPUT
    - jump: ACCEPT
    - in-interface: eth0
    - match: conntrack
    - ctstate: ESTABLISHED,RELATED

# Output Rules
# ------------
# These are used to bypass connection tracking on output where it is
# unnecessary.

iptables_output_localhost:
  iptables.append:
    - save: True
    - table: raw
    - chain: OUTPUT
    - jump: NOTRACK
    - out-interface: lo

iptables_output_backend_private_ips:
  iptables.append:
    - require:
      - iptables: iptables_output_localhost
      - ipset: ipset_backend_private_ips
    - save: True
    - table: raw
    - chain: OUTPUT
    - jump: NOTRACK
    - out-interface: eth0
    - match-set: ipset_backend_private_ips src,dst

iptables_output_public_tcp_ports:
  iptables.append:
    - require:
      - iptables: iptables_output_backend_private_ips
      - ipset: ipset_public_tcp_ports
    - save: True
    - table: raw
    - chain: OUTPUT
    - jump: NOTRACK
    - out-interface: eth0
    - proto: tcp
    - match-set: ipset_public_tcp_ports src

iptables_output_public_udp_ports:
  iptables.append:
    - require:
      - iptables: iptables_output_public_tcp_ports
      - ipset: ipset_public_udp_ports
    - save: True
    - table: raw
    - chain: OUTPUT
    - jump: NOTRACK
    - out-interface: eth0
    - proto: udp 
    - match-set: ipset_public_udp_ports src

iptables_output_icmp:
  iptables.append:
    - require:
      - iptables: iptables_output_public_udp_ports
    - save: True
    - table: raw
    - chain: OUTPUT
    - jump: NOTRACK
    - out-interface: eth0
    - proto: icmp