• Salt: an example SLS for adding iptables rules


    {# .items() works on both Python 2 and Python 3 minions; .iteritems() is Python 2 only #}
    {% for eachfw, fw_rule in pillar['firewall'].items() %}
    # Add a custom chain for this service
    {{ eachfw }}-chain:
      iptables.chain_present:
        # - save: True
        - table: filter
    # Custom chain rules
    {% if 'allow' in fw_rule %}
    # Whitelist: accept the listed sources, then drop everything else
    {% for each_allow in fw_rule['allow'] %}
    {{ eachfw }}_allow_{{ each_allow }}:
      iptables.insert:
        - table: filter
        - chain: {{ eachfw }}-chain
        - position: 1
        - source: {{ each_allow }}
        - jump: ACCEPT
        - require:
          - iptables: {{ eachfw }}-chain
        - require_in:
          - iptables: {{ eachfw }}_deny
        - save: True
    {% endfor %}
    # Deny all remaining sources
    {{ eachfw }}_deny:
      iptables.append:
        - table: filter
        - chain: {{ eachfw }}-chain
        - jump: DROP
        - save: True

    {% elif 'deny' in fw_rule %}
    # Blacklist: drop the listed sources, then accept everything else
    {% for each_deny in fw_rule['deny'] %}
    {{ eachfw }}_deny_{{ each_deny }}:
      iptables.insert:
        - table: filter
        - chain: {{ eachfw }}-chain
        - position: 1
        - source: {{ each_deny }}
        - jump: DROP
        - require:
          - iptables: {{ eachfw }}-chain
        - require_in:
          - iptables: {{ eachfw }}_allow
        - save: True
    {% endfor %}
    # Accept all remaining sources
    {{ eachfw }}_allow:
      iptables.append:
        - table: filter
        - chain: {{ eachfw }}-chain
        - jump: ACCEPT
        - save: True
    {% endif %}

    # Send TCP traffic for the service port from INPUT to the custom chain
    {{ eachfw }}-main:
      iptables.insert:
        - table: filter
        - chain: INPUT
        - position: 1
        - proto: tcp
        - dport: {{ fw_rule['port'] }}
        - jump: {{ eachfw }}-chain
        # The jump target must exist before this rule is inserted
        - require:
          - iptables: {{ eachfw }}-chain
        # Persist the jump rule as well, like the chain rules above
        - save: True
    {% endfor %}

    I forgot where I saw this; I only have the file, so I am keeping it here for now.
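The template reads `pillar['firewall']` as a mapping of service name to `port` plus either an `allow` or a `deny` list, and it silently skips `deny` whenever `allow` is present. The following is an added example, not part of the original file: a pre-deployment check for that pillar data. The helper name `check_firewall_pillar` and the sample pillar are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape the template reads from pillar['firewall'].
SAMPLE_FIREWALL = {
    "ssh": {"port": 22, "allow": ["192.0.2.10", "198.51.100.0/24"]},
    "web": {"port": 80, "deny": ["203.0.113.7"]},
    "db": {"port": 3306, "allow": ["192.0.2.20"], "deny": ["203.0.113.0/24"]},
    "cache": {"port": 6379},
    "api": {"port": 70000, "allow": ["0.0.0.0/0", "not-an-ip"]},
}


def check_firewall_pillar(firewall):
    """Hypothetical helper: return (service, problem) tuples for the pillar data."""
    problems = []
    for name, rule in firewall.items():
        port = rule.get("port")
        if type(port) is not int or not 1 <= port <= 65535:
            problems.append((name, "port missing or out of range"))
        if "allow" in rule and "deny" in rule:
            # The template tests 'allow' first and reaches 'deny' only via elif.
            problems.append((name, "deny list is ignored because allow is set"))
        if "allow" not in rule and "deny" not in rule:
            # The chain is created but gets no rules, so it filters nothing.
            problems.append((name, "no allow or deny list, chain stays empty"))
        for key in ("allow", "deny"):
            for src in rule.get(key, []):
                try:
                    net = ipaddress.ip_network(str(src), strict=False)
                except ValueError:
                    problems.append((name, f"{key} entry {src!r} is not an IP or CIDR"))
                    continue
                if net.version != 4:
                    # The states set no 'family', so Salt uses its ipv4 default.
                    problems.append((name, f"{key} entry {src!r} is IPv6"))
                elif key == "allow" and net.prefixlen == 0:
                    problems.append((name, f"allow entry {src!r} matches every source"))
    return problems


if __name__ == "__main__":
    for service, problem in check_firewall_pillar(SAMPLE_FIREWALL):
        print(f"{service}: {problem}")
```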

  • Original article: https://www.cnblogs.com/LYCong/p/7978204.html