Support for iptables
The following options can be set in the minion config, grains, pillar, or master config. The configuration is read using config.get
.
iptables.save_filters
: List of REGEX strings to FILTER OUT matching lines
This is useful for filtering out chains, rules, etc that you do not wish to persist, such as ephemeral Docker rules.
The default is to not filter out anything.
iptables.save_filters: - "-j CATTLE_PREROUTING" - "-j DOCKER" - "-A POSTROUTING" - "-A CATTLE_POSTROUTING" - "-A FORWARD"
Append a rule to the specified table/chain.
CLI Example:
salt '*' iptables.append filter INPUT \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' IPv6: salt '*' iptables.append filter INPUT \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \ family=ipv6
Build a well-formatted iptables rule based on kwargs. A table and chain are not required, unless full is True.
If full is True, then table, chain and command are required. command may be specified as either a short option ('I') or a long option (--insert). This will return the iptables command, exactly as it would be used from the command line.
If a position is required (as with -I or -D), it may be specified as position. This will only be useful if full is True.
If state is passed, it will be ignored, use connstate. If connstate is passed in, it will automatically be changed to state.
To pass in jump options that doesn't take arguments, pass in an empty string.
Note
Whereas iptables will accept -p
, --proto[c[o[l]]]
as synonyms of --protocol
, if --proto
appears in an iptables command after the appearance of -m policy
, it is interpreted as the --proto
option of the policy extension (see the iptables-extensions(8) man page).
CLI Examples:
salt '*' iptables.build_rule match=state \ connstate=RELATED,ESTABLISHED jump=ACCEPT salt '*' iptables.build_rule filter INPUT command=I position=3 \ full=True match=state connstate=RELATED,ESTABLISHED jump=ACCEPT salt '*' iptables.build_rule filter INPUT command=A \ full=True match=state connstate=RELATED,ESTABLISHED \ source='127.0.0.1' jump=ACCEPT .. Invert Rules salt '*' iptables.build_rule filter INPUT command=A \ full=True match=state connstate=RELATED,ESTABLISHED \ source='!127.0.0.1' jump=ACCEPT salt '*' iptables.build_rule filter INPUT command=A \ full=True match=state connstate=RELATED,ESTABLISHED \ destination='not 127.0.0.1' jump=ACCEPT IPv6: salt '*' iptables.build_rule match=state \ connstate=RELATED,ESTABLISHED jump=ACCEPT \ family=ipv6 salt '*' iptables.build_rule filter INPUT command=I position=3 \ full=True match=state connstate=RELATED,ESTABLISHED jump=ACCEPT \ family=ipv6
Check for the existence of a rule in the table and chain
CLI Example:
salt '*' iptables.check filter INPUT \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' IPv6: salt '*' iptables.check filter INPUT \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \ family=ipv6
New in version 2014.1.0.
Check for the existence of a chain in the table
CLI Example:
salt '*' iptables.check_chain filter INPUT IPv6: salt '*' iptables.check_chain filter INPUT family=ipv6
CLI Examples:
salt '*' iptables.delete filter INPUT position=3 salt '*' iptables.delete filter INPUT \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' IPv6: salt '*' iptables.delete filter INPUT position=3 family=ipv6 salt '*' iptables.delete filter INPUT \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \ family=ipv6
New in version 2014.1.0.
Delete custom chain to the specified table.
CLI Example:
salt '*' iptables.delete_chain filter CUSTOM_CHAIN IPv6: salt '*' iptables.delete_chain filter CUSTOM_CHAIN family=ipv6
Flush the chain in the specified table, flush all chains in the specified table if not specified chain.
CLI Example:
salt '*' iptables.flush filter INPUT IPv6: salt '*' iptables.flush filter INPUT family=ipv6
Return the current policy for the specified table/chain
CLI Example:
salt '*' iptables.get_policy filter INPUT IPv6: salt '*' iptables.get_policy filter INPUT family=ipv6
Return a data structure of the current, in-memory rules
CLI Example:
salt '*' iptables.get_rules IPv6: salt '*' iptables.get_rules family=ipv6
Return the current policy for the specified table/chain
CLI Examples:
salt '*' iptables.get_saved_policy filter INPUT salt '*' iptables.get_saved_policy filter INPUT \ conf_file=/etc/iptables.saved IPv6: salt '*' iptables.get_saved_policy filter INPUT family=ipv6 salt '*' iptables.get_saved_policy filter INPUT \ conf_file=/etc/iptables.saved family=ipv6
Return a data structure of the rules in the conf file
CLI Example:
salt '*' iptables.get_saved_rules IPv6: salt '*' iptables.get_saved_rules family=ipv6
Insert a rule into the specified table/chain, at the specified position.
CLI Examples:
salt '*' iptables.insert filter INPUT position=3 \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' IPv6: salt '*' iptables.insert filter INPUT position=3 \ rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \ family=ipv6
New in version 2014.1.0.
Create new custom chain to the specified table.
CLI Example:
salt '*' iptables.new_chain filter CUSTOM_CHAIN IPv6: salt '*' iptables.new_chain filter CUSTOM_CHAIN family=ipv6
Save the current in-memory rules to disk
CLI Example:
salt '*' iptables.save /etc/sysconfig/iptables IPv6: salt '*' iptables.save /etc/sysconfig/iptables family=ipv6
Set the current policy for the specified table/chain
CLI Example:
salt '*' iptables.set_policy filter INPUT ACCEPT IPv6: salt '*' iptables.set_policy filter INPUT ACCEPT family=ipv6
Return version from iptables --version
CLI Example:
salt '*' iptables.version IPv6: salt '*' iptables.version family=ipv6
© 2019 SaltStack.
Licensed under the Apache License, Version 2.0.
https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.iptables.html