From 3c16218c5a084fa7287b27d9b27c7976cc6471a7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 27 Jul 2023 15:45:18 -0400 Subject: [PATCH] map services,pkg,config for firewall state --- salt/firewall/init.sls | 24 +++++++++++++++++++----- salt/firewall/ipt.map.jinja | 14 ++++++++++++++ 2 files changed, 33 insertions(+), 5 deletions(-) create mode 100644 salt/firewall/ipt.map.jinja diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 5ab028989..929016e63 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -1,15 +1,29 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'firewall/ipt.map.jinja' import iptmap %} + +install_iptables: + pkg.installed: + - name: {{ iptmap.iptpkg }} + +iptables_persist: + pkg.installed: + - name: {{ iptmap.persistpkg }} + +iptables_service: + service.running: + - name: {{ iptmap.service }} + - enabled: True create_sysconfig_iptables: file.touch: - - name: /etc/sysconfig/iptables + - name: {{ iptmap.configfile }} - makedirs: True - - unless: 'ls /etc/sysconfig/iptables' + - unless: 'ls {{ iptmap.configfile }}' iptables_config: file.managed: - - name: /etc/sysconfig/iptables + - name: {{ iptmap.configfile }} - source: salt://firewall/iptables.jinja - template: jinja @@ -24,11 +38,11 @@ disable_firewalld: iptables_restore: cmd.run: - - name: iptables-restore < /etc/sysconfig/iptables + - name: iptables-restore < {{ iptmap.configfile }} - require: - file: iptables_config - onlyif: - - iptables-restore --test /etc/sysconfig/iptables + - iptables-restore --test {{ iptmap.configfile }} {% if grains.os_family == 'RedHat' %} enable_firewalld: diff --git a/salt/firewall/ipt.map.jinja b/salt/firewall/ipt.map.jinja new file mode 100644 index 000000000..245bbac8a --- /dev/null +++ b/salt/firewall/ipt.map.jinja 
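Review bot: In the first init.sls hunk the new `iptables_service` state carries no `require`, so it runs in declaration order before `iptables_config` has written `{{ iptmap.configfile }}`; on a fresh RedHat host `iptables.service` reads `/etc/sysconfig/iptables` when it starts and, as far as I recall its init script, exits non-zero when that file is absent, which would fail the highstate before the managed ruleset is ever laid down. Where the start does succeed, the service loads whatever happened to be on disk at that moment, and the host then depends on the later `iptables_restore` cmd.run to reach the intended policy, which is skipped silently by its `onlyif` if the rendered ruleset does not pass `--test`. I would pin the ordering explicitly instead of leaning on auto-ordering: add `- require:` followed by `- pkg: iptables_persist` and `- file: iptables_config` under `iptables_service`, so that enabling and starting the service is also a restore of the managed rules. The `{% if sls in allowed_states %}` block these states sit in is closed outside the hunk.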
@@ -0,0 +1,14 @@
+{% set iptmap = salt['grains.filter_by']({
+ 'Debian': {
+ 'service': 'netfilter-persistent',
+ 'iptpkg': 'iptables',
+ 'persistpkg': 'iptables-persistent',
+ 'configfile': '/etc/iptables/rules.v4'
+ },
+ 'RedHat': {
+ 'service': 'iptables',
+ 'iptpkg': 'iptables',
+ 'persistpkg': 'iptables-services',
+ 'configfile': '/etc/sysconfig/iptables'
+ },
+}) %}
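Review bot: The lookup passes no `default`, so on any os_family other than Debian or RedHat `grains.filter_by` yields None and the `{{ iptmap.iptpkg }}` references in init.sls fail at render time (Salt's jinja environment uses StrictUndefined, as far as I recall). Failing the render is the right outcome for a firewall state, but nothing here says it is deliberate, so I would add `{# no default on purpose: an unsupported os_family must fail the render rather than leave the host without a managed firewall #}` above the `set`. The map also names only an IPv4 rules file; if the firewall template is meant to cover IPv6 as well, `netfilter-persistent` would look for `/etc/iptables/rules.v6` and RedHat uses a separate `ip6tables` service with `/etc/sysconfig/ip6tables`, none of which is persisted or restored by what is mapped here. I cannot tell from this diff whether IPv6 is in scope, so either add those entries or state in a comment that IPv6 is intentionally unmanaged.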