From 4b0980299101c4851d89f033e81deca94df8b79d Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Mon, 18 Jun 2018 11:21:00 -0400
Subject: [PATCH] Firewall Module - Allow SSH block all the things

---
 salt/firewall/init.sls | 50 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)

diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls
index e05acfa78..ef969761f 100644
--- a/salt/firewall/init.sls
+++ b/salt/firewall/init.sls
@@ -1 +1,49 @@
-#Init.sls for the firewall module
\ No newline at end of file
+# Keep localhost in the game
+iptables_allow_localhost:
+ iptables.append:
+ - table: filter
+ - chain: INPUT
+ - jump: ACCEPT
+ - source: 127.0.0.1
+ - save: True
+
+# Allow related/established sessions
+iptables_allow_established:
+ iptables.append:
+ - table: filter
+ - chain: INPUT
+ - jump: ACCEPT
+ - match: conntrack
+ - ctstate: 'RELATED,ESTABLISHED'
+ - save: True
+
+# Always allow SSH so we can like log in
+iptables_allow_ssh:
+ iptables.append:
+ - table: filter
+ - chain: INPUT
+ - jump: ACCEPT
+ - dport: 22
+ - proto: tcp
+ - save: True
+
+# I like pings
+iptables_allow_pings:
+ iptables.append:
+ - table: filter
+ - chain: INPUT
+ - jump: ACCEPT
+ - proto: icmp
+ - save: True
+
+# Set the policy to deny everything unless defined
+enable_reject_policy:
+ iptables.set_policy:
+ - table: filter
+ - chain: INPUT
+ - policy: DROP
+ - require:
+ - firewall: iptables_allow_localhost
+ - firewall: iptables_allow_established
+ - firewall: iptables_allow_ssh
+ - firewall: iptables_allow_pings
\ No newline at end of file
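Review bot: The `require` list on `enable_reject_policy` names the four accept rules under the state-module key `firewall`, but those states are declared with `iptables.append`, so Salt should reject the requisites as not found and the DROP policy would never be applied — unless this repo ships a custom `firewall` state module, which the hunk does not show; the key should be `iptables`. `enable_reject_policy` also lacks the `save: True` the append rules carry, so the last `iptables-save` runs while the INPUT policy is still ACCEPT and a reboot restores an open policy. Only the IPv4 `filter` table is locked down (ip6tables is untouched, so the host stays fully reachable over IPv6), and `source: 127.0.0.1` is narrower than the usual `in-interface: lo`. The SSH rule accepts tcp/22 from any source, so consider a pillar-driven `source:` allow-list so the one always-open port is not world-reachable. Rewritten policy state below.
```yaml
# … unchanged: iptables_allow_localhost, iptables_allow_established, iptables_allow_ssh, iptables_allow_pings …

# Set the policy to deny everything unless defined
enable_reject_policy:
  iptables.set_policy:
    - table: filter
    - chain: INPUT
    - policy: DROP
    - save: True
    - require:
      - iptables: iptables_allow_localhost
      - iptables: iptables_allow_established
      - iptables: iptables_allow_ssh
      - iptables: iptables_allow_pings
```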