Firewall Module - Allow SSH block all the things

salt/firewall/init.sls

@@ -1 +1,49 @@
-#Init.sls for the firewall module
+# Keep localhost in the game
+iptables_allow_localhost:
+  iptables.append:
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - source: 127.0.0.1
+    - save: True
+
+# Allow related/established sessions
+iptables_allow_established:
+  iptables.append:
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - match: conntrack
+    - ctstate: 'RELATED,ESTABLISHED'
+    - save: True
+
+# Always allow SSH so we can like log in
+iptables_allow_ssh:
+  iptables.append:
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - dport: 22
+    - proto: tcp
+    - save: True
+
+# I like pings
+iptables_allow_pings:
+  iptables.append:
+    - table: filter
+    - chain: INPUT
+    - jump: ACCEPT
+    - proto: icmp
+    - save: True
+
+# Set the policy to deny everything unless defined
+enable_reject_policy:
+  iptables.set_policy:
+    - table: filter
+    - chain: INPUT
+    - policy: DROP
+    - require:
+      - firewall: iptables_allow_localhost
+      - firewall: iptables_allow_established
+      - firewall: iptables_allow_ssh
+      - firewall: iptables_allow_pings