Changes to iptables.jinja

2025-12-07 01:32:47 +01:00 · 2023-01-09 14:59:55 -05:00
parent d4c6834cd0
commit 5058210bbb
1 changed files with 0 additions and 234 deletions
--- a/salt/firewall/iptables.jinja
+++ b/salt/firewall/iptables.jinja
@@ -2,48 +2,15 @@
 {% from 'firewall/containers.map.jinja' import NODE_CONTAINERS -%}
 {% from 'firewall/map.jinja' import hostgroups with context -%}
 {% from 'firewall/map.jinja' import assigned_hostgroups with context -%}
 # Generated by iptables-save v1.4.21 on Wed Jan  4 15:23:09 2023
 *nat
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 :DOCKER - [0:0]
 :OUTPUT_direct - [0:0]
 :POSTROUTING_ZONES - [0:0]
 :POSTROUTING_ZONES_SOURCE - [0:0]
 :POSTROUTING_direct - [0:0]
 :POST_docker - [0:0]
 :POST_docker_allow - [0:0]
 :POST_docker_deny - [0:0]
 :POST_docker_log - [0:0]
 :POST_public - [0:0]
 :POST_public_allow - [0:0]
 :POST_public_deny - [0:0]
 :POST_public_log - [0:0]
 :PREROUTING_ZONES - [0:0]
 :PREROUTING_ZONES_SOURCE - [0:0]
 :PREROUTING_direct - [0:0]
 :PRE_docker - [0:0]
 :PRE_docker_allow - [0:0]
 :PRE_docker_deny - [0:0]
 :PRE_docker_log - [0:0]
 :PRE_public - [0:0]
 :PRE_public_allow - [0:0]
 :PRE_public_deny - [0:0]
 :PRE_public_log - [0:0]
 -A PREROUTING -j PREROUTING_direct
 -A PREROUTING -j PREROUTING_ZONES_SOURCE
 -A PREROUTING -j PREROUTING_ZONES
 -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
 -A OUTPUT -j OUTPUT_direct
 -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
 -A POSTROUTING -s {{DOCKER.sosrange}} ! -o sosbridge -j MASQUERADE
 -A POSTROUTING -j POSTROUTING_direct
 -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
 -A POSTROUTING -j POSTROUTING_ZONES
 {%- for container in NODE_CONTAINERS %}
 {%-   if DOCKER.containers[container].ports is defined %}
 {%-     for port, proto in DOCKER.containers[container].ports.items() %}
@@ -60,119 +27,7 @@
 {%-   endif %}
 {%- endfor %}
 -A POSTROUTING_ZONES -o sosbridge -g POST_docker
 -A POSTROUTING_ZONES -o bond0 -g POST_public
 -A POSTROUTING_ZONES -o eth1 -g POST_public
 -A POSTROUTING_ZONES -o eth0 -g POST_public
 -A POSTROUTING_ZONES -g POST_public
 -A POST_docker -j POST_docker_log
 -A POST_docker -j POST_docker_deny
 -A POST_docker -j POST_docker_allow
 -A POST_public -j POST_public_log
 -A POST_public -j POST_public_deny
 -A POST_public -j POST_public_allow
 -A PREROUTING_ZONES -i sosbridge -g PRE_docker
 -A PREROUTING_ZONES -i bond0 -g PRE_public
 -A PREROUTING_ZONES -i eth1 -g PRE_public
 -A PREROUTING_ZONES -i eth0 -g PRE_public
 -A PREROUTING_ZONES -g PRE_public
 -A PRE_docker -j PRE_docker_log
 -A PRE_docker -j PRE_docker_deny
 -A PRE_docker -j PRE_docker_allow
 -A PRE_public -j PRE_public_log
 -A PRE_public -j PRE_public_deny
 -A PRE_public -j PRE_public_allow
 COMMIT
 # Completed on Wed Jan  4 15:23:09 2023
 # Generated by iptables-save v1.4.21 on Wed Jan  4 15:23:09 2023
 *mangle
 :PREROUTING ACCEPT [0:0]
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 :FORWARD_direct - [0:0]
 :INPUT_direct - [0:0]
 :OUTPUT_direct - [0:0]
 :POSTROUTING_direct - [0:0]
 :PREROUTING_ZONES - [0:0]
 :PREROUTING_ZONES_SOURCE - [0:0]
 :PREROUTING_direct - [0:0]
 :PRE_docker - [0:0]
 :PRE_docker_allow - [0:0]
 :PRE_docker_deny - [0:0]
 :PRE_docker_log - [0:0]
 :PRE_public - [0:0]
 :PRE_public_allow - [0:0]
 :PRE_public_deny - [0:0]
 :PRE_public_log - [0:0]
 -A PREROUTING -j PREROUTING_direct
 -A PREROUTING -j PREROUTING_ZONES_SOURCE
 -A PREROUTING -j PREROUTING_ZONES
 -A INPUT -j INPUT_direct
 -A FORWARD -j FORWARD_direct
 -A OUTPUT -j OUTPUT_direct
 -A POSTROUTING -j POSTROUTING_direct
 -A PREROUTING_ZONES -i sosbridge -g PRE_docker
 -A PREROUTING_ZONES -i bond0 -g PRE_public
 -A PREROUTING_ZONES -i eth1 -g PRE_public
 -A PREROUTING_ZONES -i eth0 -g PRE_public
 -A PREROUTING_ZONES -g PRE_public
 -A PRE_docker -j PRE_docker_log
 -A PRE_docker -j PRE_docker_deny
 -A PRE_docker -j PRE_docker_allow
 -A PRE_public -j PRE_public_log
 -A PRE_public -j PRE_public_deny
 -A PRE_public -j PRE_public_allow
 COMMIT
 # Completed on Wed Jan  4 15:23:09 2023
 # Generated by iptables-save v1.4.21 on Wed Jan  4 15:23:09 2023
 *security
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :FORWARD_direct - [0:0]
 :INPUT_direct - [0:0]
 :OUTPUT_direct - [0:0]
 -A INPUT -j INPUT_direct
 -A FORWARD -j FORWARD_direct
 -A OUTPUT -j OUTPUT_direct
 COMMIT
 # Completed on Wed Jan  4 15:23:09 2023
 # Generated by iptables-save v1.4.21 on Wed Jan  4 15:23:09 2023
 *raw
 :PREROUTING ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :OUTPUT_direct - [0:0]
 :PREROUTING_ZONES - [0:0]
 :PREROUTING_ZONES_SOURCE - [0:0]
 :PREROUTING_direct - [0:0]
 :PRE_docker - [0:0]
 :PRE_docker_allow - [0:0]
 :PRE_docker_deny - [0:0]
 :PRE_docker_log - [0:0]
 :PRE_public - [0:0]
 :PRE_public_allow - [0:0]
 :PRE_public_deny - [0:0]
 :PRE_public_log - [0:0]
 -A PREROUTING -j PREROUTING_direct
 -A PREROUTING -j PREROUTING_ZONES_SOURCE
 -A PREROUTING -j PREROUTING_ZONES
 -A OUTPUT -j OUTPUT_direct
 -A PREROUTING_ZONES -i sosbridge -g PRE_docker
 -A PREROUTING_ZONES -i bond0 -g PRE_public
 -A PREROUTING_ZONES -i eth1 -g PRE_public
 -A PREROUTING_ZONES -i eth0 -g PRE_public
 -A PREROUTING_ZONES -g PRE_public
 -A PRE_docker -j PRE_docker_log
 -A PRE_docker -j PRE_docker_deny
 -A PRE_docker -j PRE_docker_allow
 -A PRE_public -j PRE_public_log
 -A PRE_public -j PRE_public_deny
 -A PRE_public -j PRE_public_allow
 COMMIT
 # Completed on Wed Jan  4 15:23:09 2023
 # Generated by iptables-save v1.4.21 on Wed Jan  4 15:23:09 2023
 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD DROP [0:0]
@@ -181,40 +36,7 @@ COMMIT
 :DOCKER-ISOLATION-STAGE-1 - [0:0]
 :DOCKER-ISOLATION-STAGE-2 - [0:0]
 :DOCKER-USER - [0:0]
 :FORWARD_IN_ZONES - [0:0]
 :FORWARD_IN_ZONES_SOURCE - [0:0]
 :FORWARD_OUT_ZONES - [0:0]
 :FORWARD_OUT_ZONES_SOURCE - [0:0]
 :FORWARD_direct - [0:0]
 :FWDI_docker - [0:0]
 :FWDI_docker_allow - [0:0]
 :FWDI_docker_deny - [0:0]
 :FWDI_docker_log - [0:0]
 :FWDI_public - [0:0]
 :FWDI_public_allow - [0:0]
 :FWDI_public_deny - [0:0]
 :FWDI_public_log - [0:0]
 :FWDO_docker - [0:0]
 :FWDO_docker_allow - [0:0]
 :FWDO_docker_deny - [0:0]
 :FWDO_docker_log - [0:0]
 :FWDO_public - [0:0]
 :FWDO_public_allow - [0:0]
 :FWDO_public_deny - [0:0]
 :FWDO_public_log - [0:0]
 :INPUT_ZONES - [0:0]
 :INPUT_ZONES_SOURCE - [0:0]
 :INPUT_direct - [0:0]
 :IN_docker - [0:0]
 :IN_docker_allow - [0:0]
 :IN_docker_deny - [0:0]
 :IN_docker_log - [0:0]
 :IN_public - [0:0]
 :IN_public_allow - [0:0]
 :IN_public_deny - [0:0]
 :IN_public_log - [0:0]
 :LOGGING - [0:0]
 :OUTPUT_direct - [0:0]
 {%- set count = namespace(value=0) %}
 {%- for chain, hg in assigned_hostgroups.chain.items() %}
@@ -237,12 +59,7 @@ COMMIT
 {%- endfor %}
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A INPUT -j INPUT_direct
 -A INPUT -j INPUT_ZONES_SOURCE
 -A INPUT -j INPUT_ZONES
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -j LOGGING
 -A FORWARD -j DOCKER-USER
@@ -252,16 +69,6 @@ COMMIT
 -A FORWARD -i sosbridge ! -o sosbridge -j ACCEPT
 -A FORWARD -i sosbridge -o sosbridge -j ACCEPT
 -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i lo -j ACCEPT
 -A FORWARD -j FORWARD_direct
 -A FORWARD -j FORWARD_IN_ZONES_SOURCE
 -A FORWARD -j FORWARD_IN_ZONES
 -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
 -A FORWARD -j FORWARD_OUT_ZONES
 -A FORWARD -m conntrack --ctstate INVALID -j DROP
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -j OUTPUT_direct
 -A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP
 {%- for container in NODE_CONTAINERS %}
@@ -277,48 +84,7 @@ COMMIT
 -A DOCKER-ISOLATION-STAGE-2 -o sosbridge -j DROP
 -A DOCKER-ISOLATION-STAGE-2 -j RETURN
 -A DOCKER-USER ! -i sosbridge -o sosbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A DOCKER-USER ! -i sosbridge -o sosbridge -j LOGGING
 -A DOCKER-USER -j RETURN
 -A FORWARD_IN_ZONES -i sosbridge -g FWDI_docker
 -A FORWARD_IN_ZONES -i bond0 -g FWDI_public
 -A FORWARD_IN_ZONES -i eth1 -g FWDI_public
 -A FORWARD_IN_ZONES -i eth0 -g FWDI_public
 -A FORWARD_IN_ZONES -g FWDI_public
 -A FORWARD_OUT_ZONES -o sosbridge -g FWDO_docker
 -A FORWARD_OUT_ZONES -o bond0 -g FWDO_public
 -A FORWARD_OUT_ZONES -o eth1 -g FWDO_public
 -A FORWARD_OUT_ZONES -o eth0 -g FWDO_public
 -A FORWARD_OUT_ZONES -g FWDO_public
 -A FWDI_docker -j FWDI_docker_log
 -A FWDI_docker -j FWDI_docker_deny
 -A FWDI_docker -j FWDI_docker_allow
 -A FWDI_docker -j ACCEPT
 -A FWDI_public -j FWDI_public_log
 -A FWDI_public -j FWDI_public_deny
 -A FWDI_public -j FWDI_public_allow
 -A FWDI_public -p icmp -j ACCEPT
 -A FWDO_docker -j FWDO_docker_log
 -A FWDO_docker -j FWDO_docker_deny
 -A FWDO_docker -j FWDO_docker_allow
 -A FWDO_docker -j ACCEPT
 -A FWDO_public -j FWDO_public_log
 -A FWDO_public -j FWDO_public_deny
 -A FWDO_public -j FWDO_public_allow
 -A INPUT_ZONES -i sosbridge -g IN_docker
 -A INPUT_ZONES -i bond0 -g IN_public
 -A INPUT_ZONES -i eth1 -g IN_public
 -A INPUT_ZONES -i eth0 -g IN_public
 -A INPUT_ZONES -g IN_public
 -A IN_docker -j IN_docker_log
 -A IN_docker -j IN_docker_deny
 -A IN_docker -j IN_docker_allow
 -A IN_docker -j ACCEPT
 -A IN_public -j IN_public_log
 -A IN_public -j IN_public_deny
 -A IN_public -j IN_public_allow
 -A IN_public -p icmp -j ACCEPT
 -A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
 -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-dropped: "
 -A LOGGING -j DROP
 COMMIT
 # Completed on Wed Jan  4 15:23:09 2023