From 3c16218c5a084fa7287b27d9b27c7976cc6471a7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 27 Jul 2023 15:45:18 -0400 Subject: [PATCH 1/4] map services,pkg,config for firewall state --- salt/firewall/init.sls | 24 +++++++++++++++++++----- salt/firewall/ipt.map.jinja | 14 ++++++++++++++ 2 files changed, 33 insertions(+), 5 deletions(-) create mode 100644 salt/firewall/ipt.map.jinja diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 5ab028989..929016e63 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -1,15 +1,29 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} +{% from 'firewall/ipt.map.jinja' import iptmap %} + +install_iptables: + pkg.installed: + - name: {{ iptmap.iptpkg }} + +iptables_persist: + pkg.installed: + - name: {{ iptmap.persistpkg }} + +iptables_service: + service.running: + - name: {{ iptmap.service }} + - enabled: True create_sysconfig_iptables: file.touch: - - name: /etc/sysconfig/iptables + - name: {{ iptmap.configfile }} - makedirs: True - - unless: 'ls /etc/sysconfig/iptables' + - unless: 'ls {{ iptmap.configfile }}' iptables_config: file.managed: - - name: /etc/sysconfig/iptables + - name: {{ iptmap.configfile }} - source: salt://firewall/iptables.jinja - template: jinja @@ -24,11 +38,11 @@ disable_firewalld: iptables_restore: cmd.run: - - name: iptables-restore < /etc/sysconfig/iptables + - name: iptables-restore < {{ iptmap.configfile }} - require: - file: iptables_config - onlyif: - - iptables-restore --test /etc/sysconfig/iptables + - iptables-restore --test {{ iptmap.configfile }} {% if grains.os_family == 'RedHat' %} enable_firewalld: diff --git a/salt/firewall/ipt.map.jinja b/salt/firewall/ipt.map.jinja new file mode 100644 index 000000000..245bbac8a --- /dev/null +++ b/salt/firewall/ipt.map.jinja 
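Review bot: The new `iptables_service` state starts and enables the service without any `require` on `install_iptables` / `iptables_persist`, and on RedHat-family hosts it is defined before `disable_firewalld` (visible as the second hunk's context line), so a failed package install does not prevent the service state from being attempted and the iptables service can be started while firewalld is presumably still running. Salt's in-file ordering happens to run the two pkg states first, but the dependency should be explicit: add `- require:` followed by `- pkg: install_iptables` and `- pkg: iptables_persist` under `iptables_service`, and order it after `disable_firewalld` where that state applies. On Debian the same state starts `netfilter-persistent` before `iptables_config` has written `{{ iptmap.configfile }}`, so the first start loads whatever the just-touched (possibly empty) file contains; the later `iptables_restore` state is presumably what makes that acceptable, but a comment saying so would help. The enclosing `{% if sls in allowed_states %}` block closes outside the hunk.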
@@ -0,0 +1,14 @@ +{% set iptmap = salt['grains.filter_by']({ + 'Debian': { + 'service': 'netfilter-persistent', + 'iptpkg': 'iptables', + 'persistpkg': 'iptables-persistent', + 'configfile': '/etc/iptables/rules.v4' + }, + 'RedHat': { + 'service': 'iptables', + 'iptpkg': 'iptables', + 'persistpkg': 'iptables-services', + 'configfile': '/etc/sysconfig/iptables' + }, +}) %} From 54080c42fe9902e7b29f244df4c7b34aa0ece5af Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 27 Jul 2023 17:01:19 -0400 Subject: [PATCH 2/4] enable, not enabled --- salt/firewall/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/firewall/init.sls b/salt/firewall/init.sls index 929016e63..cf7ae01a6 100644 --- a/salt/firewall/init.sls +++ b/salt/firewall/init.sls @@ -13,7 +13,7 @@ iptables_persist: iptables_service: service.running: - name: {{ iptmap.service }} - - enabled: True + - enable: True create_sysconfig_iptables: file.touch: From 3a22ef8e86b518640670ff338aa111fadac47b38 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 28 Jul 2023 08:40:32 -0400 Subject: [PATCH 3/4] change iptables package name for redhat fam --- salt/firewall/ipt.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/firewall/ipt.map.jinja b/salt/firewall/ipt.map.jinja index 245bbac8a..8559f9a08 100644 --- a/salt/firewall/ipt.map.jinja +++ b/salt/firewall/ipt.map.jinja @@ -7,7 +7,7 @@ }, 'RedHat': { 'service': 'iptables', - 'iptpkg': 'iptables', + 'iptpkg': 'iptables-nft', 'persistpkg': 'iptables-services', 'configfile': '/etc/sysconfig/iptables' }, From 4c8373452d10c558687844e680ca84221175644b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 28 Jul 2023 11:35:34 -0400 Subject: [PATCH 4/4] change to iptables-nft-services --- salt/firewall/ipt.map.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/firewall/ipt.map.jinja b/salt/firewall/ipt.map.jinja index 8559f9a08..629c1bdd8 100644 --- a/salt/firewall/ipt.map.jinja 
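Review bot: `salt['grains.filter_by']` is called with only `Debian` and `RedHat` keys and no `default` entry, so on a host whose `os_family` matches neither the map evaluates to `None` and every `{{ iptmap.* }}` reference in `init.sls` fails at render time with an unhelpful undefined-attribute error instead of a clear message. Either add a `'default'` entry to the lookup dict, or check the result where it is imported, e.g. `{% if iptmap is none %}{{ raise('firewall state: unsupported os_family ' ~ grains.os_family) }}{% endif %}`, so an unsupported platform fails loudly and early. A one-line header comment would also help readers of the map, e.g. `{# Per-os_family iptables package, persistence service and rules-file paths consumed by firewall/init.sls #}`.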
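Review bot: `'iptpkg': 'iptables-nft'` here, and `'persistpkg': 'iptables-nft-services'` in the following patch's hunk, are, as far as I recall, the package names of the EL9 family only; on EL8 and EL7 the packages are `iptables` and `iptables-services`, so keying the map on `os_family` alone will make `install_iptables` and `iptables_persist` fail on those releases if they are in scope. If only EL9+ is targeted, state that in the map, e.g. `{# RedHat entries assume EL9+; earlier releases ship iptables / iptables-services #}`; otherwise branch on `grains.osmajorrelease` as well (a nested `filter_by`, or separate entries keyed on `osfinger`) so the right names are chosen per release.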
+++ b/salt/firewall/ipt.map.jinja
@@ -8,7 +8,7 @@
 'RedHat': {
 'service': 'iptables',
 'iptpkg': 'iptables-nft',
- 'persistpkg': 'iptables-services',
+ 'persistpkg': 'iptables-nft-services',
 'configfile': '/etc/sysconfig/iptables'
 },
 }) %}