Firewall Module - Its Working

salt/firewall/init.sls

@@ -1,4 +1,4 @@
-# Default Rules for everyone
+# Firewall Magic
 
 # Keep localhost in the game
 iptables_allow_localhost:
@@ -38,28 +38,59 @@ iptables_allow_pings:
     - proto: icmp
     - save: True
 
-# Set the policy to deny everything unless defined
-enable_reject_policy:
-  iptables.set_policy:
+# Create the chain for logging
+iptables_LOGGING_limit:
+  iptables.append:
+    - table: filter
+    - chain: LOGGING
+    - match: limit
+    - jump: LOG
+    - limit: 2/min
+    - log-level: 4
+    - log-prefix: "IPTables-dropped: "
+
+# Make the input policy send stuff that doesn't match to be logged and dropped
+iptables_log_input_drops:
+  iptables.append:
     - table: filter
     - chain: INPUT
-    - policy: DROP
-    - require:
-      - iptables: iptables_allow_localhost
-      - iptables: iptables_allow_established
-      - iptables: iptables_allow_ssh
-      - iptables: iptables_allow_pings
+    - jump: LOGGING
+    - save: True
+
+# Set the policy to deny everything unless defined
+#enable_reject_policy:
+#  iptables.set_policy:
+#    - table: filter
+#    - chain: INPUT
+#    - policy: DROP
+#    - require:
+#      - iptables: iptables_allow_localhost
+#      - iptables: iptables_allow_established
+#      - iptables: iptables_allow_ssh
+#      - iptables: iptables_allow_pings
 
 # Enable global DOCKER-USER block rule
 enable_docker_user_fw_policy:
   iptables.insert:
     - table: filter
     - chain: DOCKER-USER
-    - jump: DROP
+    - jump: LOGGING
     - in-interface: '!docker0'
     - out-interface: docker0
     - position: 1
-    - save: true
+    - save: True
+
+enable_docker_user_established:
+  iptables.insert:
+    - table: filter
+    - chain: DOCKER-USER
+    - jump: ACCEPT
+    - in-interface: '!docker0'
+    - out-interface: docker0
+    - position: 1
+    - save: True
+    - match: conntrack
+    - ctstate: 'RELATED,ESTABLISHED'
 
 # Rules if you are a Master
 {% if grains['role'] == 'so-master' %}
@@ -68,23 +99,25 @@ enable_docker_user_fw_policy:
 {% for ip in pillar.get('minions')  %}
 
 enable_salt_minions_4505_{{ip}}:
-  iptables.append:
+  iptables.insert:
     - table: filter
     - chain: INPUT
     - jump: ACCEPT
     - proto: tcp
     - source: {{ ip }}
     - dport: 4505
+    - position: 1
     - save: True
 
 enable_salt_minions_4506_{{ip}}:
-  iptables.append:
+  iptables.insert:
     - table: filter
     - chain: INPUT
     - jump: ACCEPT
     - proto: tcp
     - source: {{ ip }}
     - dport: 4506
+    - position: 1
     - save: True
 
 enable_salt_minions_5000_{{ip}}:
@@ -159,4 +192,12 @@ enable_standard_beats_5044_{{ip}}:
 
 # Rules if you are a Warm Node
 
-# Some Fixer upper type rules
+# Some Fixer upper type rules
+# Drop it like it's hot
+# Make the input policy send stuff that doesn't match to be logged and dropped
+iptables_drop_all_the_things:
+  iptables.append:
+    - table: filter
+    - chain: LOGGING
+    - jump: DROP
+    - save: True

salt/master/files/registry/config.yml

@@ -21,4 +21,4 @@ health:
     threshold: 3
 proxy:
   remoteurl: https://registry-1.docker.io
-  
+