CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-08 02:02:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

add chain to iptables state - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/641

Browse Source
This commit is contained in:
m0duspwnens
2020-06-09 13:30:24 -04:00
parent 721f2682ac
commit accb3d536d
11 changed files with 394 additions and 1004 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
salt/firewall/init.sls
View File

@@ -136,30 +136,34 @@ enable_fleetnode_beats_5644_{{FLEET_NODE_IP}}:
{% endif %}
{% for hostgroup, portgroups in assigned_hostgroups.role[role].hostgroups.items() %}
{% for action in ['insert', 'delete' ] %}
{% if hostgroups[hostgroup].ips[action] %}
{% for ip in hostgroups[hostgroup].ips[action] %}
{% for portgroup in portgroups.portgroups %}
{% for proto, ports in portgroup.items() %}
{% for port in ports %}
{% for chain, hg in assigned_hostgroups.role[role].chain.items() %}
{% for hostgroup, portgroups in assigned_hostgroups.role[role].chain[chain].hostgroups.items() %}
{% for action in ['insert', 'delete' ] %}
{% if hostgroups[hostgroup].ips[action] %}
{% for ip in hostgroups[hostgroup].ips[action] %}
{% for portgroup in portgroups.portgroups %}
{% for proto, ports in portgroup.items() %}
{% for port in ports %}
{{action}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}:
{{action}}_{{chain}}_{{hostgroup}}_{{ip}}_{{port}}_{{proto}}:
iptables.{{action}}:
- table: filter
- chain: DOCKER-USER
- chain: {{ chain }}
- jump: ACCEPT
- proto: {{ proto }}
- source: {{ ip }}
- dport: {{ port }}
{% if action == 'insert' %}
- position: 1
{% endif %}
- save: True
{% endfor %}
{% endfor %}
{% endfor %}
{% endfor %}
{% endfor %}
{% endif %}
{% endif %}
{% endfor %}
{% endfor %}
{% endfor %}