salt.modules.iptables

Support for iptables

salt.modules.iptables.append(table='filter', chain=None, rule=None, family='ipv4')

Append a rule to the specified table/chain.

This function accepts a rule in standard iptables command syntax: everything that
would follow the chain name on an iptables command line (the table and chain are
passed as separate arguments, as in the examples below). Trying to force users to
adapt to a new method of creating rules would be irritating at best, and we already
have a parser that can handle it.

Appending places the rule after every rule already in the chain and never checks for
duplicates, so repeated appends of the same rule stack identical copies; run check
first when the call may be executed more than once.

CLI Example:

salt '*' iptables.append filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'

IPv6:
salt '*' iptables.append filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
    family=ipv6
salt.modules.iptables.build_rule(table=None, chain=None, command=None, position='', full=None, family='ipv4', **kwargs)

Build a well-formatted iptables rule based on kwargs. Options are passed by their long names without the leading dashes (jump=ACCEPT rather than -j or --jump); the -- is prepended when the rule is built, so short option letters cannot be used. A table and chain are not required, unless full is True.

If full is True, then table, chain and command are required. command may be specified as either a short option ('I') or a long option (--insert). This will return the iptables command, exactly as it would be used from the command line.

If a position is required (as with -I or -D), it may be specified as position. This will only be useful if full is True.

If connstate is passed in, it will automatically be changed to state.

CLI Examples:

salt '*' iptables.build_rule match=state \
    connstate=RELATED,ESTABLISHED jump=ACCEPT

salt '*' iptables.build_rule filter INPUT command=I position=3 \
    full=True match=state state=RELATED,ESTABLISHED jump=ACCEPT

salt '*' iptables.build_rule filter INPUT command=A \
    full=True match=state state=RELATED,ESTABLISHED \
    source='127.0.0.1' jump=ACCEPT

Inverted matches (prefix the value with '! ' or 'not '):
salt '*' iptables.build_rule filter INPUT command=A \
    full=True match=state state=RELATED,ESTABLISHED \
    source='! 127.0.0.1' jump=ACCEPT

salt '*' iptables.build_rule filter INPUT command=A \
    full=True match=state state=RELATED,ESTABLISHED \
    destination='not 127.0.0.1' jump=ACCEPT

IPv6:
salt '*' iptables.build_rule match=state \
    connstate=RELATED,ESTABLISHED jump=ACCEPT \
    family=ipv6
salt '*' iptables.build_rule filter INPUT command=I position=3 \
    full=True match=state state=RELATED,ESTABLISHED jump=ACCEPT \
    family=ipv6
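The conventions above (long option names with -- prepended, connstate as an alias for state, '! ' or 'not ' to negate a match, and full=True adding table, chain, command and position) are worked through in the following Python. It is an added example written for this page, not Salt's build_rule: the exact string Salt returns (binary path, option spelling, argument order) is not shown here and is not reproduced; the ipv6 to ip6tables mapping is this script's own assumption.

```python
"""Rule assembly following the conventions documented for build_rule.

Added illustration, not Salt's implementation. Reproduced here: kwargs become
long options with '--' prepended, connstate is an alias for state, a value
prefixed with '! ' or 'not ' negates that match, and full=True prepends the
binary, table, command, chain and position. The ipv6 -> ip6tables mapping is
an assumption of this script.
"""
import shlex

NEGATION_PREFIXES = ('! ', 'not ')


def build_rule(table=None, chain=None, command=None, position='',
               full=False, family='ipv4', **kwargs):
    """Return the option string, or the whole command line when full=True."""
    if family not in ('ipv4', 'ipv6'):
        raise ValueError("family must be 'ipv4' or 'ipv6'")
    if full and not (table and chain and command):
        raise ValueError('full=True requires table, chain and command')

    # Documented alias, renamed in place so the option keeps its position
    # (a match module's options must follow its --match).
    options = {('state' if k == 'connstate' else k): v for k, v in kwargs.items()}

    parts = []
    for name, value in options.items():
        value = str(value)
        for prefix in NEGATION_PREFIXES:
            if value.startswith(prefix):
                parts.append('!')                   # iptables syntax: ! --source x
                value = value[len(prefix):].strip()
                break
        parts.append('--' + name)
        parts.append(shlex.quote(value))            # one argument even with spaces
    rule = ' '.join(parts)
    if not full:
        return rule

    # A short command ('I') gets its dash; a long one ('--insert') is kept as given.
    cmd = command if command.startswith('-') else '-' + command
    binary = 'iptables' if family == 'ipv4' else 'ip6tables'   # assumption, see above
    head = [binary, '-t', table, cmd, chain]
    if position not in ('', None):                  # only meaningful with -I / -D
        head.append(str(position))
    return ' '.join(head + ([rule] if rule else []))
```

Keyword order is preserved by Python, so pass match=state before the match module's own options, exactly as the CLI examples do; a value containing whitespace (a --comment, for instance) is quoted so it stays a single argument.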
salt.modules.iptables.check(table='filter', chain=None, rule=None, family='ipv4')

Check for the existence of a rule in the table and chain.

This function accepts a rule in standard iptables command syntax: everything that
would follow the chain name on an iptables command line (the table and chain are
passed as separate arguments, as in the examples below). Trying to force users to
adapt to a new method of creating rules would be irritating at best, and we already
have a parser that can handle it.

Call it before append or insert when a rule must be added exactly once; those
functions do not check for duplicates themselves.

CLI Example:

salt '*' iptables.check filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'

IPv6:
salt '*' iptables.check filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
    family=ipv6
salt.modules.iptables.check_chain(table='filter', chain=None, family='ipv4')

New in version 2014.1.0.

Check for the existence of a chain in the table

CLI Example:

salt '*' iptables.check_chain filter INPUT

IPv6:
salt '*' iptables.check_chain filter INPUT family=ipv6
salt.modules.iptables.delete(table, chain=None, position=None, rule=None, family='ipv4')

Delete a rule from the specified table/chain, specifying either the rule
in its entirety, or the rule's position in the chain.

This function accepts a rule in standard iptables command syntax: everything that
would follow the chain name on an iptables command line (the table and chain are
passed as separate arguments, as in the examples below). Trying to force users to
adapt to a new method of creating rules would be irritating at best, and we already
have a parser that can handle it.

Positions are 1-based and shift whenever a rule is inserted or deleted, so resolve
a position from get_rules immediately before deleting by position.

CLI Examples:

salt '*' iptables.delete filter INPUT position=3
salt '*' iptables.delete filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'

IPv6:
salt '*' iptables.delete filter INPUT position=3 family=ipv6
salt '*' iptables.delete filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
    family=ipv6
salt.modules.iptables.delete_chain(table='filter', chain=None, family='ipv4')

New in version 2014.1.0.

Delete a custom chain from the specified table. iptables refuses to delete a chain that still contains rules or is the target of a jump from another chain, so flush it and remove the references to it first.

CLI Example:

salt '*' iptables.delete_chain filter CUSTOM_CHAIN

IPv6:
salt '*' iptables.delete_chain filter CUSTOM_CHAIN family=ipv6
salt.modules.iptables.flush(table='filter', chain='', family='ipv4')

Flush the chain in the specified table; if no chain is given, flush every chain in the table. Flushing removes the rules but leaves the chain policy in place: flushing INPUT while its policy is DROP cuts off every connection the flushed rules were accepting, including the minion's own sessions, so check the policy with get_policy (or set it to ACCEPT) before flushing a remote host.

CLI Example:

salt '*' iptables.flush filter INPUT

IPv6:
salt '*' iptables.flush filter INPUT family=ipv6
salt.modules.iptables.get_policy(table='filter', chain=None, family='ipv4')

Return the current policy for the specified table/chain

CLI Example:

salt '*' iptables.get_policy filter INPUT

IPv6:
salt '*' iptables.get_policy filter INPUT family=ipv6
salt.modules.iptables.get_rules(family='ipv4')

Return a data structure of the current, in-memory rules

CLI Example:

salt '*' iptables.get_rules

IPv6:
salt '*' iptables.get_rules family=ipv6
salt.modules.iptables.get_saved_policy(table='filter', chain=None, conf_file=None, family='ipv4')

Return the policy for the specified table/chain as recorded in the saved rules file, not the live policy; use get_policy for the in-memory policy. When the two differ, the live rules have not been saved.

CLI Examples:

salt '*' iptables.get_saved_policy filter INPUT
salt '*' iptables.get_saved_policy filter INPUT \
    conf_file=/etc/iptables.saved

IPv6:
salt '*' iptables.get_saved_policy filter INPUT family=ipv6
salt '*' iptables.get_saved_policy filter INPUT \
    conf_file=/etc/iptables.saved family=ipv6
salt.modules.iptables.get_saved_rules(conf_file=None, family='ipv4')

Return a data structure of the rules in the conf file

CLI Example:

salt '*' iptables.get_saved_rules

IPv6:
salt '*' iptables.get_saved_rules family=ipv6
salt.modules.iptables.insert(table='filter', chain=None, position=None, rule=None, family='ipv4')

Insert a rule into the specified table/chain, at the specified position.

This function accepts a rule in standard iptables command syntax: everything that
would follow the chain name on an iptables command line (the table and chain are
passed as separate arguments, as in the examples below). Trying to force users to
adapt to a new method of creating rules would be irritating at best, and we already
have a parser that can handle it.

Positions are 1-based. If the position specified is a negative number, then the
insert will be performed counting from the end of the list. For instance, a position
of -1 will insert the rule as the second to last rule. To insert a rule in the last
position, use the append function instead.

CLI Examples:

salt '*' iptables.insert filter INPUT position=3 \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'

IPv6:
salt '*' iptables.insert filter INPUT position=3 \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
    family=ipv6
salt.modules.iptables.new_chain(table='filter', chain=None, family='ipv4')

New in version 2014.1.0.

Create a new custom chain in the specified table.

CLI Example:

salt '*' iptables.new_chain filter CUSTOM_CHAIN

IPv6:
salt '*' iptables.new_chain filter CUSTOM_CHAIN family=ipv6
salt.modules.iptables.save(filename=None, family='ipv4')

Save the current in-memory rules to disk. Changes made with append, insert, delete, set_policy and the chain functions take effect immediately but do not survive a reboot until they are saved.

CLI Example:

salt '*' iptables.save /etc/sysconfig/iptables

IPv6:
salt '*' iptables.save /etc/sysconfig/iptables family=ipv6
salt.modules.iptables.set_policy(table='filter', chain=None, policy=None, family='ipv4')

Set the current policy for the specified table/chain. The policy applies to every packet that matches no rule in the chain, so set INPUT to DROP only after the rules accepting RELATED,ESTABLISHED traffic and management access exist; otherwise the replies to the minion's own connection to its master are dropped and the minion becomes unreachable.

CLI Example:

salt '*' iptables.set_policy filter INPUT ACCEPT

IPv6:
salt '*' iptables.set_policy filter INPUT ACCEPT family=ipv6
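The functions documented above are building blocks; what a practitioner usually wants is an idempotent rollout that can be re-run safely: create the chain only if check_chain says it is missing, add each rule only if check says it is absent, switch the policy to DROP only after the accepting rules exist, and save only when something changed. The following Python is an added example written for this page, not Salt's iptables state module. Every module call goes through a run(fun, *args, **kwargs) callable so the logic can be exercised offline against FakeMinion, a constructed in-memory stand-in; the chain name SALT_INPUT, the baseline rules and the save path are this example's own choices.

```python
"""Idempotent firewall baseline built from the module functions documented on
this page (check_chain, new_chain, check, append, insert, get_policy,
set_policy, save). Added illustration, not Salt's iptables state module.
FakeMinion, the chain name SALT_INPUT, the rule list and the save path are
this example's own constructions."""

BASELINE_RULES = (
    '-m state --state RELATED,ESTABLISHED -j ACCEPT',    # the page's own example rule
    '-i lo -j ACCEPT',
    '-p tcp --dport 22 -m state --state NEW -j ACCEPT',  # keep management access open
)


def ensure_chain(run, table, chain, family='ipv4'):
    """Create chain in table if it is missing; True when it had to be created."""
    if run('iptables.check_chain', table, chain, family=family) is True:
        return False
    run('iptables.new_chain', table, chain, family=family)
    return True


def ensure_rule(run, table, chain, rule, position=None, family='ipv4'):
    """Add rule once. -A and -I never deduplicate, so an unguarded append on
    every run stacks identical rules. Returns 'present', 'appended' or 'inserted'."""
    found = run('iptables.check', table, chain, rule=rule, family=family)
    if found is True:
        return 'present'
    if isinstance(found, str):           # bad input comes back as an error string;
        raise RuntimeError(found)        # do not fall through to append on it
    if position is None:
        run('iptables.append', table, chain, rule=rule, family=family)
        return 'appended'
    run('iptables.insert', table, chain, position=position, rule=rule, family=family)
    return 'inserted'


def apply_baseline(run, family='ipv4', conf_file='/etc/sysconfig/iptables'):
    """Order is the lockout safeguard: ACCEPT rules first, then the jump into
    them at position 1 of INPUT, and only then INPUT's policy to DROP, so the
    replies to the minion's own connection to its master are never dropped in
    between. Returns the changes made; saves to disk only when there were any."""
    changes = []
    if ensure_chain(run, 'filter', 'SALT_INPUT', family):
        changes.append('new_chain SALT_INPUT')
    for rule in BASELINE_RULES:
        status = ensure_rule(run, 'filter', 'SALT_INPUT', rule, family=family)
        if status != 'present':
            changes.append(f'{status} SALT_INPUT {rule}')
    status = ensure_rule(run, 'filter', 'INPUT', '-j SALT_INPUT', position=1, family=family)
    if status != 'present':
        changes.append(f'{status} INPUT -j SALT_INPUT')
    if run('iptables.get_policy', 'filter', 'INPUT', family=family) != 'DROP':
        run('iptables.set_policy', 'filter', 'INPUT', 'DROP', family=family)
        changes.append('set_policy INPUT DROP')
    if changes:
        run('iptables.save', conf_file, family=family)
    return changes


class FakeMinion:
    """Constructed stand-in: answers the module function names used above from an in-memory table."""

    def __init__(self):
        self.tables = {'filter': {'INPUT': []}}
        self.policies = {('filter', 'INPUT'): 'ACCEPT'}
        self.saved = None

    def __call__(self, fun, *args, **kwargs):
        return getattr(self, fun.split('.', 1)[1])(*args, **kwargs)

    def check_chain(self, table, chain, family='ipv4'):
        return chain in self.tables[table]

    def new_chain(self, table, chain, family='ipv4'):
        self.tables[table][chain] = []

    def check(self, table, chain, rule=None, family='ipv4'):
        if not rule:
            return 'Error: Rule needs to be specified'   # error-as-string shape
        return rule in self.tables[table][chain]

    def append(self, table, chain, rule=None, family='ipv4'):
        self.tables[table][chain].append(rule)

    def insert(self, table, chain, position=None, rule=None, family='ipv4'):
        self.tables[table][chain].insert(position - 1, rule)

    def get_policy(self, table, chain, family='ipv4'):
        return self.policies.get((table, chain))

    def set_policy(self, table, chain, policy, family='ipv4'):
        self.policies[(table, chain)] = policy

    def save(self, filename=None, family='ipv4'):
        self.saved = filename
```

On a real minion, run would wrap Salt's Python API instead of FakeMinion, for instance a callable that forwards fun and its arguments to salt.client.Caller().cmd (that signature is an assumption, not something this page documents). A second apply_baseline run against the same host reports no changes and writes nothing, which is the property to check before scheduling it.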
salt.modules.iptables.version(family='ipv4')

Return version from iptables --version

CLI Example:

salt '*' iptables.version

IPv6:
salt '*' iptables.version family=ipv6