Support for iptables
salt.modules.iptables.
append
(table='filter', chain=None, rule=None, family='ipv4')¶Append a rule to the specified table/chain.
CLI Example:
salt '*' iptables.append filter INPUT \
rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'
IPv6:
salt '*' iptables.append filter INPUT \
rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
family=ipv6
salt.modules.iptables.
build_rule
(table=None, chain=None, command=None, position='', full=None, family='ipv4', **kwargs)¶Build a well-formatted iptables rule based on kwargs. Long options must be used (--jump instead of -j) because they will have the -- added to them. A table and chain are not required, unless full is True.
If full is True, then table, chain and command are required. command may be specified as either a short option ('I') or a long option (--insert). This will return the iptables command, exactly as it would be used from the command line.
If a position is required (as with -I or -D), it may be specified as position. This will only be useful if full is True.
If connstate is passed in, it will automatically be changed to state.
CLI Examples:
salt '*' iptables.build_rule match=state \
connstate=RELATED,ESTABLISHED jump=ACCEPT
salt '*' iptables.build_rule filter INPUT command=I position=3 \
full=True match=state state=RELATED,ESTABLISHED jump=ACCEPT
salt '*' iptables.build_rule filter INPUT command=A \
full=True match=state state=RELATED,ESTABLISHED \
source='127.0.0.1' jump=ACCEPT
.. Invert Rules
salt '*' iptables.build_rule filter INPUT command=A \
full=True match=state state=RELATED,ESTABLISHED \
source='! 127.0.0.1' jump=ACCEPT
salt '*' iptables.build_rule filter INPUT command=A \
full=True match=state state=RELATED,ESTABLISHED \
destination='not 127.0.0.1' jump=ACCEPT
IPv6:
salt '*' iptables.build_rule match=state \
connstate=RELATED,ESTABLISHED jump=ACCEPT \
family=ipv6
salt '*' iptables.build_rule filter INPUT command=I position=3 \
full=True match=state state=RELATED,ESTABLISHED jump=ACCEPT \
family=ipv6
salt.modules.iptables.
check
(table='filter', chain=None, rule=None, family='ipv4')¶Check for the existence of a rule in the table and chain
CLI Example:
salt '*' iptables.check filter INPUT \
rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'
IPv6:
salt '*' iptables.check filter INPUT \
rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
family=ipv6
salt.modules.iptables.
check_chain
(table='filter', chain=None, family='ipv4')¶New in version 2014.1.0.
Check for the existence of a chain in the table
CLI Example:
salt '*' iptables.check_chain filter INPUT
IPv6:
salt '*' iptables.check_chain filter INPUT family=ipv6
salt.modules.iptables.
delete
(table, chain=None, position=None, rule=None, family='ipv4')¶CLI Examples:
salt '*' iptables.delete filter INPUT position=3
salt '*' iptables.delete filter INPUT \
rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'
IPv6:
salt '*' iptables.delete filter INPUT position=3 family=ipv6
salt '*' iptables.delete filter INPUT \
rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
family=ipv6
salt.modules.iptables.
delete_chain
(table='filter', chain=None, family='ipv4')¶New in version 2014.1.0.
Delete custom chain to the specified table.
CLI Example:
salt '*' iptables.delete_chain filter CUSTOM_CHAIN
IPv6:
salt '*' iptables.delete_chain filter CUSTOM_CHAIN family=ipv6
salt.modules.iptables.
flush
(table='filter', chain='', family='ipv4')¶Flush the chain in the specified table, flush all chains in the specified table if not specified chain.
CLI Example:
salt '*' iptables.flush filter INPUT
IPv6:
salt '*' iptables.flush filter INPUT family=ipv6
salt.modules.iptables.
get_policy
(table='filter', chain=None, family='ipv4')¶Return the current policy for the specified table/chain
CLI Example:
salt '*' iptables.get_policy filter INPUT
IPv6:
salt '*' iptables.get_policy filter INPUT family=ipv6
salt.modules.iptables.
get_rules
(family='ipv4')¶Return a data structure of the current, in-memory rules
CLI Example:
salt '*' iptables.get_rules
IPv6:
salt '*' iptables.get_rules family=ipv6
salt.modules.iptables.
get_saved_policy
(table='filter', chain=None, conf_file=None, family='ipv4')¶Return the current policy for the specified table/chain
CLI Examples:
salt '*' iptables.get_saved_policy filter INPUT
salt '*' iptables.get_saved_policy filter INPUT \
conf_file=/etc/iptables.saved
IPv6:
salt '*' iptables.get_saved_policy filter INPUT family=ipv6
salt '*' iptables.get_saved_policy filter INPUT \
conf_file=/etc/iptables.saved family=ipv6
salt.modules.iptables.
get_saved_rules
(conf_file=None, family='ipv4')¶Return a data structure of the rules in the conf file
CLI Example:
salt '*' iptables.get_saved_rules
IPv6:
salt '*' iptables.get_saved_rules family=ipv6
salt.modules.iptables.
insert
(table='filter', chain=None, position=None, rule=None, family='ipv4')¶Insert a rule into the specified table/chain, at the specified position.
CLI Examples:
salt '*' iptables.insert filter INPUT position=3 \
rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'
IPv6:
salt '*' iptables.insert filter INPUT position=3 \
rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
family=ipv6
salt.modules.iptables.
new_chain
(table='filter', chain=None, family='ipv4')¶New in version 2014.1.0.
Create new custom chain to the specified table.
CLI Example:
salt '*' iptables.new_chain filter CUSTOM_CHAIN
IPv6:
salt '*' iptables.new_chain filter CUSTOM_CHAIN family=ipv6
salt.modules.iptables.
save
(filename=None, family='ipv4')¶Save the current in-memory rules to disk
CLI Example:
salt '*' iptables.save /etc/sysconfig/iptables
IPv6:
salt '*' iptables.save /etc/sysconfig/iptables family=ipv6
salt.modules.iptables.
set_policy
(table='filter', chain=None, policy=None, family='ipv4')¶Set the current policy for the specified table/chain
CLI Example:
salt '*' iptables.set_policy filter INPUT ACCEPT
IPv6:
salt '*' iptables.set_policy filter INPUT ACCEPT family=ipv6
salt.modules.iptables.
version
(family='ipv4')¶Return version from iptables --version
CLI Example:
salt '*' iptables.version
IPv6:
salt '*' iptables.version family=ipv6