salt.modules.iptables

Support for iptables

Configuration Options

The following options can be set in the minion config, minion grains , minion pillar, or master config<configuration-salt-master>.

  • iptables.save_filters: List of REGEX strings to FILTER OUT matching lines

    This is useful for filtering out chains, rules, etc that you do not wish to persist, such as ephemeral Docker rules.

    The default is to not filter out anything.

    iptables.save_filters:
       - "-j CATTLE_PREROUTING"
       - "-j DOCKER"
       - "-A POSTROUTING"
       - "-A CATTLE_POSTROUTING"
       - "-A FORWARD"
    
salt.modules.iptables.append(table='filter', chain=None, rule=None, family='ipv4')

Append a rule to the specified table/chain.

This function accepts a rule in a standard iptables command format,
starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it.

CLI Example:

salt '*' iptables.append filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'

IPv6:
salt '*' iptables.append filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
    family=ipv6
salt.modules.iptables.build_rule(table='filter', chain=None, command=None, position='', full=None, family='ipv4', **kwargs)

Build a well-formatted iptables rule based on kwargs. A table and chain are not required, unless full is True.

If full is True, then table, chain and command are required. command may be specified as either a short option ('I') or a long option (--insert). This will return the iptables command, exactly as it would be used from the command line.

If a position is required (as with -I or -D), it may be specified as position. This will only be useful if full is True.

If connstate is passed in, it will automatically be changed to state.

To pass in jump options that doesn't take arguments, pass in an empty string.

CLI Examples:

salt '*' iptables.build_rule match=state \
    connstate=RELATED,ESTABLISHED jump=ACCEPT

salt '*' iptables.build_rule filter INPUT command=I position=3 \
    full=True match=state state=RELATED,ESTABLISHED jump=ACCEPT

salt '*' iptables.build_rule filter INPUT command=A \
    full=True match=state state=RELATED,ESTABLISHED \
    source='127.0.0.1' jump=ACCEPT

.. Invert Rules
salt '*' iptables.build_rule filter INPUT command=A \
    full=True match=state state=RELATED,ESTABLISHED \
    source='! 127.0.0.1' jump=ACCEPT

salt '*' iptables.build_rule filter INPUT command=A \
    full=True match=state state=RELATED,ESTABLISHED \
    destination='not 127.0.0.1' jump=ACCEPT

IPv6:
salt '*' iptables.build_rule match=state \
    connstate=RELATED,ESTABLISHED jump=ACCEPT \
    family=ipv6
salt '*' iptables.build_rule filter INPUT command=I position=3 \
    full=True match=state state=RELATED,ESTABLISHED jump=ACCEPT \
    family=ipv6
salt.modules.iptables.check(table='filter', chain=None, rule=None, family='ipv4')

Check for the existence of a rule in the table and chain

This function accepts a rule in a standard iptables command format,
starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it.

CLI Example:

salt '*' iptables.check filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'

IPv6:
salt '*' iptables.check filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
    family=ipv6
salt.modules.iptables.check_chain(table='filter', chain=None, family='ipv4')

New in version 2014.1.0.

Check for the existence of a chain in the table

CLI Example:

salt '*' iptables.check_chain filter INPUT

IPv6:
salt '*' iptables.check_chain filter INPUT family=ipv6
salt.modules.iptables.delete(table, chain=None, position=None, rule=None, family='ipv4')
Delete a rule from the specified table/chain, specifying either the rule
in its entirety, or the rule's position in the chain.
This function accepts a rule in a standard iptables command format,
starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it.

CLI Examples:

salt '*' iptables.delete filter INPUT position=3
salt '*' iptables.delete filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'

IPv6:
salt '*' iptables.delete filter INPUT position=3 family=ipv6
salt '*' iptables.delete filter INPUT \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
    family=ipv6
salt.modules.iptables.delete_chain(table='filter', chain=None, family='ipv4')

New in version 2014.1.0.

Delete custom chain to the specified table.

CLI Example:

salt '*' iptables.delete_chain filter CUSTOM_CHAIN

IPv6:
salt '*' iptables.delete_chain filter CUSTOM_CHAIN family=ipv6
salt.modules.iptables.flush(table='filter', chain='', family='ipv4')

Flush the chain in the specified table, flush all chains in the specified table if not specified chain.

CLI Example:

salt '*' iptables.flush filter INPUT

IPv6:
salt '*' iptables.flush filter INPUT family=ipv6
salt.modules.iptables.get_policy(table='filter', chain=None, family='ipv4')

Return the current policy for the specified table/chain

CLI Example:

salt '*' iptables.get_policy filter INPUT

IPv6:
salt '*' iptables.get_policy filter INPUT family=ipv6
salt.modules.iptables.get_rules(family='ipv4')

Return a data structure of the current, in-memory rules

CLI Example:

salt '*' iptables.get_rules

IPv6:
salt '*' iptables.get_rules family=ipv6
salt.modules.iptables.get_saved_policy(table='filter', chain=None, conf_file=None, family='ipv4')

Return the current policy for the specified table/chain

CLI Examples:

salt '*' iptables.get_saved_policy filter INPUT
salt '*' iptables.get_saved_policy filter INPUT \
    conf_file=/etc/iptables.saved

IPv6:
salt '*' iptables.get_saved_policy filter INPUT family=ipv6
salt '*' iptables.get_saved_policy filter INPUT \
    conf_file=/etc/iptables.saved family=ipv6
salt.modules.iptables.get_saved_rules(conf_file=None, family='ipv4')

Return a data structure of the rules in the conf file

CLI Example:

salt '*' iptables.get_saved_rules

IPv6:
salt '*' iptables.get_saved_rules family=ipv6
salt.modules.iptables.insert(table='filter', chain=None, position=None, rule=None, family='ipv4')

Insert a rule into the specified table/chain, at the specified position.

This function accepts a rule in a standard iptables command format,
starting with the chain. Trying to force users to adapt to a new method of creating rules would be irritating at best, and we already have a parser that can handle it.
If the position specified is a negative number, then the insert will be
performed counting from the end of the list. For instance, a position of -1 will insert the rule as the second to last rule. To insert a rule in the last position, use the append function instead.

CLI Examples:

salt '*' iptables.insert filter INPUT position=3 \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'

IPv6:
salt '*' iptables.insert filter INPUT position=3 \
    rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
    family=ipv6
salt.modules.iptables.new_chain(table='filter', chain=None, family='ipv4')

New in version 2014.1.0.

Create new custom chain to the specified table.

CLI Example:

salt '*' iptables.new_chain filter CUSTOM_CHAIN

IPv6:
salt '*' iptables.new_chain filter CUSTOM_CHAIN family=ipv6
salt.modules.iptables.save(filename=None, family='ipv4')

Save the current in-memory rules to disk

CLI Example:

salt '*' iptables.save /etc/sysconfig/iptables

IPv6:
salt '*' iptables.save /etc/sysconfig/iptables family=ipv6
salt.modules.iptables.set_policy(table='filter', chain=None, policy=None, family='ipv4')

Set the current policy for the specified table/chain

CLI Example:

salt '*' iptables.set_policy filter INPUT ACCEPT

IPv6:
salt '*' iptables.set_policy filter INPUT ACCEPT family=ipv6
salt.modules.iptables.version(family='ipv4')

Return version from iptables --version

CLI Example:

salt '*' iptables.version

IPv6:
salt '*' iptables.version family=ipv6