salt.states.iptables¶
Management of iptables¶
This is an iptables-specific module designed to manage Linux firewalls. It is expected that this state module, and other system-specific firewall states, may at some point be deprecated in favor of a more generic firewall state.
httpd:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match:
- state
- comment
- comment: "Allow HTTP"
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match:
- state
- comment
- comment: "Allow HTTP"
- connstate: NEW
- source: '127.0.0.1'
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
.. Invert Rule
httpd:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match:
- state
- comment
- comment: "Allow HTTP"
- connstate: NEW
- source: '! 127.0.0.1'
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.append:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match:
- state
- comment
- comment: "Allow HTTP"
- connstate: NEW
- source: 'not 127.0.0.1'
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.append:
- table: filter
- family: ipv6
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.append:
- table: filter
- family: ipv4
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dports:
- 80
- 443
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.insert:
- position: 1
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.insert:
- position: 1
- table: filter
- family: ipv6
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.delete:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.delete:
- position: 1
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
iptables.delete:
- table: filter
- family: ipv6
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
default to accept:
iptables.set_policy:
- chain: INPUT
- policy: ACCEPT
注解
Various functions of the iptables module use the --check option. If
the version of iptables on the target system does not include this
option, an alternate version of this check will be performed using the
output of iptables-save. This may have unintended consequences on legacy
releases of iptables.
-
salt.states.iptables.append(name, table='filter', family='ipv4', **kwargs)¶ 0.17.0 新版功能.
Append a rule to a chain
- name
- A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
- table
- The table that owns the chain which should be modified
- family
- Network family, ipv4 or ipv6.
All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception:
--stateis specified as connstate instead of state (not to be confused with ctstate).Jump options that doesn't take arguments should be passed in with an empty string.
-
salt.states.iptables.chain_absent(name, table='filter', family='ipv4')¶ 2014.1.0 新版功能.
Verify the chain is absent.
- table
- The table to remove the chain from
- family
- Networking family, either ipv4 or ipv6
-
salt.states.iptables.chain_present(name, table='filter', family='ipv4')¶ 2014.1.0 新版功能.
Verify the chain is exist.
- name
- A user-defined chain name.
- table
- The table to own the chain.
- family
- Networking family, either ipv4 or ipv6
-
salt.states.iptables.delete(name, table='filter', family='ipv4', **kwargs)¶ 2014.1.0 新版功能.
Delete a rule to a chain
- name
- A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
- table
- The table that owns the chain that should be modified
- family
- Networking family, either ipv4 or ipv6
All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception:
--stateis specified as connstate instead of state (not to be confused with ctstate).Jump options that doesn't take arguments should be passed in with an empty string.
-
salt.states.iptables.flush(name, table='filter', family='ipv4', **kwargs)¶ 2014.1.0 新版功能.
Flush current iptables state
- table
- The table that owns the chain that should be modified
- family
- Networking family, either ipv4 or ipv6
-
salt.states.iptables.insert(name, table='filter', family='ipv4', **kwargs)¶ 2014.1.0 新版功能.
Insert a rule into a chain
- name
- A user-defined name to call this rule by in another part of a state or formula. This should not be an actual rule.
- table
- The table that owns the chain that should be modified
- family
- Networking family, either ipv4 or ipv6
All other arguments are passed in with the same name as the long option that would normally be used for iptables, with one exception:
--stateis specified as connstate instead of state (not to be confused with ctstate).Jump options that doesn't take arguments should be passed in with an empty string.
-
salt.states.iptables.mod_aggregate(low, chunks, running)¶ The mod_aggregate function which looks up all rules in the available low chunks and merges them into a single rules ref in the present low data
-
salt.states.iptables.set_policy(name, table='filter', family='ipv4', **kwargs)¶ 2014.1.0 新版功能.
Sets the default policy for iptables firewall tables
- table
- The table that owns the chain that should be modified
- family
- Networking family, either ipv4 or ipv6
- policy
- The requested table policy
Version 2016.3.0-182-gbed98d8
