salt 添加iptables的sls例子

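# Pillar layout consumed by this state (inferred from the lookups below):
#   firewall:
#     <name>:
#       port: <tcp dport matched on INPUT>
#       allow: [<source>, ...]   # optional: whitelist, everything else is DROPped
#       deny:  [<source>, ...]   # optional: blacklist, everything else is ACCEPTed
# When both 'allow' and 'deny' are present only 'allow' is honoured (if/elif).
# .items() rather than .iteritems(): the latter exists only on Python 2 dicts
# and raises on a Python 3 Salt master/minion.
{% for eachfw, fw_rule in pillar['firewall'].items() %}
# Add custom chain
{{ eachfw }}-chain:
  iptables.chain_present:
    - table: filter
# Custom chain rules
{% if 'allow' in fw_rule %}
# White Lists: every listed source is inserted at position 1, i.e. ahead of
# the catch-all DROP appended further down
{% for each_allow in fw_rule['allow'] %}
{{ eachfw }}_allow_{{ each_allow }}:
  iptables.insert:
    - table: filter
    - chain: {{ eachfw }}-chain
    - position: 1
    - source: {{ each_allow }}
    - jump: ACCEPT
    - require:
      - iptables: {{ eachfw }}-chain
    - require_in:
      - iptables: {{ eachfw }}_deny
    - save: True
{% endfor %}
# Deny all (explicit require on the chain so an empty allow list still orders
# this after chain_present)
{{ eachfw }}_deny:
  iptables.append:
    - table: filter
    - chain: {{ eachfw }}-chain
    - jump: DROP
    - require:
      - iptables: {{ eachfw }}-chain
    - save: True

{% elif 'deny' in fw_rule %}
# Black Lists: every listed source is inserted at position 1, i.e. ahead of
# the catch-all ACCEPT appended further down
{% for each_deny in fw_rule['deny'] %}
{{ eachfw }}_deny_{{ each_deny }}:
  iptables.insert:
    - table: filter
    - chain: {{ eachfw }}-chain
    - position: 1
    - source: {{ each_deny }}
    - jump: DROP
    - require:
      - iptables: {{ eachfw }}-chain
    - require_in:
      - iptables: {{ eachfw }}_allow
    - save: True
{% endfor %}
# Accept all (explicit require on the chain so an empty deny list still orders
# this after chain_present)
{{ eachfw }}_allow:
  iptables.append:
    - table: filter
    - chain: {{ eachfw }}-chain
    - jump: ACCEPT
    - require:
      - iptables: {{ eachfw }}-chain
    - save: True
{% endif %}

# Export traffic to custom chain.
# require: the jump target must exist before this rule is inserted.
# save: every rule state above saves, but the original INPUT jump did not, so
# the saved ruleset contained the chain and its rules without anything
# jumping to them - after an iptables restore the filter was silently
# bypassed until the next highstate.
{{ eachfw }}-main:
  iptables.insert:
    - table: filter
    - chain: INPUT
    - position: 1
    - proto: tcp
    - dport: {{ fw_rule['port'] }}
    - jump: {{ eachfw }}-chain
    - require:
      - iptables: {{ eachfw }}-chain
    - save: True
{% endfor %}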

忘记在哪看的了,只有文件,先保留。
