saltstack pillar设置iptables

/etc/salt/master
注意配置文件每行前边是有空格的

 file_roots:base:- /srv/salt/basedev:- /srv/salt/devprod:- /srv/salt/prodpillar_roots:base:- /srv/salt/pillar

/srv/salt/pillar/top.sls

base:'*':- iptables.whitelist- iptables.nginx- iptables.ntp

/srv/salt/pillar/nginx.sls

open_allow:allow_http:port: 80procto: 'tcp'allow_https:port: 443procto: 'tcp'

/srv/salt/pillar/whitelist.sls

white_ips:allow_lan1:allowip: 192.168.0.0/16allow_lan2:allowip: 172.20.60.1

/srv/salt/pillar/ntp.sls

out_allow:ntp_out_allow:port: 123procto: 'udp'

/srv/salt/base/iptables_init.sls

###### 清空原规则 ######
clear_iptables:cmd.run:{% if grains['osfinger'] == 'CentOS-6' %}- name: service iptables stop && echo >/etc/sysconfig/iptables{% elif grains['osfinger'] == 'Ubuntu-16.04' %}- name: iptables -F; iptables -X{% endif %}#### 添加白名单ip
{% for fw, rule in pillar['white_ips'].items() %}
{{ fw }}_INPUT:iptables.insert:- position: 1- table: filter- chain: INPUT- jump: ACCEPT- source: {{ rule['allowip'] }}- save: True{{ fw }}_OUTPUT:iptables.insert:- position: 1- table: filter- chain: OUTPUT- jump: ACCEPT- destination: {{ rule['allowip'] }}- save: True
{% endfor %}###### 获取自定义需要开放的服务端口并加入iptables规则中(同时取消状态追踪) ### 如果有对外开放的服务时 ###
{% if 'open_allow' in pillar.keys() %}
{% for eachfw, fw_rule in pillar['open_allow'].items() %}
{{ eachfw }}_INPUT:iptables.append:
#     - position: 1- table: filter- chain: INPUT- jump: ACCEPT- match: state- connstate: NEW,ESTABLISHED- protocol: {{ fw_rule['procto'] }}- dport: {{ fw_rule['port'] }}- save: True{{ eachfw }}_OUTPUT:iptables.append:
#     - position: 1- table: filter- chain: OUTPUT- jump: ACCEPT- match: state- connstate: ESTABLISHED- sport: {{ fw_rule['port'] }}- protocol: {{ fw_rule['procto'] }}- save: True{{ eachfw }}_NOTRACK_FROM_OUTPUT:iptables.insert:- position: 1- table: raw- chain: OUTPUT- jump: NOTRACK- match: state- connstate: ESTABLISHED- sport: {{ fw_rule['port'] }}- protocol: {{ fw_rule['procto'] }}- save: True{{ eachfw }}_NOTRACK_TO_OUTPUT:iptables.insert:- position: 1- table: raw- chain: OUTPUT- jump: NOTRACK- match: state- connstate: ESTABLISHED- dport: {{ fw_rule['port'] }}- protocol: {{ fw_rule['procto'] }}- save: True{{ eachfw }}_NOTRACK_FROM_PREROUTING:iptables.insert:- position: 1- table: raw- chain: PREROUTING- jump: NOTRACK- match: state- connstate: ESTABLISHED- sport: {{ fw_rule['port'] }}- protocol: {{ fw_rule['procto'] }}- save: True{{ eachfw }}_NOTRACK_TO_PREROUTING:iptables.insert:- position: 1- table: raw- chain: PREROUTING- jump: NOTRACK- match: state- connstate: ESTABLISHED- dport: {{ fw_rule['port'] }}- protocol: {{ fw_rule['procto'] }}- save: True
{% endfor %}
{% endif %}# 允许访问外网服务
{% for fw, rule in pillar['out_allow'].items() %}
{{ fw }}_INPUT:iptables.insert:- position: 1- table: filter- chain: INPUT- jump: ACCEPT- match: state- connstate: ESTABLISHED- protocol: {{ rule['procto'] }}- sport: {{ rule['port'] }}- save: True{{ fw }}_OUTPUT:iptables.insert:- position: 1- table: filter- chain: OUTPUT- jump: ACCEPT- match: state- connstate: NEW,RELATED,ESTABLISHED- protocol: {{ rule['procto'] }}- dport: {{ rule['port'] }}- save: True
{% endfor %}# 允许ping出
allow_ping_OUTPUT:iptables.append:- table: filter- chain: OUTPUT- jump: ACCEPT- match: state- connstate: NEW,RELATED,ESTABLISHED- protocol: icmp- comment: "Allow Ping OUT"- save: True# 允许ping入
allow_icmp_INPUT:iptables.append:- table: filter- chain: INPUT- jump: ACCEPT- match: state- connstate: NEW,ESTABLISHED- protocol: icmp- comment: "Allow Ping IN"- save: True# 设置INPUT默认策略为DROP
default_to_INPUT:iptables.set_policy:- chain: INPUT- policy: DROP- save: True# 设置OUTPUT默认策略为DROP
default_to_OUTPUT:iptables.set_policy:- chain: OUTPUT- policy: DROP- save: True# 设置FORWARD默认策略为DROP
default_to_FORWARD:iptables.set_policy:- chain: FORWARD- policy: DROP- save: True###### 重启iptables 并保持开机自动加载 ######
iptables-service:service.running:- name: iptables- reload: True- enable: True

参考：
https://blog.51cto.com/dyc2005/2178969

saltstack pillar设置iptables相关推荐

eve-ng ubuntu 20.04 设置iptables
eve-ng ubuntu 20.04 设置iptables 一.设置方法 1.建立iptables规则开机加载脚本 2.建立iptables规则关机/重启保存脚本 3.添加可执行权限 4.保存当前i ...
使用ipset设置iptables（黑/白）名单
目录使用ipset设置iptables(黑/白)名单一.ipset原理二.ipset安装 1.ipset工具安装 2.启动ipset,并设置开机自启三.ipset的基本使用四.设置iptab ...
saltstack pillar
1.关于Pillar Pillar: 存储位置:Master端数据类型:动态数据数据采集更新方式:在Master端定义,指定给对应的Minion,可以用saltutil.refresh_pilla ...
用Php设置Iptables,如何使用CSF添加自定义iptables规则
CSF(configserver firewall)是一种基于iptables的防火墙,为实现iptables规则提供了更简单的方法.有时我们需要添加一些特定的规则(例如,CSF未涵盖的IPtable ...
linux系统中查看己设置iptables规则
1.iptables -L 查看filter表的iptables规则,包括所有的链.filter表包含INPUT.OUTPUT.FORWARD三个规则链. 说明:-L是--list的简写,作用是列出规 ...
linux限制指定ip禁止访问指定端口,linux设置iptables禁止某个IP访问
1. 查看本机关于IPTABLES的设置情况 # iptables -L -n 2. 清除原有规则 # iptables -F 清除预设表filter中的所有规则链的规则 # iptables -X ...
4G卡的linux机器充当路由器(Ubuntu16 设置iptables NAT ）
当你在户外.移动环境的局域网内,有了一台linux的小工控机,它能上外网,往往是通过4g SIM卡上网,那么如果你想让其它机器,借助它上网,那么只要这台4g卡机器还有一块内置的以太网卡,就可以达到目的 ...
linux设置iptables防火墙
centos7没有iptables防火墙了用的是firewall防火墙 1 安装iptables作为防火墙(企业用) yum install iptables-services #通过yum ins ...
linux拒绝一个ip访问,linux设置iptables禁止某个IP访问
1. 查看本机关于IPTABLES的设置情况 # iptables -L -n 2. 清除原有规则 # iptables -F 清除预设表filter中的所有规则链的规则 # iptables -X ...

saltstack pillar设置iptables

saltstack pillar设置iptables相关推荐

最新文章

热门文章