From 0abdc6556367b8ce47198dc80f8add91bd53f247 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Wed, 23 Apr 2014 09:11:02 +0200 Subject: [PATCH 01/16] manage iptables along with service --- openssh/init.sls | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/openssh/init.sls b/openssh/init.sls index 6d447fe..98741a7 100644 --- a/openssh/init.sls +++ b/openssh/init.sls @@ -8,3 +8,13 @@ openssh: - name: {{ openssh.service }} - require: - pkg: {{ openssh.server }} + iptables.insert: + - position: 0 + - protocol: tcp + - dport: 22 + - table: filter + - chain: INPUT + - jump: ACCEPT + - match: state + - connstate: NEW, ESTABLISHED + - save: True From 1fda731e4023cec14cb278473909dc78ec264d49 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Wed, 23 Apr 2014 09:27:06 +0200 Subject: [PATCH 02/16] reorder and cleanup --- openssh/init.sls | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/openssh/init.sls b/openssh/init.sls index 98741a7..15ec947 100644 --- a/openssh/init.sls +++ b/openssh/init.sls @@ -9,12 +9,11 @@ openssh: - require: - pkg: {{ openssh.server }} iptables.insert: - - position: 0 - - protocol: tcp - - dport: 22 - table: filter - chain: INPUT + - protocol: tcp + - dport: 22 - jump: ACCEPT - match: state - - connstate: NEW, ESTABLISHED + - connstate: NEW,ESTABLISHED - save: True From 911e58f7c3a04eab0bb24aa22bd5e32ea77466b6 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Wed, 23 Apr 2014 14:33:47 +0200 Subject: [PATCH 03/16] position is obligatory afaik --- openssh/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/openssh/init.sls b/openssh/init.sls index 15ec947..84a4f3f 100644 --- a/openssh/init.sls +++ b/openssh/init.sls @@ -11,6 +11,7 @@ openssh: iptables.insert: - table: filter - chain: INPUT + - position: 0 - protocol: tcp - dport: 22 - jump: ACCEPT From 247717e141d2fc4c865c594409effcec8486f503 Mon Sep 17 00:00:00 2001 
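Review bot: The `iptables.insert` added under the `openssh` ID accepts TCP/22 from any source, since no `source:` is given, and `save: True` then persists that unconditional ACCEPT. If this formula is meant for anything internet-facing, a pillar-driven allow-list keeps the rule narrow without changing the default, e.g. `- source: {{ salt['pillar.get']('openssh:allowed_sources', '0.0.0.0/0') }}`. The `openssh` state's `pkg`/`service` declarations above line 8 are outside the hunk, so I cannot see whether anything ensures the iptables binary is present before this step runs on a minimal image.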
From: "David J. M. Karlsen" Date: Wed, 23 Apr 2014 14:39:01 +0200 Subject: [PATCH 04/16] reorder --- openssh/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssh/init.sls b/openssh/init.sls index 84a4f3f..750b700 100644 --- a/openssh/init.sls +++ b/openssh/init.sls @@ -11,10 +11,10 @@ openssh: iptables.insert: - table: filter - chain: INPUT - - position: 0 + - position: 1 - protocol: tcp - dport: 22 - - jump: ACCEPT - match: state - connstate: NEW,ESTABLISHED + - jump: ACCEPT - save: True From cf4014ccf715d9ef729bead464f6c87fdcdf7400 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Wed, 23 Apr 2014 14:52:24 +0200 Subject: [PATCH 05/16] fix config? --- openssh/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/openssh/init.sls b/openssh/init.sls index 750b700..aeb7369 100644 --- a/openssh/init.sls +++ b/openssh/init.sls @@ -12,9 +12,9 @@ openssh: - table: filter - chain: INPUT - position: 1 - - protocol: tcp - - dport: 22 - match: state - connstate: NEW,ESTABLISHED + - dport: 22 + - proto: tcp - jump: ACCEPT - save: True From 757bd12ca7d8938b4e32a47c5fcf87eea6c550d4 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Wed, 23 Apr 2014 16:13:10 +0200 Subject: [PATCH 06/16] will this work? --- openssh/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssh/init.sls b/openssh/init.sls index aeb7369..4e475d8 100644 --- a/openssh/init.sls +++ b/openssh/init.sls @@ -11,7 +11,7 @@ openssh: iptables.insert: - table: filter - chain: INPUT - - position: 1 + - position: 0 - match: state - connstate: NEW,ESTABLISHED - dport: 22 From 1972c41b7417bdd33d19b8e5c71278ddd405d582 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Wed, 23 Apr 2014 16:54:47 +0200 Subject: [PATCH 07/16] Revert "will this work?" This reverts commit 757bd12ca7d8938b4e32a47c5fcf87eea6c550d4. --- openssh/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/openssh/init.sls b/openssh/init.sls index 4e475d8..aeb7369 100644 --- a/openssh/init.sls +++ b/openssh/init.sls @@ -11,7 +11,7 @@ openssh: iptables.insert: - table: filter - chain: INPUT - - position: 0 + - position: 1 - match: state - connstate: NEW,ESTABLISHED - dport: 22 From 8702781e3f712a009559d3d0793e05d2fa51394c Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Thu, 24 Apr 2014 08:00:25 +0200 Subject: [PATCH 08/16] move out in separate state file --- openssh/init.sls | 10 ---------- openssh/iptables-input.sls | 12 ++++++++++++ 2 files changed, 12 insertions(+), 10 deletions(-) create mode 100644 openssh/iptables-input.sls diff --git a/openssh/init.sls b/openssh/init.sls index aeb7369..6d447fe 100644 --- a/openssh/init.sls +++ b/openssh/init.sls @@ -8,13 +8,3 @@ openssh: - name: {{ openssh.service }} - require: - pkg: {{ openssh.server }} - iptables.insert: - - table: filter - - chain: INPUT - - position: 1 - - match: state - - connstate: NEW,ESTABLISHED - - dport: 22 - - proto: tcp - - jump: ACCEPT - - save: True diff --git a/openssh/iptables-input.sls b/openssh/iptables-input.sls new file mode 100644 index 0000000..d8414f2 --- /dev/null +++ b/openssh/iptables-input.sls @@ -0,0 +1,12 @@ +sshd.iptables.input: + iptables.insert: + - table: filter + - chain: INPUT + - position: 1 + - match: state + - connstate: NEW,ESTABLISHED + - dport: 22 + - proto: tcp + - jump: ACCEPT + - save: True + From c8986d34b85680d5de60f67f545b494449ec216e Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Thu, 24 Apr 2014 08:24:53 +0200 Subject: [PATCH 09/16] try to pillarize the port --- openssh/iptables-input.sls | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/openssh/iptables-input.sls b/openssh/iptables-input.sls index d8414f2..fc03540 100644 --- a/openssh/iptables-input.sls +++ b/openssh/iptables-input.sls 
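Review bot: The new `openssh/iptables-input.sls` is not pulled in from `init.sls` (the companion hunk only deletes the rule there), so the port is opened only when this file is targeted explicitly; a header comment would save the next reader a surprise, e.g. `# Not included by init.sls: target openssh.iptables-input (top.sls or include) to open the SSH port.` The rule is also IPv4-only — `iptables.insert` defaults to `family: ipv4` — so if sshd listens on IPv6 as well a matching `family: ipv6` state is needed, otherwise IPv6 connections fall through to whatever INPUT's policy is. Inserting at INPUT position 1 places this ACCEPT ahead of any INVALID/rate-limit rules managed elsewhere on the host; if such rules exist, `iptables.append` would be the safer choice.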
@@ -1,3 +1,7 @@ +{% from "openssh/map.jinja" import openssh with context %} +{% set openssh_pillar = pillar.get('openssh', {}) %} +{% set listen_port = openssh_pillar.get('listen_port', '22') %} + sshd.iptables.input: iptables.insert: - table: filter @@ -5,7 +9,7 @@ sshd.iptables.input: - position: 1 - match: state - connstate: NEW,ESTABLISHED - - dport: 22 + - dport: {{ listen_port }} - proto: tcp - jump: ACCEPT - save: True From ca8b6da771581d8566f8bcb6a5f3f8102425864f Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Thu, 24 Apr 2014 08:55:05 +0200 Subject: [PATCH 10/16] try this --- openssh/iptables-input.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssh/iptables-input.sls b/openssh/iptables-input.sls index fc03540..f7944cf 100644 --- a/openssh/iptables-input.sls +++ b/openssh/iptables-input.sls @@ -1,6 +1,6 @@ {% from "openssh/map.jinja" import openssh with context %} {% set openssh_pillar = pillar.get('openssh', {}) %} -{% set listen_port = openssh_pillar.get('listen_port', '22') %} +{% set listen_port = salt['pillar.get']('openssh:listen_port', 22) %} sshd.iptables.input: iptables.insert: From 7ec208cba5475d2e379fc6bc8fd498fdde3974c2 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Thu, 24 Apr 2014 09:07:40 +0200 Subject: [PATCH 11/16] will this work? --- openssh/iptables-input.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssh/iptables-input.sls b/openssh/iptables-input.sls index f7944cf..4385ee6 100644 --- a/openssh/iptables-input.sls +++ b/openssh/iptables-input.sls @@ -1,6 +1,6 @@ {% from "openssh/map.jinja" import openssh with context %} {% set openssh_pillar = pillar.get('openssh', {}) %} -{% set listen_port = salt['pillar.get']('openssh:listen_port', 22) %} +{% set listen_port = salt['pillar.get']('openssh:listen_port', '22') %} sshd.iptables.input: iptables.insert: From 764d4204d1901675423ee0f4ff87ac81df999d73 Mon Sep 17 00:00:00 2001 
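Review bot: `{% from "openssh/map.jinja" import openssh with context %}` is imported but never referenced anywhere in this file, so it should either be dropped or put to use (for instance to carry a per-OS package name). The bigger point is that `openssh:listen_port` must agree with the `Port` sshd is actually configured with, which is presumably rendered by another state in the formula that I cannot see from here; if the two read different pillar keys the firewall opens a port the daemon does not listen on and the real one stays blocked. A comment above the `dport` line such as `# Must agree with the Port value rendered into sshd_config — both read openssh:listen_port.` would document the coupling once you have confirmed it.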
From: "David J. M. Karlsen" Date: Thu, 24 Apr 2014 09:17:54 +0200 Subject: [PATCH 12/16] restructure a little --- openssh/iptables-input.sls | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/openssh/iptables-input.sls b/openssh/iptables-input.sls index 4385ee6..c78c178 100644 --- a/openssh/iptables-input.sls +++ b/openssh/iptables-input.sls @@ -2,10 +2,21 @@ {% set openssh_pillar = pillar.get('openssh', {}) %} {% set listen_port = salt['pillar.get']('openssh:listen_port', '22') %} +sshd.iptables.chain: + iptables.chain_present: + - name: sshd_input + +#ideally this should be flushed in case the port changes so it will not accumulate ports: sshd.iptables.input: iptables.insert: - table: filter - chain: INPUT + - jump: sshd_input + +sshd.iptables.input: + iptables.insert: + - table: filter + - chain: sshd_input - position: 1 - match: state - connstate: NEW,ESTABLISHED From eaa5a5cd263b2148d67710d3bb588ec3c5847720 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Thu, 24 Apr 2014 09:46:53 +0200 Subject: [PATCH 13/16] fix conflicting id --- openssh/iptables-input.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/openssh/iptables-input.sls b/openssh/iptables-input.sls index c78c178..3fb7fa2 100644 --- a/openssh/iptables-input.sls +++ b/openssh/iptables-input.sls @@ -13,7 +13,7 @@ sshd.iptables.input: - chain: INPUT - jump: sshd_input -sshd.iptables.input: +sshd.iptables.listenrule: iptables.insert: - table: filter - chain: sshd_input From aaf319fb11fc67d985a7e91145e3c24cbe3be9e3 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Thu, 24 Apr 2014 10:56:58 +0200 Subject: [PATCH 14/16] need to define position --- openssh/iptables-input.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/openssh/iptables-input.sls b/openssh/iptables-input.sls index 3fb7fa2..11daeb1 100644 --- a/openssh/iptables-input.sls +++ b/openssh/iptables-input.sls 
@@ -10,6 +10,7 @@ sshd.iptables.chain: sshd.iptables.input: iptables.insert: - table: filter + - position: 1 - chain: INPUT - jump: sshd_input From 697e5ebe418f72e614d4c623920b68bd74acfbd8 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Thu, 24 Apr 2014 11:05:08 +0200 Subject: [PATCH 15/16] remove this - has no function and will fail if no pillar for openssh present --- openssh/iptables-input.sls | 1 - 1 file changed, 1 deletion(-) diff --git a/openssh/iptables-input.sls b/openssh/iptables-input.sls index 11daeb1..2a1c146 100644 --- a/openssh/iptables-input.sls +++ b/openssh/iptables-input.sls @@ -1,5 +1,4 @@ {% from "openssh/map.jinja" import openssh with context %} -{% set openssh_pillar = pillar.get('openssh', {}) %} {% set listen_port = salt['pillar.get']('openssh:listen_port', '22') %} sshd.iptables.chain: From 680e7fb191f9e29af74dcbae5b3b76dd569b2625 Mon Sep 17 00:00:00 2001 From: "David J. M. Karlsen" Date: Thu, 24 Apr 2014 11:13:13 +0200 Subject: [PATCH 16/16] add TODO --- openssh/iptables-input.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/openssh/iptables-input.sls b/openssh/iptables-input.sls index 2a1c146..8dac146 100644 --- a/openssh/iptables-input.sls +++ b/openssh/iptables-input.sls @@ -25,3 +25,4 @@ sshd.iptables.listenrule: - jump: ACCEPT - save: True +#TODO: Should persist rules or depend on iptables-persistent or something, so that rules will be present after a boot
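Review bot: The TODO slightly misstates what is missing: `save: True` already writes the rule set to the distro's default saved-rules file on each apply (Salt's `iptables.save`, e.g. `/etc/sysconfig/iptables` or `/etc/iptables/rules.v4`, as far as I recall), so saving is covered; what is absent is the boot-time restore, which needs `iptables-persistent`/`netfilter-persistent` on Debian derivatives or the `iptables` service on RHEL derivatives. A `pkg.installed` keyed from `map.jinja` (imported at the top of this file but otherwise unused) would close that gap, and the comment could then read `#TODO: install the distro's restore-at-boot package/service (iptables-persistent or the iptables service) so the saved rules are loaded after reboot.` Worth stating in that comment too: until the restore exists, a reboot typically reverts to the distro default INPUT policy, so the failure mode is silently open rather than locked out.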