diff --git a/firewalld/direct.sls b/firewalld/direct.sls
new file mode 100644
index 0000000..21e8f24
--- /dev/null
+++ b/firewalld/direct.sls
@@ -0,0 +1,28 @@
+# == State: firewalld.direct
+
+{% from "firewalld/map.jinja" import firewalld with context %}
+
+
+# == Define: firewalld.direct
+#
+# This defines a configuration for permanent direct chains,
+# rules and passtthroughs, see firewalld.direct (5) man page.
+
+{%- if firewalld.get('direct', False) %}
+/etc/firewalld/direct.xml:
+ file:
+ - managed
+ - name: /etc/firewalld/direct.xml
+ - user: root
+ - group: root
+ - mode: "0644"
+ - source: salt://firewalld/files/direct.xml
+ - template: jinja
+ - require:
+ - pkg: package_firewalld # make sure package is installed
+ - file: directory_firewalld
+ - listen_in:
+ - module: service_firewalld # restart service
+ - context:
+ direct: {{ firewalld.direct|json }}
+{%- endif %}
diff --git a/firewalld/files/direct.xml b/firewalld/files/direct.xml
new file mode 100644
index 0000000..97c4077
--- /dev/null
+++ b/firewalld/files/direct.xml
@@ -0,0 +1,18 @@
+
+
+ {%- if 'chain' in direct %}
+ {%- for k, v in direct.chain.items() %}
+
+ {%- endfor %}
+ {%- endif %}
+ {%- if 'rule' in direct %}
+ {%- for k, v in direct.rule.items() %}
+ {{v.args}}
+ {%- endfor %}
+ {%- endif %}
+ {%- if 'passthrough' in direct %}
+ {%- for k, v in direct.passthrough.items() %}
+ {{v.args}}
+ {%- endfor %}
+ {%- endif %}
+
diff --git a/firewalld/init.sls b/firewalld/init.sls
index ea8b0cb..180ec7c 100644
--- a/firewalld/init.sls
+++ b/firewalld/init.sls
@@ -11,6 +11,7 @@ include:
 - firewalld.ipsets
 - firewalld.services
 - firewalld.zones
+ - firewalld.direct
 
 # iptables service that comes with rhel/centos
 iptables:
diff --git a/pillar.example.sls b/pillar.example.sls
index 6b74136..b1705ed 100644
--- a/pillar.example.sls
+++ b/pillar.example.sls
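Review bot: Once `direct` is removed from pillar again, the `{%- if firewalld.get('direct', False) %}` guard renders no state at all, so an already-deployed `/etc/firewalld/direct.xml` and the rules it installs stay active with nothing managing them. An `{%- else %}` branch that declares the file absent and listens in to `service_firewalld` like the managed branch closes that gap; whether the sibling `firewalld.zones`/`firewalld.ipsets` states already follow this pattern is not visible here. The header comment also has a typo, `passtthroughs` → `passthroughs`, and should say what the companion template does with the values, e.g. `# chain/rule/passthrough args are written to direct.xml verbatim; treat firewalld:direct as trusted, admin-only pillar`.
```yaml
{%- else %}
/etc/firewalld/direct.xml:
  file:
    - absent
    - listen_in:
      - module: service_firewalld # restart service
{%- endif %}
```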
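Review bot: `{{v.args}}` is interpolated into the XML without escaping, and the same presumably applies to the `ipv`/`table`/`chain`/`priority` attribute values whose element markup did not survive this capture, so an `args` string containing `&`, `<` or a double quote yields a file firewalld either rejects or parses differently than the pillar author intended. Jinja's built-in escape filter produces XML-valid character references, so `{{ v.args|e }}` (and `{{ v.ipv|e }}` etc. in the attributes) is enough. A one-line template comment is also warranted, since firewalld hands direct chains, rules and passthroughs to the packet-filter backend with no zone logic in between: `{# values come straight from pillar firewalld:direct and are applied as raw backend rules; keep that pillar tightly scoped #}`.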
@@ -89,3 +89,21 @@ firewalld:
 - comment: vsftpd
 port: 21
 protocol: tcp
+
+ direct:
+ chain:
+ MYCHAIN:
+ ipv: ipv4
+ table: raw
+ rule:
+ INTERNETACCESS:
+ ipv: ipv4
+ table: filter
+ chain: FORWARD
+ priority: "0"
+ args: "-i iintern -o iextern -s 192.168.1.0/24 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT"
+ passthrough:
+ MYPASSTHROUGH:
+ ipv: ipv4
+ args: "-t raw -A MYCHAIN -j DROP"
+