.\" Man page generated from reStructuredText. . . .nr rst2man-indent-level 0 . .de1 rstReportMargin \\$1 \\n[an-margin] level \\n[rst2man-indent-level] level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] - \\n[rst2man-indent0] \\n[rst2man-indent1] \\n[rst2man-indent2] .. .de1 INDENT .\" .rstReportMargin pre: . RS \\$1 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] . nr rst2man-indent-level +1 .\" .rstReportMargin post: .. .de UNINDENT . RE .\" indent \\n[an-margin] .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] .nr rst2man-indent-level -1 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. .TH "CDIST-TYPE__IPTABLES_RULE" "7" "Sep 26, 2023" "7.0.0" "cdist" .SH NAME .sp cdist\-type__iptables_rule \- Deploy iptable rulesets .SH DESCRIPTION .sp This cdist type allows you to manage iptable rules in a distribution independent manner. .sp See \fBcdist\-type__iptables_apply\fP(7) for the execution order of these rules. It will be executed automaticly to apply all rules non\-volaite. .SH REQUIRED PARAMETERS .INDENT 0.0 .TP .B rule The rule to apply. Essentially an iptables command line without iptables in front of it. .UNINDENT .SH OPTIONAL PARAMETERS .INDENT 0.0 .TP .B state \(aqpresent\(aq or \(aqabsent\(aq, defaults to \(aqpresent\(aq .UNINDENT .SH BOOLEAN PARAMETERS .sp All rules without any of these parameters will be treated like \fB\-\-v4\fP because of backward compatibility. .INDENT 0.0 .TP .B v4 Explicitly set it as rule for IPv4. If IPv6 is set, too, it will be threaten like \fB\-\-all\fP\&. Will be the default if nothing else is set. .TP .B v6 Explicitly set it as rule for IPv6. If IPv4 is set, too, it will be threaten like \fB\-\-all\fP\&. .TP .B all Set the rule for both IPv4 and IPv6. It will be saved separately from the other rules. .UNINDENT .SH EXAMPLES .INDENT 0.0 .INDENT 3.5 .sp .EX # Deploy some policies __iptables_rule policy\-in \-\-rule \(dq\-P INPUT DROP\(dq __iptables_rule policy\-out \-\-rule \(dq\-P OUTPUT ACCEPT\(dq __iptables_rule policy\-fwd \-\-rule \(dq\-P FORWARD DROP\(dq # The usual established rule __iptables_rule established \-\-rule \(dq\-A INPUT \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT\(dq # Some service rules __iptables_rule http \-\-rule \(dq\-A INPUT \-p tcp \-\-dport 80 \-j ACCEPT\(dq __iptables_rule ssh \-\-rule \(dq\-A INPUT \-p tcp \-\-dport 22 \-j ACCEPT\(dq __iptables_rule https \-\-rule \(dq\-A INPUT \-p tcp \-\-dport 443 \-j ACCEPT\(dq # Ensure some rules are not present anymore __iptables_rule munin \-\-rule \(dq\-A INPUT \-p tcp \-\-dport 4949 \-j ACCEPT\(dq \e \-\-state absent # IPv4\-only rule for ICMPv4 __iptables_rule icmp\-v4 \-\-v4 \-\-rule \(dq\-A INPUT \-p icmp \-j ACCEPT\(dq # IPv6\-only rule for ICMPv6 __iptables_rule icmp\-v6 \-\-v6 \-\-rule \(dq\-A INPUT \-p icmpv6 \-j ACCEPT\(dq # doing something for the dual stack __iptables_rule fwd\-eth0\-eth1 \-\-v4 \-\-v6 \-\-rule \(dq\-A INPUT \-i eth0 \-o eth1 \-j ACCEPT\(dq __iptables_rule fwd\-eth1\-eth0 \-\-all \-\-rule \(dq\-A \-o eth1 \-i eth0 \-m state \-\-state RELATED,ESTABLISHED \-j ACCEPT\(dq .EE .UNINDENT .UNINDENT .SH SEE ALSO .sp \fBcdist\-type__iptables_apply\fP(7), \fBiptables\fP(8) .SH AUTHORS .sp Nico Schottelius <\fI\%nico\-cdist\-\-@\-\-schottelius.org\fP> Matthias Stecher <\fI\%matthiasstecher\-\-@\-\-gmx.de\fP> .SH COPYING .sp Copyright (C) 2013 Nico Schottelius. Copyright (C) 2020 Matthias Stecher. You can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. .SH COPYRIGHT ungleich GmbH 2021 .\" Generated by docutils manpage writer. .