I’m trying to configure a flexible iptables management solution with SaltStack, but I find it harder than I thought it would be.
My main requirement: to be able to have a pillar where I keep a list of IPs, which should be whitelisted for SSH access on all minions. This list of IPs will of course change every now and then: some IPs get added, some IPs are removed. The problem that I’m facing is with the removed IPs – when I remove them from the pillar file, SaltStack doesn’t remove the actual whitelisting from the minions.
The only workaround I could find was to create a new key named “removed-ips” and, whenever I want to remove an IP, add it there. The second for loop will then remove it. Of course, this is a really nasty workaround; is there a better way of doing it?
Where rules.jinja generates the ruleset from pillar. The benefit of this method is that it does the Right Thing when pillar rules are removed, without requiring a flush (i.e. a change) on every highstate. The downside is that it won’t notice and revert manual changes to the firewall from the local machine.
I have a formula using the technique here. Ignore the readme note about compatibility issues; it works fine on current salt. Or did last time I checked.
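To make the "render the whole ruleset from pillar" idea concrete, here is an added example of the generator side, written for this thread and not taken from the answerer's formula or from the Salt project. It assumes a constructed pillar layout (`firewall:ssh_whitelist`) and a hypothetical state that writes the rendered text with `file.managed` and applies it with `cmd.run` calling `iptables-restore` under an `onchanges` requisite; those Salt pieces are described here in prose only. The point it demonstrates is the one the answer makes: because every run emits the complete table, an IP dropped from the list simply stops appearing, and the atomic table replace removes it on the minion with no "removed-ips" bookkeeping.

```python
"""Render a complete iptables-restore ruleset from pillar-style data.

Added example for the discussion above (not the answerer's formula).
The ruleset is rebuilt from the current whitelist on every run, so removal
is handled by omission rather than by an explicit "remove" list.
"""
import ipaddress

# Constructed sample pillar; the key layout is an assumption for this example.
PILLAR = {
    "firewall": {
        "ssh_whitelist": ["203.0.113.10", "198.51.100.0/24"],
    }
}


def normalised_whitelist(pillar):
    """Validate and sort the whitelist so the output is deterministic.

    Deterministic ordering matters: a file.managed + onchanges pipeline should
    only re-run iptables-restore when the rules genuinely changed, not because
    pillar entries were reordered. Invalid entries raise ValueError early
    rather than producing a ruleset iptables-restore would reject.
    """
    raw = pillar.get("firewall", {}).get("ssh_whitelist", [])
    nets = {ipaddress.ip_network(entry, strict=False) for entry in raw}
    # Sort by IP version first; mixed v4/v6 networks are not directly comparable.
    return sorted(nets, key=lambda n: (n.version, n))


def render_ruleset(pillar):
    """Return the text of an iptables-restore file for the filter table."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net in normalised_whitelist(pillar):
        # Each whitelisted source gets exactly one SSH accept rule.
        lines.append(f"-A INPUT -p tcp --dport 22 -s {net} -j ACCEPT")
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def whitelisted_sources(ruleset):
    """Parse the SSH accept rules back out of a rendered ruleset."""
    sources = set()
    for line in ruleset.splitlines():
        if "--dport 22" in line and " -s " in line:
            sources.add(line.split(" -s ")[1].split()[0])
    return sources


def rules_dropped(old_pillar, new_pillar):
    """Sources that were allowed under old_pillar but are absent under new_pillar.

    This is what iptables-restore effectively removes when the new file is
    applied: nothing in the pipeline has to name them explicitly.
    """
    return whitelisted_sources(render_ruleset(old_pillar)) - whitelisted_sources(
        render_ruleset(new_pillar)
    )


if __name__ == "__main__":
    print(render_ruleset(PILLAR))
    trimmed = {"firewall": {"ssh_whitelist": ["198.51.100.0/24"]}}
    print("dropped by omission:", rules_dropped(PILLAR, trimmed))
```

In the Salt state the rendered text would be the target of `file.managed` (for example at `/etc/iptables/rules.v4`), and a `cmd.run` of `iptables-restore` on that file would carry an `onchanges` requisite on the managed file, so the table is replaced only when the rendered content differs. Sorting and validating the whitelist before rendering is what keeps that trigger quiet on no-op highstates.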