--- /dev/null
+glocker chain:
+ iptables.chain_present:
+ - name: glocker
+ - table: filter
+
+accept glocker-except:
+ iptables.insert:
+ - table: filter
+ - chain: glocker
+ - jump: ACCEPT
+ - match-set: glocker-except dst
+ - position: 1
+
+allow uid 40000-50000:
+ iptables.insert:
+ - table: filter
+ - chain: glocker
+ - jump: ACCEPT
+ - match: owner
+ - uid-owner: 40000-50000
+ - position: 2
+
+reject glocker:
+ iptables.insert:
+ - table: filter
+ - chain: glocker
+ - jump: REJECT
+ - reject-with: icmp-port-unreachable
+ - match-set: glocker dst
+ - position: 3
+
+jump to glocker:
+ iptables.insert:
+ - table: filter
+ - chain: OUTPUT
+ - jump: glocker
+ - position: 1
+
+glocker cron job:
+ file.managed:
+ - name: /etc/cron.hourly/glocker
+ - source: salt://glocker/files/cronjob
+ - user: root
+ - group: root
+ - mode: 750
+
+ensure allowed_hosts file exists:
+ file.touch:
+ - name: /etc/glocker/allowed_hosts
+ - makedirs: True
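Review bot: The five `iptables.insert` states (from `accept glocker-except` through `jump to glocker`) only add IPv4 rules to the running ruleset, so the egress block fails open after a reboot or firewall reload and never covers IPv6 destinations. Adding `- save: True` to each rule would persist it, and a parallel set of states with `- family: ipv6` (backed by inet6 ipsets) would close the v6 path. Both `match-set` rules also depend on the `glocker` and `glocker-except` ipsets, which this file does not create. Unless another state does, the inserts will presumably fail on a fresh minion, so a `require` on whatever creates the sets would make the ordering explicit. Separately, `file.touch` leaves /etc/glocker/allowed_hosts with umask-default permissions and reports a change on every run; `file.managed` with `- replace: False`, `- user: root` and `- mode: '0644'` would pin ownership of the allow-list and keep the state idempotent.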