Agenda: iptables.txt

File iptables.txt, 2.8 KB (added by Patrick Okui, 6 years ago)

Line
1	# perfSONAR Toolkit Firewall Config v1.0
2
3	*filter
4	:INPUT ACCEPT [0:0]
5	:FORWARD ACCEPT [0:0]
6	:OUTPUT ACCEPT [0:0]
7
8	# convenience for logging things we want to specifically deny
9	#-N DENYLOG
10	#-A DENYLOG -j LOG --log-prefix DENIED_HOST:
11	#-A DENYLOG -j DROP
12	#-A INPUT -j DENYLOG -s <someipORnetwork>
13
14	# Allow Loopback
15	-A INPUT -i lo -j ACCEPT
16	-A OUTPUT -o lo -j ACCEPT
17
18	# Accept existing and related connections
19	-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
20
21	# Incoming SSH - TCP Port 22
22	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 22 -j ACCEPT
23
24	# SSH Throttling (Uncomment to enable)
25	#-A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
26	#-A INPUT -p tcp --dport 22 --syn -j DROP
27
28	# DHCPv6
29	-A INPUT -m state --state NEW -m udp -p udp --dport 546 --sport 547 -j ACCEPT
30
31	:perfSONAR - [0:0]
32
33	# Accept ICMP
34	-A perfSONAR -p icmp --icmp-type any -j ACCEPT
35
36	# =-=-=-=-=-=- Core perfSONAR Services =-=-=-=-=-=-
37
38	# Incoming Web (esmond and Toolkit GUI) - TCP Ports 80 and 443
39	-A perfSONAR -m tcp -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
40	-A perfSONAR -m tcp -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
41
42	# Incoming NTP - UDP Port 123
43	-A perfSONAR -p udp --dport 123 -m udp -j ACCEPT
44
45	# =-=-=-=-=-=- perfSONAR Measurement Tools =-=-=-=-=-=-
46
47	# UDP Traceroute (Incoming)
48	-A perfSONAR -m udp -p udp --dport 33434:33634 -j ACCEPT
49
50	# NPAD Control (Incoming)
51	-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8000 -j ACCEPT
52
53	# NPAD Test (Incoming)
54	-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8001:8020 -j ACCEPT
55
56	# Flash crossdomain (for NDT)
57	-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 843 -j ACCEPT
58
59	# NDT Control (Incoming)
60	-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 7123 -j ACCEPT
61
62	# NDT Test (Incoming)
63	-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 3001:3003 -j ACCEPT
64
65	# OWAMP Control (Incoming)
66	-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 861 -j ACCEPT
67
68	# OWAMP Test (Incoming)
69	-A perfSONAR -m udp -p udp --dport 8760:9960 -j ACCEPT
70
71	# BWCTL Control (Incoming)
72	-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 4823 -j ACCEPT
73
74	# BWCTL Peer (Incoming, TCP and UDP)
75	-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 6001:6200 -j ACCEPT
76	-A perfSONAR -m udp -p udp --dport 6001:6200 -j ACCEPT
77
78	# BWCTL Test (Incoming, TCP and UDP)
79	-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 5000:5900 -j ACCEPT
80	-A perfSONAR -m udp -p udp --dport 5000:5900 -j ACCEPT
81	-A perfSONAR -j RETURN
82	-A INPUT -j perfSONAR
83
84
85	# log before we drop whatever is left.
86	# -A INPUT -j LOG --log-prefix DROPPED_PACKET:
87
88	# Drop the rest
89	-A INPUT -j REJECT
90	-A FORWARD -j REJECT
91
92	COMMIT