# perfSONAR Toolkit Firewall Config v1.0
#
# iptables-restore format: everything between "*filter" and "COMMIT" is
# loaded into the filter table. Rules are evaluated top to bottom within a
# chain, so the ORDER of the -A lines below is part of the policy.
#
# NOTE: the built-in chain policies are ACCEPT. Denial of unwanted traffic
# therefore relies entirely on the trailing "-A INPUT -j REJECT" /
# "-A FORWARD -j REJECT" rules at the bottom of this file. If this ruleset is
# flushed (iptables -F) or that final rule is removed, the host is fully open;
# any rule appended after the REJECT is unreachable.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# convenience for logging things we want to specifically deny
# Optional user-defined chain: log with the DENIED_HOST: prefix, then DROP.
# The jump into DENYLOG is placed here, above every ACCEPT, so that a listed
# source is denied even if it would otherwise match an allow rule below.
# <someipORnetwork> is a placeholder for the address or CIDR to deny.
#-N DENYLOG
#-A DENYLOG -j LOG --log-prefix DENIED_HOST:
#-A DENYLOG -j DROP
#-A INPUT -j DENYLOG -s <someipORnetwork>

# Allow Loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Accept existing and related connections
# Replies to connections this host initiated (and RELATED traffic such as
# ICMP errors) are accepted here; every later rule only needs to cover NEW.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Incoming SSH - TCP Port 22
# Accepts new SSH sessions from any source. Where management comes from a
# known network, adding "-s <mgmt-network>" to this rule narrows the exposure.
# (ESTABLISHED is redundant with the rule above but harmless.)
-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 22 -j ACCEPT

# SSH Throttling (Uncomment to enable)
# NOTE(review): as positioned, these two rules would never match once
# uncommented, because the unconditional port-22 ACCEPT directly above already
# accepts every new SSH connection. To make throttling effective, move these
# two lines ABOVE that ACCEPT rule (the limit rule admits bursts of 3 SYNs then
# 1 per minute; the DROP catches SYNs beyond the limit; non-SYN packets still
# fall through to the ACCEPT).
#-A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
#-A INPUT -p tcp --dport 22 --syn -j DROP

# DHCPv6
# Accepts DHCPv6 server -> client traffic (server port 547 to client port 546).
# NOTE(review): only meaningful if this file is also loaded by ip6tables;
# confirm which address family this ruleset is applied to.
-A INPUT -m state --state NEW -m udp -p udp --dport 546 --sport 547 -j ACCEPT

# User-defined chain holding the perfSONAR service allow rules. INPUT jumps
# into it further below; anything not accepted here RETURNs to INPUT and
# reaches the final REJECT.
:perfSONAR - [0:0]

# Accept ICMP
# All ICMP types are accepted without rate limiting; echo/unreachable
# handling is needed by the measurement tools (ping, traceroute, OWAMP).
-A perfSONAR -p icmp --icmp-type any -j ACCEPT

# =-=-=-=-=-=- Core perfSONAR Services =-=-=-=-=-=-

# Incoming Web (esmond and Toolkit GUI) - TCP Ports 80 and 443
-A perfSONAR -m tcp -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A perfSONAR -m tcp -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# Incoming NTP - UDP Port 123
# Stateless accept: this exposes the local NTP daemon to queries from any
# source. If the host only syncs as a client, replies are already covered by
# the ESTABLISHED,RELATED rule and this line can be restricted to known peers
# or removed.
-A perfSONAR -p udp --dport 123 -m udp -j ACCEPT

# =-=-=-=-=-=- perfSONAR Measurement Tools =-=-=-=-=-=-
# Each block below opens the ports a specific tool listens on. Least
# privilege: if a tool is not installed on this host, remove its rules
# rather than leaving the range open.

# UDP Traceroute (Incoming)
# Lets incoming traceroute probes reach closed ports so the kernel answers
# with ICMP port-unreachable (the expected traceroute response).
-A perfSONAR -m udp -p udp --dport 33434:33634 -j ACCEPT

# NPAD Control (Incoming)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8000 -j ACCEPT

# NPAD Test (Incoming)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8001:8020 -j ACCEPT

# Flash crossdomain (for NDT)
# Legacy Flash policy-file port; only needed if the Flash-based NDT client is
# in use.
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 843 -j ACCEPT

# NDT Control (Incoming)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 7123 -j ACCEPT

# NDT Test (Incoming)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 3001:3003 -j ACCEPT

# OWAMP Control (Incoming)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 861 -j ACCEPT

# OWAMP Test (Incoming)
# One-way latency test streams are UDP and cannot be matched statefully.
-A perfSONAR -m udp -p udp --dport 8760:9960 -j ACCEPT

# BWCTL Control (Incoming)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 4823 -j ACCEPT

# BWCTL Peer (Incoming, TCP and UDP)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 6001:6200 -j ACCEPT
-A perfSONAR -m udp -p udp --dport 6001:6200 -j ACCEPT

# BWCTL Test (Incoming, TCP and UDP)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 5000:5900 -j ACCEPT
-A perfSONAR -m udp -p udp --dport 5000:5900 -j ACCEPT
# Hand unmatched packets back to INPUT (explicit; this is also the implicit
# end-of-chain behaviour).
-A perfSONAR -j RETURN
# Everything that survived the INPUT rules above is checked against the
# perfSONAR service chain here.
-A INPUT -j perfSONAR


# log before we drop whatever is left.
# If enabled, pair with "-m limit" (e.g. "-m limit --limit 5/min") so that a
# scan or flood cannot fill the log.
# -A INPUT -j LOG --log-prefix DROPPED_PACKET:

# Drop the rest
# REJECT (not DROP): the sender gets an ICMP port-unreachable by default.
# FORWARD is rejected outright, so this host will not route for others.
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT