# perfSONAR Toolkit Firewall Config v1.0

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# convenience for logging things we want to specifically deny
#-N DENYLOG
#-A DENYLOG -j LOG --log-prefix DENIED_HOST:
#-A DENYLOG -j DROP
#-A INPUT -j DENYLOG -s <someipORnetwork>

# Allow Loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Accept existing and related connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Incoming SSH - TCP Port 22
-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 22 -j ACCEPT

# SSH Throttling (Uncomment to enable)
#-A INPUT -p tcp --dport 22 --syn -m limit --limit 1/m --limit-burst 3 -j ACCEPT
#-A INPUT -p tcp --dport 22 --syn -j DROP

# DHCPv6
-A INPUT -m state --state NEW -m udp -p udp --dport 546 --sport 547 -j ACCEPT

:perfSONAR - [0:0]

# Accept ICMP
-A perfSONAR -p icmp --icmp-type any -j ACCEPT

# =-=-=-=-=-=- Core perfSONAR Services =-=-=-=-=-=-

# Incoming Web (esmond and Toolkit GUI) - TCP Ports 80 and 443
-A perfSONAR -m tcp -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A perfSONAR -m tcp -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

# Incoming NTP - UDP Port 123
-A perfSONAR -p udp --dport 123 -m udp -j ACCEPT

# =-=-=-=-=-=- perfSONAR Measurement Tools =-=-=-=-=-=-

# UDP Traceroute (Incoming)
-A perfSONAR -m udp -p udp --dport 33434:33634 -j ACCEPT

# NPAD Control (Incoming)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8000 -j ACCEPT

# NPAD Test (Incoming)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8001:8020 -j ACCEPT

# Flash crossdomain (for NDT)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 843 -j ACCEPT

# NDT Control (Incoming)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 7123 -j ACCEPT

# NDT Test (Incoming)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 3001:3003 -j ACCEPT

# OWAMP Control (Incoming)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 861 -j ACCEPT

# OWAMP Test (Incoming)
-A perfSONAR -m udp -p udp --dport 8760:9960 -j ACCEPT

# BWCTL Control (Incoming)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 4823 -j ACCEPT

# BWCTL Peer (Incoming, TCP and UDP)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 6001:6200 -j ACCEPT
-A perfSONAR -m udp -p udp --dport 6001:6200 -j ACCEPT

# BWCTL Test (Incoming, TCP and UDP)
-A perfSONAR -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 5000:5900 -j ACCEPT
-A perfSONAR -m udp -p udp --dport 5000:5900 -j ACCEPT
-A perfSONAR -j RETURN
-A INPUT -j perfSONAR


# log before we drop whatever is left.
# -A INPUT -j LOG --log-prefix DROPPED_PACKET:

# Drop the rest
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT