iptables.erb
1.24 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
### FILTER RULES ###
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
-A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
-A INPUT -p icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp --icmp-type 12 -j ACCEPT
<% if node['config'] && node['config']['munin_master'] %>
# allow ping between the peers
<% node['peers'].each do |hostname,ip| %>
-A INPUT -s <%= ip %> -p icmp --icmp-type 8 -j ACCEPT
<% end %>
<% end %>
-A INPUT -i lo -j ACCEPT
# Everybody need to accept SSH from integration
-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Everybody needs to accept munin connections from munin master
<% if node['config'] && node['config']['munin_master'] %>
-A INPUT -s <%= node['config']['munin_master'] %> -p tcp -m state --state NEW --dport 4949 -j ACCEPT
<% end %>
<%= node['firewall'] %>
<%= render 'iptables-filter.erb' %>
-A INPUT -j LOG --log-prefix "Firewall INPUT: "
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "Firewall FORWARD: "
-A FORWARD -j DROP
COMMIT
*nat
<%= render 'iptables-nat.erb' %>
COMMIT