### FILTER RULES ###

*filter

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT
-A INPUT -p icmp --icmp-type 3/3 -j ACCEPT
-A INPUT -p icmp --icmp-type 3/1 -j ACCEPT
-A INPUT -p icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp --icmp-type 12 -j ACCEPT

<% if node['config'] && node['config']['munin_master'] %>
# allow ping between the peers
<% node['peers'].each do |hostname,ip| %>
-A INPUT -s <%= ip %> -p icmp --icmp-type 8 -j ACCEPT
<% end %>
<% end %>

-A INPUT -i lo -j ACCEPT

# Everybody need to accept SSH from integration
-A INPUT -s <%= node['peers']['integration'] %> -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Everybody needs to accept munin connections from munin master
<% if node['config'] && node['config']['munin_master'] %>
-A INPUT -s <%= node['config']['munin_master'] %> -p tcp -m state --state NEW --dport 4949 -j ACCEPT
<% end %>

<%= node['firewall'] %>
<%= render 'iptables-filter.erb' %>

-A INPUT -j LOG --log-prefix "Firewall INPUT: "
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "Firewall FORWARD: "
-A FORWARD -j DROP

COMMIT


*nat
<%= render 'iptables-nat.erb' %>
COMMIT