[vagrant-mail.git] / test-vagrant-salt / salt / gateway / iptables.rules

# Gateway firewall configuration
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Trust local loopback
-A INPUT -i lo -j ACCEPT

# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Accept everything on ICMP
-4 -A INPUT -p icmp -j ACCEPT
-6 -A INPUT -p ipv6-icmp -j ACCEPT

# Drop DHCP requests but accept answers
-4 -A INPUT -p udp -m udp --sport 68 --dport 67 -j DROP
-4 -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT

-A INPUT -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Accept SSH, SMTP
-A INPUT -p tcp -m multiport --dports 22,25 -j ACCEPT

# Accept DNS, NTP
-A INPUT -p udp -m multiport --dports 53,123 -j ACCEPT

# Log and drop
-A INPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[IN DROP] "

# Forwarding rules between private network (eth1) and public one (eth0)
# Forward pings
-4 -A FORWARD -p icmp -j ACCEPT
-6 -A FORWARD -p ipv6-icmp -j ACCEPT

# Forward HTTP, HTTPS
-4 -A FORWARD -i eth1 -o eth0 -s 192.168.33.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
-4 -A FORWARD -i eth0 -o eth1 -d 192.168.33.0/24 -p tcp -m multiport --sports 80,443 -j ACCEPT

# Log dropped packets
-A FORWARD -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[FWD DROP] "
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# NAT the external interface when forwarding from the private network
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
Commit	Line	Data
04cecf73	1	# Gateway firewall configuration
8de79ad0 NI	2	*filter
	3	:INPUT DROP [0:0]
	4	:FORWARD DROP [0:0]
	5	:OUTPUT ACCEPT [0:0]
	6
	7	# Trust local loopback
	8	-A INPUT -i lo -j ACCEPT
	9
	10	# Drop invalid packets
	11	-A INPUT -m conntrack --ctstate INVALID -j DROP
	12
	13	# Accept everything on ICMP
	14	-4 -A INPUT -p icmp -j ACCEPT
	15	-6 -A INPUT -p ipv6-icmp -j ACCEPT
	16
	17	# Drop DHCP requests but accept answers
	18	-4 -A INPUT -p udp -m udp --sport 68 --dport 67 -j DROP
	19	-4 -A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
	20
	21	-A INPUT -p tcp -m tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	22	-A INPUT -p udp -m udp -m conntrack --ctstate ESTABLISHED -j ACCEPT
	23
	24	# Accept SSH, SMTP
	25	-A INPUT -p tcp -m multiport --dports 22,25 -j ACCEPT
	26
	27	# Accept DNS, NTP
	28	-A INPUT -p udp -m multiport --dports 53,123 -j ACCEPT
	29
	30	# Log and drop
	31	-A INPUT -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[IN DROP] "
	32
	33	# Forwarding rules between private network (eth1) and public one (eth0)
	34	# Forward pings
	35	-4 -A FORWARD -p icmp -j ACCEPT
	36	-6 -A FORWARD -p ipv6-icmp -j ACCEPT
	37
	38	# Forward HTTP, HTTPS
	39	-4 -A FORWARD -i eth1 -o eth0 -s 192.168.33.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
	40	-4 -A FORWARD -i eth0 -o eth1 -d 192.168.33.0/24 -p tcp -m multiport --sports 80,443 -j ACCEPT
04cecf73 NI	41
	42	# Log dropped packets
	43	-A FORWARD -m limit --limit 1/sec --limit-burst 1000 -j LOG --log-prefix "[FWD DROP] "
8de79ad0 NI	44	COMMIT
	45
	46	*nat
	47	:PREROUTING ACCEPT [0:0]
	48	:INPUT ACCEPT [0:0]
	49	:OUTPUT ACCEPT [0:0]
	50	:POSTROUTING ACCEPT [0:0]
	51	# NAT the external interface when forwarding from the private network
	52	-A POSTROUTING -o eth0 -j MASQUERADE
	53	COMMIT