iptables rules on outside interfaces #255

Closed · rowlandm opened this issue Aug 4, 2017 · 1 comment

rowlandm commented Aug 4, 2017

Hi there,

We were using these scripts as a base and our sysadmin found out that:

Both GVL and the Galaxy server use Ubuntu 14.04.5 LTS (Trusty).
Both don't have iptables rules on outside interfaces.

I have attached a copy of our iptables that is specific for our configuration just in case you wanted it. Ours is a special Galaxy use case so it's not suitable as is.

Hope this helps.

Rowland.
Attachment: rules.v4.txt

drosofff (Member) commented Dec 4, 2017

@rowlandm
I am copying the content of your rules.v4.txt below and closing the issue.
Thank you very much!

```
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT

*filter
# Allow all outgoing, but drop incoming and forwarding packets by default
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Custom Docker chains
## The DOCKER chain is empty here; dockerd fills it in at runtime. Ports published
## by containers are accepted in FORWARD through this chain and never traverse INPUT.
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]

# Custom per-protocol chains
:UDP - [0:0]
:TCP - [0:0]
:ICMP - [0:0]

# Acceptable Docker traffic
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN

# Acceptable UDP traffic
## (none: new inbound UDP falls through to the REJECT at the end of INPUT)

# Acceptable TCP traffic
## SSH is open to any source; HTTP and HTTPS are limited to the listed addresses
-A TCP -p tcp --dport 22 -j ACCEPT
#-A TCP -p tcp --dport 80 -j ACCEPT
#-A TCP -p tcp --dport 443 -j ACCEPT
#http
-A TCP -s 203.101.227.3     -p tcp --dport 80 -j ACCEPT
-A TCP -s 45.113.232.155    -p tcp --dport 80 -j ACCEPT
-A TCP -s 43.240.97.231     -p tcp --dport 80 -j ACCEPT
-A TCP -s 43.240.96.62      -p tcp --dport 80 -j ACCEPT
-A TCP -s 115.146.86.78     -p tcp --dport 80 -j ACCEPT
-A TCP -s 203.101.226.197   -p tcp --dport 80 -j ACCEPT
-A TCP -s 115.146.88.148    -p tcp --dport 80 -j ACCEPT
-A TCP -s 203.101.234.122   -p tcp --dport 80 -j ACCEPT
#https
-A TCP -s 203.101.227.3     -p tcp --dport 443 -j ACCEPT
-A TCP -s 45.113.232.155    -p tcp --dport 443 -j ACCEPT
-A TCP -s 43.240.97.231     -p tcp --dport 443 -j ACCEPT
-A TCP -s 43.240.96.62      -p tcp --dport 443 -j ACCEPT
-A TCP -s 115.146.86.78     -p tcp --dport 443 -j ACCEPT
-A TCP -s 203.101.226.197   -p tcp --dport 443 -j ACCEPT
-A TCP -s 115.146.88.148    -p tcp --dport 443 -j ACCEPT
-A TCP -s 203.101.234.122   -p tcp --dport 443 -j ACCEPT
#rowland
-A TCP -s 220.237.12.233    -p tcp --dport 443 -j ACCEPT
-A TCP -s 220.237.12.233    -p tcp --dport 80  -j ACCEPT
#Isha
-A TCP -s 61.68.224.97      -p tcp --dport 443 -j ACCEPT
-A TCP -s 61.68.224.97      -p tcp --dport 80  -j ACCEPT
#steve
-A TCP -s 60.241.107.11     -p tcp --dport 443 -j ACCEPT
-A TCP -s 60.241.107.11     -p tcp --dport 80  -j ACCEPT

# Acceptable ICMP traffic
## All ICMP is accepted directly in INPUT; the ICMP chain above is left unused
-A INPUT -p icmp -j ACCEPT

# Boilerplate acceptance policy
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT

# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Pass traffic to protocol-specific chains
## Only allow new connections (established and related should already be handled)
## For TCP, additionally only allow new SYN packets since that is the only valid
## method for establishing a new TCP connection
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
#-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP

# Reject anything that's fallen through to this point
## Try to be protocol-specific w/ rejection message
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# Commit the changes
COMMIT

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
```

drosofff closed this as completed Dec 4, 2017
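A check worth running against a rules.v4 file of the shape posted above, as an added example that is not part of the issue or of the project: it parses the iptables-save format offline with awk (no root, no iptables binary needed) and lists, for a given root chain, every ACCEPT rule with a destination port that is reachable from that chain, together with its source restriction. Two things it makes visible on this kind of ruleset: in INPUT, SSH (22) is accepted from any source while 80/443 are limited to listed addresses, and any port a Docker container publishes is accepted in FORWARD via the DOCKER chain and never passes through INPUT, so the INPUT allow-list does not cover it. The sample ruleset is constructed: the 203.0.113.7 address is a documentation address, and the DOCKER rule is shaped like the one dockerd adds at runtime for a published container port. Note also that rules.v4 only covers IPv4; the same interface needs a matching ip6tables ruleset for IPv6.

```shell
#!/bin/sh
# Added example, not the project's code: audit an iptables-save style file for
# port-accepting rules reachable from a root chain (INPUT or FORWARD).

# Constructed sample rules (trimmed to the shape seen in the issue).
RULES_FILE=$(mktemp)
trap 'rm -f "$RULES_FILE"' EXIT
cat > "$RULES_FILE" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
# constructed: what dockerd adds when a container publishes port 8080
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 8080 -j ACCEPT
-A TCP -p tcp --dport 22 -j ACCEPT
-A TCP -s 203.0.113.7 -p tcp --dport 443 -j ACCEPT
-A TCP -s 203.0.113.7 -p tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
EOF

# reachable_accepts FILE ROOT
# Prints "proto/port SOURCE" for each ACCEPT rule carrying --dport in the filter
# table, in ROOT itself or in any user chain ROOT jumps to (one level, which is
# how the posted ruleset dispatches). SOURCE is "ANY" when the rule has no -s.
reachable_accepts() {
    awk -v root="$2" '
        /^\*/ { table = substr($1, 2) }             # "*filter", "*nat", ...
        table != "filter" || $1 != "-A" { next }    # only filter-table rules
        FNR == NR {                                 # pass 1: chains ROOT jumps to
            if ($2 == root)
                for (i = 3; i <= NF; i++) if ($i == "-j") reach[$(i + 1)] = 1
            next
        }
        {                                           # pass 2: port-accepting rules
            chain = $2; proto = ""; port = ""; src = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") port = $(i + 1)
                else if ($i == "-s") src = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (target == "ACCEPT" && port != "" && (chain == root || chain in reach))
                print proto "/" port, (src == "" ? "ANY" : src)
        }' "$1" "$1"
}

# world_open_ports FILE
# Ports accepted in INPUT from any source: the ones an outside interface exposes.
world_open_ports() {
    reachable_accepts "$1" INPUT | awk '$2 == "ANY" { print $1 }'
}

echo "== accepted in INPUT (proto/port source) =="
reachable_accepts "$RULES_FILE" INPUT
echo "== open to any source in INPUT =="
world_open_ports "$RULES_FILE"
echo "== accepted in FORWARD (Docker published ports, not filtered by INPUT) =="
reachable_accepts "$RULES_FILE" FORWARD
```

Run it against a live host with `iptables-save > /tmp/rules.v4` and point the functions at that file; on a host that also runs containers, the FORWARD listing is the one that shows what the INPUT allow-list is not protecting.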