Update README.md

example ruleset
commit 0b4f154f67b7b742dcad288425f2954b8e920b53 1 parent 7c7691f
Andrei Subbota numbata authored

Showing 1 changed file with 57 additions and 0 deletions.

+57 −0 README.md
@@ -25,6 +25,63 @@ The following platforms are supported by this cookbook, meaning that the recipes
25 25
26 26 Write `iptables` rule fragments and place them in `/etc/iptables.d`. Running this script will assemble them in order and reset the firewall rules.
27 27
  28 +## Example
  29 +
  30 +For example, we have three rule-file:
  31 +
  32 +`/etc/iptables.d/vagrant`
  33 +
  34 + # Vagrant boxes forwarding rules for public static ip
  35 +
  36 + *filter
  37 + # Vagrand boxes forwarding ports
  38 + -A FORWARD -p tcp -d 192.168.5.10 --dport 80 -j ACCEPT
  39 + -A FORWARD -p tcp -d 192.168.5.10 --dport 22 -j ACCEPT
  40 +
  41 + *nat
  42 + # Nat all traffic to vagrant boxes
  43 + -A PREROUTING -d 192.168.25.2 -p tcp -j DNAT --to-destination 192.168.5.10
  44 + -A POSTROUTING -j MASQUERADE
  45 + COMMIT
  46 +
  47 +`/etc/iptables.d/all_icmp`
  48 +
  49 + # ICMP
  50 + -A FWR -p icmp -j ACCEP
  51 +
  52 +`/etc/iptables.d/all_estabilished`
  53 +
  54 + # Any established connection is money
  55 + -A FWR -m state --state RELATED,ESTABLISHED -j ACCEPT
  56 +
  57 +They are produce `/etc/iptables/general`
  58 +
  59 + *filter
  60 + :INPUT ACCEPT [0,0]
  61 + :FORWARD ACCEPT [0,0]
  62 + :OUTPUT ACCEPT [0,0]
  63 + :FWR -
  64 + # Any established connection is money
  65 + -A FWR -m state --state RELATED,ESTABLISHED -j ACCEPT
  66 + # ICMP
  67 + -A FWR -p icmp -j ACCEPT
  68 + # Vagrant boxes forwarding rules for public static ip
  69 +
  70 + # Vagrand boxes forwarding ports
  71 + -A FORWARD -p tcp -d 192.168.5.10 --dport 80 -j ACCEPT
  72 + -A FORWARD -p tcp -d 192.168.5.10 --dport 22 -j ACCEPT
  73 +
  74 + COMMIT
  75 + *nat
  76 + :PREROUTING ACCEPT [0,0]
  77 + :POSTROUTING ACCEPT [0,0]
  78 + :OUTPUT ACCEPT [0,0]
  79 + # Nat all traffic to vagrant boxes
  80 + -A PREROUTING -d 192.168.25.2 -p tcp -j DNAT --to-destination 192.168.5.10
  81 + -A POSTROUTING -j MASQUERADE
  82 +
  83 + COMMIT
  84 +
28 85
29 86 ## Contributing
30 87
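Review bot: the `all_icmp` fragment at line 50 of the new README, `-A FWR -p icmp -j ACCEP`, is missing the final `T` of `ACCEPT`; `iptables-restore` rejects an unknown target, so the assembled file would fail to load, and the generated output further down (line 67) shows `ACCEPT`, so the two listings disagree. In the same spirit, the chain headers in the generated `/etc/iptables/general` use `[0,0]` counters, but the `iptables-save`/`iptables-restore` format is `[packets:bytes]` with a colon, e.g. `:INPUT ACCEPT [0:0]`; as written, restore will fail on the first policy line. Two points a reader will trip over in the example itself: the custom chain is declared with `:FWR -` and holds the ICMP and RELATED,ESTABLISHED rules, but nothing in the shown output jumps to it (`-A INPUT -j FWR` or `-A FORWARD -j FWR`), so unless the script adds that jump elsewhere those rules never match a packet; and with `INPUT`, `FORWARD` and `OUTPUT` all at policy `ACCEPT`, the explicit `--dport 80`/`--dport 22` ACCEPT rules restrict nothing, so the text should say what default policy the example assumes. Wording: "three rule-file" should read "three rule files", "Vagrand" (lines 37 and 70) should be "Vagrant", "all_estabilished" is misspelled ("established"), and "They are produce" should be "They produce".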
