forked from texastwister/OpenRHCE
-
Notifications
You must be signed in to change notification settings - Fork 0
/
firewall_example.txt
119 lines (113 loc) · 5.04 KB
/
firewall_example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
# Structure of chains:
#
# Filter chains: service-chain -j address-chain
# Service chain: proto port [modifiers] -j address-chain
# Address chain: -s [IP-address][IP-address-range] -j ACCEPT
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#
# Allow everything from loopback*
#
-A INPUT -i lo+ -j ACCEPT
#
# Allow everything from private interfaces
#
-A INPUT -i eth1+ -j ACCEPT
# ------------------------------------------
# Access list chain 'bill-Net-CDE-Support'
# ------------------------------------------
:bill-Net-CDE-Support - [0:0]
-A bill-Net-CDE-Support -s 128.83.93.0/24 -j ACCEPT
# ------------------------------------------
# Access list chain 'bill-Net-Bill'
# ------------------------------------------
:bill-Net-Bill - [0:0]
-A bill-Net-Bill -s 127.21.5.141 -j ACCEPT
-A bill-Net-Bill -s 127.21.5.142 -j ACCEPT
-A bill-Net-Bill -s 127.21.5.134 -j ACCEPT
-A bill-Net-Bill -s 126.54.4.125 -j ACCEPT
# ------------------------------------------
# Access list chain 'bill-Net-CDE-Monitoring'
# ------------------------------------------
:bill-Net-CDE-Monitoring - [0:0]
-A bill-Net-CDE-Monitoring -s 126.25.45.123 -j ACCEPT
-A bill-Net-CDE-Monitoring -s 126.25.45.124 -j ACCEPT
-A bill-Net-CDE-Monitoring -s 156.25.23.123 -j ACCEPT
# ------------------------------------------
# Access list chain 'bill-Net-EFG'
# ------------------------------------------
:bill-Net-EFG - [0:0]
-A bill-Net-EFG -s 143.25.45.123/27 -j ACCEPT
-A bill-Net-EFG -s 144.55.45.156/25 -j ACCEPT
-A bill-Net-EFG -s 129.53.24.135/27 -j ACCEPT
-A bill-Net-EFG -s 123.56.45.156/27 -j ACCEPT
-A bill-Net-EFG -s 173.45.48.157/27 -j ACCEPT
# ------------------------------------------
# Access list chain 'bill-Net-ABC-Service'
# ------------------------------------------
:bill-Net-ABC-Service - [0:0]
-A bill-Net-ABC-Service -s 135.45.164.123/25 -j ACCEPT
-A bill-Net-ABC-Service -s 124.35.136.135/26 -j ACCEPT
-A bill-Net-ABC-Service -s 146.65.448.113/27 -j ACCEPT
# ------------------------------------------
# Access list chain 'bill-Net-ABC-Staff'
# ------------------------------------------
:bill-Net-ABC-Staff - [0:0]
-A bill-Net-ABC-Staff -s 146.128.46.128/26 -j ACCEPT
-A bill-Net-ABC-Staff -s 171.45.128.234/26 -j ACCEPT
# ------------------------------------------
# Access list chain 'bill-Net-CDE-Storage'
# ------------------------------------------
:bill-Net-CDE-Storage - [0:0]
-A bill-Net-CDE-Storage -s 144.12.56.128 -j ACCEPT
# ------------------------------------------
# Service chain 'bill-eth0'
# ------------------------------------------
:bill-eth0 - [0:0]
-A bill-eth0 -p tcp -m multiport --destination-ports 57050,57051,57052,57053,57054,57055 -j bill-Net-ABC-Service
-A bill-eth0 -p tcp -m multiport --destination-ports 57050,57051,57052,57053,57054,57055 -j bill-Net-CDE-Support
-A bill-eth0 -p tcp -m multiport --destination-ports 57050,57051,57052,57053,57054,57055 -j bill-Net-Bill
-A bill-eth0 -p tcp -m multiport --source-ports sunrpc,nfs -j bill-Net-CDE-Storage
-A bill-eth0 -p icmp --icmp-type echo-request -j bill-Net-ABC-Service
-A bill-eth0 -p icmp --icmp-type echo-reply -j bill-Net-ABC-Service
-A bill-eth0 -p icmp --icmp-type destination-unreachable -j bill-Net-ABC-Service
-A bill-eth0 -p icmp --icmp-type time-exceeded -j bill-Net-ABC-Service
-A bill-eth0 -p icmp --icmp-type echo-request -j bill-Net-ABC-Staff
-A bill-eth0 -p icmp --icmp-type echo-reply -j bill-Net-ABC-Staff
-A bill-eth0 -p icmp --icmp-type destination-unreachable -j bill-Net-ABC-Staff
-A bill-eth0 -p icmp --icmp-type time-exceeded -j bill-Net-ABC-Staff
-A bill-eth0 -p icmp --icmp-type echo-request -j bill-Net-CDE-Support
-A bill-eth0 -p icmp --icmp-type echo-reply -j bill-Net-CDE-Support
-A bill-eth0 -p icmp --icmp-type destination-unreachable -j bill-Net-CDE-Support
-A bill-eth0 -p icmp --icmp-type time-exceeded -j bill-Net-CDE-Support
-A bill-eth0 -p icmp --icmp-type echo-request -j bill-Net-CDE-Monitoring
-A bill-eth0 -p icmp --icmp-type echo-reply -j bill-Net-CDE-Monitoring
-A bill-eth0 -p icmp --icmp-type destination-unreachable -j bill-Net-CDE-Monitoring
-A bill-eth0 -p icmp --icmp-type time-exceeded -j bill-Net-CDE-Monitoring
-A bill-eth0 -p icmp --icmp-type echo-request -j bill-Net-EFG
-A bill-eth0 -p icmp --icmp-type echo-reply -j bill-Net-EFG
-A bill-eth0 -p icmp --icmp-type destination-unreachable -j bill-Net-EFG
-A bill-eth0 -p icmp --icmp-type time-exceeded -j bill-Net-EFG
-A bill-eth0 -p tcp -m multiport --destination-ports 1159,4889 -j bill-Net-Bill
-A bill-eth0 -p tcp --destination-port 22 -j bill-Net-ABC-Service
-A bill-eth0 -p tcp --destination-port 22 -j bill-Net-ABC-Staff
-A bill-eth0 -p tcp --destination-port 22 -j bill-Net-CDE-Support
-A bill-eth0 -p tcp --destination-port 22 -j bill-Net-CDE-Monitoring
-A bill-eth0 -p tcp --destination-port 22 -j bill-Net-EFG
# ------------------------------------------
# Attach rules to interface 'eth0'
# ------------------------------------------
-A INPUT -i eth0+ -j bill-eth0
#
# Accept packets for established connections
#
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Run all others down the ground wire
#
-A INPUT -j DROP
COMMIT
#