-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathiptables.j2
40 lines (40 loc) · 1016 Bytes
/
iptables.j2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
{{ nat }}
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:closed - [0:0]
:filtered - [0:0]
:local - [0:0]
:open - [0:0]
:family - [0:0]
:sshguard - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j local
-A INPUT -s 192.168.0.0/16 -j family
-A INPUT -s 172.17.0.0/24 -j family
-A INPUT -s 172.18.0.0/24 -j family
{{ other_ip_entry }}
{% for ip in ips %}
-A INPUT -s {{ ip }}/32 -j family
{% endfor %}
{% for port in ports %}
-A INPUT -p tcp -m tcp --dport {{ port }} -j open
{% endfor %}
-A INPUT -p tcp -m tcp --dport 22 -j sshguard
-A INPUT -p tcp -m tcp --dport 22 -j open
-A INPUT -p tcp -m tcp -j closed
-A INPUT -p udp --dport 53 -j open
-A INPUT -p udp -j filtered
{{ fw }}
-A closed -p tcp -j REJECT --reject-with tcp-reset
-A family -j ACCEPT
-A filtered -j DROP
-A local -j ACCEPT
-A open -j ACCEPT
{{ sshguard_blacklist }}
COMMIT