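# Host firewall for a Docker host with a single uplink (enp5s0).
# "inet" family: each rule applies to IPv4 and IPv6 unless it uses an
# ip/ip6/icmp-specific match. All three base chains default to drop; the
# trailing bare "counter" in each chain counts what the policy drops, so
# "nft list ruleset" shows how much is being rejected.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Conntrack first: discard packets that belong to no known flow, then
        # fast-path replies for flows the host already accepted or initiated.
        ct state invalid counter drop comment "drop invalid packets"
        ct state established,related counter accept comment "accept related connections"

        # Loopback: accept everything that arrives on lo, and drop anything
        # arriving on a real interface but addressed to a loopback address
        # (spoofed / misrouted).
        iif lo counter accept
        iif != lo ip daddr 127.0.0.1/8 counter drop
        iif != lo ip6 daddr ::1/128 counter drop

        # ICMP / ICMPv6, all types. ICMPv6 is mandatory for IPv6 to function
        # (neighbour and router discovery, PMTU). "meta l4proto" matches the
        # transport header even behind IPv6 extension headers; "ip6 nexthdr"
        # only sees the first header, so MLD reports (which carry a hop-by-hop
        # header) would not have matched.
        ip protocol icmp counter accept
        meta l4proto ipv6-icmp counter accept

        # DNS for containers (Docker address space).
        # NOTE(review): keyed on source address only, so a 172.16/12 source
        # presented on enp5s0 also matches. Adding iifname "docker0" (or the
        # relevant bridge) would stop a spoofed RFC1918 source from reaching
        # the resolver; left unchanged because other bridges may exist.
        udp dport domain ip saddr 172.16.0.0/12 counter accept

        # Services on 3000, 8000 and 8384 are loopback-only. They are admitted
        # by "iif lo accept" above; the former per-port rules matching
        # "ip saddr 127.0.0.1/8" were shadowed by that rule for genuine
        # loopback traffic and could only ever match a packet carrying a
        # spoofed 127/8 source on a non-lo interface (normally discarded by the
        # kernel as a martian, but not when route_localnet is enabled on the
        # interface, which Docker does in some configurations). Removed so the
        # default drop applies to such packets.

        # 8080 from the 10/8 RFC1918 range. The original prefix "10.1.0.0/8"
        # has host bits set and is masked by nft to 10.0.0.0/8, which is what
        # is written here explicitly.
        # NOTE(review): if only 10.1.0.0/16 was intended, tighten the prefix.
        tcp dport 8080 ip saddr 10.0.0.0/8 counter accept

        # SSH from anywhere. Rate-limiting new connections (for example
        # "tcp dport ssh ct state new limit rate 10/minute accept") would blunt
        # password brute-forcing; not added here to keep behaviour unchanged.
        tcp dport ssh counter accept

        # Everything else is dropped by the chain policy; count it.
        counter
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Same conntrack handling as the input chain, so half-open or garbage
        # flows are not relayed on behalf of containers.
        ct state invalid counter drop comment "drop invalid packets"
        ct state established,related counter accept

        # Container-to-container traffic inside the Docker address space.
        # Only reaches this hook when bridged traffic is passed to netfilter
        # (br_netfilter); otherwise it is switched at L2.
        ip saddr 172.16.0.0/12 ip daddr 172.16.0.0/12 counter accept

        # Anything leaving the docker0 bridge for any other interface. This is
        # L3-agnostic, so it also forwards the fcdd::/48 IPv6 containers that
        # "table ip6 nat" masquerades. It subsumed the former
        # 'iifname "docker0" oifname "enp5s0"' rule, which has been folded in.
        # NOTE(review): "!= docker0" covers every other interface on the host
        # (VPN tunnels, other bridges, ...), not just the enp5s0 uplink. Pin it
        # to oifname "enp5s0" if containers must not reach those networks.
        iifname "docker0" oifname != "docker0" counter accept

        # Removed: 'ip saddr 172.16.0.0/12 ip daddr 0.0.0.0/8 accept'.
        # 0.0.0.0/8 is not a routable destination (the kernel rejects it as a
        # martian destination before the forward hook), so the rule could not
        # match. If "/0" (any destination) was intended, the docker0 rule above
        # already provides that for bridge-originated traffic.

        counter
    }

    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept

        # Outbound ping (IPv4) and all ICMPv6. Without the ICMPv6 rule this
        # host cannot emit neighbour/router solicitations or MLD reports, so
        # IPv6 connectivity (including the fcdd::/48 masquerade) cannot work.
        # ICMP errors for tracked flows are already covered by "related".
        icmp type echo-request counter accept
        icmp type echo-reply counter accept
        meta l4proto ipv6-icmp counter accept

        # Locally delivered traffic: 127/8, ::1 and the host's own addresses
        # are all routed via lo. The former 'iif lo oif lo' rule could not
        # match because iif is not set for locally generated packets, and the
        # companion 'ip saddr 127.0.0.1 ip daddr 127.0.0.1/8' rule left IPv6
        # loopback (::1) uncovered; "oif lo" handles both families.
        oif lo counter accept

        # Client traffic this host may originate, by destination port.
        # Several entries pair a service with a transport it does not use
        # (tcp bootps, tcp ntp, udp hkp, udp git, udp rsync, udp nntps); they
        # are harmless dead rules and are kept as-is.
        udp dport domain counter accept
        tcp dport http counter accept
        tcp dport https counter accept
        tcp dport ssh counter accept
        tcp dport bootps counter accept
        udp dport bootps counter accept
        tcp dport ntp counter accept
        udp dport ntp counter accept
        tcp dport nntps counter accept
        udp dport nntps counter accept
        tcp dport submission counter accept
        tcp dport imaps counter accept
        tcp dport 2222 counter accept
        tcp dport hkp counter accept
        udp dport hkp counter accept
        tcp dport 9100 counter accept
        tcp dport git counter accept
        udp dport git counter accept
        tcp dport rsync counter accept
        udp dport rsync counter accept
        tcp dport 8000 counter accept
        tcp dport http-alt counter accept
        tcp dport 8080 counter accept
        udp dport openvpn counter accept
        tcp dport postgresql counter accept
        tcp dport 5222 counter accept
        # (duplicate tcp/udp nntps rules that appeared a second time here were
        # removed; the earlier pair above is the only one needed)

        counter
    }
}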
# IPv4 source NAT for containers leaving the host via the uplink.
table ip nat {
    # No destination NAT is configured. The chain only counts traffic so
    # that "nft list ruleset" shows prerouting activity.
    chain prerouting {
        type nat hook prerouting priority 0;
        counter
    }

    # Rewrite the source of every flow from the Docker address space
    # (172.16.0.0/12) to the uplink's own address when it goes out on
    # enp5s0. Flows leaving on any other interface keep their container
    # source address.
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "enp5s0" ip saddr 172.16.0.0/12 counter masquerade
        counter
    }
}
# IPv6 source NAT for containers using the fcdd::/48 ULA range.
table ip6 nat {
    # No destination NAT is configured; count-only, as in "table ip nat".
    chain prerouting {
        type nat hook prerouting priority 0;
        counter
    }

    # Masquerade the container ULA prefix to the uplink's global address when
    # it leaves on enp5s0. Flows leaving on other interfaces are untouched.
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "enp5s0" ip6 saddr fcdd::/48 counter masquerade
        counter
    }
}