# /etc/firewall.d/rules4
#
# Host-specific IPv4 firewall rules (filter / nat / raw tables) for the local server
#
# THIS FILE IS INTENDED TO CONTAIN FIREWALL RULES SPECIFIC TO AN INDIVIDUAL
# SERVER.
#
# USE ONE OF THE FOLLOWING FILES FOR GLOBAL RULES:
# /etc/firewall.d/global.d/ipsets
# /etc/firewall.d/global.d/rules
# /etc/firewall.d/global.d/rules4
# /etc/firewall.d/global.d/rules6
#
#########################
# #
# FILTER Table (IPv4) #
# #
#########################
*filter
## No chain policies (e.g. ":INPUT DROP [0:0]") are declared in this file, so the
## default policies and any anti-spoofing / established-connection rules are
## presumably provided by the global rule files -- confirm before relying on
## these ACCEPTs. Rules are appended (-A), so they are evaluated after whatever
## the loader has already placed in INPUT.
## accept SSH connections from RFC1918 addresses
## NOTE(review): these rules match on source address only and are not bound to
## an ingress interface (-i). On a gateway with a public uplink (ppp0/eth0 in
## the NAT table below) a packet carrying a spoofed RFC1918 source that arrives
## on the uplink would also match, unless the global rules drop such bogons.
## Consider adding "-i <lan-interface>" when uncommenting.
#-A INPUT -p tcp -s 10.0.0.0/8 --dport ssh -j ACCEPT
#-A INPUT -p tcp -s 172.16.0.0/12 --dport ssh -j ACCEPT
#-A INPUT -p tcp -s 192.168.0.0/16 --dport ssh -j ACCEPT
## accept DNS queries from RFC1918 addresses
## Both UDP and TCP are listed: DNS normally uses UDP, but falls back to TCP for
## responses that do not fit in a UDP datagram and for zone transfers. The same
## interface-binding caveat as for SSH applies here.
#-A INPUT -p tcp -s 10.0.0.0/8 --dport domain -j ACCEPT
#-A INPUT -p udp -s 10.0.0.0/8 --dport domain -j ACCEPT
#-A INPUT -p tcp -s 172.16.0.0/12 --dport domain -j ACCEPT
#-A INPUT -p udp -s 172.16.0.0/12 --dport domain -j ACCEPT
#-A INPUT -p tcp -s 192.168.0.0/16 --dport domain -j ACCEPT
#-A INPUT -p udp -s 192.168.0.0/16 --dport domain -j ACCEPT
COMMIT
######################
# #
# NAT Table (IPv4) #
# #
######################
*nat
## prevent NAT for RFC1918 addresses to RFC1918 addresses
## In the nat table, ACCEPT means "do not translate this connection", so
## private-to-private traffic keeps its original source address. These rules
## must stay ABOVE the SNAT rules below: the first matching rule wins, and an
## SNAT rule placed first would rewrite private-to-private traffic as well.
## Note they are deliberately not bound to an output interface (-o), unlike the
## SNAT rules.
#-A POSTROUTING -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
#-A POSTROUTING -s 10.0.0.0/8 -d 172.16.0.0/12 -j ACCEPT
#-A POSTROUTING -s 10.0.0.0/8 -d 192.168.0.0/16 -j ACCEPT
#-A POSTROUTING -s 172.16.0.0/12 -d 10.0.0.0/8 -j ACCEPT
#-A POSTROUTING -s 172.16.0.0/12 -d 172.16.0.0/12 -j ACCEPT
#-A POSTROUTING -s 172.16.0.0/12 -d 192.168.0.0/16 -j ACCEPT
#-A POSTROUTING -s 192.168.0.0/16 -d 10.0.0.0/8 -j ACCEPT
#-A POSTROUTING -s 192.168.0.0/16 -d 172.16.0.0/12 -j ACCEPT
#-A POSTROUTING -s 192.168.0.0/16 -d 192.168.0.0/16 -j ACCEPT
## NAT 10.0.0.0/8 and 172.16.0.0/12 to public through 203.0.113.1 (egress ppp0)
## (the address in this comment matches the --to-source below; keep them in
## sync when adapting the file)
#-A POSTROUTING -o ppp0 -s 10.0.0.0/8 -j SNAT --to-source 203.0.113.1
#-A POSTROUTING -o ppp0 -s 172.16.0.0/12 -j SNAT --to-source 203.0.113.1
## NAT 192.168.0.0/16 to public through 203.0.113.2 (egress eth0)
#-A POSTROUTING -o eth0 -s 192.168.0.0/16 -j SNAT --to-source 203.0.113.2
## 203.0.113.0/24 is the RFC 5737 TEST-NET-3 documentation range; replace these
## with this host's real public address(es) and verify the interface names
## (ppp0 / eth0) before uncommenting.
COMMIT
######################
# #
# RAW Table (IPv4) #
# #
######################
*raw
## Left empty in this example: presumably nothing host-specific is needed
## before connection tracking. Rules placed here are evaluated before conntrack
## (e.g. "-j CT --notrack" to exempt high-volume flows from state tracking).
COMMIT
# end of rules