Created
October 5, 2014 23:06
-
-
Save AvianFlu/f22d4db557cb9d881080 to your computer and use it in GitHub Desktop.
iptables rules for coreOS on DigitalOcea
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| *filter | |
| :INPUT DROP [0:0] | |
| :FORWARD DROP [0:0] | |
| :OUTPUT ACCEPT [0:0] | |
| :Leet-Firewall-1 - [0:0] | |
| # Allow access to Ghost instances over private network | |
| -A INPUT -i eth1 -p tcp -s 10.132.0.0/16,172.17.0.0/16,127.0.0.1 --dport 2368 -j ACCEPT | |
| # Allow private etcd ports | |
| -A INPUT -i eth1 -p tcp -s 10.132.0.0/16,172.17.0.0/16,127.0.0.1 --dport 4001 -j ACCEPT | |
| -A INPUT -i eth1 -p tcp -s 10.132.0.0/16 --dport 7001 -j ACCEPT | |
| # Allow containers access to etcd API | |
| -A INPUT -i docker0 -p tcp -s 172.17.0.0/16 -j ACCEPT | |
| #Sane Firewall rules | |
| -A INPUT -j Leet-Firewall-1 | |
| -A FORWARD -j Leet-Firewall-1 | |
| -A Leet-Firewall-1 -i lo -j ACCEPT | |
| -A Leet-Firewall-1 -p icmp --icmp-type echo-reply -j ACCEPT | |
| -A Leet-Firewall-1 -p icmp --icmp-type destination-unreachable -j ACCEPT | |
| -A Leet-Firewall-1 -p icmp --icmp-type time-exceeded -j ACCEPT | |
| # Accept Pings | |
| -A Leet-Firewall-1 -p icmp --icmp-type echo-request -j ACCEPT | |
| # Accept any established connections | |
| -A Leet-Firewall-1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT | |
| # Accept ssh, http, https - add other tcp traffic ports here | |
| -A Leet-Firewall-1 -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,80,443 -j ACCEPT | |
| #Log and drop everything else | |
| -A Leet-Firewall-1 -j LOG | |
| -A Leet-Firewall-1 -j REJECT --reject-with icmp-host-prohibited | |
| COMMIT |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment