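# ferm ruleset rendered through Salt's Jinja templating.
# One rule tree is applied to both IPv4 and IPv6 (domain (ip ip6)).
# Inbound and forwarded traffic is default-deny; outbound is default-allow.
# Service ports are opened only when the matching package is installed
# (pkg.version yields an empty, falsy string for a missing package).
# NOTE(review): "package installed" is not the same as "service enabled";
# a port is opened even if the daemon is stopped or bound elsewhere.
domain (ip ip6) {
    table filter {
        chain INPUT {
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # allow local packet
            interface lo ACCEPT;

            # respond to ping
            # "proto icmp" only matches ICMP for IPv4. In the ip6 domain the
            # protocol is ipv6-icmp; without it the DROP policy also discards
            # neighbor discovery and IPv6 connectivity breaks.
            # NOTE(review): both rules accept every ICMP type, not only echo
            # requests; narrow with icmp-type / icmpv6-type if that is unwanted.
            @if @eq($DOMAIN, ip6) {
                proto ipv6-icmp ACCEPT;
            } @else {
                proto icmp ACCEPT;
            }

            # allow SSH connections
            proto tcp dport ssh ACCEPT;

            # allow spectrum/snmp queries
            # NOTE(review): accepted from any source address. SNMP is usually
            # polled by a small set of monitoring hosts; consider adding
            # "saddr <MONITORING_HOST_PLACEHOLDER>" to this rule.
            proto udp dport snmp ACCEPT;

            {% if salt['pkg.version']('nginx') %}
            # allow HTTP connections
            # NOTE(review): only port 80 is opened; no rule here covers https.
            proto tcp dport http ACCEPT;
            {% endif %}

            {% if salt['pkg.version']('vsftpd') %}
            # allow FTP connections
            # NOTE(review): in active mode the server opens the data connection
            # from port 20, so an inbound rule for dport 20 is normally not
            # needed; confirm before removing.
            proto tcp dport 20 ACCEPT;
            proto tcp dport 21 ACCEPT;
            # presumably the passive data port range; must match
            # pasv_min_port / pasv_max_port in vsftpd.conf (verify)
            proto tcp dport 64000:64100 ACCEPT;
            {% endif %}

            {% if salt['pkg.version']('samba') %}
            # allow samba connections
            # NOTE(review): only the NetBIOS ports are opened and from any
            # source; 445/tcp is not listed, so direct-hosted SMB is dropped.
            # Confirm that is intended and consider limiting saddr to the LAN.
            proto udp dport 137 ACCEPT;
            proto udp dport 138 ACCEPT;
            proto tcp dport 139 ACCEPT;
            {% endif %}

            {% if salt['pkg.version']('ntp') %}
            # allow NTP queries
            # NOTE(review): this admits inbound queries, which is only needed
            # if the host serves time to others; replies to its own outbound
            # queries are already covered by the ESTABLISHED rule above.
            proto udp dport 123 ACCEPT;
            {% endif %}
        }

        chain OUTPUT {
            policy ACCEPT;

            # connection tracking
            #mod state state INVALID DROP;
            # redundant under policy ACCEPT, but harmless
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }

        chain FORWARD {
            # host is not a router: forward only replies to tracked flows
            policy DROP;

            # connection tracking
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
    }
}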