@SEJeff
Forked from anonymous/srv_data_etc_ferm_ferm.conf
Created January 25, 2013 15:45
# Host firewall (ferm) rendered by Salt. Each optional service section is
# emitted only when the matching package is installed on the minion
# (salt['pkg.version'] returns a falsy value for an absent package).
domain (ip ip6) {
    table filter {
        chain INPUT {
            policy DROP;

            # Connection tracking: discard malformed flows, let replies of
            # tracked connections through before any per-service rule.
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            # Loopback is always allowed.
            interface lo ACCEPT;

            # Ping: no icmp-type filter, so every ICMP type is accepted here.
            # NOTE(review): confirm this produces ICMPv6 (protocol 58) in the
            # ip6 domain; if it maps to protocol 1, neighbour discovery falls
            # under the DROP policy.
            proto icmp ACCEPT;

            # Remote administration.
            proto tcp dport ssh ACCEPT;

            # Spectrum/SNMP polling. Accepted from any source address; a
            # `saddr` restriction to the poller network would narrow this.
            proto udp dport snmp ACCEPT;

            {% if salt['pkg.version']('nginx') %}
            # Web server: only plain HTTP (port 80) is opened.
            proto tcp dport http ACCEPT;
            {% endif %}

            {% if salt['pkg.version']('vsftpd') %}
            # FTP control/data ports plus the passive-mode range
            # 64000:64100 (expected to match vsftpd's pasv_min_port/pasv_max_port).
            proto tcp dport (20 21 64000:64100) ACCEPT;
            {% endif %}

            {% if salt['pkg.version']('samba') %}
            # NetBIOS name/datagram services (UDP) and session service (TCP).
            proto udp dport (137 138) ACCEPT;
            proto tcp dport 139 ACCEPT;
            {% endif %}

            {% if salt['pkg.version']('ntp') %}
            # NTP.
            proto udp dport 123 ACCEPT;
            {% endif %}
        }

        chain OUTPUT {
            # Outbound traffic is unrestricted; the state rule mirrors INPUT.
            # INVALID is intentionally left alone in this direction.
            policy ACCEPT;
            #mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }

        chain FORWARD {
            # Nothing is forwarded except replies of already-tracked flows.
            policy DROP;
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;
        }
    }
}