@carlosmarin
Created May 13, 2014 19:20
*nat
# forward UDP port 69 (TFTP) to port 6969 on 10.4.108.6
-A PREROUTING -p udp -m udp --dport 69 -j DNAT --to-destination 10.4.108.6:6969
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -s 10.4.108.6 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# monitors
-A INPUT -s 10.4.126.104 -j ACCEPT
# SAT6
-A INPUT -s 10.6.122.0/24 -p tcp --dport 22 -j ACCEPT
# SAT6 NAC
-A INPUT -s 10.66.0.0/16 -p tcp --dport 22 -j ACCEPT
# NetSec VPN
# DFW
-A INPUT -s 10.5.72.0/23 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.5.74.0/23 -p tcp --dport 22 -j ACCEPT
# IAD
-A INPUT -s 10.4.227.0/24 -p tcp --dport 22 -j ACCEPT
# ORD
-A INPUT -s 10.12.232.0/23 -p tcp --dport 22 -j ACCEPT
-A INPUT -s 10.12.234.0/23 -p tcp --dport 22 -j ACCEPT
# Austin office
-A INPUT -s 10.1.68.0/22 -p tcp --dport 22 -j ACCEPT
# thinlin bastion access
-A INPUT -s 10.7.138.218 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.7.138.222 -p tcp -m tcp --dport 22 -j ACCEPT
# GDCI Zabbix servers
-A INPUT -s 10.3.125.101 -j ACCEPT
-A INPUT -s 10.4.125.101 -j ACCEPT
-A INPUT -s 10.7.125.100 -j ACCEPT
-A INPUT -s 10.7.125.101 -j ACCEPT
-A INPUT -s 10.9.125.101 -j ACCEPT
-A INPUT -s 10.11.125.101 -j ACCEPT
-A INPUT -s 10.12.125.101 -j ACCEPT
-A INPUT -s 10.16.125.101 -j ACCEPT
##### fe #####
# need to change to LB IPs
-A INPUT -s 10.4.108.0/255.255.255.240 -p tcp --dport 80 -j ACCEPT
-A INPUT -s 10.4.108.0/255.255.255.240 -p tcp --dport 8000 -j ACCEPT
# FireEngine TFTP traffic
-A INPUT -p udp --dport 69 -j ACCEPT
-A INPUT -p udp --dport 6969 -j ACCEPT
# Allow all Erlang nodes in the same cluster to communicate with each other
-A INPUT -s 10.4.108.6 -j ACCEPT
-A INPUT -s 10.4.108.8 -j ACCEPT
# arbiter
-A INPUT -s 10.4.90.244 -p tcp --dport 27017 -j ACCEPT
-A INPUT -s 10.4.90.245 -p tcp --dport 27017 -j ACCEPT
##### Backups ####
-A INPUT -s 10.191.192.0/18 -i eth1 -j ACCEPT
-A INPUT -s 10.250.0.0/16 -i eth1 -j ACCEPT
-A INPUT -s 10.251.0.0/16 -i eth1 -j ACCEPT
-A INPUT -s 10.252.0.0/16 -i eth1 -j ACCEPT
-A INPUT -s 10.253.0.0/24 -i eth1 -j ACCEPT
-A INPUT -s 10.226.255.0/24 -i eth1 -j ACCEPT
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT