@ggeorgaras
Forked from samrocketman/iptables.rules
Created May 31, 2016 10:34
iptables rules for GitLab
#iptables config for GitLab (iptables-save format; load it with: iptables-restore < iptables.rules)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#The OUTBOUND RULES below only take effect with a DROP policy on OUTPUT: with ACCEPT,
#traffic they do not match is still allowed, because nothing REJECTs at the end of OUTPUT.
#To enforce egress filtering, use this policy line instead of the ACCEPT one above:
#:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#uncomment to answer ICMP (ping etc.) from anywhere; ICMP from the internal network is allowed further down
#-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
########################################################################
# OUTBOUND RULES
#allow outbound ping (ICMP echo-request) to any host; the echo-replies come back via ESTABLISHED
-A OUTPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
#allow all internal network outbound communications
-A OUTPUT -d 192.168.10.0/24 -j ACCEPT
-A OUTPUT -d 10.9.8.0/24 -j ACCEPT
-A OUTPUT -d 192.168.100.1 -j ACCEPT
#Google Public DNS (UDP only; add tcp/53 to the same two hosts if the resolver needs TCP fallback for large answers)
-A OUTPUT -p udp -d 8.8.8.8 -m state --state NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -d 8.8.4.4 -m state --state NEW -m udp --dport 53 -j ACCEPT
#SMTP submission (port 587, STARTTLS) for outbound mail from GitLab; SMTPS proper would be port 465
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
#system updates: FTP control channel, HTTP and HTTPS
#(FTP data connections only count as RELATED if the nf_conntrack_ftp helper is loaded)
-A OUTPUT -p tcp -m state --state NEW -m multiport --dports 21,80,443 -j ACCEPT
#accept traceroutes
-A OUTPUT -p udp -m state --state NEW -m udp --dport 33434:33523 -j ACCEPT
# END OUTBOUND RULES
########################################################################
########################################################################
# INTERNAL INBOUND NETWORK RULES
#icmp
-A INPUT -p icmp -s 192.168.10.0/24 -j ACCEPT
#GitLab inbound rules: 22 for git over SSH, 80/443 for the web UI and HTTP(S) clones, internal network only
-A INPUT -p tcp -s 192.168.10.0/24 -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
# END INTERNAL INBOUND NETWORK RULES
########################################################################
########################################################################
# PUBLIC INTERNET RULES
#ssh from everyone in the world
#-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# END PUBLIC INTERNET RULES
########################################################################
#enable logging for troubleshooting inbound/outbound
#(the jumps sit right before the final REJECT, so only traffic about to be rejected is logged;
# only TCP is logged as written, drop "-p tcp" to also see UDP and ICMP)
#-N LOGGING
#-A LOGGING -p tcp -m limit --limit 2/min -j LOG --log-prefix "iptables DROP: " --log-level 4
#-A LOGGING -j RETURN
#-A OUTPUT -j LOGGING
#-A INPUT -j LOGGING
#block all remaining requests
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
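An added audit script (not part of this gist, and not GitLab's own tooling) that parses a rule set in iptables-save format and checks the points made in the comments above: it reports that the OUTPUT allow rules are inert while the OUTPUT policy is ACCEPT, goes quiet once the policy is DROP, lists which source networks can reach which inbound ports, and flags any inbound port accepted from every source. The embedded RULES string is this gist's filter table with comments stripped; the function names and the rule dictionary keys are this script's own choices.

```python
"""Audit an iptables-save style *filter table for common mistakes (added example, not gist code)."""
import shlex
from collections import defaultdict

ANY = "0.0.0.0/0"  # iptables-save omits -s/-d when they match everything
FLAGS = {"-A": "chain", "-p": "proto", "-s": "src", "-d": "dst",
         "-i": "in_if", "-o": "out_if", "-j": "target"}
PORT_FLAGS = ("--dport", "--dports", "--destination-ports")

# Constructed input: the gist's rule set with comment lines removed.
RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -d 192.168.10.0/24 -j ACCEPT
-A OUTPUT -d 10.9.8.0/24 -j ACCEPT
-A OUTPUT -d 192.168.100.1 -j ACCEPT
-A OUTPUT -p udp -d 8.8.8.8 -m state --state NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -d 8.8.4.4 -m state --state NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m multiport --dports 21,80,443 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW -m udp --dport 33434:33523 -j ACCEPT
-A INPUT -p icmp -s 192.168.10.0/24 -j ACCEPT
-A INPUT -p tcp -s 192.168.10.0/24 -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


def parse_rule(line):
    """Reduce one '-A CHAIN ...' line to the matches this audit cares about."""
    toks = shlex.split(line)
    rule = {"chain": None, "proto": None, "src": ANY, "dst": ANY,
            "in_if": None, "out_if": None, "dports": (), "target": None}
    for tok, val in zip(toks, toks[1:] + [None]):
        if tok in FLAGS:
            rule[FLAGS[tok]] = val
        elif tok in PORT_FLAGS:  # "22,80,443" or a range such as "33434:33523"
            rule["dports"] = tuple(val.split(","))
    return rule


def parse_filter_table(text):
    """Return ({chain: policy}, [rule, ...]) for the *filter table only."""
    policies, rules, in_filter = {}, [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):
            rules.append(parse_rule(line))
    return policies, rules


def inbound_exposure(rules):
    """Map source -> sorted list of 'proto/port' that INPUT accepts."""
    seen = defaultdict(set)
    for r in rules:
        if r["chain"] == "INPUT" and r["target"] == "ACCEPT" and r["dports"]:
            seen[r["src"]].update(f"{r['proto']}/{p}" for p in r["dports"])
    return {src: sorted(ports) for src, ports in seen.items()}


def has_default_deny(chain, policies, rules):
    """True if the chain ends in DROP/REJECT via its policy or a catch-all rule."""
    if policies.get(chain) in ("DROP", "REJECT"):
        return True
    return any(r["chain"] == chain and r["target"] in ("DROP", "REJECT")
               and r["proto"] is None and r["src"] == ANY and r["dst"] == ANY
               and r["in_if"] is None and r["out_if"] is None and not r["dports"]
               for r in rules)


def audit(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    policies, rules = parse_filter_table(text)
    findings = []
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if not has_default_deny(chain, policies, rules):
            allows = sum(r["chain"] == chain and r["target"] == "ACCEPT" for r in rules)
            findings.append(f"{chain}: policy {policies.get(chain)} and no catch-all "
                            f"DROP/REJECT; its {allows} ACCEPT rules are no-ops")
    for src, ports in inbound_exposure(rules).items():
        if src == ANY:
            findings.append(f"INPUT: {', '.join(ports)} accepted from any source")
    return findings


if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)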
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment