hbokh/iptables-save, 20160412 Secret

## iptables-save, 20160412
# Generated by iptables-save v1.4.21 on Tue Apr 12 21:32:35 2016
*nat
:PREROUTING ACCEPT [2056:123247]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [3:228]
:POSTROUTING ACCEPT [34:2100]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.3:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.3:80
COMMIT
# Completed on Tue Apr 12 21:32:35 2016
# Generated by iptables-save v1.4.21 on Tue Apr 12 21:32:35 2016
*filter
:INPUT DROP [2027:121495]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
-A ufw-skip-to-policy-forward -j ACCEPT
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
-A ufw-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-user-input -s 91.x.y.z/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -s 83.z.y.x/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -s 91.x.y.z/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -s 83.z.y.x/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -s 83.z.y.x/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -s 91.x.y.z/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A ufw-user-logging-forward -j RETURN
-A ufw-user-logging-input -j RETURN
-A ufw-user-logging-output -j RETURN
COMMIT
# Completed on Tue Apr 12 21:32:35 2016
	# Generated by iptables-save v1.4.21 on Tue Apr 12 21:32:35 2016
	*nat
	:PREROUTING ACCEPT [2056:123247]
	:INPUT ACCEPT [0:0]
	:OUTPUT ACCEPT [3:228]
	:POSTROUTING ACCEPT [34:2100]
	:DOCKER - [0:0]
	-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
	-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
	-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
	-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
	-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
	-A DOCKER -i docker0 -j RETURN
	-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.3:443
	-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.3:80
	COMMIT
	# Completed on Tue Apr 12 21:32:35 2016
	# Generated by iptables-save v1.4.21 on Tue Apr 12 21:32:35 2016
	*filter
	:INPUT DROP [2027:121495]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	:DOCKER - [0:0]
	:DOCKER-ISOLATION - [0:0]
	:ufw-after-forward - [0:0]
	:ufw-after-input - [0:0]
	:ufw-after-logging-forward - [0:0]
	:ufw-after-logging-input - [0:0]
	:ufw-after-logging-output - [0:0]
	:ufw-after-output - [0:0]
	:ufw-before-forward - [0:0]
	:ufw-before-input - [0:0]
	:ufw-before-logging-forward - [0:0]
	:ufw-before-logging-input - [0:0]
	:ufw-before-logging-output - [0:0]
	:ufw-before-output - [0:0]
	:ufw-logging-allow - [0:0]
	:ufw-logging-deny - [0:0]
	:ufw-not-local - [0:0]
	:ufw-reject-forward - [0:0]
	:ufw-reject-input - [0:0]
	:ufw-reject-output - [0:0]
	:ufw-skip-to-policy-forward - [0:0]
	:ufw-skip-to-policy-input - [0:0]
	:ufw-skip-to-policy-output - [0:0]
	:ufw-track-forward - [0:0]
	:ufw-track-input - [0:0]
	:ufw-track-output - [0:0]
	:ufw-user-forward - [0:0]
	:ufw-user-input - [0:0]
	:ufw-user-limit - [0:0]
	:ufw-user-limit-accept - [0:0]
	:ufw-user-logging-forward - [0:0]
	:ufw-user-logging-input - [0:0]
	:ufw-user-logging-output - [0:0]
	:ufw-user-output - [0:0]
	-A INPUT -j ufw-before-logging-input
	-A INPUT -j ufw-before-input
	-A INPUT -j ufw-after-input
	-A INPUT -j ufw-after-logging-input
	-A INPUT -j ufw-reject-input
	-A INPUT -j ufw-track-input
	-A FORWARD -j DOCKER-ISOLATION
	-A FORWARD -o docker0 -j DOCKER
	-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
	-A FORWARD -i docker0 -o docker0 -j ACCEPT
	-A FORWARD -j ufw-before-logging-forward
	-A FORWARD -j ufw-before-forward
	-A FORWARD -j ufw-after-forward
	-A FORWARD -j ufw-after-logging-forward
	-A FORWARD -j ufw-reject-forward
	-A FORWARD -j ufw-track-forward
	-A OUTPUT -j ufw-before-logging-output
	-A OUTPUT -j ufw-before-output
	-A OUTPUT -j ufw-after-output
	-A OUTPUT -j ufw-after-logging-output
	-A OUTPUT -j ufw-reject-output
	-A OUTPUT -j ufw-track-output
	-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
	-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
	-A DOCKER-ISOLATION -j RETURN
	-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
	-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
	-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
	-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
	-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
	-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
	-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
	-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
	-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
	-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
	-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
	-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
	-A ufw-before-forward -j ufw-user-forward
	-A ufw-before-input -i lo -j ACCEPT
	-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
	-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
	-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
	-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
	-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
	-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
	-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
	-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
	-A ufw-before-input -j ufw-not-local
	-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
	-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
	-A ufw-before-input -j ufw-user-input
	-A ufw-before-output -o lo -j ACCEPT
	-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
	-A ufw-before-output -j ufw-user-output
	-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
	-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
	-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
	-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
	-A ufw-not-local -j DROP
	-A ufw-skip-to-policy-forward -j ACCEPT
	-A ufw-skip-to-policy-input -j DROP
	-A ufw-skip-to-policy-output -j ACCEPT
	-A ufw-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
	-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
	-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
	-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
	-A ufw-user-input -s 91.x.y.z/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
	-A ufw-user-input -s 83.z.y.x/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
	-A ufw-user-input -s 91.x.y.z/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
	-A ufw-user-input -s 83.z.y.x/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
	-A ufw-user-input -s 83.z.y.x/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
	-A ufw-user-input -s 91.x.y.z/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
	-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
	-A ufw-user-limit-accept -j ACCEPT
	-A ufw-user-logging-forward -j RETURN
	-A ufw-user-logging-input -j RETURN
	-A ufw-user-logging-output -j RETURN
	COMMIT
	# Completed on Tue Apr 12 21:32:35 2016