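# Generated by iptables-save v1.4.21 on Tue Apr 12 21:32:35 2016
# NAT table. Apart from the built-in chains, everything here has the shape Docker
# generates for a container at 172.17.0.3 publishing TCP 80 and 443 (the DOCKER
# chain and the docker0 MASQUERADE rules); none of it comes from ufw.
# (The " | |" cell residue from the gist rendering has been stripped so that this
# dump is again something iptables-restore will parse.)
*nat
:PREROUTING ACCEPT [2056:123247]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [3:228]
:POSTROUTING ACCEPT [34:2100]
:DOCKER - [0:0]
# Every packet addressed to an address owned by this host (--dst-type LOCAL) goes
# through the DOCKER chain. That includes the public eth0 address, not only
# 127.0.0.1, so the port publications below are reachable from outside.
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
# Same for locally generated traffic, except loopback destinations.
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
# Source-NAT container traffic that leaves through anything other than docker0.
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
# Hairpin NAT so the container can reach its own published ports via the host.
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.17.0.3/32 -d 172.17.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
# Traffic already on the bridge is left untouched.
-A DOCKER -i docker0 -j RETURN
# Port publication: 80/443 arriving on any non-docker0 interface -> 172.17.0.3.
# There is no -s or -d match here. Whether a given client is actually let through
# is decided in the filter table's FORWARD path (its DOCKER chain) - NOT by the
# ufw-user-input rules, which only see traffic terminating on the host itself.
# To keep the container off the public interface altogether, publish the ports
# on 127.0.0.1 (docker run -p 127.0.0.1:80:80 ...) and front them with a host
# proxy that ufw's INPUT rules can police.
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.17.0.3:443
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.3:80
COMMIT
# Completed on Tue Apr 12 21:32:35 2016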
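# Generated by iptables-save v1.4.21 on Tue Apr 12 21:32:35 2016
# Filter table: ufw's chain layout plus the Docker-managed DOCKER and
# DOCKER-ISOLATION chains. Read the FORWARD chain carefully: the Docker jumps come
# BEFORE the ufw jumps, so anything the DOCKER chain ACCEPTs never reaches a ufw
# rule. The DOCKER chain below has been changed from the saved version to close
# that hole (see the comment on that chain); everything else is as dumped, with
# the " | |" gist rendering residue stripped so iptables-restore can parse it.
*filter
# Default-deny for traffic to the host itself; only explicit ACCEPTs get in.
:INPUT DROP [2027:121495]
# FORWARD defaults to ACCEPT (ufw's stock DEFAULT_FORWARD_POLICY is DROP), and the
# generated ufw-skip-to-policy-forward / ufw-track-forward chains below ACCEPT as
# well. With ip_forward enabled this host will forward any new TCP/UDP flow it
# is asked to. Worth tightening if nothing other than Docker needs forwarding.
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:ufw-after-forward - [0:0]
:ufw-after-input - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-before-input - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-output - [0:0]
:ufw-logging-allow - [0:0]
# ufw-logging-deny is declared but has no rules (ufw logging appears to be off),
# so the INVALID drops and ufw-not-local drops further down leave no syslog
# trace. "ufw logging low" would populate it.
:ufw-logging-deny - [0:0]
:ufw-not-local - [0:0]
:ufw-reject-forward - [0:0]
:ufw-reject-input - [0:0]
:ufw-reject-output - [0:0]
:ufw-skip-to-policy-forward - [0:0]
:ufw-skip-to-policy-input - [0:0]
:ufw-skip-to-policy-output - [0:0]
:ufw-track-forward - [0:0]
:ufw-track-input - [0:0]
:ufw-track-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-user-input - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-output - [0:0]
# --- INPUT: ufw's standard pipeline ------------------------------------------
-A INPUT -j ufw-before-logging-input
-A INPUT -j ufw-before-input
-A INPUT -j ufw-after-input
-A INPUT -j ufw-after-logging-input
-A INPUT -j ufw-reject-input
-A INPUT -j ufw-track-input
# --- FORWARD: Docker's rules first, ufw's second ------------------------------
-A FORWARD -j DOCKER-ISOLATION
# Every packet heading for the bridge is run through the DOCKER chain and an
# ACCEPT there is final. This is where inbound 80/443 (already DNAT'ed to
# 172.17.0.3 by the nat table) is decided; the ufw-user-input allow-list does not
# apply to it because the packet is forwarded, not delivered to the host.
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -j ufw-before-logging-forward
-A FORWARD -j ufw-before-forward
-A FORWARD -j ufw-after-forward
-A FORWARD -j ufw-after-logging-forward
-A FORWARD -j ufw-reject-forward
-A FORWARD -j ufw-track-forward
# --- OUTPUT: ufw's standard pipeline -----------------------------------------
-A OUTPUT -j ufw-before-logging-output
-A OUTPUT -j ufw-before-output
-A OUTPUT -j ufw-after-output
-A OUTPUT -j ufw-after-logging-output
-A OUTPUT -j ufw-reject-output
-A OUTPUT -j ufw-track-output
# --- DOCKER chain --------------------------------------------------------------
# As saved, this chain ACCEPTed 80/443 to the container from ANY source, which
# silently bypassed the per-address 80/443 allow-list in ufw-user-input. The
# accepts are now limited to the same two client addresses, followed by an
# explicit DROP for the two published ports so that a non-matching client does
# not fall through to ufw-track-forward (which ACCEPTs every NEW TCP flow while
# FORWARD is ACCEPT). The DROP is scoped to --dport 80/443 only, so the
# container's own outbound connections (their return packets carry its ephemeral
# port) and all other traffic into docker0 are unaffected.
# CAVEAT: Docker rebuilds this chain when the daemon restarts or the container is
# re-created, so a hand edit of the saved dump does not survive that on its own.
# Durable alternatives: publish the ports on 127.0.0.1 behind a host-side proxy
# that ufw's INPUT rules govern; run dockerd with --iptables=false and own these
# rules yourself; or, on Docker releases that provide it, place the filtering in
# the DOCKER-USER chain, which Docker does not overwrite.
-A DOCKER -s 91.x.y.z/32 -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -s 83.z.y.x/32 -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -s 91.x.y.z/32 -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -s 83.z.y.x/32 -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 443 -j DROP
-A DOCKER -d 172.17.0.3/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j DROP
# Single bridge, so inter-network isolation has nothing to do.
-A DOCKER-ISOLATION -j RETURN
# --- ufw after-input: drop noisy LAN protocols without logging them -----------
-A ufw-after-input -p udp -m udp --dport 137 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 138 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 139 -j ufw-skip-to-policy-input
-A ufw-after-input -p tcp -m tcp --dport 445 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 67 -j ufw-skip-to-policy-input
-A ufw-after-input -p udp -m udp --dport 68 -j ufw-skip-to-policy-input
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input
# --- ufw before-forward: stock before.rules; ufw-user-forward is empty --------
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-forward -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-forward -j ufw-user-forward
# --- ufw before-input: loopback, stateful accept, INVALID drop, ICMP, DHCP ----
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A ufw-before-input -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A ufw-before-input -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A ufw-before-input -j ufw-not-local
# mDNS and SSDP accepts are ufw's defaults; on an Internet-facing host they only
# matter if something actually listens on 5353/1900, but they can be removed from
# before.rules if that is never intended.
-A ufw-before-input -d 224.0.0.251/32 -p udp -m udp --dport 5353 -j ACCEPT
-A ufw-before-input -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-before-output -o lo -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -j ufw-user-output
# Anything not addressed to this host (or multicast/broadcast) is rate-limit
# logged and dropped - note the log chain it jumps to is empty (see above).
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP
# Policy mirrors: FORWARD/OUTPUT accept, INPUT drops.
-A ufw-skip-to-policy-forward -j ACCEPT
-A ufw-skip-to-policy-input -j DROP
-A ufw-skip-to-policy-output -j ACCEPT
# With FORWARD=ACCEPT ufw tracks (and accepts) every new forwarded TCP/UDP flow.
-A ufw-track-forward -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-forward -p udp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p tcp -m conntrack --ctstate NEW -j ACCEPT
-A ufw-track-output -p udp -m conntrack --ctstate NEW -j ACCEPT
# --- ufw user rules (INPUT only) -----------------------------------------------
# SSH/HTTP/HTTPS to the host itself on eth0 from two management addresses. The
# 80/443 entries only matter for a listener on the host; the container's 80/443
# are forwarded traffic and are governed by the DOCKER chain above.
-A ufw-user-input -s 91.x.y.z/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -s 83.z.y.x/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A ufw-user-input -s 91.x.y.z/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -s 83.z.y.x/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A ufw-user-input -s 83.z.y.x/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-input -s 91.x.y.z/32 -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A ufw-user-limit -j REJECT --reject-with icmp-port-unreachable
-A ufw-user-limit-accept -j ACCEPT
-A ufw-user-logging-forward -j RETURN
-A ufw-user-logging-input -j RETURN
-A ufw-user-logging-output -j RETURN
COMMIT
# Completed on Tue Apr 12 21:32:35 2016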