ryanthegiantlion/createfirewallrules_permissive.sh

## createfirewallrules_permissive.sh
# flush existing rules
iptables -F
ip6tables -F

# ssh rule. always add this first !
# TODO: Consider rate limiting? (e.g http://www.digitalsanctuary.com/tech-blog/debian/using-iptables-to-prevent-ssh-brute-force-attacks.html)
# Still need to read up on implications...
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A OUTPUT -p tcp --sport ssh -j ACCEPT

# allow elasticsearch traffic from these hosts
iptables -A INPUT -s 10.x.x.x -p tcp --dport 9200:9300 -j ACCEPT
iptables -A INPUT -s 10.x.x.x -p tcp --dport 9200:9300 -j ACCEPT
iptables -A INPUT -s 10.x.x.x -p tcp --dport 9200:9300 -j ACCEPT
iptables -A OUTPUT -d 10.x.x.x -p tcp --sport 9200:9300 -j ACCEPT
iptables -A OUTPUT -d 10.x.x.x -p tcp --sport 9200:9300 -j ACCEPT
iptables -A OUTPUT -d 10.x.x.x -p tcp --sport 9200:9300 -j ACCEPT

# allow all on localhost
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow host to be pinged
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow all traffic initiated by this host
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

# drop all other packets
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
ip6tables -A INPUT -j DROP
ip6tables -A OUTPUT -j DROP
ip6tables -A FORWARD -j DROP
	# flush existing rules
	iptables -F
	ip6tables -F

	# ssh rule. always add this first !
	# TODO: Consider rate limiting? (e.g http://www.digitalsanctuary.com/tech-blog/debian/using-iptables-to-prevent-ssh-brute-force-attacks.html)
	# Still need to read up on implications...
	iptables -A INPUT -p tcp --dport ssh -j ACCEPT
	iptables -A OUTPUT -p tcp --sport ssh -j ACCEPT

	# allow elasticsearch traffic from these hosts
	iptables -A INPUT -s 10.x.x.x -p tcp --dport 9200:9300 -j ACCEPT
	iptables -A INPUT -s 10.x.x.x -p tcp --dport 9200:9300 -j ACCEPT
	iptables -A INPUT -s 10.x.x.x -p tcp --dport 9200:9300 -j ACCEPT
	iptables -A OUTPUT -d 10.x.x.x -p tcp --sport 9200:9300 -j ACCEPT
	iptables -A OUTPUT -d 10.x.x.x -p tcp --sport 9200:9300 -j ACCEPT
	iptables -A OUTPUT -d 10.x.x.x -p tcp --sport 9200:9300 -j ACCEPT

	# allow all on localhost
	iptables -A INPUT -i lo -j ACCEPT
	iptables -A OUTPUT -o lo -j ACCEPT

	# allow host to be pinged
	iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	iptables -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

	# allow all traffic initiated by this host
	iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
	iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
	iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
	ip6tables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
	ip6tables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
	ip6tables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
	ip6tables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT

	# drop all other packets
	iptables -A INPUT -j DROP
	iptables -A OUTPUT -j DROP
	iptables -A FORWARD -j DROP
	ip6tables -A INPUT -j DROP
	ip6tables -A OUTPUT -j DROP
	ip6tables -A FORWARD -j DROP