*filter
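:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Chain policies: INPUT and OUTPUT are open; FORWARD fails closed, so any
# inter-zone traffic not matched by an ACCEPT below is dropped.
# Allow established connections (reply traffic for anything accepted below)
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow loopback
-A INPUT -i lo -j ACCEPT
# External -> DMZ (attacker can reach web/mail)
-A FORWARD -s 10.0.0.0/24 -d 10.0.1.0/24 -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -d 10.0.1.0/24 -p tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.0.0/24 -d 10.0.1.0/24 -p tcp --dport 25 -j ACCEPT
# DMZ -> Internal (web can reach db/files)
-A FORWARD -s 10.0.1.0/24 -d 10.0.2.0/24 -p tcp --dport 3306 -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -d 10.0.2.0/24 -p tcp --dport 445 -j ACCEPT
# DMZ -> Management (web can reach ldap)
-A FORWARD -s 10.0.1.0/24 -d 10.0.3.0/24 -p tcp --dport 389 -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -d 10.0.3.0/24 -p tcp --dport 636 -j ACCEPT
# Internal -> Management (db/files can reach ldap)
-A FORWARD -s 10.0.2.0/24 -d 10.0.3.0/24 -p tcp --dport 389 -j ACCEPT
# Templated per-zone rules. Zone names are resolved through zone_cidrs.
# A zone that is missing from zone_cidrs is a configuration error and must
# not silently widen the rule: the subscript form below fails the render
# under a strict Undefined (Ansible's default), and under a lenient
# Undefined it yields a malformed rule that iptables-restore rejects before
# COMMIT, so the old ruleset stays in place. The earlier '0.0.0.0/0'
# fallback turned an unknown zone into an any-to-any ACCEPT (or, for a
# deny rule, an any-to-any DROP of all forwarded traffic).
# NOTE: rules are emitted in list order, after the static rules above, so a
# templated 'deny' cannot override a static ACCEPT or an earlier 'allow' in
# firewall_rules; order firewall_rules deny-first if that is the intent.
# Only 'allow' and 'deny' actions are emitted; anything else is skipped.
{% for rule in firewall_rules %}
{% if rule.action == 'allow' %}
{% for port in rule.ports %}
-A FORWARD -s {{ zone_cidrs[rule.from_zone] }} -d {{ zone_cidrs[rule.to_zone] }} -p tcp --dport {{ port }} -j ACCEPT
{% endfor %}
{% elif rule.action == 'deny' %}
-A FORWARD -s {{ zone_cidrs[rule.from_zone] }} -d {{ zone_cidrs[rule.to_zone] }} -j DROP
{% endif %}
{% endfor %}
# Log, then drop, everything else. LOG is a non-terminating target, so it
# must come before the DROP: previously the LOG rule sat after
# '-A FORWARD -j DROP' and could never match, so rejected packets were never
# logged. Rate-limited so a burst of rejected packets cannot fill the log.
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-dropped: " --log-level 4
# Default deny forward (explicit; the FORWARD chain policy above is also DROP)
-A FORWARD -j DROP
COMMIT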