blob: 8c8cfbda33afc50190ebd29ee25733591c0c5a36 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Declaring our chains
-N DEUXFLEURS-TRUSTED-NET
-N DEUXFLEURS-TRUSTED-PORT
# Internet Control Message Protocol
# (required)
-A INPUT -p icmp -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
# Administration
-A INPUT -p tcp --dport 22 -j ACCEPT
# Cluster
-A INPUT -s 2a01:e0a:260:b5b0::2 -j ACCEPT
-A INPUT -s 2a01:e0a:260:b5b0::3 -j ACCEPT
-A INPUT -s 2a01:e0a:260:b5b0::4 -j ACCEPT
# Local
-A INPUT -i docker0 -j ACCEPT
-A INPUT -s ::1/128 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Who is part of our trusted net?
# Max@Bruxelles
-A DEUXFLEURS-TRUSTED-NET -s 2a02:1811:3612:b300::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Max@Suresnes
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e0a:183:7be2::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Max@OVH
-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:a:307c:ac7c::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Jill@Rennes
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e0a:5e4:1d0::0/64 -j DEUXFLEURS-TRUSTED-PORT
# ADRN@Gandi
-A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT
# Quentin@Rennes
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Erwan@Rennes
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e0a:260:b5b0::0/64 -j DEUXFLEURS-TRUSTED-PORT
# LX@Orsay
-A DEUXFLEURS-TRUSTED-NET -s 2a06:a004:3025:1::0/64 -j DEUXFLEURS-TRUSTED-PORT
-A DEUXFLEURS-TRUSTED-NET -s 2a06:a003:515d:1::0/64 -j DEUXFLEURS-TRUSTED-PORT
-A DEUXFLEURS-TRUSTED-NET -s 2001:910:1204:1::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Zorun@Nantes
-A DEUXFLEURS-TRUSTED-NET -s 2a00:5881:4008::/56 -j DEUXFLEURS-TRUSTED-PORT
# Quentin@Lyon
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e0a:28f:5e60::/64 -j DEUXFLEURS-TRUSTED-PORT
# Source address is not trusted
-A DEUXFLEURS-TRUSTED-NET -j RETURN
# What can do our trusted net?
# Access garage basically
-A DEUXFLEURS-TRUSTED-PORT -p tcp --dport 3901 -j ACCEPT
# Port is not allowed
-A DEUXFLEURS-TRUSTED-PORT -j RETURN
# Let's check if the user comes from our trusted network
-A INPUT -j DEUXFLEURS-TRUSTED-NET
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
|