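#
# /etc/sysconfig/iptables for clubmask login server
#
# default policy - deny
# allow unrestricted icmp
# allow dns queries to upenn name servers
# allow ntp queries to upenn ntp servers
# allow unrestricted ssh in and out (but log incoming)
# allow unrestricted to/from internal interfaces
#
# created 2.13.2002 - dillo
# added amanda, http, lpr 20020320 - widyono
# added ftp, debugging 20020321 - widyono
# added httpd server, smtp server 20020626 - widyono
# added Jorj's pinger 20020715 - widyono
# added ganglia collection 20020912 - henken
# hardening review: dns/ntp replies made stateful, passive-ftp NEW egress
#   hole closed (needs ip_conntrack_ftp), rate-limited logging of dropped input
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# LOGGING
# accept-n-log / drop-n-log: log the packet at KERN_WARNING (level 4) with a
# distinguishing prefix, then take the named action.  Only ever jump to these
# from rules that are already narrow, or rate-limit the jump with -m limit.
-N accept-n-log
-A accept-n-log -j LOG --log-level 4 --log-prefix "accept-n-log:"
-A accept-n-log -j ACCEPT
-N drop-n-log
-A drop-n-log -j LOG --log-level 4 --log-prefix "drop-n-log:"
-A drop-n-log -j DROP

# internal interfaces
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# NB: Adapt to your specific situation before using these!!!
# eth1 is trusted wholesale: every host on that segment reaches every port.
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT

# icmp
# Really should be tightened... (at least restrict to the types actually
# needed: echo-request/reply, destination-unreachable, time-exceeded)
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# dns client
# Replies are accepted only as ESTABLISHED, i.e. as answers to a query this
# host sent.  A bare source-IP + source-port-53 match is spoofable and would
# otherwise admit any UDP datagram to any local UDP port.
-A INPUT -s 158.130.12.2 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 158.130.12.2 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 158.130.12.3 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 158.130.12.3 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 128.91.2.13 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 128.91.2.13 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 128.91.254.1 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 128.91.254.1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 128.91.254.4 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 128.91.254.4 -p udp -m udp --dport 53 -j ACCEPT

# ntp client
# Same reasoning as dns: only accept replies to our own requests.
-A INPUT -s 158.130.12.4 -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 158.130.12.4 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 158.130.8.3 -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 158.130.8.3 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 128.91.2.13 -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 128.91.2.13 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 128.91.254.1 -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 128.91.254.1 -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -s 128.91.254.4 -p udp -m udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -d 128.91.254.4 -p udp -m udp --dport 123 -j ACCEPT

# ssh client
-A INPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# ssh server
# Every new inbound connection is logged before being accepted.  INVALID
# packets are logged too but then fall through to the INPUT DROP policy,
# since the ACCEPT below only matches NEW,ESTABLISHED.
# NOTE(review): this LOG rule is not rate-limited; a port-22 scan or brute
# force can fill syslog.  Consider adding -m limit to the LOG line.
-A INPUT -p tcp -m tcp --dport 22 -m state --state INVALID,NEW -j LOG --log-prefix "iptables(ssh connection): "
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# http client
-A OUTPUT -p tcp -m tcp --dport http -j ACCEPT
-A INPUT -p tcp -m tcp --sport http --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport https -j ACCEPT
-A INPUT -p tcp -m tcp --sport https --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport webcache -j ACCEPT
-A INPUT -p tcp -m tcp --sport webcache --dport 1024: -m state --state ESTABLISHED -j ACCEPT

# smtp client
-A OUTPUT -p tcp -m tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport smtp -m state --state ESTABLISHED -j ACCEPT

# smtp server
# Only if you really *are* an SMTP server, of course
#-A INPUT -p tcp -m tcp --dport smtp -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport smtp -m state --state ESTABLISHED -j ACCEPT

# lpr client
-A INPUT -p tcp -m tcp --sport printer -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport printer -j ACCEPT

# ftp client
-A INPUT -p tcp -m tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT

# active ftp
# The server connects back from ftp-data; conntrack's ftp helper marks that
# connection RELATED to the control channel.
-A INPUT -p tcp -m tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT

# passive ftp
# We open the data connection to the high port named in the PASV reply.  The
# ftp helper (ip_conntrack_ftp must be loaded) marks that SYN RELATED, so NEW
# is not needed here.  Permitting NEW from any high port to any high port, as
# this rule used to, left outbound TCP to every port >= 1024 effectively
# unfiltered and defeated the OUTPUT DROP policy.
-A INPUT -p tcp -m tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

# IMAP + SSL client
-A INPUT -p tcp -m tcp --sport imaps -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport imaps -m state --state NEW,ESTABLISHED -j ACCEPT

# Auth server for stupid services which still require identd
# NOTE(review): identd discloses local usernames to anyone who can reach
# port 113.  Drop these two rules if no remote service still needs them.
-A INPUT -p tcp -m tcp --dport auth -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport auth -m state --state ESTABLISHED -j ACCEPT

# rsync client
-A OUTPUT -p tcp -m tcp --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

# Jorj's host pinger
# Only the NEW packet is accepted here; the rest of the connection rides on
# the generic ESTABLISHED high-port rules above.
-A INPUT -p tcp -m tcp -s 158.130.64.10 --dport 10000 -m state --state NEW -j ACCEPT

# amanda client
-A INPUT -s 158.130.12.248 -p udp -m udp --dport amanda -j ACCEPT
-A OUTPUT -d 158.130.12.248 -p udp -m udp --sport amanda -j ACCEPT
-A INPUT -s 158.130.12.248 -p tcp -m tcp --dport 1024: -j ACCEPT
-A OUTPUT -d 158.130.12.248 -p tcp -j ACCEPT
# should above line also have this: ?
# -m tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED
# NOTE(review): the INPUT rule suggests the backup server is the side that
# opens TCP connections, in which case the OUTPUT line can likely be reduced
# to ESTABLISHED only -- confirm against the amanda version in use first.

# debug any straggling issues
# NOTE(review): these two rules trust 158.130.12.248 for every protocol and
# port (logged).  Remove them once the amanda rules above are confirmed.
-A INPUT -s 158.130.12.248 -j accept-n-log
-A OUTPUT -d 158.130.12.248 -p udp -j accept-n-log

# kerberos client
-A INPUT -p tcp -m tcp --sport kerberos -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport kerberos -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport kerberos -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport kerberos -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport kerberos-adm -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport kerberos-adm -m state --state NEW,ESTABLISHED -j ACCEPT

# ganglia web interface data collection
-A INPUT -p tcp -m tcp -s 158.130.18.100 --dport 8649 -j ACCEPT
-A OUTPUT -p tcp -m tcp -d 158.130.18.100 --sport 8649 -j ACCEPT

# ttcp testing --widyono 20020326
#-A INPUT -p tcp -m tcp --dport 5001 -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 5001 -m state --state ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 5001 -j ACCEPT
#-A INPUT -p tcp -m tcp --sport 5001 -m state --state ESTABLISHED -j ACCEPT

# general output, for emergencies only!
#-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# syslog from other nodes: for mgmt node only; tweak interface for internal network
#-A INPUT -p udp -m udp -i eth2 --dport 514 -j ACCEPT

# DEBUGGING (MUST be at end!!!)
-A OUTPUT -p tcp -j drop-n-log
# Log what the INPUT DROP policy is about to discard, rate-limited so a scan
# cannot fill the disk; packets over the limit fall through to the policy and
# are dropped silently.  Outcome is identical (DROP) either way.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j drop-n-log
COMMIT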