*filter
# Default policy for all three built-in chains is DROP: any packet not
# matched by an ACCEPT rule below is dropped, after it has passed through
# the logging rules included at the end of the file.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
## !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
## NOTE: These rules are just an example of common use cases. They are
## incomplete in some instances. These are only examples and should not be
## used without a proper review and editing.
## Never apply firewall rules you don't understand.
## NOTE(review): nothing in this file accepts loopback (-i lo / -o lo) or
## ICMP traffic. With INPUT and OUTPUT both defaulting to DROP, local
## services and path-MTU discovery will break unless the included
## log_rules file or the deployment adds those rules -- confirm before use.
{{/* comments formatted like this will be omitted from the final output */}}
# More documentation can be found here: https://golang.org/pkg/text/template/
# Host lists are declared as template variables and expanded with
# lookupHosts, presumably at render time: the generated ruleset pins the
# addresses returned then, so it goes stale when a name's records change,
# and it trusts the resolver used while generating. Regenerate and re-apply
# on a schedule instead of hand-editing the rendered output.
# The .Type prefix on each generated rule presumably selects the address
# family (-4 / -6) of the resolved address -- verify against the tool docs.
{$ dnsServers: ["google-public-dns-a.google.com", "google-public-dns-b.google.com"] $}
# Allow DNS lookups (tcp, udp port 53) from {{ list .dnsServers }}
# Outbound queries may open NEW connections; inbound replies are accepted
# only as ESTABLISHED, so the resolvers cannot initiate traffic to this host.
{{ range $i := lookupHosts .dnsServers -}}
-{{ .Type }} -A OUTPUT -p udp -d {{ ipfmt .Addr }} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-{{ .Type }} -A INPUT -p udp -s {{ ipfmt .Addr }} --sport 53 -m state --state ESTABLISHED -j ACCEPT
-{{ .Type }} -A OUTPUT -p tcp -d {{ ipfmt .Addr }} --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-{{ .Type }} -A INPUT -p tcp -s {{ ipfmt .Addr }} --sport 53 -m state --state ESTABLISHED -j ACCEPT
{{ end }}
{$ pkgServers: ["security.ubuntu.com", "us.archive.ubuntu.com"] $}
# Allow connection to package servers: {{ list .pkgServers }}
# Port 21 (FTP) is opened alongside 80/443. FTP data connections are only
# matched as RELATED when the ftp conntrack helper is loaded on the host;
# if the package manager uses only http/https, drop 21 to keep the
# allow-list minimal.
{{ range $i := lookupHosts .pkgServers -}}
-{{ .Type }} -A OUTPUT -p tcp -d {{ ipfmt .Addr }} -m multiport --dports 21,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
{{ end }}
{$ sshServers: ["192.168.33.1", "192.168.1.10"] $}
# Allow ssh access only from known sources: {{ list .sshServers }}
# Source-restricted inbound rule; the replies leave through the
# RELATED,ESTABLISHED OUTPUT rule near the end of the file. The literals
# are private (RFC 1918) addresses and must be replaced with the real
# management hosts. lookupHosts is assumed to pass IP literals through
# unchanged -- confirm.
{{ range $i := lookupHosts .sshServers -}}
-{{ .Type }} -A INPUT -p tcp --dport 22 -s {{ ipfmt .Addr }} -j ACCEPT
{{ end }}
{$ syslogServers: ["logs.papertrailapp.com"] $}
# Allow remote syslog
# NOTE(review): this rule carries no -p or --dport match, so it permits any
# protocol on any port to the syslog host. Narrow it to the protocol and
# port the log destination actually uses.
{{ range $i := lookupHosts .syslogServers -}}
-{{ .Type }} -A OUTPUT -d {{ ipfmt .Addr }} -m state --state NEW,ESTABLISHED -j ACCEPT
{{ end }}
{$ httpServers: ["acme-v01.api.letsencrypt.org", "acme-v02.api.letsencrypt.org", "acme-v03.api.letsencrypt.org"] $}
# Allow web access to specific servers: {{ list .httpServers }}
# Only these hosts are reachable on 80/443; all other web egress falls
# through to the DROP policy.
{{ range $i := lookupHosts .httpServers -}}
-{{ .Type }} -A OUTPUT -p tcp -d {{ ipfmt .Addr }} -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
{{ end }}
# Allow established in/out connections
# Accepts packets belonging to connections conntrack already knows. Rules
# are evaluated in order, so moving this pair ahead of the per-service
# rules would let most packets match sooner; it would not change what is
# accepted, since every earlier rule also ends in ACCEPT.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Final logging rules; keep them last so they see only the traffic no
# earlier rule accepted, immediately before the DROP policy applies.
# The line below presumably includes log_rules.example.yml via the
# template tool's include directive -- that file is not shown here.
{@ log_rules.example.yml @}
COMMIT