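header {
  comment:: "Sample policy for Speedway Iptables."
  comment:: "Speedway generates iptables output suitable for loading"
  comment:: "using the iptables-restore command"
  # The second target argument sets the chain's default policy: anything not
  # matched by a term in this filter is silently discarded.
  target:: speedway INPUT DROP
}
term base-allow-lo0-in {
  comment:: "Allow all loopback communications"
  # Counterpart of base-allow-lo0-out. With a DROP default and no loopback
  # term, the first packet of a locally-initiated connection to 127.0.0.1 is
  # not yet ESTABLISHED and would be dropped on INPUT unless some other term
  # in this filter happens to accept its destination port.
  verbatim:: speedway "-A INPUT -i lo -j ACCEPT"
}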
term base-allow-est-in {
  comment:: "Accept return traffic for connections this host initiated"
  # 'established' is rendered by the iptables generator as a connection-state
  # match (presumably ESTABLISHED,RELATED) -- confirm against the generated
  # output if exact state handling matters.
  action:: accept
  option:: established
}
term base-allow-icmp-in {
  comment:: "Answer pings from anywhere"
  # Only echo-request is accepted unsolicited; no source-address restriction.
  # Other inbound ICMP (e.g. error messages) is not accepted by this term.
  action:: accept
  icmp-type:: echo-request
  protocol:: icmp
}
term base-traceroute-in {
  comment:: "Allow this host to be a UDP traceroute target"
  # NOTE(review): the source port is chosen by the remote sender, and there is
  # no source-address:: restriction here. Any host that sets its UDP source
  # port inside the TRACEROUTE range can reach every port in HIGH_PORTS on this
  # machine. Add a source-address:: (e.g. INTERNAL) if that exposure is not
  # acceptable for the deployment.
  action:: accept
  destination-port:: HIGH_PORTS
  source-port:: TRACEROUTE
  protocol:: udp
}
term base-allow-ssh-in {
  comment:: "SSH from internal networks only"
  # INTERNAL and SSH are symbolic names resolved from the network/service
  # definitions at generation time; this file does not define them, so check
  # the definitions directory to see which prefixes and ports they expand to.
  action:: accept
  destination-port:: SSH
  protocol:: tcp
  source-address:: INTERNAL
}
header {
  comment:: "Sample output filter policy for Speedway Iptables."
  # Egress is default-deny as well: outbound traffic must be matched by a
  # term below or it is dropped.
  target:: speedway OUTPUT DROP
}
term base-allow-lo0-out {
  # verbatim:: passes the quoted text through for the named target without
  # any of capirca's term processing, so the rule must be valid iptables
  # syntax for the chain the enclosing header selects (OUTPUT here).
  verbatim:: speedway "-A OUTPUT -o lo -j ACCEPT"
  comment:: "Allow all loopback communications"
}
term base-allow-est-out {
  comment:: "Accept outbound packets belonging to already-established flows"
  # Same state-based match as base-allow-est-in, applied to the OUTPUT chain.
  action:: accept
  option:: established
}
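term base-allow-dns-query-out {
  comment:: "Outbound DNS queries to any resolver"
  # TCP is included alongside UDP: resolvers fall back to TCP/53 for truncated
  # responses (and zone transfers), and a UDP-only term would silently drop
  # that fallback under the OUTPUT DROP default.
  # No destination-address:: restriction -- queries may go to any resolver.
  protocol:: udp tcp
  destination-port:: DNS
  action:: accept
}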
term base-allow-icmp-out {
  comment:: "Allow all outbound ICMP"
  # Unlike base-allow-icmp-in, no icmp-type:: is given, so every ICMP type
  # may leave the host (echo-request for ping, error messages, etc.).
  action:: accept
  protocol:: icmp
}
term base-traceroute-out {
  comment:: "Allow UDP traceroute probes originating from this host"
  # Probes leave from a HIGH_PORTS source port towards the TRACEROUTE
  # destination range; the ICMP replies they elicit are expected to be
  # accepted by base-allow-est-in / base-allow-icmp-in rather than here.
  action:: accept
  source-port:: HIGH_PORTS
  destination-port:: TRACEROUTE
  protocol:: udp
}
term base-allow-ssh-out {
  comment:: "SSH to internal networks only"
  # Mirror of base-allow-ssh-in for the OUTPUT chain: the restriction is on
  # destination-address rather than source-address.
  action:: accept
  destination-port:: SSH
  protocol:: tcp
  destination-address:: INTERNAL
}
header {
  comment:: "Sample forwarding filter policy for Speedway Iptables."
  # This host is not meant to route: the FORWARD chain defaults to DROP and
  # the single term below rejects everything explicitly.
  target:: speedway FORWARD DROP
}
term base-forwarding-deny {
  comment:: "Refuse all forwarded traffic"
  # The header's DROP policy would already discard unmatched packets; using
  # 'reject' instead makes the refusal active (presumably an iptables REJECT
  # with an ICMP error back to the sender -- confirm in the generated output).
  # Note this reveals that the host exists and is filtering.
  action:: reject
}