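*filter
# iptables-restore ruleset rendered from an ERB template (Puppet). Every chain
# is default-deny; only the exceptions listed below are opened.
# Template variables (open_tcp_ports, open_udp_ports, restricted_tcp_ports,
# restricted_udp_ports, trustednets, nodenets, puppetserver, hostname) come
# from the caller's scope. NOTE(review): they are interpolated into rules
# unvalidated -- presumably comma-separated port lists and CIDR strings; verify
# against the manifest that sets them.

# Default DROP
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP

# Allow loopback traffic, and refuse loopback-sourced packets arriving on any
# other interface. A bare "-s 127.0.0.1 -j ACCEPT" (no -i lo) accepts spoofed
# packets carrying that source address; the lo rule alone covers the real case.
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
-A OUTPUT -o lo -j ACCEPT

# Log and drop invalid conntrack states before any ACCEPT rule, so the
# stateless port openings further down never match an INVALID packet.
# All LOG rules are rate-limited so a packet flood cannot fill the log.
-A INPUT -m state --state INVALID -m limit --limit 5/min -j LOG --log-prefix "IPT INVALID STATE: "
-A INPUT -m state --state INVALID -j DROP

# Allow established and related in, allow new and established out
-A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Drop ICMP Info Leakage (timestamp request in, timestamp reply out)
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A OUTPUT -p icmp -m icmp --icmp-type 14 -j DROP

# Allow ping out and reply back in
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT

# Make sure NEW connections have SYN set
-A INPUT -p tcp ! --syn -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "IPT NEW W/O SYN: "
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Log and Drop christmas tree packets (all flags set)
-A INPUT -p tcp --tcp-flags ALL ALL -m limit --limit 5/min -j LOG --log-prefix "IPT XMAS TREE PKT: "
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Log and Drop NULL packets (no flags set)
-A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 5/min -j LOG --log-prefix "IPT NULL PKT: "
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Log and drop all other non-specific malformed tcp packets
# (flag combinations that never occur in a legitimate TCP exchange)
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 5/min -j LOG --log-prefix "IPT BAD TCP FLAGS: "
-A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
-A INPUT -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 5/min -j LOG --log-prefix "IPT BAD TCP FLAGS: "
-A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
-A INPUT -p tcp --tcp-flags ACK,URG URG -m limit --limit 5/min -j LOG --log-prefix "IPT BAD TCP FLAGS: "
-A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 5/min -j LOG --log-prefix "IPT BAD TCP FLAGS: "
-A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/min -j LOG --log-prefix "IPT BAD TCP FLAGS: "
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min -j LOG --log-prefix "IPT BAD TCP FLAGS: "
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -m limit --limit 5/min -j LOG --log-prefix "IPT BAD TCP FLAGS: "
-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -m limit --limit 5/min -j LOG --log-prefix "IPT BAD TCP FLAGS: "
-A INPUT -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/min -j LOG --log-prefix "IPT BAD TCP FLAGS: "
-A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

# Log and drop IP Fragments to prevent fragmentation attack
-A INPUT -f -m limit --limit 5/min -j LOG --log-prefix "IPT FRAGMENTS: "
-A INPUT -f -j DROP

<% if open_tcp_ports && !open_tcp_ports.empty? -%>
# These ports can be accessed via anyone
-A INPUT -p tcp -m multiport --dports <%= open_tcp_ports %> -j ACCEPT
<% end -%>

<% if open_udp_ports && !open_udp_ports.empty? -%>
# These ports can be accessed via anyone
-A INPUT -p udp -m multiport --dports <%= open_udp_ports %> -j ACCEPT
<% end -%>

<% if (restricted_tcp_ports && !restricted_tcp_ports.empty?) && (trustednets && ![ trustednets ].flatten.empty?) -%>
# These ports can only be accessed via trusted nets
<% [ trustednets ].flatten.each do |network| -%>
-A INPUT -s <%= network %> -p tcp -m multiport --dports <%= restricted_tcp_ports %> -j ACCEPT
<% end -%>
<% end -%>

<% if (restricted_udp_ports && !restricted_udp_ports.empty?) && (trustednets && ![ trustednets ].flatten.empty?) -%>
# These ports can only be accessed via trusted nets
<% [ trustednets ].flatten.each do |network| -%>
-A INPUT -s <%= network %> -p udp -m multiport --dports <%= restricted_udp_ports %> -j ACCEPT
<% end -%>
<% end -%>

# Allow puppetrunner (only from the puppet server itself)
-A INPUT -s <%= puppetserver %> -p tcp -m tcp --dport 8139 -m comment --comment "Allow for puppetrunner" -j ACCEPT

<% if (hostname == "puppet") -%>
# This is so the puppets can communicate with their master
<% [ nodenets ].flatten.each do |network| -%>
-A INPUT -s <%= network %> -p tcp --dport 8140 -j ACCEPT
<% end -%>
<% end -%>

<% if (hostname == "aptproxy") -%>
# This is so local systems can check aptproxy
<% [ nodenets ].flatten.each do |network| -%>
-A INPUT -s <%= network %> -p tcp --dport 9999 -j ACCEPT
<% end -%>
<% end -%>

<% if hostname.include? "nagios" -%>
# Allows clients to hit nsca
<% [ nodenets ].flatten.each do |network| -%>
-A INPUT -s <%= network %> -p tcp --dport 5667 -j ACCEPT
<% end -%>
<% end -%>

# Anything not accepted above falls through to the chain's DROP policy.
COMMIT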