Add iptables config for zmirror.humbughq.com

For now we allow all UDP traffic. I'll look into doing something clever. This isn't puppetized, either. (imported from commit bdf53df87a5f6c8af6d950b25946b5ec8a4f910b)
2012-12-03 17:40:08 -05:00 · 2012-12-03 17:40:08 -05:00 · 922b44a1da
parent 021a897786
commit 922b44a1da
1 changed files with 37 additions and 0 deletions
--- a/servers/puppet/files/iptables/rules.zmirror
+++ b/servers/puppet/files/iptables/rules.zmirror
@ -0,0 +1,37 @@
+*filter
+
+# Set up logging for dropped packets
+-N LOGDROP
+-A LOGDROP -m limit --limit 15/min -j LOG --log-prefix "iptables dropped: " --log-level 7
+-A LOGDROP -j DROP
+
+# Allow all outbound traffic
+-A OUTPUT -j ACCEPT
+
+# Accept all loopback traffic
+-A INPUT -i lo -j ACCEPT
+
+# Drop all traffic to loopback IPs on other interfaces
+-A INPUT ! -i lo -d 127.0.0.0/8 -j LOGDROP
+
+# Accept incoming traffic related to established connections
+-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Accept incoming traffic on TCP port 22 (SSH)
+-A INPUT -p tcp --dport 22 -j ACCEPT
+
+# Accept incoming traffic on UDP port 2104 (zhm)
+-A INPUT -p udp --dport 2104 -j ACCEPT
+
+# It's hard to know what ephemeral ports the zephyr clients are listening on.
+# Apparently they do not send outgoing traffic sufficient for the
+# ESTABLISHED,RELATED rule above.  So for now we allow all UDP traffic.
+#
+# FIXME: do something better here.
+-A INPUT -p udp -j ACCEPT
+
+# Drop everything else
+-A INPUT   -j LOGDROP
+-A FORWARD -j LOGDROP
+
+COMMIT