# This file was auto-generated by Puppet. Do not edit by hand.
#
# iptables-restore input for the IPv4 filter table. Rules in a chain are
# evaluated top to bottom; the first rule with a terminating target
# (ACCEPT/DROP) decides the packet. Comment lines start with '#' in column 0.
#
# NOTE(review): this template only covers iptables (IPv4). Confirm that an
# equivalent ip6tables policy exists or that IPv6 is disabled on these hosts.
*filter

# LOGDROP: log the packet (rate-limited) and then drop it. The limit keeps a
# flood of unwanted packets from filling the kernel log; packets above the
# limit are still dropped, just not logged.
--new-chain LOGDROP
--append LOGDROP --match limit --limit 15/minute --jump LOG --log-prefix "iptables dropped: " --log-level debug
--append LOGDROP --jump DROP

# Outbound traffic is not filtered at all.
--append OUTPUT --jump ACCEPT

# Loopback: accept everything on the lo interface, and log+drop anything
# addressed to 127.0.0.0/8 that arrives on any other interface.
--append INPUT --in-interface lo --jump ACCEPT
--append INPUT ! --in-interface lo --destination 127.0.0.0/8 --jump LOGDROP

# Replies to connections this host initiated, plus flows the connection
# tracker marks as related to one of them.
--append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT

<% if @fqdn.include?("zmirror") -%>
# zmirror hosts: SSH (TCP 22) and the zephyr host manager port (UDP 2104).
--append INPUT --protocol tcp --match tcp --destination-port 22 --jump ACCEPT
--append INPUT --protocol udp --match udp --destination-port 2104 --jump ACCEPT

# Zephyr clients listen on ephemeral UDP ports and do not send enough
# outbound traffic for the ESTABLISHED,RELATED rule above to track them, so
# for now every inbound UDP datagram is accepted. This makes the 2104 rule
# above redundant and exposes any other UDP listener on the host.
#
# FIXME: do something better here.
--append INPUT --protocol udp --jump ACCEPT
<% else -%>
# All other hosts: inbound TCP services, by name (resolved via /etc/services).
# NOTE(review): these rules accept from any source address. postgresql in
# particular is usually only needed from the application hosts -- confirm
# whether a --source restriction is appropriate for this deployment.
--append INPUT --protocol tcp --match tcp --destination-port ssh --jump ACCEPT
--append INPUT --protocol tcp --match tcp --destination-port smtp --jump ACCEPT
--append INPUT --protocol tcp --match tcp --destination-port http --jump ACCEPT
--append INPUT --protocol tcp --match tcp --destination-port https --jump ACCEPT
--append INPUT --protocol tcp --match tcp --destination-port postgresql --jump ACCEPT

# Smokescreen proxy (TCP 4750).
--append INPUT --protocol tcp --match tcp --destination-port 4750 --jump ACCEPT

# statsd (UDP 8125).
--append INPUT --protocol udp --match udp --destination-port 8125 --jump ACCEPT
<% end -%>

# Catch-all: anything not accepted above is logged and dropped.
# NOTE(review): there are no ":INPUT"/":FORWARD" policy lines in this file,
# so the built-in chain policies are not set here; the default-deny for
# inbound and forwarded traffic comes from these two rules. Keep them last.
--append INPUT --jump LOGDROP
--append FORWARD --jump LOGDROP
COMMIT