igable · February 26, 2014 17:28
diff --git a/iptables b/iptables
 # perfSONAR Toolkit Firewall Config v1.0

 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]

 # convenience for logging things we want to specifically deny
 #-N DENYLOG
 #-A DENYLOG -j LOG --log-prefix DENIED_HOST:
 #-A DENYLOG -j DROP
 #-A INPUT -j DENYLOG -s <someipORnetwork>

 # Allow Loopback
 -A INPUT -i lo -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT

 # Accept ICMP
 -A INPUT -p icmp --icmp-type any -j ACCEPT

 # Accept existing and related connections
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 #NTP rules
 -A INPUT -s 0/0 -d 0/0 -p udp --source-port 123:123 -m state --state ESTABLISHED -j ACCEPT
 -A OUTPUT -s 0/0 -d 0/0 -p udp --destination-port 123:123 -m state --state NEW,ESTABLISHED -j ACCEPT

 # =-=-=-=-=-=- Core perfSONAR Services =-=-=-=-=-=-

 # Incoming Web - TCP Ports 80 and 443
 -A INPUT -m tcp -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A INPUT -m tcp -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

 # Incoming NTP - UDP Port 123
 -A INPUT -p udp --dport 123 -m udp -j ACCEPT 

 # Incoming SSH - TCP Port 22
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 22 -j ACCEPT

 # =-=-=-=-=-=- perfSONAR Measurement Tools =-=-=-=-=-=-

 # UDP Traceroute (Incoming)
 -A INPUT -m udp -p udp --dport 33434:33634 -j ACCEPT

 # NPAD Control (Incoming)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8000 -j ACCEPT 

 # NPAD Test (Incoming)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8001:8020 -j ACCEPT 

 # NDT Control (Incoming)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 7123 -j ACCEPT 

 # NDT Test (Incoming)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 3001:3003 -j ACCEPT 

 # OWAMP Control (Incoming)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 861 -j ACCEPT  

 # OWAMP Test (Incoming)
 -A INPUT -m udp -p udp --dport 8760:8960 -j ACCEPT 

 # BWCTL Control (Incoming)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 4823 -j ACCEPT 

 # BWCTL Peer (Incoming, TCP and UDP)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 6001:6200 -j ACCEPT 
 -A INPUT -m udp -p udp --dport 6001:6200 -j ACCEPT 

 # BWCTL Test (Incoming, TCP and UDP)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 5000:5600 -j ACCEPT 
 -A INPUT -m udp -p udp --dport 5000:5600 -j ACCEPT 

 # BWCTL Test [Historic] (Incoming, TCP and UDP)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 10101:10300 -j ACCEPT 
 -A INPUT -m udp -p udp --dport 10101:10300 -j ACCEPT 

 # =-=-=-=-=-=- Measurement Middleware =-=-=-=-=-=-

 # perfSONAR gLS Echo (Incoming, TCP and UDP)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 7 -j ACCEPT 
 -A INPUT -m udp -p udp --dport 7 -j ACCEPT 

 # perfSONAR SNMP MA (Incoming)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8065 -j ACCEPT 
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 9990 -j ACCEPT 

 # perfSONAR perfSONAR-BUOY Web Service (Incoming)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8085 -j ACCEPT 

 # perfSONAR Traceroute MA (Incoming)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8086 -j ACCEPT 

 # perfSONAR Traceroute MP [Historical] (Incoming)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8087 -j ACCEPT 

 # perfSONAR PingER Control and Testing (Incoming)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8075 -j ACCEPT 

 # perfSONAR perfSONAR-BUOY Control (Incoming)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8569:8570 -j ACCEPT 

 # perfSONAR Lookup Service [Historical] (Incoming)
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8090 -j ACCEPT 
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8095 -j ACCEPT 
 -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 9995 -j ACCEPT 

 # log before we drop whatever is left.
 # -A INPUT -j LOG --log-prefix DROPPED_PACKET:

 # Drop the rest

 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited



 -I INPUT 1 -m udp -p udp --dport  5001:5300 -j ACCEPT
 -I INPUT 1 -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport  5001:5300 -j ACCEPT
 -I INPUT 1 -m udp -p udp --dport  5301:5600 -j ACCEPT
 -I INPUT 1 -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport  5301:5600 -j ACCEPT
 -I INPUT 1 -m udp -p udp --dport  6001:6200 -j ACCEPT
 -I INPUT 1 -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport  6001:6200 -j ACCEPT
 -I INPUT 1 -m udp -p udp --dport  8760:8960 -j ACCEPT
 -I INPUT 1 -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport  8760:8960 -j ACCEPT
 COMMIT
	# perfSONAR Toolkit Firewall Config v1.0

	*filter
	:INPUT ACCEPT [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]

	# convenience for logging things we want to specifically deny
	#-N DENYLOG
	#-A DENYLOG -j LOG --log-prefix DENIED_HOST:
	#-A DENYLOG -j DROP
	#-A INPUT -j DENYLOG -s <someipORnetwork>

	# Allow Loopback
	-A INPUT -i lo -j ACCEPT
	-A OUTPUT -o lo -j ACCEPT

	# Accept ICMP
	-A INPUT -p icmp --icmp-type any -j ACCEPT

	# Accept existing and related connections
	-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	#NTP rules
	-A INPUT -s 0/0 -d 0/0 -p udp --source-port 123:123 -m state --state ESTABLISHED -j ACCEPT
	-A OUTPUT -s 0/0 -d 0/0 -p udp --destination-port 123:123 -m state --state NEW,ESTABLISHED -j ACCEPT

	# =-=-=-=-=-=- Core perfSONAR Services =-=-=-=-=-=-

	# Incoming Web - TCP Ports 80 and 443
	-A INPUT -m tcp -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
	-A INPUT -m tcp -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

	# Incoming NTP - UDP Port 123
	-A INPUT -p udp --dport 123 -m udp -j ACCEPT

	# Incoming SSH - TCP Port 22
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 22 -j ACCEPT

	# =-=-=-=-=-=- perfSONAR Measurement Tools =-=-=-=-=-=-

	# UDP Traceroute (Incoming)
	-A INPUT -m udp -p udp --dport 33434:33634 -j ACCEPT

	# NPAD Control (Incoming)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8000 -j ACCEPT

	# NPAD Test (Incoming)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8001:8020 -j ACCEPT

	# NDT Control (Incoming)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 7123 -j ACCEPT

	# NDT Test (Incoming)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 3001:3003 -j ACCEPT

	# OWAMP Control (Incoming)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 861 -j ACCEPT

	# OWAMP Test (Incoming)
	-A INPUT -m udp -p udp --dport 8760:8960 -j ACCEPT

	# BWCTL Control (Incoming)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 4823 -j ACCEPT

	# BWCTL Peer (Incoming, TCP and UDP)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 6001:6200 -j ACCEPT
	-A INPUT -m udp -p udp --dport 6001:6200 -j ACCEPT

	# BWCTL Test (Incoming, TCP and UDP)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 5000:5600 -j ACCEPT
	-A INPUT -m udp -p udp --dport 5000:5600 -j ACCEPT

	# BWCTL Test [Historic] (Incoming, TCP and UDP)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 10101:10300 -j ACCEPT
	-A INPUT -m udp -p udp --dport 10101:10300 -j ACCEPT

	# =-=-=-=-=-=- Measurement Middleware =-=-=-=-=-=-

	# perfSONAR gLS Echo (Incoming, TCP and UDP)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 7 -j ACCEPT
	-A INPUT -m udp -p udp --dport 7 -j ACCEPT

	# perfSONAR SNMP MA (Incoming)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8065 -j ACCEPT
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 9990 -j ACCEPT

	# perfSONAR perfSONAR-BUOY Web Service (Incoming)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8085 -j ACCEPT

	# perfSONAR Traceroute MA (Incoming)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8086 -j ACCEPT

	# perfSONAR Traceroute MP [Historical] (Incoming)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8087 -j ACCEPT

	# perfSONAR PingER Control and Testing (Incoming)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8075 -j ACCEPT

	# perfSONAR perfSONAR-BUOY Control (Incoming)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8569:8570 -j ACCEPT

	# perfSONAR Lookup Service [Historical] (Incoming)
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8090 -j ACCEPT
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8095 -j ACCEPT
	-A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 9995 -j ACCEPT

	# log before we drop whatever is left.
	# -A INPUT -j LOG --log-prefix DROPPED_PACKET:

	# Drop the rest

	-A INPUT -j REJECT --reject-with icmp-host-prohibited
	-A FORWARD -j REJECT --reject-with icmp-host-prohibited



	-I INPUT 1 -m udp -p udp --dport 5001:5300 -j ACCEPT
	-I INPUT 1 -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 5001:5300 -j ACCEPT
	-I INPUT 1 -m udp -p udp --dport 5301:5600 -j ACCEPT
	-I INPUT 1 -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 5301:5600 -j ACCEPT
	-I INPUT 1 -m udp -p udp --dport 6001:6200 -j ACCEPT
	-I INPUT 1 -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 6001:6200 -j ACCEPT
	-I INPUT 1 -m udp -p udp --dport 8760:8960 -j ACCEPT
	-I INPUT 1 -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 8760:8960 -j ACCEPT
	COMMIT