samrocketman · May 6, 2014 19:09 · samrocketman · May 6, 2014
diff --git a/iptables.rules b/iptables.rules
 #iptables config for gitlab

 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 #:OUTPUT DROP [0:0]
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 #-A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT

 ########################################################################
 # OUTBOUND RULES

 #allow ping only to public servers
 -A OUTPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
 #allow all internal network outbound communications
 -A OUTPUT -d 192.168.10.0/24 -j ACCEPT
 -A OUTPUT -d 10.9.8.0/24 -j ACCEPT
 -A OUTPUT -d 192.168.100.1 -j ACCEPT
 #Google Public DNS
 -A OUTPUT -p udp -d 8.8.8.8 -m state --state NEW -m udp --dport 53 -j ACCEPT
 -A OUTPUT -p udp -d 8.8.4.4 -m state --state NEW -m udp --dport 53 -j ACCEPT
 #smtps outbound
 -A OUTPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
 #system updates
 -A OUTPUT -p tcp -m state --state NEW -m multiport --dport 21,80,443 -j ACCEPT
 #accept traceroutes
 -A OUTPUT -p udp -m state --state NEW -m udp --dport 33434:33523 -j ACCEPT

 # END OUTBOUND RULES
 ########################################################################

 ########################################################################
 # INTERNAL INBOUND NETWORK RULES

 #icmp
 -A INPUT -p icmp -s 192.168.10.0/24 -j ACCEPT

 #GitLab inbound rules
 -A INPUT -p tcp -s 192.168.10.0/24 -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT

 # END INTERNAL INBOUND NETWORK RULES
 ########################################################################

 ########################################################################
 # PUBLIC INTERNET RULES

 #ssh from everyone in the world
 #-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

 # END PUBLIC INTERNET RULES
 ########################################################################

 #enable logging for troubleshooting inbound/outbound
 #-N LOGGING
 #-A LOGGING -p tcp -m limit --limit 2/min -j LOG --log-prefix "iptables DROP: " --log-level 4
 #-A LOGGING -j RETURN
 #-A OUTPUT -j LOGGING
 #-A INPUT -j LOGGING

 #block all remaining requests
 -A INPUT -j REJECT --reject-with icmp-host-prohibited
 -A FORWARD -j REJECT --reject-with icmp-host-prohibited
 COMMIT
	#iptables config for gitlab

	*filter
	:INPUT ACCEPT [0:0]
	:FORWARD ACCEPT [0:0]
	:OUTPUT ACCEPT [0:0]
	#:OUTPUT DROP [0:0]
	-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
	#-A INPUT -p icmp -j ACCEPT
	-A INPUT -i lo -j ACCEPT
	-A OUTPUT -o lo -j ACCEPT

	########################################################################
	# OUTBOUND RULES

	#allow ping only to public servers
	-A OUTPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
	#allow all internal network outbound communications
	-A OUTPUT -d 192.168.10.0/24 -j ACCEPT
	-A OUTPUT -d 10.9.8.0/24 -j ACCEPT
	-A OUTPUT -d 192.168.100.1 -j ACCEPT
	#Google Public DNS
	-A OUTPUT -p udp -d 8.8.8.8 -m state --state NEW -m udp --dport 53 -j ACCEPT
	-A OUTPUT -p udp -d 8.8.4.4 -m state --state NEW -m udp --dport 53 -j ACCEPT
	#smtps outbound
	-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
	#system updates
	-A OUTPUT -p tcp -m state --state NEW -m multiport --dport 21,80,443 -j ACCEPT
	#accept traceroutes
	-A OUTPUT -p udp -m state --state NEW -m udp --dport 33434:33523 -j ACCEPT

	# END OUTBOUND RULES
	########################################################################

	########################################################################
	# INTERNAL INBOUND NETWORK RULES

	#icmp
	-A INPUT -p icmp -s 192.168.10.0/24 -j ACCEPT

	#GitLab inbound rules
	-A INPUT -p tcp -s 192.168.10.0/24 -m state --state NEW -m multiport --dports 22,80,443 -j ACCEPT

	# END INTERNAL INBOUND NETWORK RULES
	########################################################################

	########################################################################
	# PUBLIC INTERNET RULES

	#ssh from everyone in the world
	#-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

	# END PUBLIC INTERNET RULES
	########################################################################

	#enable logging for troubleshooting inbound/outbound
	#-N LOGGING
	#-A LOGGING -p tcp -m limit --limit 2/min -j LOG --log-prefix "iptables DROP: " --log-level 4
	#-A LOGGING -j RETURN
	#-A OUTPUT -j LOGGING
	#-A INPUT -j LOGGING

	#block all remaining requests
	-A INPUT -j REJECT --reject-with icmp-host-prohibited
	-A FORWARD -j REJECT --reject-with icmp-host-prohibited
	COMMIT