Working firewall
# /etc/rsyslog.d/10-cf-internet.conf
# Log kernel generated UFW log messages to file
# Property-based filter: any message whose text contains the prefix that the
# iptables LOG rule stamps on rejected forward packets ("cf-to-internet-traffic: ")
# is appended to a dedicated file, so these rejects can be reviewed/alerted on
# separately from the rest of the kernel log.
# NOTE(review): there is no discard action (e.g. `& stop`) after this line, so
# the same message presumably also continues to the default kernel-log
# destinations -- confirm that is intended (duplicate lines vs. a single file).
:msg,contains,"cf-to-internet-traffic:" /var/log/cf-internet.log
# Generated by iptables-save v1.4.12 on Wed Jun 4 08:01:11 2014
*nat
:PREROUTING ACCEPT [158881:9653125]
:INPUT ACCEPT [109:6976]
:OUTPUT ACCEPT [29390:1794686]
:POSTROUTING ACCEPT [184193:11156459]
# One nat chain per warden instance; in this table they are declared but carry
# no rules, so warden-prerouting falls through them and back to PREROUTING.
:warden-instance-17qu0fod625 - [0:0]
:warden-instance-17qu0fod626 - [0:0]
:warden-instance-17qu0fod627 - [0:0]
:warden-instance-17qu0fod628 - [0:0]
:warden-instance-17qu0fod629 - [0:0]
:warden-instance-17qu0fod62a - [0:0]
:warden-instance-17qu0fod62b - [0:0]
:warden-instance-17qu0fod62c - [0:0]
:warden-instance-17qu0fod62d - [0:0]
:warden-instance-17qu0fod62e - [0:0]
:warden-instance-17qu0fod62f - [0:0]
:warden-instance-17qu0fod62g - [0:0]
:warden-postrouting - [0:0]
:warden-prerouting - [0:0]
-A PREROUTING -j warden-prerouting
# Locally generated traffic on lo also passes the warden prerouting chain.
-A OUTPUT -o lo -j warden-prerouting
-A POSTROUTING -j warden-postrouting
###########################################################################
# We can leave this rule alone, we're going to catch this stuff in forward
#
# Source-NAT (masquerade) anything from the cf-subnet that is NOT going to the
# cf-subnet itself. This only rewrites addresses; it does not decide whether
# the packet is allowed -- that is the job of the filter table's forward chain.
-A warden-postrouting -s 10.245.0.0/19 ! -d 10.245.0.0/19 -j MASQUERADE
-A warden-prerouting -j warden-instance-17qu0fod625
-A warden-prerouting -j warden-instance-17qu0fod626
-A warden-prerouting -j warden-instance-17qu0fod627
-A warden-prerouting -j warden-instance-17qu0fod628
-A warden-prerouting -j warden-instance-17qu0fod629
-A warden-prerouting -j warden-instance-17qu0fod62a
-A warden-prerouting -j warden-instance-17qu0fod62b
-A warden-prerouting -j warden-instance-17qu0fod62c
-A warden-prerouting -j warden-instance-17qu0fod62d
-A warden-prerouting -j warden-instance-17qu0fod62e
-A warden-prerouting -j warden-instance-17qu0fod62f
-A warden-prerouting -j warden-instance-17qu0fod62g
COMMIT
# Completed on Wed Jun 4 08:01:11 2014
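# Generated by iptables-save v1.4.12 on Wed Jun 4 08:01:11 2014
*filter
:INPUT ACCEPT [1277434:1653761916]
:FORWARD ACCEPT [1290111:1605039475]
:OUTPUT ACCEPT [1583032:2217521661]
:warden-default - [0:0]
:warden-forward - [0:0]
# Chain that decides what cf-subnet traffic may leave for on-premises/Internet
# destinations. The name here MUST match the target used by the rules below
# (`-j on-premises-firewall`); the previous declaration was `on-premises-forward`,
# which iptables-restore would reject as an unknown chain/target.
:on-premises-firewall - [0:0]
:warden-instance-17qu0fod625 - [0:0]
:warden-instance-17qu0fod626 - [0:0]
:warden-instance-17qu0fod627 - [0:0]
:warden-instance-17qu0fod628 - [0:0]
:warden-instance-17qu0fod629 - [0:0]
:warden-instance-17qu0fod62a - [0:0]
:warden-instance-17qu0fod62b - [0:0]
:warden-instance-17qu0fod62c - [0:0]
:warden-instance-17qu0fod62d - [0:0]
:warden-instance-17qu0fod62e - [0:0]
:warden-instance-17qu0fod62f - [0:0]
:warden-instance-17qu0fod62g - [0:0]
# Only frames arriving on a warden interface (w-*) enter warden-forward;
# everything else forwarded by this host is governed by the FORWARD policy.
-A FORWARD -i w-+ -j warden-forward
# Reply traffic for connections already tracked is accepted outright.
-A warden-default -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Anything that came in on eth0 is accepted before the on-premises check.
# NOTE(review): presumably this is for traffic heading *into* the cf-subnet;
# confirm eth0 is the external interface and that this ordering is intended.
-A warden-forward -i eth0 -j ACCEPT
###########################################################################
# We want to firewall all forward packets not destined for the cf-subnet
# NOTE: Packets between cf-subnet and the director machine(this one) are
# unaffected, because they do not travel through the 'forward' chain
# on-premises-firewall RETURNs for allowed destinations and REJECTs the rest,
# so a packet reaching the per-instance rules below has already passed it.
-A warden-forward ! -d 10.245.0.0/19 -j on-premises-firewall
# `-g` (goto) hands the packet to the instance chain without returning here;
# each instance chain in turn goes to warden-default.
-A warden-forward -i w-17qu0fod62g-0 -g warden-instance-17qu0fod62g
-A warden-forward -i w-17qu0fod62f-0 -g warden-instance-17qu0fod62f
-A warden-forward -i w-17qu0fod62e-0 -g warden-instance-17qu0fod62e
-A warden-forward -i w-17qu0fod62d-0 -g warden-instance-17qu0fod62d
-A warden-forward -i w-17qu0fod62c-0 -g warden-instance-17qu0fod62c
-A warden-forward -i w-17qu0fod62b-0 -g warden-instance-17qu0fod62b
-A warden-forward -i w-17qu0fod62a-0 -g warden-instance-17qu0fod62a
-A warden-forward -i w-17qu0fod629-0 -g warden-instance-17qu0fod629
-A warden-forward -i w-17qu0fod628-0 -g warden-instance-17qu0fod628
-A warden-forward -i w-17qu0fod627-0 -g warden-instance-17qu0fod627
-A warden-forward -i w-17qu0fod626-0 -g warden-instance-17qu0fod626
-A warden-forward -i w-17qu0fod625-0 -g warden-instance-17qu0fod625
# Frames from a w-* interface that matches none of the listed instances
# (e.g. an instance not yet in this ruleset) are dropped.
-A warden-forward -j DROP
############################################################################
# all on-prem rules are from cf-net
############################################################################
# dont block the dns (discoverable)
-A on-premises-firewall -d 192.168.9.0/24 -j RETURN
############################################################################
# dont block the Mac (not easily discoverable - would love a better solution)
-A on-premises-firewall -d 192.168.100.0/24 -j RETURN
############################################################################
# LOG it and REJECT it
# LOG is non-terminating: the limit only throttles how many log lines are
# emitted (5/min); every packet that reaches here is still REJECTed below.
# The prefix must stay in sync with the rsyslog filter that files these lines.
# NOTE(review): --log-level 0 is "emerg"; many syslog setups broadcast emerg
# messages to every logged-in terminal. A lower severity (e.g. 4, "warning")
# is usually preferable -- confirm before changing, as the rsyslog filter
# matches on the prefix, not the level.
-A on-premises-firewall -m limit --limit 5/min -j LOG --log-prefix "cf-to-internet-traffic: " --log-level 0
# REJECT (rather than DROP) so the instance gets an immediate ICMP error
# instead of a hanging connection.
-A on-premises-firewall -j REJECT
-A warden-instance-17qu0fod625 -g warden-default
-A warden-instance-17qu0fod626 -g warden-default
-A warden-instance-17qu0fod627 -g warden-default
-A warden-instance-17qu0fod628 -g warden-default
-A warden-instance-17qu0fod629 -g warden-default
-A warden-instance-17qu0fod62a -g warden-default
-A warden-instance-17qu0fod62b -g warden-default
-A warden-instance-17qu0fod62c -g warden-default
-A warden-instance-17qu0fod62d -g warden-default
-A warden-instance-17qu0fod62e -g warden-default
-A warden-instance-17qu0fod62f -g warden-default
-A warden-instance-17qu0fod62g -g warden-default
COMMIT
# Completed on Wed Jun 4 08:01:11 2014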