Sunday, March 15, 2015


Example iptables configuration on CentOS:


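# configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
#
# NOTE(review): despite the generated-file header above, the rule set below has
# clearly been hand-edited; treat it as the manually maintained ruleset.
# Format: iptables-save / iptables-restore. Within a chain, rules are evaluated
# top-down and the first matching rule with a terminating target (ACCEPT/DROP)
# decides; anything that matches no rule falls through to the chain policy.
# Interfaces as used in this file: eth0 = Internet, eth2 = NTTNode (inside),
# tun0 = OpenVPN clients, virbr0 = KVM/CI VMs, lo = loopback.

#################################################################################
# Filtering table:
#################################################################################
*filter
# Default policies: anything not explicitly accepted below is DROPped on
# INPUT and FORWARD; locally generated traffic (OUTPUT) is unrestricted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

######################################################
# INPUT - beginning
# -----------------
# allow packets of already established connections:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# INPUT to firewall from loopback - all allowed (lo)
# --------------------------------------------------
-A INPUT -i lo -j ACCEPT

# INPUT to firewall - from NTTNode (eth2)
# --------------------------------------
# allow any traffic from inside (eth2 is fully trusted: no port, protocol or
# source-address restriction on this rule):
-A INPUT -i eth2 -j ACCEPT

# INPUT to firewall - from OpenVPN connections (tun0)
# ---------------------------------------------------
# allow any traffic for OpenVPN clients, restricted to the VPN client subnet:
-A INPUT -i tun0 -s 192.168.100.0/24 -j ACCEPT

# INPUT to firewall - from KVM VMs connections (virbr0)
# ---------------------------------------------------
# allow any traffic for KVM VMs, restricted to the VM subnet:
-A INPUT -i virbr0 -s 10.80.90.0/24 -j ACCEPT

# INPUT to firewall - from Internet (eth0)
# ----------------------------------------
# (the original heading said eth3; every Internet-facing rule in this file
# matches on eth0, which is also the interface masqueraded in the NAT table)
# allow pings for connection testing:
-A INPUT -i eth0 -p icmp --icmp-type echo-request -j ACCEPT

#
# allow incoming OpenVPN connections (TCP and UDP 1194) from any source:
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 1194 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
#
# allow SSH on port 22000 (non-standard port; reachable from any source
# address and not rate-limited by this rule)
-A INPUT -i eth0 -p tcp -m tcp --dport 22000 -m state --state NEW -j ACCEPT

######################################################

# FORWARDING - beginning
# ----------------------
# allow packets of already established connections:
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# FORWARDING - from NTTNode to Internet (eth2 --> eth0)
# ----------------------------------------------------
# allow any outgoing traffic:
-A FORWARD -i eth2 -o eth0 -j ACCEPT

# FORWARDING - from Internet to OpenVPN clients (eth0 --> tun0)
# -------------------------------------------------------------
# no rule on purpose: new connections from the Internet towards VPN clients
# fall through to the FORWARD DROP policy (reply traffic is already covered
# by the RELATED,ESTABLISHED rule above). The original file listed this
# heading twice, once mislabelled as "NTTNode"; the eth2 --> tun0 rule is
# further down.

# FORWARDING - from Internet to CI VM (eth0 --> virbr0)
# ---------------------------------------------------
# NOTE(review): this accepts ANY forwarded packet from eth0 to virbr0 with no
# state, protocol, port or destination restriction, so unsolicited inbound
# traffic can reach the CI VMs whenever it is routed to them. Confirm this is
# intended; if only reply traffic is needed, the RELATED,ESTABLISHED rule
# above already covers it and this rule can be narrowed to specific services.
-A FORWARD -i eth0 -o virbr0 -j ACCEPT

# FORWARDING - from NTTNode to CI VM (eth2 --> virbr0)
# ---------------------------------------------------
# allow any traffic from the inside network to the CI VMs:
-A FORWARD -i eth2 -o virbr0 -j ACCEPT

# FORWARDING - from OpenVPN to Node12 (tun0 --> eth2, the NTTNode side)
# ---------------------------------------------------
# allow any traffic for OpenVPN users, restricted to the VPN client subnet.
# NOTE(review): the other tun0 forwarding rules below do not carry this
# -s 192.168.100.0/24 restriction; confirm whether that is intentional.
-A FORWARD -i tun0 -o eth2 -s 192.168.100.0/24 -j ACCEPT

# FORWARDING - from CI VM to NTTNode (virbr0 --> eth2)
# ----------------------------------------------------
# allow any traffic from the CI VMs to the inside network:
-A FORWARD -i virbr0 -o eth2 -j ACCEPT

# FORWARDING - from CI VM to Internet (virbr0 --> eth0)
# ----------------------------------------------------
# allow any outgoing traffic from the CI VMs (a second, identical copy of
# this rule appeared later in the original file and was removed; it could
# never be reached because this rule matches first):
-A FORWARD -i virbr0 -o eth0 -j ACCEPT

# FORWARDING - from CI VM to OpenVPN client (virbr0 --> tun0)
# ---------------------------------------------------
# allow any traffic from the CI VMs to OpenVPN clients:
-A FORWARD -i virbr0 -o tun0 -j ACCEPT

# FORWARDING - from OpenVPN client to CI VM (tun0 --> virbr0)
# ---------------------------------------------------
# allow any traffic from OpenVPN clients to the CI VMs (no source restriction):
-A FORWARD -i tun0 -o virbr0 -j ACCEPT

# FORWARDING - from OpenVPN to Internet (tun0 --> eth0)
# -----------------------------------------------------
# allow OpenVPN clients to reach the Internet through this host
# (no source restriction):
-A FORWARD -i tun0 -o eth0 -j ACCEPT

# FORWARDING - from kvm to kvm (virbr0 --> virbr0)
# ----------------------------------------------------
# allow traffic between VMs on the same bridge:
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT

# FORWARDING - from NTTNode to OpenVPN clients (eth2 --> tun0)
# ----------------------------------------------------
# allow any traffic from the inside network to OpenVPN clients:
-A FORWARD -i eth2 -o tun0 -j ACCEPT

# COMMIT filtering rules
COMMIT

#################################################################################
# NAT table:
#################################################################################
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# masquerade everything leaving via eth0 - this matches on the outgoing
# interface only, so it covers eth2-->eth0, tun0-->eth0 and virbr0-->eth0 alike
-A POSTROUTING -o eth0 -j MASQUERADE

# COMMIT NAT rules
COMMIT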