Would like to move to https://github.com/rug-cit-hpc/pg-playbooks but has large files...
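#!/bin/bash
# Modified version of firewall encountered on live pg-scheduler
# DIY-firewall (GS)
# scheduler02.hpc.rug.nl
#
# Rebuilds the IPv4 iptables ruleset of the scheduler host from scratch and
# saves it to /etc/sysconfig/iptables so it is restored on boot.
# This file is an Ansible template: the external interface name is filled in
# from ansible_default_ipv4.interface at deploy time. Must run as root.
#
# Abort on the first failed command so that a half-built ruleset is never
# saved to disk. Because the default policies are switched to DROP before the
# ACCEPT rules are appended, an abort fails closed (console access may be
# needed to recover) rather than leaving the host open.
set -eu

if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

readonly IPT=/sbin/iptables

# vars:
IFACE="{{ansible_default_ipv4.interface}}"   # external interface (Ansible default route)
INTERCONNECT_IFACE="eth0"                    # cluster interconnect, trusted unconditionally
LOOPBACK="127.0.0.0/8"
OPERATOR="129.125.50.41/32"  # Nagios server
BWP_NET="129.125.249.0/24"   # bwp rug: admin network allowed to ssh in
SLURMDB="129.125.36.145/32"  # gospel/slurm-db
LOG_DST="129.125.50.193/32"  # dropped packets to this address are logged
readonly IFACE INTERCONNECT_IFACE LOOPBACK OPERATOR BWP_NET SLURMDB LOG_DST
# NOTE(review): if the Ansible default interface resolves to eth0, the
# unconditional interconnect ACCEPT rules below match first and every later
# restriction on $IFACE is moot -- confirm the interface layout on the host.

# kernel tweaks:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies                  # prevent SYN-floods
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 0 > /proc/sys/net/ipv4/ip_forward

# initialize: flush all rules/chains/counters and (re)create LOGDROP
"$IPT" -F
"$IPT" -X
"$IPT" -Z
"$IPT" -N LOGDROP
"$IPT" -A LOGDROP -j LOG
"$IPT" -A LOGDROP -j DROP

# config default policy's: deny unless explicitly allowed below
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP

# allow loopback:
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# allow interconnect (everything, both directions):
"$IPT" -A INPUT -i "$INTERCONNECT_IFACE" -j ACCEPT
"$IPT" -A OUTPUT -o "$INTERCONNECT_IFACE" -j ACCEPT

# refuse packets arriving on the external interface that claim a loopback
# destination; placed before any external ACCEPT so it cannot be bypassed
"$IPT" -A INPUT -i "$IFACE" -d "$LOOPBACK" -j DROP

# allow icmp:
"$IPT" -A INPUT -i "$IFACE" -p icmp -j ACCEPT
"$IPT" -A OUTPUT -o "$IFACE" -p icmp -j ACCEPT

# allow DNS (53) and NTP (123) as a client: outbound requests plus replies.
# Inbound is limited to ESTABLISHED so a remote host cannot reach arbitrary
# local ports merely by sending from source port 53 or 123.
"$IPT" -A OUTPUT -o "$IFACE" -p tcp --dport 53 -j ACCEPT
"$IPT" -A INPUT -i "$IFACE" -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
"$IPT" -A OUTPUT -o "$IFACE" -p udp --dport 53 -j ACCEPT
"$IPT" -A INPUT -i "$IFACE" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
"$IPT" -A OUTPUT -o "$IFACE" -p udp --dport 123 -j ACCEPT
"$IPT" -A INPUT -i "$IFACE" -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

# allow smtp out (replies limited to ESTABLISHED for the same reason):
"$IPT" -A OUTPUT -o "$IFACE" -p tcp --dport 25 -j ACCEPT
"$IPT" -A INPUT -i "$IFACE" -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

# bwp rug: ssh in from the admin network only
"$IPT" -A INPUT -i "$IFACE" -p tcp -s "$BWP_NET" --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPT" -A OUTPUT -o "$IFACE" -p tcp -d "$BWP_NET" --sport 22 -m state --state ESTABLISHED -j ACCEPT

# allow operator (Nagios): all tcp/udp/icmp in both directions, as in the
# original policy
"$IPT" -A INPUT -i "$IFACE" -p tcp -s "$OPERATOR" -j ACCEPT
"$IPT" -A OUTPUT -o "$IFACE" -p tcp -d "$OPERATOR" -j ACCEPT
"$IPT" -A INPUT -i "$IFACE" -p udp -s "$OPERATOR" -j ACCEPT
"$IPT" -A OUTPUT -o "$IFACE" -p udp -d "$OPERATOR" -j ACCEPT
"$IPT" -A INPUT -i "$IFACE" -p icmp -s "$OPERATOR" -j ACCEPT
"$IPT" -A OUTPUT -o "$IFACE" -p icmp -d "$OPERATOR" -j ACCEPT

# allow gospel/slurm-db: all tcp in both directions
"$IPT" -A INPUT -i "$IFACE" -p tcp -s "$SLURMDB" -j ACCEPT
"$IPT" -A OUTPUT -o "$IFACE" -p tcp -d "$SLURMDB" -j ACCEPT

# log, then drop, remaining inbound packets addressed to LOG_DST; everything
# else falls through to the silent INPUT DROP policy
"$IPT" -A INPUT -i "$IFACE" -d "$LOG_DST" -j LOGDROP

# -n: numeric output, no reverse DNS lookups (which may hang with DNS blocked)
"$IPT" --list -n

# Save the newly generated config into system config.
# This ensures the firewall is loaded on boot.
/usr/sbin/iptables-save > /etc/sysconfig/iptables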