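#! /bin/bash
###################################################################
####
#### DO NOT EDIT THIS FILE!
#### This file is managed by cfengine; any manual changes will be overridden
####
###################################################################
####### Packetfilter script, chatham ############
#
# Builds the INPUT / FORWARD / OUTPUT rulesets for this host and the vserver
# addresses it carries (192.168.8.5 self, .200 NS_EXT, .203 MAIL_WWW,
# .204 MAILHOST) with the add / addChain / selectChain / setPolicy helpers
# from ./functions.firewall and the site-wide settings from ./firewall.simple.
#
# Review notes on this revision:
#  - Everything before flushAll must fail closed: the helper files and the
#    host variables that are spliced into rules are verified first, so a
#    missing input aborts with the previous ruleset still loaded instead of
#    leaving a half-built table (or whatever policy flushAll sets) behind.
#  - HOSTS_NTP is extended with "${HOSTS_NTP[@]}" rather than "${HOSTS_NTP}":
#    the scalar form keeps only element 0 of a pre-set array and inserts an
#    empty element when nothing was set.
#  - Host variables are quoted so an empty value cannot be word-split into a
#    malformed rule such as "-s -g .drop".

# Resolve the helper files relative to this script, never relative to the
# caller's cwd: if the directory is unreachable, do not fall through and
# source whatever ./functions.firewall happens to exist where we are.
cd -- "$(dirname -- "$0")" || { echo "firewall chatham: cannot cd to script directory" >&2; exit 1; }
. ./functions.firewall || { echo "firewall chatham: cannot source functions.firewall" >&2; exit 1; }
. ./firewall.simple    || { echo "firewall chatham: cannot source firewall.simple" >&2; exit 1; }

HOST_MAILBOX=192.168.8.78
HOST_MAILFILTER=192.168.8.97
# Append the local NTP servers to whatever firewall.simple already configured
# (consumed by the sourced helpers, presumably add_simple_output -- confirm).
HOSTS_NTP=( "${HOSTS_NTP[@]}" "192.168.8.3" "192.168.9.134" )

# These are used in rules below but are expected to come from the sourced
# files. An unset value would yield a rule iptables rejects, silently leaving
# that rule (e.g. the Kaspersky drop) out of the set, so abort up front.
: "${HOST_KASPERSKY:?HOST_KASPERSKY must be set (expected from the sourced firewall files)}"
: "${HOST_CACTI:?HOST_CACTI must be set (expected from the sourced firewall files)}"

# From here on the live ruleset is modified.
flushAll
addDefaultChains
add_simple_invalid
# i-SSH is created/selected by the helper; anything it does not accept is
# handed to .lhide (presumably a log-and-hide target from functions.firewall
# -- confirm).
add_simple_ssh 'i-SSH'
add -g .lhide

# Common tail for every per-address input chain: drop the Kaspersky host,
# route SSH through i-SSH, allow ICMP destination-unreachable (type 3) for
# PMTU/error feedback, then log-and-reject the rest.
addChain 'i_common'
add -s "$HOST_KASPERSKY" -g .drop
add -p tcp --dport 22 -g i-SSH
add -p icmp --icmp-type 3 -j ACCEPT
add -g .lreject

# Monitoring hosts: ping, NRPE (5666), NTP, SNMP/traps, 8889. No terminal
# action, so non-matching traffic returns to INPUT (reached via -j, not -g).
# NOTE(review): tcp/22 is accepted directly here and so bypasses whatever
# i-SSH applies (rate limit/logging); consider "-g i-SSH" as in i_common.
addChain 'i-NAGIOS'
add -p icmp --icmp-type 'echo-request' -j ACCEPT
add -p tcp --dport 5666 -j ACCEPT
add -p tcp --dport 22 -j ACCEPT
add -p udp --dport 123 -j ACCEPT
add -p udp --dport 161 -j ACCEPT
add -p udp --dport 162 -j ACCEPT
add -p tcp --dport 8889 -j ACCEPT

# The host's own address: SNMP from the Cacti poller only, then the common tail.
addChain 'i-SELF'
add -p udp --dport 161 -s "$HOST_CACTI" -j ACCEPT
add -g i_common

# vserver rules
# External nameserver: DNS over UDP and TCP (TCP is needed for large answers/AXFR).
addChain 'i-NS_EXT'
add -p udp --dport 53 -j ACCEPT
add -p tcp --dport 53 -j ACCEPT
add -g i_common

# Mail host: nothing beyond the common tail is accepted inbound here.
addChain 'i-MAILHOST'
add -g i_common

# Webmail: HTTP and HTTPS.
addChain 'i-MAIL_WWW'
add -p tcp --dport 80 -j ACCEPT
add -p tcp --dport 443 -j ACCEPT
add -g i_common

# INPUT: default DROP; stateful accept; INVALID to the helper chain; Nagios
# sources; then dispatch on destination address to the per-role chains.
# NOTE(review): "-i lo" is accepted only after the per-address dispatch, so
# loopback traffic addressed to one of the four IPs above is filtered by the
# role chains (OUTPUT accepts lo before its dispatch) -- confirm this is
# intended.
selectChain 'INPUT'
setPolicy DROP
add -m state --state ESTABLISHED,RELATED -j ACCEPT
add -m state --state INVALID -g i-INVALID
add-many '-j i-NAGIOS -s' "${HOSTS_NAGIOS[@]}"
add -d 192.168.8.5 -g i-SELF
add -d 192.168.8.200 -g i-NS_EXT
add -d 192.168.8.203 -g i-MAIL_WWW
add -d 192.168.8.204 -g i-MAILHOST
add -i lo -j ACCEPT
ignore_simple_bcast
add -g .ldrop

#### This host does not route: drop (and log) everything in FORWARD.
selectChain 'FORWARD'
setPolicy DROP
add -g .ldrop

#### Per-source output chains. add_special_output takes service names whose
#### exact rules live in functions.firewall (mta, syslog, bind, db -- confirm).
addChain 'o-SELF'
add_special_output mta syslog
add -g .lreject

# Mail host: MTA traffic, the mail filter's service ports, and tcp/24 on the
# mailbox host (presumably LMTP delivery -- confirm).
addChain 'o-MAILHOST'
add_special_output mta
add -d "$HOST_MAILFILTER" -p tcp --dport 10002:10005 -j ACCEPT
add -d "$HOST_MAILFILTER" -p tcp --dport 15160 -j ACCEPT
add -d "$HOST_MAILBOX" -p tcp --dport 24 -j ACCEPT
add -g .lreject

addChain 'o-NS_EXT'
add_special_output mta bind
add -g .lreject

addChain 'o-MAIL_WWW'
add_special_output db
add -g .lreject

# OUTPUT: default DROP; stateful accept; loopback; the site-wide outbound
# allowances; then dispatch on source address to the per-role chains.
selectChain 'OUTPUT'
setPolicy DROP
add -m state --state ESTABLISHED,RELATED -j ACCEPT
add -m state --state INVALID -g o-INVALID
add -o lo -j ACCEPT
add_simple_output
add -s 192.168.8.5 -g o-SELF
add -s 192.168.8.200 -g o-NS_EXT
add -s 192.168.8.203 -g o-MAIL_WWW
add -s 192.168.8.204 -g o-MAILHOST
add -g .ldrop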