-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathip6tables.idpl
48 lines (41 loc) · 1.68 KB
/
ip6tables.idpl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
## @IDPLCHAINS@
## Place in the appropriate section of system firewall rules
# Define Two Chains: IDPLPOOL and IDPLPORTS
# IDPLPOOL -- hosts that are in IDPL
# IDPLPORTS -- Allowable ports
-N IDPLPOOL
-N IDPLPORTS
# iDPL IPv6 Addresses
# mickey.buaa.edu.cn = 2001:da8:203:d406:16da:e9ff:fef9:b68f
# idpl.elab.cnic.cn = 2400:dd01:1011:1:92b1:1cff:fe0c:740d
# komatsu.chtc.wisc.edu = 2607:f388:107c:502::c
# flashio-osg.calit2.optiputer.net = 2607:f720:1700:31d::61
# mongo.mayer.optiputer.net = 2607:f720:1700:1b32::6
# murpa.rocksclusters.org = 2607:f720:1400:1410:d267:e5ff:fe13:108f
-A IDPLPOOL --source 2001:da8:203:d406:16da:e9ff:fef9:b68f -j IDPLPORTS
-A IDPLPOOL --source 2400:dd01:1011:1:92b1:1cff:fe0c:740d -j IDPLPORTS
-A IDPLPOOL --source 2607:f720:1700:31d::61 -j IDPLPORTS
-A IDPLPOOL --source 2607:f720:1700:1b32::6 -j IDPLPORTS
-A IDPLPOOL --source 2607:f720:1400:1410:d267:e5ff:fe13:108f -j IDPLPORTS
-A IDPLPOOL --source 2607:f388:107c:502::c -j IDPLPORTS
# Drop NFS. Allow ssh. Allow non-privileged ports
-A IDPLPORTS -p tcp --dport nfs -j DROP
-A IDPLPORTS -p tcp --dport ssh -j ACCEPT
-A IDPLPORTS -p tcp --dport 1024:65535 -j ACCEPT
## @IDPLCHAINS-END@
## @IDPLRULE@
### Add in the appropriate place Where IDPL should tested
-A INPUT -j IDPLPOOL
## @IDPLRULE-END@
## Generic Firewall config if ip6tables does not exist
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT