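*filter
# Filter table for a locked-down host: default-deny on every built-in chain.
# Inbound service is limited to SSH from management networks; outbound service
# is limited to an explicit list of NTP, DNS, printer and one application host.
# Every built-in chain ends in an explicit REJECT, so the DROP policies only
# matter if a rule is removed by mistake.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# User-defined chains. A packet that matches nothing in a user chain returns to
# the calling chain, where the trailing REJECT rule handles it.
:ACM-In - [0:0]
:ACM-In-Mgt-OK - [0:0]
:ACM-Out - [0:0]

# ---- base input rules -------------------------------------------------------
-A INPUT -i lo -j ACCEPT
# Packets conntrack cannot classify (out-of-window segments, stray RST/ACK) are
# dropped silently before any state-based ACCEPT can see them.
-A INPUT -m state --state INVALID -j DROP
# NOTE(review): this accepts every ICMP type, not only those needed for path
# MTU discovery and echo; tighten with --icmp-type if the host becomes exposed.
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# With the kernel default nf_conntrack_tcp_loose=1, a mid-stream TCP segment
# that has no conntrack entry is classified as NEW, so a non-SYN packet would
# otherwise be handed to ACM-In. Require SYN for new TCP connections.
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -m state --state NEW -j ACM-In
# Rate-limited log of what is about to be rejected, for auditing and intrusion
# detection; the limit keeps a flood from filling the system log.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-in-reject: " --log-level 4
-A INPUT -j REJECT

# ---- base output rules ------------------------------------------------------
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW -j ACM-Out
# Same rate-limited logging for outbound connection attempts the policy refuses;
# unexpected entries here are an early sign of a compromised or misconfigured host.
-A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-out-reject: " --log-level 4
-A OUTPUT -j REJECT

# ---- rules for new incoming connections -------------------------------------
# allow incoming SSH connections from management machines only
-A ACM-In -p tcp --dport 22 -j ACM-In-Mgt-OK

# ACM-In-Mgt-OK: shared source allow-list for management access. Referenced by
# the SSH rule above; further management-only services should jump here rather
# than duplicate the source networks.
-A ACM-In-Mgt-OK -s 10.0.0.0/8 -j ACCEPT
-A ACM-In-Mgt-OK -s 130.39.195.0/24 -j ACCEPT

# ---- rules for new outgoing connections -------------------------------------
# NTP servers
-A ACM-Out -p udp -d 130.39.187.30 --dport 123 -j ACCEPT
-A ACM-Out -p udp -d 130.39.187.31 --dport 123 -j ACCEPT
# DNS servers. TCP is allowed alongside UDP because resolvers retry over TCP
# when a UDP answer is truncated (TC bit set), e.g. large DNSSEC or TXT
# responses; UDP-only rules make those lookups fail silently.
-A ACM-Out -p udp -d 130.39.3.5 --dport 53 -j ACCEPT
-A ACM-Out -p tcp -d 130.39.3.5 --dport 53 -j ACCEPT
-A ACM-Out -p udp -d 130.39.244.30 --dport 53 -j ACCEPT
-A ACM-Out -p tcp -d 130.39.244.30 --dport 53 -j ACCEPT
-A ACM-Out -p udp -d 130.39.254.5 --dport 53 -j ACCEPT
-A ACM-Out -p tcp -d 130.39.254.5 --dport 53 -j ACCEPT
-A ACM-Out -p udp -d 130.39.254.30 --dport 53 -j ACCEPT
-A ACM-Out -p tcp -d 130.39.254.30 --dport 53 -j ACCEPT
# printers (LPD, port 515, both transports)
-A ACM-Out -p tcp -d 130.39.204.35 --dport 515 -j ACCEPT
-A ACM-Out -p udp -d 130.39.204.35 --dport 515 -j ACCEPT
-A ACM-Out -p tcp -d 130.39.204.200 --dport 515 -j ACCEPT
-A ACM-Out -p udp -d 130.39.204.200 --dport 515 -j ACCEPT
# miscellaneous
# NOTE(review): this allows NEW TCP connections to every port on 130.39.187.236.
# Restrict it with --dport once the service this host needs there is known.
-A ACM-Out -p tcp -d 130.39.187.236 -j ACCEPT
COMMIT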