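#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
# ufw-before-input
# ufw-before-output
# ufw-before-forward
#
# This file is a Jinja2 template: `safe_browsing` (a list of client MAC
# addresses) and `status` are substituted at render time and the result is
# loaded by iptables-restore. Everything here is evaluated ahead of the rules
# ufw generates from its command line, so an ACCEPT in these chains takes
# precedence over a later deny.
#

# nat Table rules
*nat
:POSTROUTING ACCEPT [0:0]

# Forward traffic from eth1 through eth0.
# NOTE(review): there is no -s/-d restriction, so every packet routed out
# eth0 is masqueraded regardless of the interface it arrived on. This rule
# only rewrites addresses; permission to forward is not granted anywhere in
# this file (ufw-before-forward below accepts only RELATED,ESTABLISHED and
# ICMP), so it has to come from ufw's forward policy or rules kept elsewhere
# — confirm.
-A POSTROUTING -o eth0 -j MASQUERADE

# Set up NAT for CDN services
# Same shape as the eth0 rule: unrestricted masquerade of anything leaving eth2.
-A POSTROUTING -o eth2 -j MASQUERADE

# DNS safe browsing
# Plain DNS (udp/tcp 53) from each listed client MAC on eth1 is redirected to
# the local resolver listening on port 5353. Two caveats for whoever relies on
# this: the MAC match is a per-device policy selector, not an access control
# (a client can change its MAC address), and only port-53 DNS is caught —
# resolvers reached on other ports or inside TLS/HTTPS bypass the redirect.
# Accepting tcp/udp 5353 on eth1 in the filter table is not done in this
# file; presumably handled elsewhere — verify. The {% if %} guard is
# redundant with the loop (an empty list renders nothing) but harmless.
{% if safe_browsing %}
{% for mac in safe_browsing %}
-A PREROUTING -i eth1 -m mac --mac-source {{ mac }} -p udp --dport 53 -j REDIRECT --to-port 5353
-A PREROUTING -i eth1 -m mac --mac-source {{ mac }} -p tcp --dport 53 -j REDIRECT --to-port 5353
{% endfor %}
{% endif %}

# While status is anything other than "enabled", all inbound tcp/80 from eth1
# (to any destination, the gateway's own address included) is redirected to
# local port 8000 — presumably a setup/portal page; confirm. HTTPS is not
# touched, as TLS cannot be transparently redirected this way.
{% if status != "enabled" %}
-A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8000
{% endif %}

# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT

# Don't delete these required lines, otherwise there will be errors
# (ufw-logging-deny, jumped to further down, is created by ufw itself and is
# not declared in this file.)
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines

# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
# Two rules: the first hands the packet to the logging chain, the second is
# the one that discards it. No -i, so this applies on every interface.
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
# echo-request is included, so the host answers ping on every interface.
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
# Same set as INPUT; echo-request is forwarded between interfaces as well.
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
# UDP from server port 67 to client port 68; no -i, so accepted on every
# interface.
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
# Anything reaching INPUT that is not addressed to this host (and is neither
# multicast nor broadcast) is logged at a limited rate and dropped.
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
# Logging is capped at 3/min with a burst of 10 so a flood cannot fill the log.
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
# NOTE(review): neither this rule nor the UPnP one below carries -i, so these
# discovery ports are open on every interface, including the eth0 upstream
# side implied by the nat comments; limiting them to the LAN interface(s) is
# worth considering. Port 5353 here is unrelated to the DNS redirect above:
# this only matches the 224.0.0.251 multicast destination.
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT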