Travel82

Untitled

Feb 3rd, 2020
  1.  
  2. # Firewall configuration
  3. # POCR configuration
  4. #
  5. # 2018-12-7 hkamrik - added new scadanode
  6. # 2018-12-11 hkarmik - added http from ws to bond3
  7. # 2019-01-24 MakarenkoN - added Remote connection from WSs to TS
  8. # 2019-01-25 MakarenkoN - added Remote connections from NEWS to WSs TightVNC
  9. #
  10.  
  11. *filter
  12. :INPUT ACCEPT [0:0]
  13. :FORWARD ACCEPT [0:0]
  14. :OUTPUT ACCEPT [0:0]
  15. :LogDrop - [0:0]
  16.  
  17. # Stateful firewall
  18.  
  19. -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  20. -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
  21. -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  22.  
# Interface / zone map (address ranges as used by the rules in this file)
# bond0 - Management 10.6.32.0/24
# bond1 - Server net 10.6.33.0/24 (DCs 10.6.33.8-.9, SCADA 10.6.33.32/27, Oracle 10.6.33.96/28)
# bond2 - VLAN trunk
# bond2.10 - DMZ1.0 - NFE 10.6.0.0/24
# bond2.20 - DMZ2.0 - Terminal server 10.6.16.0/26
# bond2.48 - Workstations control center 0 10.6.48.0/24
# bond3 - DMZ out
# NOTE(review): bond3 is the least-trusted side, yet several rules below admit
# traffic from it based on source address alone (SSH, RDP from 172.21.0.x,
# DNS to the DCs). Nothing in this file rejects packets that arrive on bond3
# with an inner-zone (10.6.x.x) source address; unless rp_filter is enabled
# on the host, add an explicit anti-spoofing drop for bond3 before relying on
# per-address rules for that interface.

# Everything allowed inside the device
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

  35. # Drop AD's root dns server queries
  36. -A FORWARD -i bond1 -s 10.6.33.8 -p udp --dport 53 -j ACCEPT
  37. -A FORWARD -i bond1 -s 10.6.33.9 -p udp --dport 53 -j ACCEPT
  38. -A FORWARD -i bond1 -s 10.6.33.8 -p udp --sport 53 -j ACCEPT
  39. -A FORWARD -i bond1 -s 10.6.33.9 -p udp --sport 53 -j ACCEPT
  40. #
  41. -A FORWARD -o bond1 -d 10.6.33.8 -p udp --dport 53 -j ACCEPT
  42. -A FORWARD -o bond1 -d 10.6.33.9 -p udp --dport 53 -j ACCEPT
  43.  
  44. # SSH
  45. -A INPUT -p tcp --dport 22 -j ACCEPT
  46. -A OUTPUT -p tcp --dport 22 -j ACCEPT
  47. -A FORWARD -i bond3 -p tcp --dport 22 -j ACCEPT
  48.  
  49. # Incoming OpenVPN connections
  50. #-A INPUT -i bond1 -p udp --dport 1194 -d 192.168.1.76 -j ACCEPT
  51. #-A OUTPUT -o bond1 -p udp --sport 1194 -s 192.168.1.76 -j ACCEPT
  52.  
  53. # NTP
  54. -A INPUT -p udp --dport 123 -s 10.0.0.0/8 -j ACCEPT
  55. -A OUTPUT -p udp --sport 123 -d 10.0.0.0/8 -j ACCEPT
  56. -A OUTPUT -p udp --dport 123 -d 10.0.0.0/8 -j ACCEPT
  57. -A INPUT -p udp --dport 123 -s 172.20.0.0/8 -j ACCEPT
  58. -A OUTPUT -p udp --sport 123 -d 172.20.0.0/8 -j ACCEPT
  59. -A OUTPUT -p udp --dport 123 -d 172.20.0.0/8 -j ACCEPT
  60. -A INPUT -p udp --dport 123 -s 172.21.0.11/8 -j ACCEPT
  61. -A OUTPUT -p udp --sport 123 -d 172.21.0.11/8 -j ACCEPT
  62. -A OUTPUT -p udp --dport 123 -d 172.21.0.11/8 -j ACCEPT
  63.  
# SNMP
# Polling from the firewall host towards management (bond0) and bond3 only;
# no inbound SNMP to the firewall is accepted anywhere in this file.
-A OUTPUT -o bond0 -p udp --dport 161 -j ACCEPT
-A OUTPUT -o bond3 -p udp --dport 161 -j ACCEPT

# HP System management (TCP 2301/2381 on the firewall host)
# Reachable from every host on bond2.20 and from the single workstation
# 10.6.48.161. NOTE(review): pin the bond2.20 rule to the TS hosts
# (10.6.16.49 / .50) as the "Maintenance from TS" rules below already do.
-A INPUT -i bond2.20 -p tcp -m multiport --dport 2301,2381 -j ACCEPT
-A INPUT -i bond2.48 -s 10.6.48.161 -p tcp -m multiport --dport 2301,2381 -j ACCEPT

# Redundancy (firewall pair on 10.6.33.0/29)
# UDP 8500 between the peers (purpose not stated in this file) and VRRP to
# the 224.0.0.18 multicast group. The -s 10.6.33.0/29 match is the only
# protection on these flows and VRRP offers at best weak authentication, so
# keep the peer subnet as small as it is and do not widen it.
-A INPUT -i bond1 -s 10.6.33.0/29 -p udp --dport 8500 -j ACCEPT
-A OUTPUT -o bond1 -d 10.6.33.0/29 -p udp --dport 8500 -j ACCEPT
-A OUTPUT -o bond1 -s 10.6.33.0/29 -d 224.0.0.18/32 -p vrrp -j ACCEPT
-A INPUT -i bond1 -s 10.6.33.0/29 -d 224.0.0.18/32 -p vrrp -j ACCEPT

# DNS to AD's (the firewall host's own resolver queries into the server net;
# not limited to 10.6.33.8/.9)
-A OUTPUT -o bond1 -p udp --dport 53 -j ACCEPT

# Telnet to NFE (TCP 8023 from the firewall host to any NFE host)
# Telnet is clear-text: credentials and commands cross bond2.10 unencrypted.
-A OUTPUT -o bond2.10 -p tcp --dport 8023 -d 10.6.0.0/24 -j ACCEPT

# Serverwatch to NFE (UDP 6652/6653 from the firewall host to .198 and .208)
-A OUTPUT -o bond2.10 -d 10.6.0.198 -p udp --dport 6652 -j ACCEPT
-A OUTPUT -o bond2.10 -d 10.6.0.198 -p udp --dport 6653 -j ACCEPT
-A OUTPUT -o bond2.10 -d 10.6.0.208 -p udp --dport 6652 -j ACCEPT
-A OUTPUT -o bond2.10 -d 10.6.0.208 -p udp --dport 6653 -j ACCEPT

# SNMP to NFE
# NOTE(review): despite the heading these are the same UDP 6652/6653 ports as
# the Serverwatch rules above (to .199 / .209), not SNMP 161. They are
# allowed out via both bond2.10 and bond3, which implies 10.6.0.199/.209 are
# also routed through bond3 -- verify which path is real and drop the other.
-A OUTPUT -o bond2.10 -d 10.6.0.199 -p udp --dport 6652 -j ACCEPT
-A OUTPUT -o bond2.10 -d 10.6.0.199 -p udp --dport 6653 -j ACCEPT
-A OUTPUT -o bond2.10 -d 10.6.0.209 -p udp --dport 6652 -j ACCEPT
-A OUTPUT -o bond2.10 -d 10.6.0.209 -p udp --dport 6653 -j ACCEPT
-A OUTPUT -o bond3 -d 10.6.0.199 -p udp --dport 6652 -j ACCEPT
-A OUTPUT -o bond3 -d 10.6.0.199 -p udp --dport 6653 -j ACCEPT
-A OUTPUT -o bond3 -d 10.6.0.209 -p udp --dport 6652 -j ACCEPT
-A OUTPUT -o bond3 -d 10.6.0.209 -p udp --dport 6653 -j ACCEPT

# GWServer hardware monitoring to scada (firewall host -> SCADA 10.6.33.32/28, TCP 6001)
-A OUTPUT -o bond1 -d 10.6.33.32/28 -p tcp --dport 6001 -j ACCEPT

# IEC-104 (TCP 2404) and other protocols (UDP 2101-2150) from NFE to substations
# NOTE(review): no -d -- any NFE host may reach any address beyond bond3 on
# these ports. Pin the destinations to the substation RTU/gateway addresses
# if they are known.
-A FORWARD -i bond2.10 -o bond3 -s 10.6.0.0/24 -p tcp --dport 2404 -j ACCEPT
-A FORWARD -i bond2.10 -o bond3 -s 10.6.0.0/24 -p udp --dport 2101:2150 -j ACCEPT

# (disabled) RDP from bond2.20 to bond3. Note the -s 10.6.0.0/24 is the NFE
# range, not bond2.20's 10.6.16.0/26, so this rule could never have matched.
#-A FORWARD -i bond2.20 -o bond3 -s 10.6.0.0/24 -p tcp --dport 3389 -j ACCEPT

  110. # Ping
  111. -A OUTPUT -p icmp --icmp echo-request -j ACCEPT
  112. -A OUTPUT -p icmp --icmp echo-reply -j ACCEPT
  113. -A INPUT -p icmp --icmp echo-request -j ACCEPT
  114. -A INPUT -p icmp --icmp echo-reply -j ACCEPT
  115. -A FORWARD -p icmp --icmp echo-request -j ACCEPT
  116. -A FORWARD -p icmp --icmp echo-reply -j ACCEPT
  117.  
### Connections from Engineering WS (10.6.48.160/29)
# NOTE(review): no -o/-d. These six addresses reach every zone, bond3
# included, on clear-text telnet (23), SSH, HTTP(S), RDP, SMB (445), 1066,
# 8023, 17990 (presumably iLO virtual media), vSphere (902, 5480) and 9877,
# plus NetBIOS name service and SNMP over UDP. That is effectively a
# maintenance-VLAN bypass of every other rule in this file; scope it per
# destination the way the vSphere and SCADA sections below do.
-A FORWARD -i bond2.48 -s 10.6.48.160/29 -p tcp -m multiport --dports 80,443,22,23,1066,8023,3389,445,17990,5480,902,9877 -j ACCEPT
# Same hosts to the firewall itself.
-A INPUT -i bond2.48 -s 10.6.48.160/29 -p tcp -m multiport --dports 22,1066,8023 -j ACCEPT
-A FORWARD -i bond2.48 -s 10.6.48.160/29 -p udp -m multiport --dports 137,161 -j ACCEPT

# connection from ws network to bond3 (HTTP from every workstation to any
# address beyond bond3 -- no -d)
-A FORWARD -i bond2.48 -o bond3 -s 10.6.48.0/24 -p tcp -m multiport --dports 80 -j ACCEPT

### Connections from NWS07 WS TEMPORARY!!
# (disabled) Dead temporary rules: delete them rather than leaving them to be
# re-enabled with the same unscoped port list as above.
#-A FORWARD -i bond2.48 -s 10.6.48.198/32 -p tcp -m multiport --dports 80,443,22,23,1066,8023,3389,445,17990,5480,902,9877 -j ACCEPT
#-A INPUT -i bond2.48 -s 10.6.48.198/32 -p tcp -m multiport --dports 22,1066,8023 -j ACCEPT
#-A FORWARD -i bond2.48 -s 10.6.48.198/32 -p udp -m multiport --dports 137 -j ACCEPT

# Workstations to TS (every host on bond2.48 to every host on bond2.20, RDP)
-A FORWARD -o bond2.20 -i bond2.48 -p tcp --dport 3389 -j ACCEPT
# Maintenance from TS
# NOTE(review): no -o/-d -- the two TS hosts may open SSH, HTTP(S), RDP,
# 8023 and SMB to every zone, NFE and bond3 included. Because the same two
# hosts accept RDP from the 172.21.0.x addresses on bond3 (end of this file),
# TS is a pivot from the least-trusted side into the NFE/SCADA networks;
# restrict these to the destinations maintenance actually needs.
-A FORWARD -i bond2.20 -s 10.6.16.49 -p tcp -m multiport --dport 22,80,443,3389,8023,445 -j ACCEPT
-A FORWARD -i bond2.20 -s 10.6.16.50 -p tcp -m multiport --dport 22,80,443,3389,8023,445 -j ACCEPT

  137. #### Vmware vSphere connection
  138. -A FORWARD -i bond2.48 -o bond0 -d 10.6.32.66 -p tcp -m multiport --dport 80,443,902,5480,9443 -j ACCEPT
  139. -A FORWARD -i bond2.48 -o bond0 -d 10.6.32.71 -p tcp -m multiport --dport 80,443,902,5480,9443 -j ACCEPT
  140. -A FORWARD -i bond2.48 -o bond0 -d 10.6.32.72 -p tcp -m multiport --dport 80,443,902,5480,9443 -j ACCEPT
  141.  
  142. -A FORWARD -o bond2.48 -i bond0 -s 10.6.32.66 -p tcp -m multiport --sport 443 -j ACCEPT
  143. -A FORWARD -o bond2.48 -i bond0 -s 10.6.32.71 -p tcp -m multiport --sport 443 -j ACCEPT
  144. -A FORWARD -o bond2.48 -i bond0 -s 10.6.32.72 -p tcp -m multiport --sport 443 -j ACCEPT
  145.  
#### Vmware VCenter Alarms to Scada (TCP 6001)
# NOTE(review): no -s -- any host on the management net, not only vCenter,
# may reach the two SCADA servers on 6001. Add -s for the vCenter address(es).
-A FORWARD -i bond0 -o bond1 -d 10.6.33.34 -p tcp --dport 6001 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -d 10.6.33.35 -p tcp --dport 6001 -j ACCEPT

#### Scada to NFE (SCADA servers .34-.37 -> the firewall host and, via
#### FORWARD, any other zone on TCP 1066/1719/8023)
# NOTE(review): the FORWARD rules carry no -o/-d, so "to NFE" is only true by
# convention; add -o bond2.10 -d 10.6.0.0/24 to make the heading enforceable.
-A INPUT -i bond1 -s 10.6.33.34 -p tcp -m multiport --dport 1066,1719,8023 -j ACCEPT
-A INPUT -i bond1 -s 10.6.33.35 -p tcp -m multiport --dport 1066,1719,8023 -j ACCEPT
-A FORWARD -i bond1 -s 10.6.33.34 -p tcp -m multiport --dport 1066,1719,8023 -j ACCEPT
-A FORWARD -i bond1 -s 10.6.33.35 -p tcp -m multiport --dport 1066,1719,8023 -j ACCEPT
-A INPUT -i bond1 -s 10.6.33.36 -p tcp -m multiport --dport 1066,1719,8023 -j ACCEPT
-A INPUT -i bond1 -s 10.6.33.37 -p tcp -m multiport --dport 1066,1719,8023 -j ACCEPT
-A FORWARD -i bond1 -s 10.6.33.36 -p tcp -m multiport --dport 1066,1719,8023 -j ACCEPT
-A FORWARD -i bond1 -s 10.6.33.37 -p tcp -m multiport --dport 1066,1719,8023 -j ACCEPT


  161. #### Domain connection
  162. #### DNS 53, Kerberos 88, NTP 123, RPC 135, LDAP 389, SMB 445, secure LDAP 686, MS DFS 5722
  163. # DMZ2.0
  164. -A FORWARD -i bond2.20 -o bond1 -d 10.6.33.8 -p tcp -m multiport --dport 53,88,135,139,389,445,686,3268,5722 -j ACCEPT
  165. -A FORWARD -o bond2.20 -i bond1 -s 10.6.33.8 -p tcp -m multiport --dport 53,88,135,139,389,445,686,3268,5722 -j ACCEPT
  166. -A FORWARD -o bond2.20 -i bond1 -s 10.6.33.8 -p tcp -m multiport --sport 53,88,135,139,389,445,686,3268,5722 -j ACCEPT
  167. -A FORWARD -i bond2.20 -o bond1 -d 10.6.33.8 -p udp -m multiport --dport 53,88,123,137,138,389,445,5722 -j ACCEPT
  168. -A FORWARD -o bond2.20 -i bond1 -s 10.6.33.8 -p udp -m multiport --dport 53,88,123,137,138,389,445,5722 -j ACCEPT
  169. -A FORWARD -o bond2.20 -i bond1 -s 10.6.33.8 -p udp -m multiport --sport 53,88,123,137,138,389,445,5722 -j ACCEPT
  170. -A FORWARD -i bond2.20 -o bond1 -d 10.6.33.9 -p tcp -m multiport --dport 53,88,135,139,389,445,686,3268,5722 -j ACCEPT
  171. -A FORWARD -o bond2.20 -i bond1 -s 10.6.33.9 -p tcp -m multiport --dport 53,88,135,139,389,445,686,3268,5722 -j ACCEPT
  172. -A FORWARD -o bond2.20 -i bond1 -s 10.6.33.9 -p tcp -m multiport --sport 53,88,135,139,389,445,686,3268,5722 -j ACCEPT
  173. -A FORWARD -i bond2.20 -o bond1 -d 10.6.33.9 -p udp -m multiport --dport 53,88,123,137,138,389,445,5722 -j ACCEPT
  174. -A FORWARD -i bond2.20 -o bond1 -d 10.6.33.9 -p udp -m multiport --sport 53,88,123,137,138,389,445,5722 -j ACCEPT
  175. -A FORWARD -o bond2.20 -i bond1 -s 10.6.33.9 -p udp -m multiport --dport 53,88,123,137,138,389,445,5722 -j ACCEPT
  176. # Workstations
  177. -A FORWARD -i bond2.48 -o bond1 -d 10.6.33.8 -p tcp -m multiport --dport 53,88,135,139,389,445,686,3268,5722 -j ACCEPT
  178. -A FORWARD -o bond2.48 -i bond1 -s 10.6.33.8 -p tcp -m multiport --dport 53,88,135,139,389,445,686,3268,5722 -j ACCEPT
  179. -A FORWARD -o bond2.48 -i bond1 -s 10.6.33.8 -p tcp -m multiport --sport 53,88,135,139,389,445,686,3268,5722 -j ACCEPT
  180. -A FORWARD -i bond2.48 -o bond1 -d 10.6.33.8 -p udp -m multiport --dport 53,88,123,137,138,389,445,5722 -j ACCEPT
  181. -A FORWARD -o bond2.48 -i bond1 -s 10.6.33.8 -p udp -m multiport --dport 53,88,123,137,138,389,445,5722 -j ACCEPT
  182. -A FORWARD -o bond2.48 -i bond1 -s 10.6.33.8 -p udp -m multiport --sport 53,88,123,137,138,389,445,5722 -j ACCEPT
  183. -A FORWARD -i bond2.48 -o bond1 -d 10.6.33.9 -p tcp -m multiport --dport 53,88,135,139,389,445,686,3268,5722 -j ACCEPT
  184. -A FORWARD -o bond2.48 -i bond1 -s 10.6.33.9 -p tcp -m multiport --dport 53,88,135,139,389,445,686,3268,5722 -j ACCEPT
  185. -A FORWARD -o bond2.48 -i bond1 -s 10.6.33.9 -p tcp -m multiport --sport 53,88,135,139,389,445,686,3268,5722 -j ACCEPT
  186. -A FORWARD -i bond2.48 -o bond1 -d 10.6.33.9 -p udp -m multiport --dport 53,88,123,137,138,389,445,5722 -j ACCEPT
  187. -A FORWARD -o bond2.48 -i bond1 -s 10.6.33.9 -p udp -m multiport --dport 53,88,123,137,138,389,445,5722 -j ACCEPT
  188. -A FORWARD -o bond2.48 -i bond1 -s 10.6.33.9 -p udp -m multiport --sport 53,88,123,137,138,389,445,5722 -j ACCEPT
  189. # Management
  190. -A FORWARD -i bond0 -o bond1 -d 10.6.33.8 -p tcp -m multiport --dport 53,88,135,389,445,686,3268,5722 -j ACCEPT
  191. -A FORWARD -o bond0 -i bond1 -s 10.6.33.8 -p tcp -m multiport --dport 53,88,135,389,445,686,3268,5722 -j ACCEPT
  192. -A FORWARD -i bond0 -o bond1 -d 10.6.33.8 -p udp -m multiport --dport 53,88,123,137,138,389,445,5722 -j ACCEPT
  193. -A FORWARD -o bond0 -i bond1 -s 10.6.33.8 -p udp -m multiport --dport 53,88,123,137,138,389,445,5722 -j ACCEPT
  194. -A FORWARD -i bond0 -o bond1 -d 10.6.33.9 -p tcp -m multiport --dport 53,88,135,389,445,686,3268,5722 -j ACCEPT
  195. -A FORWARD -o bond0 -i bond1 -s 10.6.33.9 -p tcp -m multiport --dport 53,88,135,389,445,686,3268,5722 -j ACCEPT
  196. -A FORWARD -i bond0 -o bond1 -d 10.6.33.9 -p udp -m multiport --dport 53,88,123,137,138,389,445,5722 -j ACCEPT
  197. -A FORWARD -o bond0 -i bond1 -s 10.6.33.9 -p udp -m multiport --dport 53,88,123,137,138,389,445,5722 -j ACCEPT
  198.  
  199. # DomainCtl dynamic ports RPC...
  200. -A FORWARD -i bond2.20 -o bond1 -p tcp --dport 49152:65535 -j ACCEPT
  201. -A FORWARD -i bond2.20 -o bond1 -p udp --dport 49152:65535 -j ACCEPT
  202. -A FORWARD -i bond2.48 -o bond1 -p tcp --dport 49152:65535 -j ACCEPT
  203. -A FORWARD -i bond2.48 -o bond1 -p udp --dport 49152:65535 -j ACCEPT
  204. -A FORWARD -i bond0 -o bond1 -p tcp --dport 49152:65535 -j ACCEPT
  205. -A FORWARD -i bond0 -o bond1 -p udp --dport 49152:65535 -j ACCEPT
  206.  
  207. #### Terminal server to Scada
  208. -A FORWARD -i bond2.20 -o bond1 -s 10.6.16.0/26 -d 10.6.33.32/27 -p tcp -m multiport --dports 2010,3389,6001,6003,9789,9790,9792,9791 -j ACCEPT
  209. -A FORWARD -o bond2.20 -i bond1 -d 10.6.16.0/26 -s 10.6.33.32/27 -p tcp -m multiport --sports 2010,3389,6001,6003,9789,9790,9792,9791 -j ACCEPT
  210. -A FORWARD -o bond2.20 -i bond1 -d 10.6.16.0/26 -s 10.6.33.32/27 -p tcp -m state --state NEW,ESTABLISHED --dport 1521 -j ACCEPT
  211.  
  212. # Workstation to Scada
  213. -A FORWARD -i bond2.48 -o bond1 -s 10.6.48.128/25 -d 10.6.33.32/27 -p tcp -m multiport --dports 2010,3389,6001,6003,9789,9790,9792,9791 -j ACCEPT
  214. -A FORWARD -o bond2.48 -i bond1 -d 10.6.48.128/25 -s 10.6.33.32/27 -p tcp -m multiport --sports 2010,3389,6001,6003,9789,9790,9792,9791 -j ACCEPT
  215. -A FORWARD -o bond2.48 -i bond1 -d 10.6.48.128/25 -s 10.6.33.32/27 -p tcp -m state --state NEW,ESTABLISHED --dport 1521 -j ACCEPT
  216.  
  217. #### Terminal server to Oracle
  218. -A FORWARD -i bond2.20 -o bond1 -s 10.6.16.0/26 -d 10.6.33.96/28 -m state --state NEW,ESTABLISHED -p tcp --dport 1521 -j ACCEPT
  219. -A FORWARD -o bond2.20 -i bond1 -d 10.6.16.0/26 -s 10.6.33.96/28 -p tcp --sport 1521 -j ACCEPT
  220.  
  221. # Workstation to Oracle
  222. -A FORWARD -i bond2.48 -o bond1 -s 10.6.48.128/25 -d 10.6.33.96/28 -m state --state NEW,ESTABLISHED -p tcp --dport 1521 -j ACCEPT
  223. -A FORWARD -o bond2.48 -i bond1 -d 10.6.48.128/25 -s 10.6.33.96/28 -p tcp --sport 1521 -j ACCEPT
  224.  
#### Server net to Terminal server web service (TCP 7777)
# NOTE(review): 10.6.16.49/27 is the network 10.6.16.32/27 (.32-.63), not the
# single host .49 the heading implies. Use 10.6.16.49/32 (plus .50 if both TS
# hosts serve it) or write the subnet explicitly so the intent is visible.
-A FORWARD -i bond1 -o bond2.20 -s 10.6.33.0/24 -d 10.6.16.49/27 -p tcp --dport 7777 -j ACCEPT

# Workstation net to terminal server web service (TCP 80, 7777; same /27 remark)
-A FORWARD -i bond2.48 -o bond2.20 -s 10.6.48.0/24 -d 10.6.16.49/27 -p tcp -m multiport --dports 80,7777 -j ACCEPT

#### Network drive mount from server net scadas
#### TCP 139, SMB 445
# NOTE(review): SCADA servers opening SMB to the whole TS subnet and to every
# workstation is a classic lateral-movement path (and the reverse of the usual
# client->server direction). If the share lives on SCADA, these rules are
# unnecessary; if it lives on TS/WS, pin -d to that host.
# to Terminal Server
-A FORWARD -o bond2.20 -i bond1 -d 10.6.16.0/26 -s 10.6.33.32/27 -p tcp -m multiport --dport 139,445 -j ACCEPT
# to Workstation
-A FORWARD -o bond2.48 -i bond1 -d 10.6.48.128/25 -s 10.6.33.32/27 -p tcp -m multiport --dport 139,445 -j ACCEPT

# From workstation to Terminal Server
# (10.6.16.49/27 is the 10.6.16.32/27 network, not host .49 -- see above)
-A FORWARD -i bond2.48 -o bond2.20 -s 10.6.48.128/25 -d 10.6.16.49/27 -p tcp -m multiport --dport 139,445 -j ACCEPT

#### NWSUS to windows update, all to NWSUS (disabled)
# NOTE(review): the second rule has no -i and -s 10.6.0.0/16, i.e. every zone
# to the whole of bond2.20 on 8530/8531 -- scope it to the WSUS host before
# ever re-enabling. Dead rules are better deleted and kept in version control.
#-A FORWARD -i bond2.20 -o bond3 -s 10.6.16.33/32 -m multiport -p tcp --dport 80,443 -j ACCEPT
#-A FORWARD -o bond2.20 -s 10.6.0.0/16 -m multiport -p tcp --dport 8530,8531 -j ACCEPT

#### iFix License server (disabled; 10.0.199.10 is beyond bond3)
# The two "--sport 3333" rules here would have the same source-port bypass as
# the ones removed elsewhere in this file -- do not re-enable them as written.
#-A FORWARD -i bond2.20 -o bond3 -s 10.6.16.0/26 -d 10.0.199.10/32 -m state --state NEW,ESTABLISHED -p tcp --dport 3333 -j ACCEPT
#-A FORWARD -o bond2.20 -i bond3 -d 10.6.16.0/26 -s 10.0.199.10/32 -m state --state NEW,ESTABLISHED -p tcp --sport 3333 -j ACCEPT
#-A FORWARD -i bond1 -o bond3 -s 10.6.33.0/24 -d 10.0.199.10/32 -m state --state NEW,ESTABLISHED -p tcp --dport 3333 -j ACCEPT
#-A FORWARD -o bond1 -i bond3 -d 10.6.33.0/24 -s 10.0.199.10/32 -m state --state NEW,ESTABLISHED -p tcp --sport 3333 -j ACCEPT

#### Get status from iLO to Scada (NCHWHealth)
# SCADA .34/.35 -> HTTPS on any host of the management net (no -d). Pin -d to
# the iLO addresses; as written this also reaches the vSphere hosts on 443.
-A FORWARD -i bond1 -o bond0 -s 10.6.33.34 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i bond1 -o bond0 -s 10.6.33.35 -p tcp --dport 443 -j ACCEPT

  255. ## POCR specific
  256. # From Backupserver to SCADA
  257. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.34 -p tcp --dport 2500:5000 -j ACCEPT
  258. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.34 -p tcp --dport 6160:6162 -j ACCEPT
  259. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.34 -p tcp -m multiport --dports 80,443,22,23,1066,8023,3389,445,17990,5480,902,9877 -j ACCEPT
  260. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.34 -p udp -m multiport --dports 137 -j ACCEPT
  261. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.35 -p tcp --dport 2500:5000 -j ACCEPT
  262. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.35 -p tcp --dport 6160:6162 -j ACCEPT
  263. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.35 -p tcp -m multiport --dports 80,443,22,23,1066,8023,3389,445,17990,5480,902,9877 -j ACCEPT
  264. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.35 -p udp -m multiport --dports 137 -j ACCEPT
  265. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.35 -p tcp --dport 2500:5000 -j ACCEPT
  266. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.35 -p tcp --dport 6160:6162 -j ACCEPT
  267. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.35 -p tcp -m multiport --dports 80,443,22,23,1066,8023,3389,445,17990,5480,902,9877 -j ACCEPT
  268. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.35 -p udp -m multiport --dports 137 -j ACCEPT
  269. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.35 -p tcp --dport 2500:5000 -j ACCEPT
  270. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.35 -p tcp --dport 6160:6162 -j ACCEPT
  271. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.35 -p tcp -m multiport --dports 80,443,22,23,1066,8023,3389,445,17990,5480,902,9877 -j ACCEPT
  272. -A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.35 -p udp -m multiport --dports 137 -j ACCEPT
  273.  
# From Backupserver to TS (10.6.16.49 / .50; same broad port list as above --
# telnet/SSH/RDP/SMB from the backup host to both TS nodes)
-A FORWARD -i bond0 -o bond2.20 -s 10.6.32.81 -d 10.6.16.49 -p tcp --dport 2500:5000 -j ACCEPT
-A FORWARD -i bond0 -o bond2.20 -s 10.6.32.81 -d 10.6.16.49 -p tcp --dport 6160:6162 -j ACCEPT
-A FORWARD -i bond0 -o bond2.20 -s 10.6.32.81 -d 10.6.16.49 -p tcp -m multiport --dports 80,443,22,23,1066,8023,3389,445,17990,5480,902,9877 -j ACCEPT
-A FORWARD -i bond0 -o bond2.20 -s 10.6.32.81 -d 10.6.16.49 -p udp -m multiport --dports 137 -j ACCEPT
-A FORWARD -i bond0 -o bond2.20 -s 10.6.32.81 -d 10.6.16.50 -p tcp --dport 2500:5000 -j ACCEPT
-A FORWARD -i bond0 -o bond2.20 -s 10.6.32.81 -d 10.6.16.50 -p tcp --dport 6160:6162 -j ACCEPT
-A FORWARD -i bond0 -o bond2.20 -s 10.6.32.81 -d 10.6.16.50 -p tcp -m multiport --dports 80,443,22,23,1066,8023,3389,445,17990,5480,902,9877 -j ACCEPT
-A FORWARD -i bond0 -o bond2.20 -s 10.6.32.81 -d 10.6.16.50 -p udp -m multiport --dports 137 -j ACCEPT
# From Backupserver to WS (every workstation in 10.6.48.128/25, including
# interactive ports -- the broadest target of this section)
-A FORWARD -i bond0 -o bond2.48 -s 10.6.32.81 -d 10.6.48.128/25 -p tcp --dport 2500:5000 -j ACCEPT
-A FORWARD -i bond0 -o bond2.48 -s 10.6.32.81 -d 10.6.48.128/25 -p tcp --dport 6160:6162 -j ACCEPT
-A FORWARD -i bond0 -o bond2.48 -s 10.6.32.81 -d 10.6.48.128/25 -p tcp -m multiport --dports 80,443,22,23,1066,8023,3389,445,17990,5480,902,9877 -j ACCEPT
-A FORWARD -i bond0 -o bond2.48 -s 10.6.32.81 -d 10.6.48.128/25 -p udp -m multiport --dports 137 -j ACCEPT
# From Backupserver to DWH (10.6.33.98 / .99, inside the Oracle range 10.6.33.96/28)
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.98 -p tcp --dport 2500:5000 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.98 -p tcp --dport 6160:6162 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.98 -p tcp -m multiport --dports 80,443,22,23,1066,8023,3389,445,17990,5480,902,9877 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.98 -p udp -m multiport --dports 137 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.99 -p tcp --dport 2500:5000 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.99 -p tcp --dport 6160:6162 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.99 -p tcp -m multiport --dports 80,443,22,23,1066,8023,3389,445,17990,5480,902,9877 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.99 -p udp -m multiport --dports 137 -j ACCEPT
# From Backupserver to NAD (the two domain controllers 10.6.33.8 / .9)
# NOTE(review): SMB, RDP, SSH and telnet from the backup host to the DCs means
# a backup-server compromise is a domain compromise; keep only the backup
# agent ports here.
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.8 -p tcp --dport 2500:5000 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.8 -p tcp --dport 6160:6162 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.8 -p tcp -m multiport --dports 80,443,22,23,1066,8023,3389,445,17990,5480,902,9877 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.8 -p udp -m multiport --dports 137 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.9 -p tcp --dport 2500:5000 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.9 -p tcp --dport 6160:6162 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.9 -p tcp -m multiport --dports 80,443,22,23,1066,8023,3389,445,17990,5480,902,9877 -j ACCEPT
-A FORWARD -i bond0 -o bond1 -s 10.6.32.81 -d 10.6.33.9 -p udp -m multiport --dports 137 -j ACCEPT
# From Backupserver to NGW-server and NFE-server
# INPUT: the firewall host itself (2500-2501, 6160-6162, SSH) -- the one
# place in this section where the port list is narrow; use it as the model.
-A INPUT -i bond0 -s 10.6.32.81 -p tcp --dport 2500:2501 -j ACCEPT
-A INPUT -i bond0 -s 10.6.32.81 -p tcp --dport 6160:6162 -j ACCEPT
-A INPUT -i bond0 -s 10.6.32.81 -p tcp --dport 22 -j ACCEPT
# FORWARD: NFE hosts 10.6.0.17 / .18
-A FORWARD -i bond0 -o bond2.10 -s 10.6.32.81 -d 10.6.0.17 -p tcp --dport 2500:5000 -j ACCEPT
-A FORWARD -i bond0 -o bond2.10 -s 10.6.32.81 -d 10.6.0.17 -p tcp --dport 6160:6162 -j ACCEPT
-A FORWARD -i bond0 -o bond2.10 -s 10.6.32.81 -d 10.6.0.17 -p tcp --dport 22 -j ACCEPT
-A FORWARD -i bond0 -o bond2.10 -s 10.6.32.81 -d 10.6.0.18 -p tcp --dport 2500:5000 -j ACCEPT
-A FORWARD -i bond0 -o bond2.10 -s 10.6.32.81 -d 10.6.0.18 -p tcp --dport 6160:6162 -j ACCEPT
-A FORWARD -i bond0 -o bond2.10 -s 10.6.32.81 -d 10.6.0.18 -p tcp --dport 22 -j ACCEPT
# Remote connection from hosts on bond3 (172.21.0.x) to the TS pair, RDP
# (MakarenkoN 2019-01-24)
# NOTE(review): interactive access from the least-trusted interface straight
# into DMZ2.0, and from the TS hosts the "Maintenance from TS" rules reach
# NFE/SCADA. The only control is the source address, and there is no
# anti-spoofing rule for bond3 in this file. Prefer a VPN or jump host
# terminating on bond3 with -s pinned to it; if the per-host list must stay,
# an ipset would replace these 44 rules with one and make review easier.
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.133 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.133 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.50 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.50 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.32 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.32 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.206 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.206 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.35 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.35 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.8 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.8 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.202 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.202 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.205 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.205 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.203 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.203 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.36 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.36 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.34 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.34 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.204 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.204 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.201 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.201 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.51 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.51 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.31 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.31 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.33 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.33 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.49 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.49 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.71 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.71 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.157 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.157 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.41 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.41 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.58 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.58 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.177 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond3 -s 172.21.0.177 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
# Workstation 10.6.48.150 -> TS, RDP. Already covered by the broader
# "Workstations to TS" rule (all of bond2.48 to bond2.20 on 3389) above, so
# these two never match; keep them only if that broader rule is tightened.
-A FORWARD -o bond2.20 -i bond2.48 -s 10.6.48.150 -d 10.6.16.49 -p tcp --dport 3389 -j ACCEPT
-A FORWARD -o bond2.20 -i bond2.48 -s 10.6.48.150 -d 10.6.16.50 -p tcp --dport 3389 -j ACCEPT
# Remote connections from NEWS to WSs TightVNC (MakarenkoN 2019-01-25)
# Two engineering workstations -> VNC (5900) on any host beyond bond3 (no -d).
# VNC's own authentication is weak and the session is unencrypted unless the
# viewer tunnels it; pin -d to the managed hosts and prefer SSH/VPN tunnelling.
-A FORWARD -i bond2.48 -o bond3 -s 10.6.48.161 -p tcp -m multiport --dport 5900 -j ACCEPT
-A FORWARD -i bond2.48 -o bond3 -s 10.6.48.162 -p tcp -m multiport --dport 5900 -j ACCEPT


  367. # Everything else forbidden
  368. -A INPUT -p udp -d 255.255.255.255 -j DROP
  369. -A INPUT -p udp --dport 136:139 -j DROP
  370. -A INPUT -p tcp --dport 136:139 -j DROP
  371. -A INPUT -p udp --dport 1947 -j DROP
  372. -A INPUT -j LogDrop
  373. -A FORWARD -j LogDrop
  374. -A OUTPUT -j LogDrop
  375. -A LogDrop -j LOG
  376. -A LogDrop -j DROP
  377.  
  378. COMMIT
  379.  
# NAT Rules
# No translation is configured. The empty table is still declared so that an
# iptables-restore of this file also replaces any NAT rules left from a
# previous load, instead of leaving them in place.
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
COMMIT