# This file is generated from a template at /usr/local/pf/conf/iptables.conf
# Any changes made to this file will be lost on restart
# NOTE(review): a rendered copy like this one exposes the deployment's interface
# roles and internal addresses (see the dispatch rules at the end of each table);
# treat it as sensitive when sharing it for troubleshooting.

# iptables template
# This file is manipulated on PacketFence's startup before being given to iptables
# Layout: iptables-restore format, three tables (*filter, *mangle, *nat), each
# terminated by COMMIT. Within a chain the first matching rule wins, so the
# order of the rules below is part of the policy.
*filter

### INPUT ###
# Default-deny: anything not accepted here, or not dispatched to one of the
# per-interface chains below, is dropped.
:INPUT DROP [0:0]
# accept loopback stuff
-A INPUT --in-interface lo --jump ACCEPT
# accept anything related
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Accept Ping (easier troubleshooting)
# NOTE(review): echo-request is accepted on every interface with no source or
# rate restriction; fine for diagnostics, but a --limit match would cap ping
# floods if an exposed interface ever receives them.
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT

# Services reachable on the management interface. None of these rules carry a
# --source restriction, so the management network itself is the access-control
# boundary: whoever can reach the interface reaches every service in this chain.
:input-management-if - [0:0]
# SSH
-A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
# HTTP and HTTPS for the portal
-A input-management-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
# Web Admin
-A input-management-if --protocol tcp --match tcp --dport 1443 --jump ACCEPT
# Webservices
-A input-management-if --protocol tcp --match tcp --dport 9090 --jump ACCEPT
# AAA
-A input-management-if --protocol tcp --match tcp --dport 7070 --jump ACCEPT
# PacketFence Status
-A input-management-if --protocol tcp --match tcp --dport 9191 --jump ACCEPT
# httpd.portal modstatus
-A input-management-if --protocol tcp --match tcp --dport 1444 --jump ACCEPT
# httpd.collector
-A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT
# haproxy stats (uncomment if activating the haproxy dashboard)
#-A input-management-if --protocol tcp --match tcp --dport 1025 --jump ACCEPT
# GRAPHITE-WEB
-A input-management-if --protocol tcp --match tcp --dport 9000 --jump ACCEPT
# CARBON_CACHE
-A input-management-if --protocol tcp --match tcp --dport 2004 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 7002 --jump ACCEPT

# RADIUS
# 1812 auth, 1813 accounting, 1815 (additional listener), tcp/2083 = RadSec
# (RADIUS over TLS). The same set is repeated in input-radius-if below.
-A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1815 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
# RADIUS (eduroam virtual-server)
# eduroam integration is not configured

# SNMP Traps
-A input-management-if --protocol udp --match udp --dport 162  --jump ACCEPT
# DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
# DHCP is carried over UDP; the tcp/67 accept is harmless but matches nothing useful.
-A input-management-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# OpenVAS Administration Interface
# NOTE(review): scanner admin consoles are opened to the whole management
# network; confirm the scanners are actually installed on this host, otherwise
# these two accepts are unused exposure that can be commented out.
-A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
# Nessus Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 8834 --jump ACCEPT
# PacketFence-PKI
# -A input-management-if --protocol tcp --match tcp --dport 9393 --jump ACCEPT
# -A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT

# VRRP
# Multicast (224.0.0.0/8) and protocol vrrp accepted from any peer on the
# management side; presumably for keepalived failover — confirm a cluster exists.
-A input-management-if -d 224.0.0.0/8 -j ACCEPT
-A input-management-if -p vrrp -j ACCEPT
# Mysql
# NOTE(review): tcp/3306 is accepted from any source on the management
# interface. If this is only for cluster peers or a reporting host, a --source
# restriction to those addresses would narrow the exposure; confirm who needs it.
-A input-management-if --protocol tcp --match tcp --dport 3306 --jump ACCEPT

# Syslog
# Unauthenticated UDP syslog intake from the whole management network.
-A input-management-if --protocol udp --match udp --dport 514 --jump ACCEPT

# Captive portal on a dedicated portal interface.
# Not dispatched in this rendering (see the INPUT dispatch rules below).
:input-portal-if - [0:0]
-A input-portal-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-portal-if --protocol tcp --match tcp --dport 443 --jump ACCEPT

# RADIUS listeners on a RADIUS-role interface (same ports as in the
# management chain above).
:input-radius-if - [0:0]
-A input-radius-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1813 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1815 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
# eduroam integration is not configured


# Registration VLAN interface: only DNS, DHCP and the captive portal are
# reachable. Not dispatched in this rendering.
:input-internal-vlan-if - [0:0]
# DNS
-A input-internal-vlan-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
-A input-internal-vlan-if --protocol udp --match udp --dport 53  --jump ACCEPT
# DHCP
-A input-internal-vlan-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# HTTP (captive-portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
# HTTP (parking portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT



# Isolation VLAN interface: same minimal service set as the registration VLAN.
# Not dispatched in this rendering.
:input-internal-isol_vlan-if - [0:0]
# DNS
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
-A input-internal-isol_vlan-if --protocol udp --match udp --dport 53  --jump ACCEPT
# DHCP
-A input-internal-isol_vlan-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# HTTP (captive-portal)
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
# HTTP (parking portal)
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT


# Inline interface (eth1 in this rendering). Decisions here depend on the
# fwmark set in the mangle PREROUTING chain: 0x3 unregistered, 0x2 isolated,
# 0x1 registered.
:input-internal-inline-if - [0:0]
# DHCP
-A input-internal-inline-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# DNS
# allow unregistered users and isolated users to reach it for DNAT purposes but prevent registered ones
# Registered (0x1) clients are dropped here so they use the production resolver
# rather than the captive-portal DNS.
-A input-internal-inline-if --protocol tcp --match tcp --dport 53  --match mark --mark 0x3 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53  --match mark --mark 0x3 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 53  --match mark --mark 0x2 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53  --match mark --mark 0x2 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 53  --match mark --mark 0x1 --jump DROP
-A input-internal-inline-if --protocol udp --match udp --dport 53  --match mark --mark 0x1 --jump DROP
# HTTP (captive-portal)
# prevent registered users from reaching it
# TODO: Must work in dispatcher and Catalyst to redirect registered client out of the portal
#-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --match mark --mark 0x1 --jump DROP
#-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
# allow everyone else behind inline interface (not registered, isolated, etc.)
# With the two DROPs above still commented out, registered clients can reach
# the portal too; the TODO above tracks that.
-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 647 --jump ACCEPT


# Cluster interconnect. Not dispatched in this rendering; if it is enabled
# later, note that none of these rules restrict the peer source address.
:input-highavailability-if - [0:0]
#SSH
-A input-highavailability-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
#Galera cluster
-A input-highavailability-if --protocol tcp --match tcp --dport 4444 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 4567 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 4568 --jump ACCEPT
#PacketFence MariaDB Quorum server
-A input-highavailability-if --protocol tcp --match tcp --dport 7890 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 7891 --jump ACCEPT
# Corosync
-A input-highavailability-if --protocol udp --match udp --dport 5405 --jump ACCEPT
-A input-highavailability-if --protocol udp --match udp --dport 5407 --jump ACCEPT
#DRBD
-A input-highavailability-if --protocol tcp --match tcp --dport 7788 --jump ACCEPT
# Heartbeat
-A input-highavailability-if --protocol udp --match udp --dport 694 --jump ACCEPT
#PCS
-A input-highavailability-if --protocol tcp --match tcp --dport 2224 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 3121 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 21064 --jump ACCEPT

### FORWARD ###
# Default-deny for routed traffic; only the passthrough ipsets and registered
# inline clients are forwarded.
:FORWARD DROP [0:0]
# Not dispatched in this rendering.
:forward-internal-vlan-if - [0:0]
-A forward-internal-vlan-if -m set --match-set pfsession_passthrough dst,dst --jump ACCEPT
-A forward-internal-vlan-if -m set --match-set pfsession_passthrough src,src --jump ACCEPT


# Not dispatched in this rendering.
:forward-internal-isolvlan-if - [0:0]
-A forward-internal-isolvlan-if -m set --match-set pfsession_isol_passthrough dst,dst --jump ACCEPT
-A forward-internal-isolvlan-if -m set --match-set pfsession_isol_passthrough src,src --jump ACCEPT


# Unregistered (0x3) and isolated (0x2) clients may only reach their
# passthrough ipset; registered (0x1) clients are forwarded unconditionally.
:forward-internal-inline-if - [0:0]
-A forward-internal-inline-if --match mark --mark 0x3 -m set --match-set pfsession_passthrough dst,dst --jump ACCEPT
-A forward-internal-inline-if --match mark --mark 0x2 -m set --match-set pfsession_isol_passthrough dst,dst --jump ACCEPT
-A forward-internal-inline-if --match mark --mark 0x1 --jump ACCEPT

# Outbound traffic originated by this host is unrestricted.
:OUTPUT ACCEPT [0:0]

# These will redirect to the proper chains based on conf/pf.conf's configuration
# In this rendering only eth1 (inline, 10.0.128.0/19, PacketFence at 10.0.128.6)
# and eth2 (RADIUS + management) are dispatched. eth0 gets no INPUT dispatch, so
# packets arriving on it fall through to the INPUT DROP policy unless they are
# loopback, established/related or echo-request. input-portal-if,
# input-internal-vlan-if, input-internal-isol_vlan-if, input-highavailability-if,
# forward-internal-vlan-if and forward-internal-isolvlan-if are never jumped to.
-A INPUT --in-interface eth1 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface eth1 -p vrrp -j ACCEPT
# DHCP Sync
# Only traffic addressed to the inline IP or to the limited broadcast address
# enters the inline chain; anything else arriving on eth1 is dropped by policy.
-A INPUT --in-interface eth1 -d 10.0.128.6 --jump input-internal-inline-if
-A INPUT --in-interface eth1 -d 255.255.255.255 --jump input-internal-inline-if
# HTTPS to 10.254.188.20 (also the SNAT source used on eth2 in the nat table)
# is accepted from the inline side for every mark, presumably so inline clients
# can reach the portal on that address — confirm only the portal listens there.
-A INPUT --in-interface eth1 -d 10.254.188.20 --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A FORWARD --in-interface eth1 --jump forward-internal-inline-if
-A INPUT --in-interface eth2 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface eth2 -p vrrp -j ACCEPT
-A INPUT --in-interface eth2 --jump input-radius-if
-A INPUT --in-interface eth2 --jump input-management-if
# NOTE(review): this accepts every forwarded packet entering on eth0 bound for
# the inline network — including new connections — ahead of the state match on
# the next line. If eth0 faces a network that should not initiate connections
# to inline clients, restrict this to --state ESTABLISHED,RELATED as well.
-A FORWARD -d 10.0.128.0/19 --in-interface eth0 --jump ACCEPT
-A FORWARD --in-interface eth0 --match state --state ESTABLISHED,RELATED --jump ACCEPT

COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
# Classify inline clients by source address via ipset membership:
#   0x3 = unregistered, 0x2 = isolated, 0x1 = registered.
# The first rule marks everything 0x3 so an address in no set is treated as
# unregistered (fail-closed); keep it first — the set matches below override it.
:prerouting-int-inline-if - [0:0]
-A prerouting-int-inline-if --jump MARK --set-mark 0x3
-A prerouting-int-inline-if -m set --match-set pfsession_Unreg_10.0.128.0 src,src --jump MARK --set-mark 0x3
-A prerouting-int-inline-if -m set --match-set pfsession_Reg_10.0.128.0 src,src --jump MARK --set-mark 0x1
-A prerouting-int-inline-if -m set --match-set pfsession_Isol_10.0.128.0 src,src --jump MARK --set-mark 0x2
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Traffic-shaping: tag packets with tc class 1:1 .. 1:5 according to the
# inline L2 ID ipset the source or destination belongs to.
:postrouting-int-inline-if - [0:0]
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID1_10.0.128.0 src -j CLASSIFY --set-class 1:1
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID1_10.0.128.0 dst -j CLASSIFY --set-class 1:1
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID2_10.0.128.0 src -j CLASSIFY --set-class 1:2
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID2_10.0.128.0 dst -j CLASSIFY --set-class 1:2
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID3_10.0.128.0 src -j CLASSIFY --set-class 1:3
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID3_10.0.128.0 dst -j CLASSIFY --set-class 1:3
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID4_10.0.128.0 src -j CLASSIFY --set-class 1:4
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID4_10.0.128.0 dst -j CLASSIFY --set-class 1:4
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID5_10.0.128.0 src -j CLASSIFY --set-class 1:5
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID5_10.0.128.0 dst -j CLASSIFY --set-class 1:5

# These will redirect to the proper chains based on conf/pf.conf's configuration
# Marks are only assigned for packets entering on eth1; the filter and nat
# rules that match on --mark rely on this.
-A PREROUTING --in-interface eth1 --jump prerouting-int-inline-if
-A POSTROUTING --out-interface eth1 --jump postrouting-int-inline-if
-A POSTROUTING --out-interface eth0 --jump postrouting-int-inline-if
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:prerouting-int-inline-if - [0:0]
:postrouting-inline-routed - [0:0]
# Declared but left empty in this table (the MASQUERADE that would live here is
# commented out further down).
:postrouting-int-inline-if - [0:0]
:prerouting-int-vlan-if - [0:0]

# DNS from unregistered (0x3) and isolated (0x2) inline clients is redirected to
# PacketFence's own resolver at 10.0.128.6. Destinations in the passthrough
# ipsets are left untouched.
-A prerouting-int-inline-if --protocol udp --destination-port 53 -s 10.0.128.0/255.255.224.0 --match mark --mark 0x3 --jump DNAT --to 10.0.128.6
-A prerouting-int-inline-if --protocol udp --destination-port 53 -s 10.0.128.0/255.255.224.0 --match mark --mark 0x2 --jump DNAT --to 10.0.128.6
-A prerouting-int-inline-if -m set --match-set pfsession_passthrough dst,dst --match mark --mark 0x3 --jump ACCEPT
-A prerouting-int-inline-if -m set --match-set pfsession_isol_passthrough dst,dst --match mark --mark 0x2 --jump ACCEPT
# Only isolation-marked (0x2) web traffic is DNATed to the portal here. In this
# rendering unregistered (0x3) web traffic is not rewritten, so it is dropped in
# FORWARD unless the destination is in pfsession_passthrough — presumably the
# DNS redirection above is what steers unregistered clients to the portal;
# confirm that is the intended behaviour.
-A prerouting-int-inline-if --protocol tcp --destination-port 80 -s 10.0.128.0/255.255.224.0 --match mark --mark 0x2 --jump DNAT --to 10.0.128.6
-A prerouting-int-inline-if --protocol tcp --destination-port 443 -s 10.0.128.0/255.255.224.0 --match mark --mark 0x2 --jump DNAT --to 10.0.128.6
# Parking portal: applies on every interface (no --in-interface) for sources in
# the "parking" ipset.
-A PREROUTING -p tcp --dport 80 -m set --match-set parking src -j REDIRECT --to-port 5252
-A PREROUTING -p tcp --dport 443 -m set --match-set parking src -j REDIRECT --to-port 5252


:OUTPUT ACCEPT [0:0]
# These will redirect to the proper chains based on conf/pf.conf's configuration
# For each mark, traffic from the inline network leaving eth0 is sent to the
# routed chain (ACCEPT, no NAT); the following postrouting-int-inline-if jump
# only catches non-10.0.128.0/19 sources and is empty in this table anyway.
-A PREROUTING --in-interface eth1 --jump prerouting-int-inline-if
-A POSTROUTING --out-interface eth1 --jump postrouting-int-inline-if
-A POSTROUTING -s 10.0.128.0/19 --out-interface eth0 --match mark --mark 0x3 --jump postrouting-inline-routed
-A POSTROUTING --out-interface eth0 --match mark --mark 0x3 --jump postrouting-int-inline-if
-A POSTROUTING -s 10.0.128.0/19 --out-interface eth0 --match mark --mark 0x1 --jump postrouting-inline-routed
-A POSTROUTING --out-interface eth0 --match mark --mark 0x1 --jump postrouting-int-inline-if
-A POSTROUTING -s 10.0.128.0/19 --out-interface eth0 --match mark --mark 0x2 --jump postrouting-inline-routed
-A POSTROUTING --out-interface eth0 --match mark --mark 0x2 --jump postrouting-int-inline-if


:POSTROUTING ACCEPT [0:0]

#-A postrouting-int-inline-if --jump MASQUERADE


#
# Chain to enable routing instead of NAT
#
-A postrouting-inline-routed --jump ACCEPT


#
# NAT out (PAT actually)
#
# If you want to do your own thing regarding NAT like for example:
# - allowing through instead of doing NAT (make sure you have the proper return route)
# - traffic out on some interface other than management
# - overloading on multiple IP addresses
# Comment the next two lines and do it here on the POSTROUTING chain.
# Make sure to adjust the FORWARD rules also to allow traffic back-in.
# NOTE(review): in this rendering no NAT rule follows this comment and the
# MASQUERADE above is commented out, so inline client traffic leaving eth0 keeps
# its 10.0.128.0/19 source address; the upstream router must have a return
# route for that prefix or replies will never come back.


#
# Routing for the hidden domain network
#
# Link-local (169.254.0.0/16) sources leaving eth2 are rewritten to 10.254.188.20.
-A POSTROUTING -s 169.254.0.0/16 -o eth2 -j SNAT --to-source 10.254.188.20

COMMIT