# This file is generated from a template at /usr/local/pf/conf/iptables.conf
# Any changes made to this file will be lost on restart

# iptables template
# This file is manipulated on PacketFence's startup before being given to iptables
#
# Review notes: this is an iptables-restore style dump with three tables
# (filter, mangle, nat). Per-interface chains are declared first and only
# become active through the dispatch rules at the end of each table; a chain
# that no dispatch rule jumps to is inert in this instance.
*filter

### INPUT ###
# Default-deny: anything not accepted below, or by a dispatched per-interface
# chain, is dropped.
:INPUT DROP [0:0]
# accept loopback stuff
-A INPUT --in-interface lo --jump ACCEPT
# accept anything related
# Reply traffic for connections conntrack already knows about; evaluated
# before any interface-specific chain.
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Accept Ping (easier troubleshooting)
# NOTE(review): matches on every interface (no --in-interface) and has no
# rate limit; add "-m limit" if ICMP floods from client or upstream segments
# are a concern.
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT

# Management-interface chain. Dispatched from INPUT for eth2 (after
# input-radius-if). None of these rules carries a --source match, so every
# listener below is reachable from any host that can send to the management
# interface.
:input-management-if - [0:0]
# SSH
# NOTE(review): no --source filter; restrict to admin networks if the
# management segment is shared with other systems.
-A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
# HTTP and HTTPS for the portal
-A input-management-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
# Web Admin
# NOTE(review): admin UI exposed to the whole management segment; consider
# the same --source allow-list as SSH.
-A input-management-if --protocol tcp --match tcp --dport 1443 --jump ACCEPT
# Webservices
-A input-management-if --protocol tcp --match tcp --dport 9090 --jump ACCEPT
# AAA
-A input-management-if --protocol tcp --match tcp --dport 7070 --jump ACCEPT
# PacketFence Status
-A input-management-if --protocol tcp --match tcp --dport 9191 --jump ACCEPT
# httpd.portal modstatus
-A input-management-if --protocol tcp --match tcp --dport 1444 --jump ACCEPT
# httpd.collector
-A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT
# haproxy stats (uncomment if activating the haproxy dashboard)
#-A input-management-if --protocol tcp --match tcp --dport 1025 --jump ACCEPT
# GRAPHITE-WEB
-A input-management-if --protocol tcp --match tcp --dport 9000 --jump ACCEPT
# CARBON_CACHE
# NOTE(review): carbon receivers are typically unauthenticated metric
# writers; keep them reachable only from the hosts that ship metrics.
-A input-management-if --protocol tcp --match tcp --dport 2004 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 7002 --jump ACCEPT

# RADIUS
# Same listeners as input-radius-if (1812 auth, 1813 acct, 1815, 2083/tcp
# RadSec). Both chains are dispatched for eth2, so these are duplicates for
# the management interface.
-A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
-A input-management-if --protocol udp --match udp --dport 1815 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
# RADIUS (eduroam virtual-server)
# eduroam integration is not configured

# SNMP Traps
# NOTE(review): UDP with no --source; trap and syslog senders are trivially
# spoofable, so restrict these to the switches/hosts expected to send them.
-A input-management-if --protocol udp --match udp --dport 162  --jump ACCEPT
# DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
# (DHCP is UDP; the tcp/67 rule is not expected to match real traffic.)
-A input-management-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# OpenVAS Administration Interface
# NOTE(review): scanner admin UIs are reachable from the whole management
# segment; source-restrict them if they are not meant to be shared.
-A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
# Nessus Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 8834 --jump ACCEPT
# PacketFence-PKI
# (Disabled here. Note the second line's 9292 is already accepted above for
# httpd.collector.)
# -A input-management-if --protocol tcp --match tcp --dport 9393 --jump ACCEPT
# -A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT

# VRRP
# Accepts any protocol addressed to 224.0.0.0/8 plus VRRP (IP protocol 112)
# from any source. Nothing here prevents a host on the same segment from
# sending VRRP advertisements; that has to be handled by the VRRP/keepalived
# configuration itself.
-A input-management-if -d 224.0.0.0/8 -j ACCEPT
-A input-management-if -p vrrp -j ACCEPT
# Mysql
# NOTE(review): 3306 is open to any host on the management segment. Cluster
# replication (Galera 4444/4567/4568) is covered by input-highavailability-if,
# so if only local/cluster clients need the database, add a --source
# allow-list here.
-A input-management-if --protocol tcp --match tcp --dport 3306 --jump ACCEPT

# Syslog
# (See the SNMP note above: UDP, no --source restriction.)
-A input-management-if --protocol udp --match udp --dport 514 --jump ACCEPT

# Portal-interface chain (HTTP/HTTPS only). Declared but not referenced by
# any dispatch rule in this file, so it is inert in this instance.
:input-portal-if - [0:0]
-A input-portal-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-portal-if --protocol tcp --match tcp --dport 443 --jump ACCEPT

# RADIUS chain; dispatched from INPUT for eth2 ahead of input-management-if.
# 1812/1813 = auth/acct, 2083/tcp = RadSec (RADIUS over TLS). There is no
# --source restriction, so which NAS devices may talk to the server rests on
# the RADIUS shared secrets rather than on this firewall.
:input-radius-if - [0:0]
-A input-radius-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1813 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1815 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
# eduroam integration is not configured


# Registration-VLAN chain (DNS, DHCP, captive portal, parking portal).
# Declared but not referenced by any dispatch rule in this file, so it is
# inert in this instance.
:input-internal-vlan-if - [0:0]
# DNS
-A input-internal-vlan-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
-A input-internal-vlan-if --protocol udp --match udp --dport 53  --jump ACCEPT
# DHCP
-A input-internal-vlan-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# HTTP (captive-portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
# (647/tcp: purpose not stated in this file.)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
# HTTP (parking portal)
# Target of the nat PREROUTING parking REDIRECT (port 5252).
-A input-internal-vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT



# Isolation-VLAN chain; same listeners as input-internal-vlan-if. Declared
# but not referenced by any dispatch rule in this file, so it is inert in
# this instance.
:input-internal-isol_vlan-if - [0:0]
# DNS
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
-A input-internal-isol_vlan-if --protocol udp --match udp --dport 53  --jump ACCEPT
# DHCP
-A input-internal-isol_vlan-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# HTTP (captive-portal)
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
# (647/tcp: purpose not stated in this file.)
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
# HTTP (parking portal)
# Target of the nat PREROUTING parking REDIRECT (port 5252).
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT


# Inline-interface chain. Dispatched from INPUT for packets arriving on eth1
# addressed to 10.0.128.6 or to 255.255.255.255. Packet marks are assigned
# in the mangle table: 0x3 = unregistered (default), 0x1 = registered,
# 0x2 = isolation.
:input-internal-inline-if - [0:0]
# DHCP
-A input-internal-inline-if --protocol udp --match udp --dport 67  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
# DNS
# allow unregistered users and isolated users to reach it for DNAT purposes but prevent registered ones
# (The nat table DNATs 0x3/0x2 clients' DNS to 10.0.128.6. Registered
# clients get an explicit DROP; falling through to the INPUT policy would
# have the same effect, this just makes the intent visible.)
-A input-internal-inline-if --protocol tcp --match tcp --dport 53  --match mark --mark 0x3 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53  --match mark --mark 0x3 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 53  --match mark --mark 0x2 --jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53  --match mark --mark 0x2 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 53  --match mark --mark 0x1 --jump DROP
-A input-internal-inline-if --protocol udp --match udp --dport 53  --match mark --mark 0x1 --jump DROP
# HTTP (captive-portal)
# prevent registered users from reaching it
# TODO: Must work in dispatcher and Catalyst to redirect registered client out of the portal
#-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --match mark --mark 0x1 --jump DROP
#-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
# allow everyone else behind inline interface (not registered, isolated, etc.)
# NOTE(review): with the two DROP rules above commented out, registered (0x1)
# clients can still reach the portal on 80/443 — the rules below are
# unconditional.
-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
# NOTE(review): there is no rule for 5252 here, although the nat PREROUTING
# parking REDIRECT sends parked clients' 80/443 to that port on every
# interface. Parked inline clients would hit the INPUT DROP policy unless a
# rule is added at startup — verify parking works on the inline segment.


# High-availability (cluster) interface chain. Declared but not referenced by
# any dispatch rule in this file, so it is inert in this instance. If it is
# enabled, note that none of the cluster services below has a --source
# restriction: this assumes the HA link is a dedicated, isolated segment.
:input-highavailability-if - [0:0]
#SSH
-A input-highavailability-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
#Galera cluster
# 4444 = state snapshot transfer, 4567 = replication, 4568 = incremental
# state transfer.
-A input-highavailability-if --protocol tcp --match tcp --dport 4444 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 4567 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 4568 --jump ACCEPT
#PacketFence MariaDB Quorum server
-A input-highavailability-if --protocol tcp --match tcp --dport 7890 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 7891 --jump ACCEPT
# Corosync
-A input-highavailability-if --protocol udp --match udp --dport 5405 --jump ACCEPT
-A input-highavailability-if --protocol udp --match udp --dport 5407 --jump ACCEPT
#DRBD
-A input-highavailability-if --protocol tcp --match tcp --dport 7788 --jump ACCEPT
# Heartbeat
-A input-highavailability-if --protocol udp --match udp --dport 694 --jump ACCEPT
#PCS
-A input-highavailability-if --protocol tcp --match tcp --dport 2224 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 3121 --jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 21064 --jump ACCEPT

### FORWARD ###
# Default-deny for transit traffic; only the per-interface chains dispatched
# at the end of this table (and the eth0 rules there) open anything.
:FORWARD DROP [0:0]
# Registration-VLAN forwarding: only flows to/from the pfsession_passthrough
# ipset. Not referenced by any dispatch rule in this file (inert here).
:forward-internal-vlan-if - [0:0]
-A forward-internal-vlan-if -m set --match-set pfsession_passthrough dst,dst --jump ACCEPT
-A forward-internal-vlan-if -m set --match-set pfsession_passthrough src,src --jump ACCEPT


# Isolation-VLAN forwarding: only flows to/from pfsession_isol_passthrough.
# Not referenced by any dispatch rule in this file (inert here).
:forward-internal-isolvlan-if - [0:0]
-A forward-internal-isolvlan-if -m set --match-set pfsession_isol_passthrough dst,dst --jump ACCEPT
-A forward-internal-isolvlan-if -m set --match-set pfsession_isol_passthrough src,src --jump ACCEPT


# Inline forwarding policy, dispatched for traffic entering on eth1:
#   0x3 unregistered -> only destinations in pfsession_passthrough
#   0x2 isolation    -> only destinations in pfsession_isol_passthrough
#   0x1 registered   -> everything
# Anything else falls back to the FORWARD DROP policy.
:forward-internal-inline-if - [0:0]
-A forward-internal-inline-if --match mark --mark 0x3 -m set --match-set pfsession_passthrough dst,dst --jump ACCEPT
-A forward-internal-inline-if --match mark --mark 0x2 -m set --match-set pfsession_isol_passthrough dst,dst --jump ACCEPT
-A forward-internal-inline-if --match mark --mark 0x1 --jump ACCEPT

# Locally generated traffic is not filtered.
:OUTPUT ACCEPT [0:0]

# These will redirect to the proper chains based on conf/pf.conf's configuration
# Interface roles as used in this instance: eth1 = inline client network
# (10.0.128.0/19; 10.0.128.6 is the address the INPUT and DNAT rules target),
# eth2 = management + RADIUS, eth0 = upstream side for routed inline traffic.
# eth0 has no INPUT dispatch, so only the generic lo/ESTABLISHED/ping rules
# apply to it.
-A INPUT --in-interface eth1 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface eth1 -p vrrp -j ACCEPT
# DHCP Sync
-A INPUT --in-interface eth1 -d 10.0.128.6 --jump input-internal-inline-if
-A INPUT --in-interface eth1 -d 255.255.255.255 --jump input-internal-inline-if
# Lets inline clients reach 10.254.188.20 on 443 via eth1. That address is
# the SNAT source used on eth2 below, so presumably the management IP —
# TODO confirm this exposure is intended.
-A INPUT --in-interface eth1 -d 10.254.188.20 --protocol tcp --match tcp --dport 443 --jump ACCEPT
-A FORWARD --in-interface eth1 --jump forward-internal-inline-if
-A INPUT --in-interface eth2 -d 224.0.0.0/8 -j ACCEPT
-A INPUT --in-interface eth2 -p vrrp -j ACCEPT
-A INPUT --in-interface eth2 --jump input-radius-if
-A INPUT --in-interface eth2 --jump input-management-if
# NOTE(review): unconditional — every new connection arriving on eth0 for the
# inline prefix is forwarded with no state or source check, so inline clients
# are reachable for unsolicited inbound traffic from the eth0 side. The
# ESTABLISHED,RELATED rule after it only adds coverage for other
# destinations. If upstream hosts should not be able to initiate connections
# to clients, narrow this rule with --source.
-A FORWARD -d 10.0.128.0/19 --in-interface eth0 --jump ACCEPT
-A FORWARD --in-interface eth0 --match state --state ESTABLISHED,RELATED --jump ACCEPT

COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:prerouting-int-inline-if - [0:0]
# Mark every packet entering on the inline interface by client state. MARK
# is non-terminating, so the last matching rule wins: the default is 0x3
# (unregistered), then the Unreg/Reg/Isol ipsets override it. A source
# present in more than one set ends up with the mark of the last rule
# (Isol = 0x2). The filter and nat tables key on these marks.
-A prerouting-int-inline-if --jump MARK --set-mark 0x3
-A prerouting-int-inline-if -m set --match-set pfsession_Unreg_10.0.128.0 src,src --jump MARK --set-mark 0x3
-A prerouting-int-inline-if -m set --match-set pfsession_Reg_10.0.128.0 src,src --jump MARK --set-mark 0x1
-A prerouting-int-inline-if -m set --match-set pfsession_Isol_10.0.128.0 src,src --jump MARK --set-mark 0x2
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:postrouting-int-inline-if - [0:0]
# Traffic-shaping classification: membership in PF-iL2_ID{1..5} maps to tc
# classes 1:1..1:5 in both directions. CLASSIFY only tags the packet; the
# actual shaping is in the tc qdisc configuration, not in this file.
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID1_10.0.128.0 src -j CLASSIFY --set-class 1:1
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID1_10.0.128.0 dst -j CLASSIFY --set-class 1:1
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID2_10.0.128.0 src -j CLASSIFY --set-class 1:2
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID2_10.0.128.0 dst -j CLASSIFY --set-class 1:2
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID3_10.0.128.0 src -j CLASSIFY --set-class 1:3
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID3_10.0.128.0 dst -j CLASSIFY --set-class 1:3
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID4_10.0.128.0 src -j CLASSIFY --set-class 1:4
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID4_10.0.128.0 dst -j CLASSIFY --set-class 1:4
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID5_10.0.128.0 src -j CLASSIFY --set-class 1:5
-A postrouting-int-inline-if -m set --match-set PF-iL2_ID5_10.0.128.0 dst -j CLASSIFY --set-class 1:5

# These will redirect to the proper chains based on conf/pf.conf's configuration
# Marks are assigned only on ingress from eth1; classification is applied on
# egress via eth1 and eth0.
-A PREROUTING --in-interface eth1 --jump prerouting-int-inline-if
-A POSTROUTING --out-interface eth1 --jump postrouting-int-inline-if
-A POSTROUTING --out-interface eth0 --jump postrouting-int-inline-if
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:prerouting-int-inline-if - [0:0]
:postrouting-inline-routed - [0:0]
:postrouting-int-inline-if - [0:0]
# Declared but never referenced in this file (inert).
:prerouting-int-vlan-if - [0:0]

# Captive-portal redirection for inline clients (dispatched for eth1).
# Unregistered (0x3) and isolated (0x2) clients have their DNS rewritten to
# 10.0.128.6. Passthrough destinations are ACCEPTed next; in the nat table
# ACCEPT ends rule evaluation, so they are exempt from the HTTP/HTTPS DNAT
# that follows. Only isolation (0x2) clients get 80/443 rewritten to the
# portal here; unregistered clients are not rewritten in this table and
# presumably reach the portal through the DNS answers — confirm.
-A prerouting-int-inline-if --protocol udp --destination-port 53 -s 10.0.128.0/255.255.224.0 --match mark --mark 0x3 --jump DNAT --to 10.0.128.6
-A prerouting-int-inline-if --protocol udp --destination-port 53 -s 10.0.128.0/255.255.224.0 --match mark --mark 0x2 --jump DNAT --to 10.0.128.6
-A prerouting-int-inline-if -m set --match-set pfsession_passthrough dst,dst --match mark --mark 0x3 --jump ACCEPT
-A prerouting-int-inline-if -m set --match-set pfsession_isol_passthrough dst,dst --match mark --mark 0x2 --jump ACCEPT
-A prerouting-int-inline-if --protocol tcp --destination-port 80 -s 10.0.128.0/255.255.224.0 --match mark --mark 0x2 --jump DNAT --to 10.0.128.6
-A prerouting-int-inline-if --protocol tcp --destination-port 443 -s 10.0.128.0/255.255.224.0 --match mark --mark 0x2 --jump DNAT --to 10.0.128.6
# Parking: members of the "parking" ipset have 80/443 redirected to the
# local parking portal on 5252, on every interface (no --in-interface match).
# NOTE(review): 5252 is only accepted in the input-internal-vlan-if /
# input-internal-isol_vlan-if chains, which nothing in this file dispatches;
# verify that parked clients' redirected packets are accepted somewhere.
-A PREROUTING -p tcp --dport 80 -m set --match-set parking src -j REDIRECT --to-port 5252
-A PREROUTING -p tcp --dport 443 -m set --match-set parking src -j REDIRECT --to-port 5252


:OUTPUT ACCEPT [0:0]
# These will redirect to the proper chains based on conf/pf.conf's configuration
-A PREROUTING --in-interface eth1 --jump prerouting-int-inline-if
-A POSTROUTING --out-interface eth1 --jump postrouting-int-inline-if
# For each client state, traffic from the inline prefix leaving via eth0 is
# ACCEPTed by postrouting-inline-routed (terminating in the nat table, so no
# source NAT is applied: routed mode). Anything else carrying that mark goes
# to postrouting-int-inline-if, which holds no active rules in this instance.
-A POSTROUTING -s 10.0.128.0/19 --out-interface eth0 --match mark --mark 0x3 --jump postrouting-inline-routed
-A POSTROUTING --out-interface eth0 --match mark --mark 0x3 --jump postrouting-int-inline-if
-A POSTROUTING -s 10.0.128.0/19 --out-interface eth0 --match mark --mark 0x1 --jump postrouting-inline-routed
-A POSTROUTING --out-interface eth0 --match mark --mark 0x1 --jump postrouting-int-inline-if
-A POSTROUTING -s 10.0.128.0/19 --out-interface eth0 --match mark --mark 0x2 --jump postrouting-inline-routed
-A POSTROUTING --out-interface eth0 --match mark --mark 0x2 --jump postrouting-int-inline-if


:POSTROUTING ACCEPT [0:0]

# Disabled: with this commented out the inline network is routed rather than
# masqueraded (see postrouting-inline-routed above), so the upstream side
# must have a return route for 10.0.128.0/19.
#-A postrouting-int-inline-if --jump MASQUERADE


#
# Chain to enable routing instead of NAT
#
# ACCEPT is terminating in the nat table: matching packets leave without
# any NAT mapping.
-A postrouting-inline-routed --jump ACCEPT


#
# NAT out (PAT actually)
#
# If you want to do your own thing regarding NAT like for example:
# - allowing through instead of doing NAT (make sure you have the proper return route)
# - traffic out on some interface other than management
# - overloading on multiple IP addresses
# the MASQUERADE rule above is already commented out in this instance; add
# your own rules here on the POSTROUTING chain.
# Make sure to adjust the FORWARD rules also to allow traffic back-in.


#
# Routing for the hidden domain network
#
# Sources in 169.254.0.0/16 leaving via eth2 are SNATed to 10.254.188.20.
# NOTE(review): the filter FORWARD chain in this file has no ACCEPT for
# 169.254.0.0/16; if this traffic is forwarded rather than locally generated,
# the matching FORWARD rule must come from elsewhere (e.g. added at startup)
# — confirm.
-A POSTROUTING -s 169.254.0.0/16 -o eth2 -j SNAT --to-source 10.254.188.20

COMMIT