Commit 1f85dafd authored by Imran Hussain's avatar Imran Hussain
Browse files

Get rid of some old rules from the sucs fw

parent e364c11a

ansible/roles/sucs-firewall/templates/firewall-rules

+0 −25
Original line number Diff line number Diff line
@@ -169,9 +169,6 @@ $IPT -A OUTPUT -d $PROXY_BOX -p tcp -m state --state NEW -m tcp --dport 3128 -j 
#NUT (ups monitor to silver)

$IPT -A OUTPUT -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 3493 -j ACCEPT



#ganglia (to silver)

$IPT -A OUTPUT -d 137.44.10.1 -p udp -m state --state NEW -m udp --dport 8649 -j ACCEPT



#IMCP to anywhere

$IPT -A OUTPUT -p ICMP -j ACCEPT
@@ -301,12 +298,6 @@ $IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --dport 28785 -j ACCEPT 
$IPT -A FORWARD -d $GAMES_BOX -p tcp -m tcp --dport 28786 -j ACCEPT

$IPT -A FORWARD -d $GAMES_BOX -p udp -m udp --dport 28786 -j ACCEPT



#Try and get steam working from inside the room ~elbows



$IPT -A FORWARD -p udp -m udp --dport 27000:27030 -j ACCEPT

$IPT -A FORWARD -p tcp -m tcp --dport 27014:27050 -j ACCEPT

$IPT -A FORWARD -p udp -m udp --dport 4380 -j ACCEPT



#

# SUCS

# All rules for the sucs network go here
@@ -334,9 +325,6 @@ $IPT -A FORWARD -d 137.44.10.1 -p udp -m udp --dport 53 -j ACCEPT 
#SSH (to silver) from anywhere

$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT



#FTP (to silver) from anywhere

$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT



#SMTP (to silver) from anywhere

$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
@@ -360,10 +348,6 @@ $IPT -A FORWARD -d 137.44.10.1 -s $NET_CAMPUS -p tcp -m state --state NEW -m tcp 
$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 123 -j ACCEPT

$IPT -A FORWARD -d 137.44.10.1 -p udp -m udp --dport 123 -j ACCEPT



#SMB (to silver) from campus

$IPT -A FORWARD -d 137.44.10.1 -s $NET_CAMPUS -p tcp -m state --state NEW -m multiport --dport 139,445 -j ACCEPT

$IPT -A FORWARD -d 137.44.10.1 -s $NET_CAMPUS -p udp -m udp --dport 137:138 -j ACCEPT



#IMAP (to silver) from anywhere

$IPT -A FORWARD -d 137.44.10.1 -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
@@ -500,10 +484,6 @@ $IPT -A FORWARD -d $NET_VMS -i $INTERFACE_GUEST -m mark --mark 1 -j ACCEPT 
# Allow all from GUESTNet to Games Server if they are marked as allowed

$IPT -A FORWARD -d $GAMES_BOX -i $INTERFACE_GUEST -m mark --mark 1 -j ACCEPT



#SMB - Only to silver

$IPT -A FORWARD ! -d 137.44.10.1 -i $INTERFACE_GUEST -p tcp -m state --state NEW -m tcp --dport 137:139 -j DROP

$IPT -A FORWARD ! -d 137.44.10.1 -i $INTERFACE_GUEST -p udp -m udp --dport 137:139 -j DROP



#DNS - Only to campus

$IPT -A FORWARD ! -d $NET_CAMPUS -i $INTERFACE_GUEST -p tcp -m state --state NEW -m tcp --dport 53 -j DROP

$IPT -A FORWARD ! -d $NET_CAMPUS -i $INTERFACE_GUEST -p udp -m udp --dport 53 -j DROP
@@ -520,11 +500,6 @@ $IPT -t nat -A PREROUTING -i $INTERFACE_GUEST -m mark ! --mark 1 -p tcp -m tcp - 
# Rest of Transparent Proxy

$IPT -t nat -A PREROUTING ! -i $INTERFACE_OUTSIDE ! -s $PROXY_BOX ! -d $NET_INSIDE -p tcp --dport 80 -m policy --dir in --pol none -j DNAT --to $PROXY_BOX:$PROXY_PORT



# pptp vpns

$IPT -A FORWARD -i $INTERFACE_GUEST -p 47 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

$IPT -A FORWARD -s $NET_GUEST -p 47 -j ACCEPT

$IPT -A FORWARD -d $NET_GUEST -p 47 -j ACCEPT



#

# Outright Blocks on what GuestNET can talk to

#