Diffstat (limited to 'grid5000/steps/data/setup/puppet/modules/env/files/std/net_access/iptables')
-rw-r--r-- | grid5000/steps/data/setup/puppet/modules/env/files/std/net_access/iptables | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/grid5000/steps/data/setup/puppet/modules/env/files/std/net_access/iptables b/grid5000/steps/data/setup/puppet/modules/env/files/std/net_access/iptables
new file mode 100644
index 0000000..9721f72
--- /dev/null
+++ b/grid5000/steps/data/setup/puppet/modules/env/files/std/net_access/iptables
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# MANAGED BY PUPPET
+# Module:: env::std::net_access
+#
+
+/sbin/iptables-restore <<EOF
+*filter
+
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+#Log outgoing traffic to NAT
+# ACCEPT even if it's the default policy : Avoid having these destinations in the logs
+-A OUTPUT -d 127.0.0.1 -j ACCEPT
+-A OUTPUT -d 172.16.0.0/12 -j ACCEPT
+-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
+-A OUTPUT -d 192.168.4.0/24 -j ACCEPT
+-A OUTPUT -d 192.168.66.0/24 -j ACCEPT
+# Multicast traffic
+-A OUTPUT -d 224.0.0.0/4 -j ACCEPT
+
+# Rate-limit UDP logging to 10 pkt/s per destination IP
+# https://intranet.grid5000.fr/bugzilla/show_bug.cgi?id=12295
+-A OUTPUT -p udp -m hashlimit --hashlimit-name UDPG5K --hashlimit-rate-match --hashlimit-above 10/s --hashlimit-mode dstip -j ACCEPT
+
+# Log everything else : it's going outside g5k
+-A OUTPUT -m conntrack --ctstate NEW -j LOG --log-level 7 --log-uid --log-prefix "outgoing traffic "
+COMMIT
+EOF |
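Review bot: The final LOG rule is unbounded for every protocol except UDP — the only cap is the hashlimit line above it, and that line matches `-p udp`, so a TCP or ICMP scan from a node (each SYN to a new destination/port is a NEW conntrack entry) can flood the kernel log and whatever collects it, and even for UDP the `dstip` mode still allows 10 lines/s per destination, so a sweep over many destinations is not bounded in total. Since the stated goal is to rate-limit the logging rather than the traffic, the cap belongs on the LOG rule itself and should be protocol-agnostic, e.g. drop the UDP ACCEPT line and write `-A OUTPUT -m conntrack --ctstate NEW -m hashlimit --hashlimit-name LOGG5K --hashlimit-upto 10/s --hashlimit-mode dstip -j LOG --log-level 7 --log-uid --log-prefix "outgoing traffic "`, preceded by a global `-A OUTPUT -m conntrack --ctstate NEW -m limit ! --limit 100/s -j ACCEPT`-style ceiling (or an explicit `--hashlimit-htable-max`) so the per-destination table cannot be grown without bound. Two gaps to confirm rather than defects visible in the hunk: only `iptables-restore` is run, so if these nodes have IPv6 routing the same outgoing connections are not logged at all and an equivalent `ip6tables-restore` block would be needed, and the loopback exception is `127.0.0.1` (a /32) rather than `127.0.0.0/8`. The heredoc is unquoted (`<<EOF`), so `$` and backticks would be expanded by `sh`; nothing in the current ruleset triggers that, but `<<'EOF'` keeps a generated firewall script literal and is the safer habit.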