1 files changed, 31 insertions, 0 deletions

diff --git a/grid5000/steps/data/setup/puppet/modules/env/files/std/net_access/iptables b/grid5000/steps/data/setup/puppet/modules/env/files/std/net_access/iptables
new file mode 100644
index 0000000..9721f72
--- /dev/null
+++ b/grid5000/steps/data/setup/puppet/modules/env/files/std/net_access/iptables
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# MANAGED BY PUPPET
+# Module:: env::std::net_access
+#
+
+/sbin/iptables-restore <<EOF
+*filter
+
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+
+#Log outgoing traffic to NAT
+# ACCEPT even if it's the default policy : Avoid having these destinations in the logs
+-A OUTPUT -d 127.0.0.1 -j ACCEPT
+-A OUTPUT -d 172.16.0.0/12 -j ACCEPT
+-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
+-A OUTPUT -d 192.168.4.0/24 -j ACCEPT
+-A OUTPUT -d 192.168.66.0/24 -j ACCEPT
+# Multicast traffic
+-A OUTPUT -d 224.0.0.0/4 -j ACCEPT
+
+# Rate-limit UDP logging to 10 pkt/s per destination IP
+# https://intranet.grid5000.fr/bugzilla/show_bug.cgi?id=12295
+-A OUTPUT -p udp -m hashlimit --hashlimit-name UDPG5K --hashlimit-rate-match --hashlimit-above 10/s --hashlimit-mode dstip -j ACCEPT
+
+# Log everything else : it's going outside g5k
+-A OUTPUT -m conntrack --ctstate NEW -j LOG --log-level 7 --log-uid --log-prefix "outgoing traffic "
+COMMIT
+EOF