
Comments (1)

drosofff avatar drosofff commented on June 21, 2024

@rowlandm
I am copying the content of your rules.v4.txt below and closing the issue.
Thank you very much!

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
*filter
# Allow all outgoing, but drop incoming and forwarding packets by default
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Custom Docker chains
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
# Custom per-protocol chains
:UDP - [0:0]
:TCP - [0:0]
:ICMP - [0:0]

# Acceptable Docker traffic
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
# Acceptable UDP traffic
# Acceptable TCP traffic
-A TCP -p tcp --dport 22 -j ACCEPT
#-A TCP -p tcp --dport 80 -j ACCEPT
#-A TCP -p tcp --dport 443 -j ACCEPT
#http
-A TCP -s 203.101.227.3     -p tcp --dport 80 -j ACCEPT
-A TCP -s 45.113.232.155    -p tcp --dport 80 -j ACCEPT
-A TCP -s 43.240.97.231     -p tcp --dport 80 -j ACCEPT
-A TCP -s 43.240.96.62      -p tcp --dport 80 -j ACCEPT
-A TCP -s 115.146.86.78     -p tcp --dport 80 -j ACCEPT
-A TCP -s 203.101.226.197   -p tcp --dport 80 -j ACCEPT
-A TCP -s 115.146.88.148    -p tcp --dport 80 -j ACCEPT
-A TCP -s 203.101.234.122   -p tcp --dport 80 -j ACCEPT
#https
-A TCP -s 203.101.227.3     -p tcp --dport 443 -j ACCEPT
-A TCP -s 45.113.232.155    -p tcp --dport 443 -j ACCEPT
-A TCP -s 43.240.97.231     -p tcp --dport 443 -j ACCEPT
-A TCP -s 43.240.96.62      -p tcp --dport 443 -j ACCEPT
-A TCP -s 115.146.86.78     -p tcp --dport 443 -j ACCEPT
-A TCP -s 203.101.226.197   -p tcp --dport 443 -j ACCEPT
-A TCP -s 115.146.88.148    -p tcp --dport 443 -j ACCEPT
-A TCP -s 203.101.234.122   -p tcp --dport 443 -j ACCEPT
#rowland
-A TCP -s 220.237.12.233    -p tcp --dport 443 -j ACCEPT
-A TCP -s 220.237.12.233    -p tcp --dport 80  -j ACCEPT
#Isha
-A TCP -s 61.68.224.97    -p tcp --dport 443 -j ACCEPT
-A TCP -s 61.68.224.97    -p tcp --dport 80  -j ACCEPT
#steve
-A TCP -s 60.241.107.11    -p tcp --dport 443 -j ACCEPT
-A TCP -s 60.241.107.11    -p tcp --dport 80  -j ACCEPT

# Acceptable ICMP traffic
-A INPUT -p icmp -j ACCEPT

# Boilerplate acceptance policy
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT

# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Pass traffic to protocol-specific chains
## Only allow new connections (established and related should already be handled)
## For TCP, additionally only allow new SYN packets since that is the only valid
## method for establishing a new TCP connection
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
#-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP

# Reject anything that's fallen through to this point
## Try to be protocol-specific w/ rejection message
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# Commit the changes
COMMIT

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

from galaxykickstart.
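To see what a ruleset in this shape actually exposes, here is an added audit script (an editor's example, not part of galaxykickstart or the poster's file): it parses the iptables-save format, follows INPUT's jumps into the per-protocol TCP/UDP chains, and lists for each destination port which sources may open a new connection ('any' meaning open to the world), plus user chains that nothing reaches (here ICMP, as in the file above). The embedded RULES text is a constructed excerpt with the file's structure and one of its hosts; `parse_filter` and `exposure` are hypothetical names.

```python
"""Audit an iptables-save style rules file like the rules.v4 above: parse the
*filter table, follow INPUT's jumps into the per-protocol chains and report,
per destination port, which sources may open a new connection."""
# Constructed excerpt of the posted file: same structure, fewer hosts.
RULES = """\
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
:ICMP - [0:0]
-A TCP -p tcp --dport 22 -j ACCEPT
-A TCP -s 203.101.227.3 -p tcp --dport 80 -j ACCEPT
-A TCP -s 203.101.227.3 -p tcp --dport 443 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
"""

def parse_filter(text):
    """Return ({chain: policy}, [tokenised -A rules]) for the *filter table."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # user chains carry '-'
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            rules.append(line.split())
    return policies, rules

def exposure(text):
    """Return (policies, {'proto/port': {sources}}, unused user chains)."""
    policies, rules = parse_filter(text)
    # Chains INPUT jumps to are reachable; other user chains are dead code.
    reachable = {"INPUT"} | {r[r.index("-j") + 1] for r in rules
                             if r[1] == "INPUT" and "-j" in r}
    unused = {c for c, p in policies.items() if p == "-" and c not in reachable}
    exposed = {}
    for r in rules:
        if r[1] in reachable and r[-1] == "ACCEPT" and "--dport" in r:
            key = f"{r[r.index('-p') + 1]}/{r[r.index('--dport') + 1]}"
            src = r[r.index("-s") + 1] if "-s" in r else "any"  # 'any' = open
            exposed.setdefault(key, set()).add(src)
    return policies, exposed, unused
```

Run against the full posted file, the same logic reports tcp/22 open to any source, tcp/80 and tcp/443 limited to the listed hosts, and ICMP as a defined but unreferenced chain.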
