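# iptables file standard for all CONTAINERs.
# Firewall configuration written by vzgot.
# The file is common and is added to each container
# if present on the HN as /var/lib/vzgot/etc/sysconfig/iptables.
# This file is given as a working example.
#
# Layout: INPUT and FORWARD both jump to the user chain "std", which
# whitelists a fixed set of services and ends with an unconditional
# log-and-reject.  OUTPUT is not filtered by this file.
*filter
#-----------------------------------------------------------
# Built-in chain policies.  A chain's policy is only applied to packets
# that fall off the end of the chain.  Every packet entering INPUT or
# FORWARD is consumed by "std" (its last rule always terminates), so a
# DROP policy changes nothing for the rule set below -- but it fails
# closed instead of open if "std" is ever flushed, or edited so that
# packets return from it.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# User chains, all declared here instead of mixing ":name" and "-N".
:std - [0:0]
:logrjct - [0:0]
:rjct - [0:0]
#-----------------------------------------------------------
# logrjct: log the packet (/var/log/messages, prefix "RJCT "), then
# reject it with an ICMP host-prohibited error.
# The LOG rule is rate limited so a remote host cannot fill the log
# (and eventually the disk) by flooding the container with unsolicited
# packets; packets above the limit are still rejected, just not logged.
# NOTE(review): "-m limit" needs the netfilter limit match to be usable
# inside the container (on OpenVZ-style hosts the HN decides which
# netfilter modules a container may use).  If it is missing,
# iptables-restore fails as a whole and the container comes up with no
# rules at all -- confirm the file loads before rolling it out.
-A logrjct -m limit --limit 3/min --limit-burst 5 -j LOG --log-level 6 --log-prefix "RJCT "
-A logrjct -j REJECT --reject-with icmp-host-prohibited
# rjct: silently DROP -- no log entry and no ICMP reply.
# Used for packets that should not trigger any response (see the
# INVALID-state rule below).
-A rjct -j DROP
#-----------------------------------------------------------
# Standard rules: both inbound paths go through "std".
-A INPUT -j std
-A FORWARD -j std
#-----------------------------------------------------------
# Accept everything on the loopback interface.
-A std -i lo -j ACCEPT
#-----------------------------------------------------------
# Accept packets belonging to an already established connection,
# or related to one (e.g. ICMP errors for it).
-A std -m state --state ESTABLISHED,RELATED -j ACCEPT
# Silently drop packets the connection tracker cannot classify
# (malformed, or outside any tracked connection's window) instead of
# letting them through a per-port ACCEPT below, or answering them with
# an ICMP error towards a possibly spoofed source.
-A std -m state --state INVALID -j rjct
#-----------------------------------------------------------
# Accept ICMP.  All ICMP types are allowed here; this is expected to be
# pre-filtered by the HN -- NOTE(review): confirm, because on its own
# this file does not limit ICMP types or rate.
-A std -p icmp -j ACCEPT
#-----------------------------------------------------------
# Accept the ident/auth service (tcp/113).
# NOTE(review): only needed if a peer still queries ident (some IRC and
# mail servers do); otherwise this rule should be removed.
-A std -p tcp -m tcp --dport auth -j ACCEPT
# Accept all e-mail related services.
-A std -p tcp -m tcp --dport smtp -j ACCEPT
-A std -p tcp -m tcp --dport pop-3 -j ACCEPT
-A std -p tcp -m tcp --dport imaps -j ACCEPT
-A std -p tcp -m tcp --dport imap -j ACCEPT
# Accept all WEB related services.
-A std -p tcp -m tcp --dport www -j ACCEPT
-A std -p tcp -m tcp --dport https -j ACCEPT
# Accept SSH.
-A std -p tcp -m tcp --dport ssh -j ACCEPT
# Accept SNMP (udp/161) from any source.
# NOTE(review): SNMP v1/v2c authenticates with a plaintext community
# string; restrict this rule to the monitoring host(s) with "-s <addr>"
# rather than exposing the agent to every peer the container can see.
-A std -p udp -m udp --dport snmp -j ACCEPT
#===========================================================
# Reject (with logging) every other packet.  This rule always
# terminates, so nothing returns from "std" to INPUT or FORWARD.
-A std -j logrjct
#-----------------------------------------------------------
COMMIT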