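*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# User-defined chains. The first one classifies by source address, the
# second by destination port; a packet is accepted by this pair only if it
# passes both checks, otherwise each chain RETURNs to INPUT and the DROP
# policy applies.
-N DEUXFLEURS-TRUSTED-NET
-N DEUXFLEURS-TRUSTED-PORT

# Reply traffic of already permitted flows is accepted first so it does not
# have to traverse the rest of the chain. All rules in INPUT are ACCEPTs, so
# the position of this rule does not change which packets are accepted.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Internet Control Message Protocol (required: neighbour discovery, router
# advertisements and path MTU discovery are carried over ICMPv6).
# NOTE(review): under ip6tables `-p icmp` resolves to protocol number 1
# (IPv4 ICMP) and is not expected to match any IPv6 packet; it is kept as
# in the original, the ipv6-icmp rule is the one that takes effect.
-A INPUT -p icmp -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT

# Administration. SSH is reachable from every source address; this ruleset
# applies no source restriction on port 22, so authentication is entirely
# up to sshd.
-A INPUT -p tcp --dport 22 -j ACCEPT

# Cluster: the other nodes are trusted on every port.
-A INPUT -s 2a01:e0a:260:b5b0::2 -j ACCEPT
-A INPUT -s 2a01:e0a:260:b5b0::3 -j ACCEPT
-A INPUT -s 2a01:e0a:260:b5b0::4 -j ACCEPT

# Local: containers on the docker0 bridge and everything on loopback.
# Matching the lo interface instead of the ::1 source address also covers
# local connections made to one of the host's own global or link-local
# addresses, which arrive on lo with that address as source and would
# otherwise fall through to the DROP policy.
-A INPUT -i docker0 -j ACCEPT
-A INPUT -i lo -j ACCEPT

# Who is part of our trusted net? Each matching prefix is handed to the
# port chain; any other source address falls through to RETURN below.
# Max@Bruxelles
-A DEUXFLEURS-TRUSTED-NET -s 2a02:1811:3612:b300::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Max@Suresnes
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e0a:183:7be2::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Max@OVH
-A DEUXFLEURS-TRUSTED-NET -s 2001:41d0:a:307c:ac7c::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Jill@Rennes
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e0a:5e4:1d0::0/64 -j DEUXFLEURS-TRUSTED-PORT
# ADRN@Gandi
-A DEUXFLEURS-TRUSTED-NET -s 2001:4b98:dc0:41:216:3eff:fe9b:1afb/128 -j DEUXFLEURS-TRUSTED-PORT
# Quentin@Rennes
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e35:2fdc:dbe0::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Erwan@Rennes (the /64 that also holds the cluster nodes listed above)
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e0a:260:b5b0::0/64 -j DEUXFLEURS-TRUSTED-PORT
# LX@Orsay
-A DEUXFLEURS-TRUSTED-NET -s 2a06:a004:3025:1::0/64 -j DEUXFLEURS-TRUSTED-PORT
-A DEUXFLEURS-TRUSTED-NET -s 2a06:a003:515d:1::0/64 -j DEUXFLEURS-TRUSTED-PORT
-A DEUXFLEURS-TRUSTED-NET -s 2001:910:1204:1::0/64 -j DEUXFLEURS-TRUSTED-PORT
# Zorun@Nantes
-A DEUXFLEURS-TRUSTED-NET -s 2a00:5881:4008::/56 -j DEUXFLEURS-TRUSTED-PORT
# Quentin@Lyon
-A DEUXFLEURS-TRUSTED-NET -s 2a01:e0a:28f:5e60::/64 -j DEUXFLEURS-TRUSTED-PORT
# Source address is not trusted
-A DEUXFLEURS-TRUSTED-NET -j RETURN

# What can our trusted net reach?
# Access garage (TCP port 3901) only
-A DEUXFLEURS-TRUSTED-PORT -p tcp --dport 3901 -j ACCEPT
# Port is not allowed
-A DEUXFLEURS-TRUSTED-PORT -j RETURN

# Last step for anything not accepted above: check whether the sender
# belongs to the trusted network. A packet that comes back from the chain
# unaccepted is dropped by the INPUT policy.
-A INPUT -j DEUXFLEURS-TRUSTED-NET
COMMIT

# NOTE(review): no address translation is configured here. Docker manages
# its own rules in these tables at runtime; confirm the order in which this
# file is restored relative to the docker service so that neither side
# silently overwrites the other.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT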