#This file is from the 
#DO NOT run the system firewall tools or this file will be rewritten
##   Lines that start with ## are documentation
##   Lines that start with # are examples that may be uncommented when needed

## Default setup; since the INPUT default policy is ACCEPT, ensure there is a REJECT/DROP
## at the end

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT

##
##   localhost INPUT is allowed
##

-A RH-Firewall-1-INPUT -i lo -j ACCEPT

##
##   pings on INPUT are allowed from anywhere
##

-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT

##
##   To allow pings from fnal.gov only, uncomment the line below
##   and comment out the line above.
#-A RH-Firewall-1-INPUT -p icmp --icmp-type any -s 131.225.0.0/16 -j ACCEPT
##

##
##   Allows already established and related connections, such as dns and krb auth
##

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

##
##   DROP'ing the 5 protocols/ports below because we do not want them open for FNAL
##

-A RH-Firewall-1-INPUT -p 50 -j DROP
-A RH-Firewall-1-INPUT -p 51 -j DROP
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j DROP
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j DROP
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j DROP

##
##   Onsite at FNAL is allowed except for the above DROP list
##

-A RH-Firewall-1-INPUT -m tcp -p tcp -s 131.225.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp -s 131.225.0.0/16 -j ACCEPT

##
## The following is pre-approved for NEW inbound
##

##
## port 22 tcp - ssh
##

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

##
##   To enable incoming access from the Soudan Mine uncomment the 2 lines below.
##
#-A RH-Firewall-1-INPUT -m tcp -p tcp -s 198.124.213.0/24 -j ACCEPT
#-A RH-Firewall-1-INPUT -m udp -p udp -s 198.124.213.0/24 -j ACCEPT
##

##
##   Put allowed NEW inbound offsite ports here; only enable if really
##   needed from offsite. If possible allow only specific systems/subnets.
##   To restrict a rule to specific systems/subnets add
##   "-s <system ip>" or "-s <subnet/mask>".
##   This example allows inbound ssh (port 22) only from 131.225.68.23.
##
#-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -s 131.225.68.23 -j ACCEPT
##

##
##   REJECT the rest; needed because the default policy was defined as ACCEPT above
##

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

COMMIT
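Added here as an illustration, not part of the firewall file or of any FNAL tooling: a small Python linter that parses an iptables-save style ruleset and checks the two invariants the comments above rely on, namely that the RH-Firewall-1-INPUT chain ends in an unconditional REJECT/DROP (since the built-in policies are ACCEPT) and that the narrow DROP rules come before the broad onsite ACCEPT so they are not shadowed. The embedded ruleset is a constructed excerpt of the file above; the chain name and rule syntax are taken from it.

```python
# Constructed excerpt of the ruleset above (comments, FORWARD and OUTPUT lines omitted).
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j DROP
-A RH-Firewall-1-INPUT -m tcp -p tcp -s 131.225.0.0/16 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
CHAIN = "RH-Firewall-1-INPUT"

def parse(text):
    """Return (policies, rules): chain -> policy, and a list of (chain, tokens)."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):         # ":NAME POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            policies[name] = policy
        elif line.startswith("-A "):     # "-A CHAIN <matches> -j TARGET ..."
            tokens = line.split()
            rules.append((tokens[1], tokens[2:]))
    return policies, rules

def target(tokens):
    return tokens[tokens.index("-j") + 1]   # jump target: the word after -j

def lint(text):
    """Return a list of problems; an empty list means both invariants hold."""
    policies, rules = parse(text)
    chain = [t for c, t in rules if c == CHAIN]
    problems = []
    # 1. A built-in chain with policy ACCEPT that jumps here relies on an
    #    unconditional REJECT/DROP being the last rule of the custom chain.
    feeders = [c for c, t in rules if target(t) == CHAIN]
    last = chain[-1] if chain else None
    terminal = bool(last) and last[0] == "-j" and target(last) in ("REJECT", "DROP")
    if any(policies.get(c) == "ACCEPT" for c in feeders) and not terminal:
        problems.append(f"{CHAIN} lacks an unconditional terminal REJECT/DROP")
    # 2. The narrow DROPs must precede the broad onsite (-s subnet) ACCEPT, or
    #    onsite traffic to those ports is accepted before the DROP can match.
    onsite = [i for i, t in enumerate(chain) if "-s" in t and target(t) == "ACCEPT"]
    for i, t in enumerate(chain):
        if target(t) == "DROP" and onsite and i > onsite[0]:
            problems.append(f"DROP rule '{' '.join(t)}' is shadowed by an onsite ACCEPT")
    return problems
```

Run `lint()` over the real file (with the `#`/`##` comment lines stripped) after editing it and before loading it with iptables-restore; a non-empty result means one of the two ordering assumptions no longer holds.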
