###########################################################################
# Doc Name: IPTables Example
# Number:   2/190 89-LZN 768 0145/2
# Revision: E
# Checked:   
# Prepared: Junyi Wang
# Approved:
# Date:
# Description: Example of Iptables Configuration for IPWorks
#
###########################################################################

########################################################################################################################################

Do!

After modifying the /cluster/etc/cluster.conf, make sure to reload the cluster.conf and reboot the cluster to make the changes take effect:
lde-config -r -a
cluster reboot -a

########################################################################################################################################


#############################################################################################################################################

Make sure all the iptables commands can be executed, otherwise the cluster cannot start successfully.
#############################################################################################################################################


###Init the firewall
### Default policy DROP on INPUT, FORWARD and OUTPUT, then flush whatever rules
### are already present, so only the explicit ACCEPT rules below remain.
### The second token ("all", "control", "payload") presumably selects the node
### type the directive is applied to (see "control node" / "PL-3" headings
### further down) - confirm against the cluster.conf documentation.
### NOTE(review): no connection-tracking / --state match is used anywhere in
### this file; every protocol therefore needs an explicit inbound AND outbound
### rule, and the outbound rules can only match on port numbers.
iptables all --policy INPUT DROP
iptables all --flush INPUT
iptables all --policy FORWARD DROP
iptables all --flush FORWARD
iptables all --policy OUTPUT DROP
iptables all --flush OUTPUT
###Add chain for Internal network
### One user chain per direction and per network; INPUT/OUTPUT jump to them and
### anything not accepted inside a user chain falls back to the DROP policy.
iptables all --new-chain internal-in
iptables all --new-chain internal-out
iptables all --append INPUT --jump internal-in
iptables all --append OUTPUT --jump internal-out
###Add chain for lo network
iptables all --new-chain lo-in
iptables all --new-chain lo-out
iptables all --append INPUT --jump lo-in
iptables all --append OUTPUT --jump lo-out
###Add chain for oam network
### oam-* and prv-* chains exist only on control nodes.
iptables control --new-chain oam-in
iptables control --new-chain oam-out
iptables control --append INPUT --jump oam-in
iptables control --append OUTPUT --jump oam-out
###Add chain for prv network
iptables control --new-chain prv-in
iptables control --new-chain prv-out
iptables control --append INPUT --jump prv-in
iptables control --append OUTPUT --jump prv-out
###Add chain for evip
iptables all --new-chain evip-in
iptables all --new-chain evip-out
iptables all --append INPUT --jump evip-in
iptables all --append OUTPUT --jump evip-out


###Initial evip rules
### Everything on the evip macvlan interface is accepted on every node;
### per-service filtering for evip traffic is done on the ipw_* interfaces below.
iptables all --append evip-in --in-interface evip_macvlan0 --jump ACCEPT
iptables all --append evip-out --out-interface evip_macvlan0 --jump ACCEPT

###iptables rule for internal network.
### eth0 is treated as the trusted cluster-internal network: no port filtering.
iptables all --append internal-in --in-interface eth0 --jump ACCEPT
iptables all --append internal-out --out-interface eth0 --jump ACCEPT
###iptables rule for lo network.
### Loopback is fully open.
iptables all --append lo-in --in-interface lo --jump ACCEPT
iptables all --append lo-out --out-interface lo --jump ACCEPT
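###iptables rule for oam network.
###control node
### eth1 is the OAM interface. Rules are stateless: each service has an inbound
### rule (matched on --destination-port, and on --source where the peer is known)
### and a matching outbound rule matched on --source-port.
### Replace every <...> placeholder with the real address/port before loading.
#####for DNS Management
iptables control --append oam-in --protocol TCP --source <ecli client ip/net> --destination-port 17071 --in-interface eth1 --jump ACCEPT
iptables control --append oam-out --protocol TCP --source-port 17071 --out-interface eth1 --jump ACCEPT
#####for ssh/sftp
iptables control --append oam-in --protocol TCP --source <ssh client ip/net> --destination-port <ssh port> --in-interface eth1 --jump ACCEPT
iptables control --append oam-out --protocol TCP --source-port <ssh port> --out-interface eth1 --jump ACCEPT
#####for ECLI/NETCONF
iptables control --append oam-in --protocol TCP --source <ecli client ip/net> --destination-port 830 --in-interface eth1 --jump ACCEPT
iptables control --append oam-out --protocol TCP --source-port 830 --out-interface eth1 --jump ACCEPT
iptables control --append oam-in --protocol TCP --source <ecli client ip/net> --destination-port 22 --in-interface eth1 --jump ACCEPT
iptables control --append oam-out --protocol TCP --source-port 22 --out-interface eth1 --jump ACCEPT
#####for SNMP
##### 161: requests from the OSS and the responses back; 162: datagrams sent to
##### the OSS (traps/informs) and datagrams from the OSS with source port 162.
iptables control --append oam-in --protocol UDP --source <OSSRC ip/net> --destination-port 161 --in-interface eth1 --jump ACCEPT
iptables control --append oam-out --protocol UDP --source-port 161 --out-interface eth1 --jump ACCEPT
iptables control --append oam-in --protocol UDP --source <OSSRC ip/net> --source-port 162 --in-interface eth1 --jump ACCEPT
iptables control --append oam-out --protocol UDP --destination-port 162 --out-interface eth1 --jump ACCEPT

#####for SNTP
##### Inbound replies are limited to the configured time server; without a
##### --source match, any UDP datagram with source port 123 would be accepted on
##### eth1 whatever its destination port. Repeat the in-rule per time server.
iptables control --append oam-in --protocol UDP --source <SNTP server IP> --source-port 123 --in-interface eth1 --jump ACCEPT
iptables control --append oam-out --protocol UDP --destination-port 123 --out-interface eth1 --jump ACCEPT


#####for Rsyslog
##### One rule pair is sufficient; add further pairs only for additional log servers.
iptables control --append oam-in --protocol UDP --source <Remote log server IP> --source-port <Remote log server UDP port> --in-interface eth1 --jump ACCEPT
iptables control --append oam-out --protocol UDP --destination-port <Remote log server UDP port> --out-interface eth1 --jump ACCEPT
#####for ldap authentication
iptables control --append oam-in --protocol TCP --source <Ldap server IP> --source-port <Ldap server port> --in-interface eth1 --jump ACCEPT
iptables control --append oam-out --protocol TCP --destination-port <Ldap server port> --out-interface eth1 --jump ACCEPT
#####for OAM <->sqlnode
##### Outbound connections from this node to the redundancy node's sqlnode (TCP 3307) and its replies.
iptables control --append oam-in --protocol TCP --source <Redundancy node's Sqlnode mip IP> --source-port 3307 --in-interface eth1 --jump ACCEPT
iptables control --append oam-out --protocol TCP --destination <Redundancy node's Sqlnode mip IP> --destination-port 3307 --out-interface eth1 --jump ACCEPT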

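#####for provision
##### eth2 carries provisioning: ssh (TCP 22) from the provision clients only.
iptables control --append prv-in --protocol TCP --source <provision client ip/net> --destination-port 22 --in-interface eth2 --jump ACCEPT
iptables control --append prv-out --protocol TCP --source-port 22 --out-interface eth2 --jump ACCEPT

#####for sqlnode <-> OAM
##### NOTE(review): these prv-* rules match eth1 (the OAM interface), not eth2
##### like the provision rule above; confirm which interface carries the
##### sqlnode traffic (TCP 3307) before loading.
iptables control --append prv-in --protocol TCP --source <Redundancy node's SC-1 oam address> --destination <Sqlnode mip IP> --destination-port 3307 --in-interface eth1 --jump ACCEPT
iptables control --append prv-out --protocol TCP --destination <Redundancy node's SC-1 oam address> --source <Sqlnode mip IP> --source-port 3307 --out-interface eth1 --jump ACCEPT

##### NOTE(review): the SC-2 pair names <Redundancy node's Sqlnode mip IP> as
##### destination where the SC-1 pair names <Sqlnode mip IP>, and its out-rule
##### has no --source; confirm the asymmetry is intended.
iptables control --append prv-in --protocol TCP --source <Redundancy node's SC-2 oam address> --destination <Redundancy node's Sqlnode mip IP> --destination-port 3307 --in-interface eth1 --jump ACCEPT
iptables control --append prv-out --protocol TCP --destination <Redundancy node's SC-2 oam address> --source-port 3307 --out-interface eth1 --jump ACCEPT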

#####iptables rule for evip traffic network
###PL-3
### Payload-node rules on the signalling (ipw_sig_sp) and data (ipw_data_sp)
### interfaces. Unlike the OAM rules, most of the ipw_sig_sp rules carry no
### --source match, so they accept the named port from any peer; add --source
### where the peer set is known.
#####For enum/dns
iptables payload --append evip-in --protocol UDP --destination-port 53 --in-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-out --protocol UDP --source-port 53 --out-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-in --protocol TCP --destination-port 53 --in-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-out --protocol TCP --source-port 53 --out-interface ipw_sig_sp --jump ACCEPT
##### NOTE(review): every ICMP type is accepted on ipw_sig_sp; restrict to the
##### types actually needed (e.g. echo, destination-unreachable, time-exceeded)
##### if the site policy requires it.
iptables payload --append evip-in --protocol ICMP --in-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-out --protocol ICMP --out-interface ipw_sig_sp --jump ACCEPT
##### NOTE(review): matches --source-port 161 only, so any UDP datagram with
##### source port 161 reaches any local port on ipw_sig_sp. Presumably SNMP
##### responses to a local poller - confirm and add --source if the agent is known.
iptables payload --append evip-in --protocol UDP --source-port 161 --in-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-out --protocol UDP --destination-port 161 --out-interface ipw_sig_sp --jump ACCEPT
#####For fesync
##### TCP 8080 from the CUDB only, on the data interface.
iptables payload --append evip-in --protocol TCP --source <CUDB IP> --destination-port 8080 --in-interface ipw_data_sp --jump ACCEPT
iptables payload --append evip-out --protocol TCP --destination <CUDB IP> --source-port 8080 --out-interface ipw_data_sp --jump ACCEPT
#####For ENUM FE and AAA FE
##### LDAP (TCP 389) towards the CUDB and its replies.
iptables payload --append evip-in --protocol TCP --source <CUDB IP> --source-port 389 --in-interface ipw_data_sp --jump ACCEPT
iptables payload --append evip-out --protocol TCP --destination <CUDB IP> --destination-port 389 --out-interface ipw_data_sp --jump ACCEPT
#####For SS7
iptables payload --append evip-in --protocol SCTP --source <SS7 client IP> --destination-port <M3UA port> --in-interface ipw_data_sp --jump ACCEPT
iptables payload --append evip-out --protocol SCTP --destination <SS7 client IP> --source-port <M3UA port> --out-interface ipw_data_sp --jump ACCEPT
#####For AAA diameter
##### Diameter (3868) over both TCP and SCTP, from any source.
iptables payload --append evip-in --protocol TCP --destination-port 3868 --in-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-out --protocol TCP --source-port 3868 --out-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-in --protocol SCTP --destination-port 3868 --in-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-out --protocol SCTP --source-port 3868 --out-interface ipw_sig_sp --jump ACCEPT
#####For AAA radius
##### 1812 authentication, 1813 accounting (server side, any client).
iptables payload --append evip-in --protocol UDP --destination-port 1812 --in-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-out --protocol UDP --source-port 1812 --out-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-in --protocol UDP --destination-port 1813 --in-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-out --protocol UDP --source-port 1813 --out-interface ipw_sig_sp --jump ACCEPT
##### NOTE(review): inbound match is --source-port 3799 only (presumably replies
##### to RADIUS dynamic-authorization requests sent by this node); as with 161
##### above, any datagram with that source port is accepted to any local port.
iptables payload --append evip-in --protocol UDP --source-port 3799 --in-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-out --protocol UDP --destination-port 3799 --out-interface ipw_sig_sp --jump ACCEPT
#####For DHCPv4
iptables payload --append evip-in --protocol UDP --destination-port 67 --in-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-out --protocol UDP --source-port 67 --out-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-in --protocol UDP --destination-port 68 --in-interface ipw_sig_sp --jump ACCEPT
iptables payload --append evip-out --protocol UDP --source-port 68 --out-interface ipw_sig_sp --jump ACCEPT

##For ip6tables example:
## Same chain layout as the IPv4 section above, applied to the IPv6 tables.
## NOTE(review): the oam-*/prv-* chains are created here but no IPv6 OAM or
## provisioning rules follow, so all IPv6 traffic on eth1/eth2 hits the DROP
## policy. That is fine only if OAM/provisioning are IPv4-only - confirm.
###Init the firewall
ip6tables all --policy INPUT DROP
ip6tables all --flush INPUT
ip6tables all --policy FORWARD DROP
ip6tables all --flush FORWARD
ip6tables all --policy OUTPUT DROP
ip6tables all --flush OUTPUT
###Add chain for Internal network
ip6tables all --new-chain internal-in
ip6tables all --new-chain internal-out
ip6tables all --append INPUT --jump internal-in
ip6tables all --append OUTPUT --jump internal-out
###Add chain for lo network
ip6tables all --new-chain lo-in
ip6tables all --new-chain lo-out
ip6tables all --append INPUT --jump lo-in
ip6tables all --append OUTPUT --jump lo-out
###Add chain for oam network
ip6tables control --new-chain oam-in
ip6tables control --new-chain oam-out
ip6tables control --append INPUT --jump oam-in
ip6tables control --append OUTPUT --jump oam-out
###Add chain for prv network
ip6tables control --new-chain prv-in
ip6tables control --new-chain prv-out
ip6tables control --append INPUT --jump prv-in
ip6tables control --append OUTPUT --jump prv-out
###Add chain for evip
ip6tables all --new-chain evip-in
ip6tables all --new-chain evip-out
ip6tables all --append INPUT --jump evip-in
ip6tables all --append OUTPUT --jump evip-out
### Everything on the evip macvlan interface is accepted.
ip6tables all --append evip-in --in-interface evip_macvlan0 --jump ACCEPT
ip6tables all --append evip-out --out-interface evip_macvlan0 --jump ACCEPT

###ip6tables rule for internal network
### eth0 is the trusted cluster-internal network: no port filtering.
ip6tables all --append internal-in --in-interface eth0 --jump ACCEPT
ip6tables all --append internal-out --out-interface eth0 --jump ACCEPT


###ip6tables rule for lo network
ip6tables all --append lo-in --in-interface lo --jump ACCEPT
ip6tables all --append lo-out --out-interface lo --jump ACCEPT


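###ip6tables rule for evip traffic network
###PL-3
### IPv6 counterpart of the payload-node signalling rules. As in the IPv4
### section, these rules carry no --source match and accept the named port
### from any peer on ipw_sig_sp; add --source where the peer set is known.
#####For enum/dns
ip6tables payload --append evip-in --protocol UDP --destination-port 53 --in-interface ipw_sig_sp --jump ACCEPT
ip6tables payload --append evip-out --protocol UDP --source-port 53 --out-interface ipw_sig_sp --jump ACCEPT
ip6tables payload --append evip-in --protocol TCP --destination-port 53 --in-interface ipw_sig_sp --jump ACCEPT
ip6tables payload --append evip-out --protocol TCP --source-port 53 --out-interface ipw_sig_sp --jump ACCEPT
##### ICMPv6 is IP protocol 58; "--protocol ICMP" resolves to protocol 1 and
##### never matches IPv6 traffic, which would leave Neighbor Discovery and
##### Path-MTU messages on ipw_sig_sp to the DROP policy.
ip6tables payload --append evip-in --protocol icmpv6 --in-interface ipw_sig_sp --jump ACCEPT
ip6tables payload --append evip-out --protocol icmpv6 --out-interface ipw_sig_sp --jump ACCEPT
##### NOTE(review): matches --source-port 161 only, so any UDP datagram with
##### source port 161 reaches any local port on ipw_sig_sp; add --source if the
##### SNMP agent being polled is known.
ip6tables payload --append evip-in --protocol UDP --source-port 161 --in-interface ipw_sig_sp --jump ACCEPT
ip6tables payload --append evip-out --protocol UDP --destination-port 161 --out-interface ipw_sig_sp --jump ACCEPT
#####For AAA diameter
##### Diameter (3868) over SCTP only in the IPv6 example (the IPv4 section also opens TCP).
ip6tables payload --append evip-in --protocol SCTP --destination-port 3868 --in-interface ipw_sig_sp --jump ACCEPT
ip6tables payload --append evip-out --protocol SCTP --source-port 3868 --out-interface ipw_sig_sp --jump ACCEPT
#####For AAA radius
##### 1812 authentication, 1813 accounting (server side, any client).
ip6tables payload --append evip-in --protocol UDP --destination-port 1812 --in-interface ipw_sig_sp --jump ACCEPT
ip6tables payload --append evip-out --protocol UDP --source-port 1812 --out-interface ipw_sig_sp --jump ACCEPT
ip6tables payload --append evip-in --protocol UDP --destination-port 1813 --in-interface ipw_sig_sp --jump ACCEPT
ip6tables payload --append evip-out --protocol UDP --source-port 1813 --out-interface ipw_sig_sp --jump ACCEPT
##### NOTE(review): inbound match is --source-port 3799 only; any datagram with
##### that source port is accepted to any local port on ipw_sig_sp.
ip6tables payload --append evip-in --protocol UDP --source-port 3799 --in-interface ipw_sig_sp --jump ACCEPT
ip6tables payload --append evip-out --protocol UDP --destination-port 3799 --out-interface ipw_sig_sp --jump ACCEPT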




