Bidirectional Rules
Example rule for INPUT and OUTPUT chains in one section
Sections without an ipset
```ini
[essential_services]
section_type = general
action = ['accept','out','in']
ip_version = ipv6
interface = eth0
protocol = tcp
ports = 22:32
```
The section [essential_services] has no `set` key, so no ipset is involved; the rules come from the action alone. The logic of the action is the following:

action = ['accept','out','in']

If the list has three elements, two rules are created: one for INPUT and one for OUTPUT. Elements 2 and 3 define the direction of the connection, so 'out','in' means that new connections are allowed when initiated from an outside IP. This creates the following two rules:
```bash
/sbin/iptables -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m multiport --dports 22,50 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
```

The same mechanism also accepts a section covering both IP versions and more than one protocol, such as:

```ini
[essential_services_4]
section_type = general
action = ['accept','in','out']
ip_version = both
interface = main
protocol = tcp,udp
```
Sections with an ipset
```ini
[essential_services]
section_type = general
action = ['accept','out','in']
ip_version = ipv4
interface = eth0
protocol = tcp
ports = 22,50
set = new_set

[new_set]
section_type = ipset
ipset_type = hash:ip
set_name = ['admin_workstations_x']
#set_ips_v4 = ['137.138.142.166','137.138.25.22','10.18.2.204','137.138.160.37','137.138.142.156']
set_hostnames = ['lxplus','pcthanos','syscontrol-dev','pcjcano2','kubernetes-node','kubernetes-master','agkara-train-2']
```
The section [essential_services] will create a kernel ipset called admin_workstations_x_v4, since ip_version is set to ipv4. The logic of the action is the following:

action = ['accept','out','in']

As in the previous section, a three-element list creates one INPUT and one OUTPUT rule, with elements 2 and 3 ('out','in') allowing new connections only when initiated from an outside IP. The ipset adds a `--match-set` to each rule (src on INPUT, dst on OUTPUT):
```bash
/sbin/iptables -A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED -m multiport --dports 22,50 -m set --match-set admin_workstations_x_v4 src -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p tcp -m state --state ESTABLISHED -m set --match-set admin_workstations_x_v4 dst -j ACCEPT
```
So new connections are allowed only from the outside in: the hosts in the ipset may open connections to ports 22 and 50 on this machine, while the OUTPUT rule matches only ESTABLISHED traffic and therefore does not let this machine initiate connections to them.
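To make the expansion described in both sections concrete, here is an added Python illustration (not the tool's own code) that turns a three-element action section into the two rule lines above, with and without an ipset. The key names mirror the config sections on this page; the function name, the ipv6 to ip6tables mapping and the reading of ['accept','in','out'] as the host-initiated mirror image are assumptions.

```python
# Added example (not the tool's own code): expand a bidirectional "general"
# section into the iptables rules shown on this page. The key names mirror the
# config sections above; the function name, the ipv6 -> ip6tables mapping and
# the reading of ['accept','in','out'] as host-initiated are assumptions.

BINARY = {"ipv4": "/sbin/iptables", "ipv6": "/sbin/ip6tables"}  # assumed


def render_bidirectional(section, ipset=None):
    """Return [INPUT rule, OUTPUT rule] for an action list of three elements:
    [target, initiator, responder].

    initiator == 'out' (the documented case): the remote side opens the
    connection, so INPUT matches NEW,ESTABLISHED and OUTPUT only ESTABLISHED.
    initiator == 'in' is assumed to be the mirror image.
    """
    target, initiator, responder = section["action"]
    if {initiator, responder} != {"in", "out"}:
        raise ValueError("elements 2 and 3 must be 'in' and 'out'")
    binary = BINARY[section["ip_version"]]          # 'both' is not handled here
    iface, proto = section["interface"], section["protocol"]
    ports = section.get("ports")                    # None: no port match
    # The kernel ipset carries a _v4/_v6 suffix matching ip_version.
    set_name = ipset and f"{ipset}_{section['ip_version'][2:]}"

    def rule(chain, states, with_ports, set_side):
        parts = [binary, "-A", chain, "-i" if chain == "INPUT" else "-o", iface,
                 "-p", proto, "-m", "state", "--state", states]
        if with_ports and ports:
            parts += ["-m", "multiport", "--dports", ports]
        if set_name:
            parts += ["-m", "set", "--match-set", set_name, set_side]
        return " ".join(parts + ["-j", target.upper()])

    # Ports are matched only on the chain that sees the connection's first
    # packet; the other chain merely passes already-established return traffic.
    if initiator == "out":
        return [rule("INPUT", "NEW,ESTABLISHED", True, "src"),
                rule("OUTPUT", "ESTABLISHED", False, "dst")]
    return [rule("INPUT", "ESTABLISHED", False, "src"),
            rule("OUTPUT", "NEW,ESTABLISHED", True, "dst")]


# Constructed sample mirroring the [essential_services] section with an ipset.
SAMPLE_SECTION = {"action": ["accept", "out", "in"], "ip_version": "ipv4",
                  "interface": "eth0", "protocol": "tcp", "ports": "22,50"}

if __name__ == "__main__":
    for line in render_bidirectional(SAMPLE_SECTION, "admin_workstations_x"):
        print(line)
```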