I'm using this cookbook in CentOS 6.5 on AWS instances, the postfix recipe ends up at the end and essentially bricks the instance, since I can't access it through ssh anymore
The resulting /etc/sysconfig/iptables looks like this:
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:FWR -
-A INPUT -j FWR
-A FWR -i lo -j ACCEPT
# Any established connection is money
-A FWR -m state --state RELATED,ESTABLISHED -j ACCEPT
# ICMP
-A FWR -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9102 -m comment --comment "Bacula client port" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7000 -m comment --comment "Cassandra Storage" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 7001 -m comment --comment "Cassandra SSL" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9160 -m comment --comment "Cassandra RPC" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9042 -m comment --comment "Cassandra Native Transport" -j ACCEPT
-A OUTPUT -p udp --dport 123 -m comment --comment "ntpd" -j ACCEPT
-A INPUT -p udp --dport 1813 -m comment --comment "radiusd" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8009 -m comment --comment "tomcat" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 27017 -m comment --comment "mongo" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8443 -m comment --comment "https" -j ACCEPT
-A FWR -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A FWR -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
Am I missing anything that it should be doing that is not?
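A way to catch this kind of lockout before the rules are loaded is to simulate the ruleset offline. The following checker is an added example, not code from the cookbook or from this issue. It parses `iptables-save` output (an abridged copy of the ruleset posted above is embedded as sample input), walks the INPUT chain the way the kernel does (first match wins, user chains are entered on `-j` and fall through when nothing terminal matches), and reports the verdict for a new inbound SYN. It models only the matchers that appear in the posted rules (`-p`, `-i`, `--dport`, `--state`, `--tcp-flags`); the interface name `eth0`, the `verdict`/`shadowed_accepts` function names and the placement of the SSH accept rule inside FWR are my assumptions.

```python
"""Offline simulator for an iptables-save INPUT ruleset (added example)."""
import shlex

# Constructed sample input: an abridged copy of the ruleset from the issue.
POSTED_RULESET = """\
*filter
:INPUT ACCEPT [0,0]
:FORWARD ACCEPT [0,0]
:OUTPUT ACCEPT [0,0]
:FWR -
-A INPUT -j FWR
-A FWR -i lo -j ACCEPT
-A FWR -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FWR -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9102 -m comment --comment "Bacula client port" -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9042 -m comment --comment "Cassandra Native Transport" -j ACCEPT
-A INPUT -p udp --dport 1813 -m comment --comment "radiusd" -j ACCEPT
-A FWR -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A FWR -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

# Hypothetical fix: accept SSH inside FWR, *before* the SYN reject rule.
SSH_RULE = '-A FWR -p tcp -m state --state NEW -m tcp --dport 22 -m comment --comment "ssh" -j ACCEPT\n'
FIXED_RULESET = POSTED_RULESET.replace(
    "-A FWR -p tcp -m tcp --tcp-flags", SSH_RULE + "-A FWR -p tcp -m tcp --tcp-flags")

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse(text):
    """Return (policies, chains): default policy per chain and ordered rules per chain."""
    policies, chains = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                       # chain declaration, e.g. ':INPUT ACCEPT [0,0]'
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):                   # append rule
            toks = shlex.split(line)
            rule, i = {"chain": toks[1]}, 2
            while i < len(toks):
                if toks[i] == "--tcp-flags":           # the only two-argument option used here
                    rule["tcp_flags"] = (set(toks[i + 1].split(",")), set(toks[i + 2].split(",")))
                    i += 3
                else:                                  # every other option takes one value
                    rule[toks[i].lstrip("-")] = toks[i + 1]
                    i += 2
            chains.setdefault(rule["chain"], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    """True if every matcher present in the rule accepts the modelled packet."""
    if "p" in rule and rule["p"] != pkt["proto"]:
        return False
    if "i" in rule and rule["i"] != pkt["iface"]:
        return False
    if "dport" in rule and int(rule["dport"]) != pkt["dport"]:
        return False
    if "state" in rule and pkt["state"] not in rule["state"].split(","):
        return False
    if "tcp_flags" in rule:                            # bits in mask must equal bits in comp
        mask, comp = rule["tcp_flags"]
        if any((f in pkt["flags"]) != (f in comp) for f in mask):
            return False
    return True


def walk(chains, name, pkt):
    """First-match traversal; returns a terminal target or None when the chain falls through."""
    for rule in chains.get(name, []):
        if not matches(rule, pkt):
            continue
        target = rule.get("j")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target in chains:                           # user-defined chain: descend, continue if it returns
            result = walk(chains, target, pkt)
            if result is not None:
                return result
    return None


def verdict(ruleset, dport, proto="tcp", iface="eth0"):
    """Verdict for a NEW inbound connection attempt (a bare SYN for TCP) on the INPUT chain."""
    policies, chains = parse(ruleset)
    pkt = {"proto": proto, "iface": iface, "dport": dport, "state": "NEW",
           "flags": {"SYN"} if proto == "tcp" else set()}
    return walk(chains, "INPUT", pkt) or policies["INPUT"]


def shadowed_accepts(ruleset):
    """(proto, port) pairs with an ACCEPT rule that a NEW inbound packet can never reach."""
    _, chains = parse(ruleset)
    found = set()
    for rules in chains.values():
        for r in rules:
            if r.get("j") == "ACCEPT" and "dport" in r and "p" in r:
                if verdict(ruleset, int(r["dport"]), proto=r["p"]) != "ACCEPT":
                    found.add((r["p"], int(r["dport"])))
    return sorted(found)


if __name__ == "__main__":
    print("ssh on posted ruleset:", verdict(POSTED_RULESET, 22))
    print("shadowed accepts:", shadowed_accepts(POSTED_RULESET))
    print("ssh on fixed ruleset:", verdict(FIXED_RULESET, 22))
```

Running it against the posted ruleset shows why the instance becomes unreachable: `-A INPUT -j FWR` is the first INPUT rule, and FWR ends with an unconditional REJECT for every TCP SYN and every UDP packet, so the later per-port ACCEPT rules on INPUT (Bacula, Cassandra, radiusd) are never consulted for a new connection either. An SSH accept rule appended to INPUT after the jump would be just as dead; it has to sit inside FWR ahead of the reject, or before the jump to FWR.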