Commit 6456cbb5 authored by jz143's avatar jz143

firewall rules for app server

parent 0dd02fbf
......@@ -21,7 +21,7 @@ require 'capistrano/rvm'
require 'capistrano/bundler'
require 'capistrano/rails/assets'
require 'capistrano/rails/migrations'
require 'capistrano/passenger'
require 'capistrano/puma'
# Load custom tasks from `lib/capistrano/tasks` if you have any defined
Dir.glob('lib/capistrano/tasks/*.rake').each { |r| import r }
......@@ -2,3 +2,4 @@
* Install `iPhone Distribution: Duke University` certificate and private key to `System` keychain on signing server.
- Get Info > Access Control > Allow all applications to access this item
* Install ImageMagick
* Install Redis
\ No newline at end of file
# Flush all current rules from iptables
iptables -F
ip6tables -F
iptables -t nat -F
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
# Set default policies
iptables -P INPUT DROP
ip6tables -P INPUT DROP
iptables -P FORWARD DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
# Accept packets belonging to established and related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow IPv6 ICMP packets
ip6tables -A INPUT -p icmpv6 -j ACCEPT
# Allow pings
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# (IPv4-only) Redis - allow access only from mac worker
# create a new chain
iptables -N redis-protection
# allow your IP
iptables -A redis-protection --src $ALLOW_IP_ADDRESS -j ACCEPT
# drop everyone else
iptables -A redis-protection -j DROP
# use chain xxx for packets coming to TCP port $REDIS_PORT
iptables -I INPUT -m tcp -p tcp --dport $REDIS_PORT -j redis-protection
# Save settings
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
systemctl enable netfilter-persistent
systemctl start netfilter-persistent
# List rules
echo "filter table"
echo "============"
echo "IPv4"
echo "----"
iptables -L -v
echo "IPv6"
echo "----"
ip6tables -L -v
echo "nat table (IPv4 only)"
echo "====================="
iptables -t nat -L -v
echo "redis-protection table"
echo "======================"
iptables -t redis-protection -L -v
......@@ -47,6 +47,14 @@ namespace :deploy do
desc 'Restart services'
task :restart do
on roles(:app) do
invoke 'puma:restart'
before 'deploy:check:linked_dirs', :upload_config
after 'deploy:publishing', 'deploy:restart'
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment