#
# EMULAB-COPYRIGHT
# Copyright (c) 2005-2011 University of Utah and the Flux Group.
# All rights reserved.
#

#
# Firewall rule template.
#
# Each line consists of an iptables or ebtables rule.  A '#' delimited
# "comment" at the end of the line indicates a rule number to use, a comma
# separated list of styles to which the rule applies, and an optional
# qualifier that indicates the types of firewalled nodes to which the rule
# should apply.
#
# Styles:
#
#	OPEN		allows everything
#	CLOSED   	allows only Emulab infrastructure services
#	BASIC		CLOSED + ssh from anywhere
#	ELABINELAB	Elab-in-elab, eliminates many Emulab services
#
# Qualifiers:
#
#	WINDOWS		For nodes running some variant of Windows
#	SAMENET		For nodes that are on the same subnet as any
#			"control" host (boss, subbosses, ops, fs).
#
# Note that the qualifier is currently not supported: rules carrying a
# qualifier are applied unconditionally to the style(s) they belong to.
#
# Variables expanded by rc.firewall script that can be used here:
#
#	EMULAB_GWIP	IP address of gateway
#	EMULAB_NS	IP address of name server
#	EMULAB_CNET	Node control network in CIDR notation
#	EMULAB_MCADDR	Multicast address range used by frisbee
#	EMULAB_MCPORT	Port range used by frisbee
#	EMULAB_BOSSES	Comma separated list of subbosses (including "boss"),
#			used for services that subbosses provide
#			(dhcp/tftp/frisbee).
#	EMULAB_SERVERS	Comma separated list of all servers
#			(EMULAB_BOSSES + "ops" + "fs")
#
# Currently these are sufficient for rules we use.  Note that you can
# safely use symbolic hostnames "boss", "ops", "fs", "users", "ntp1"
# and "ntp2" as they are all guaranteed to resolve, either via the local
# hosts file or via DNS (assuming the firewall is not yet up or allows
# DNS traffic, which it should at that point in time).
#
# For an Emulab in Emulab setup, the names "myboss", "myops" and "myfs"
# are also valid for naming the respective inner servers.
#
# Additionally, the tokens 'pdev', 'vlandev', and 'me' will be replaced
# with the physical control net device, the VLAN device, and the firewall's
# control net IP address respectively.
#

#
# Set up default policies for the standard chains
# For all but the wide-open case, the default should
# be to DROP.
#
# OPEN is not listed on these lines, so for an OPEN firewall this template
# leaves the chain policies at whatever they already were.
#
iptables -P INPUT DROP # BASIC,CLOSED,ELABINELAB
iptables -P OUTPUT DROP # BASIC,CLOSED,ELABINELAB
iptables -P FORWARD DROP # BASIC,CLOSED,ELABINELAB

#
# Match existing dynamic rules very early
#
# Every rule further down that is restricted to "--ctstate NEW" relies on
# these three for the reply and follow-on packets of the same connection.
#
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# Create a chain for forwarded/bridged packets coming
# from nodes on the vlan.  If it already exists, flush
# it.  Likewise for packets coming from nodes outside
# the vlan.  Note that these don't affect packets sent
# to the firewall itself.
#
# -N fails when the chain already exists; the -F that follows is what keeps
# a re-run of the template from appending a second copy of every rule
# (assumes rc.firewall tolerates the -N error -- TODO confirm).
# --physdev-in only matches bridged traffic, so INSIDE/OUTSIDE classify a
# packet by the bridge port it arrived on: vlandev = experiment side,
# pdev = physical control net side.
#
iptables -N INSIDE # BASIC,CLOSED,ELABINELAB
iptables -F INSIDE # BASIC,CLOSED,ELABINELAB
iptables -N OUTSIDE # BASIC,CLOSED,ELABINELAB
iptables -F OUTSIDE # BASIC,CLOSED,ELABINELAB
iptables -A FORWARD -m physdev --physdev-in vlandev -j INSIDE # BASIC,CLOSED,ELABINELAB
iptables -A FORWARD -m physdev --physdev-in pdev -j OUTSIDE # BASIC,CLOSED,ELABINELAB

# Can talk to myself.  Does this do anything?
# This appears to be used by elvind?
#iptables -A INPUT -s me -d me -j ACCEPT # BASIC,CLOSED,ELABINELAB
# Loopback traffic on the firewall host itself; interface-matched rather
# than address-matched, so it does not depend on what "me" expands to.
iptables -A INPUT -i lo -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -o lo -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# Nobody on the inside can talk to the firewall.
# Prevents anyone spoofing "me", "boss", "ops", etc.
#
iptables -A INSIDE -d me -j DROP # BASIC,CLOSED,ELABINELAB

#
# No one on the inside can talk to other experiments' nodes and vice versa.
#
# XXX currently we only do this for the heavier weight firewalls because
# the user cannot override this.
#
# Note that this does not apply to nodes within this experiment because
# those packets never come to the firewall.
#
# Note also that EMULAB_CNET is only the "node control net" and does not
# include the public/private nets for boss, ops, etc.
#
# XXX yuk!  The gateway *is* part of EMULAB_CNET, and assorted packets do
# come from it:
#  * IGMP and PIM traffic
#  * DHCP replies from boss appear to have come from the gateway
#    (due to the helper function).
# so for now we allow any IP traffic from the gateway.
#
#
# XXX yuk 2!  In a non-segmented control network or in a configuration with
# subbosses, some or all of the server machines will be a part of "the node
# control net" so we cannot unconditionally block all traffic to/from outside
# control net addresses. Here we allow through all traffic involving the known
# servers and let later rules further limit it.
#
# Since the SAMENET qualifier is not enforced (see the header), the two
# EMULAB_SERVERS rules apply to every CLOSED/ELABINELAB firewall, not only
# to those sharing a subnet with a server.  All three are protocol-agnostic
# ACCEPTs, so the per-service rules further down do not narrow traffic
# between the vlan and these addresses.
#
iptables -A OUTSIDE -s EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
iptables -A INSIDE -d EMULAB_SERVERS -j ACCEPT # CLOSED,ELABINELAB+SAMENET
iptables -A OUTSIDE -s EMULAB_GWIP -j ACCEPT # CLOSED,ELABINELAB

#
# Otherwise, nodes inside/outside of the firewall cannot talk to each other.
#
iptables -A INSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB
iptables -A OUTSIDE -d EMULAB_CNET -j DROP # CLOSED,ELABINELAB

#
# Inside nodes cannot spoof other IP addresses.
#
# Beyond this rule we no longer have to check to make sure that source
# hosts like "boss" and "ops" come in the correct interface.
#
# This works because the server addresses lie outside EMULAB_CNET (see
# above); an inside node can still claim any other node-control-net
# address, there is no per-node source check here.  0.0.0.0 is presumably
# admitted for DHCP discovers, which have no source address yet.
#
# NOTE(review): as appended here, the unconditional "-A INSIDE -j DROP"
# sits ahead of every later "-A INSIDE ... -j ACCEPT" in this file, and
# the three ACCEPTs above it carry no protocol or port match.  Taken
# literally that makes the later INSIDE rules unreachable and admits any
# traffic from those sources; confirm whether rc.firewall re-orders or
# rewrites these (e.g. into a RETURN-style anti-spoof check) before relying
# on the per-service INSIDE rules below.
#
iptables -A INSIDE -s 0.0.0.0 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INSIDE -s 255.255.255.255 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INSIDE -s EMULAB_CNET -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INSIDE -j DROP # BASIC,CLOSED,ELABINELAB

# DNS to NS
# Note: elabinelab myops/myfs use myboss for NS
# NEW-only: replies are matched by the RELATED,ESTABLISHED rules at the top.
iptables -A INSIDE -p udp -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTPUT -p udp -s me -d EMULAB_NS --dport 53 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB

# ssh from boss (for reboot, etc.) and others if appropriate
# BASIC is "CLOSED + ssh from anywhere" (see header): the first rule has no
# source match.  --syn plus NEW means only the opening packet needs a rule.
iptables -A OUTSIDE -p tcp --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
iptables -A OUTSIDE -p tcp -s boss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED
iptables -A OUTSIDE -p tcp -s myboss --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -s myops --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -s myfs --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INPUT -p tcp -s boss -d me --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # CLOSED,ELABINELAB
iptables -A INPUT -p tcp -d me --dport 22 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC
#
# XXX early on in Emulab setup boss will ssh in and insert a rule at the
# beginning to allow all traffic.  Later we ssh in again to remove that rule.
# In order for the latter ssh command to complete, we have to make sure that
# an established connection to boss continues to work.
#
# (Left disabled: the RELATED,ESTABLISHED rules at the top of INPUT and
# OUTPUT already cover the established session.)
#
#iptables -A OUTPUT -p tcp -s me --sport 22 -d boss -m conntrack --ctstate ESTABLISHED -j ACCEPT # ELABINELAB
#iptables -A INPUT -p tcp -s boss -d me --dport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT # ELABINELAB


# NTP to ntp servers
# Note: elabinelab myops/myfs use myboss for NTP
iptables -A INSIDE -p udp -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INSIDE -p tcp -s myboss -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INPUT -p udp -s me -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -p tcp -s me -d ntp1 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INSIDE -p udp -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INSIDE -p tcp -s myboss -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A INPUT -p udp -s me -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -p tcp -s me -d ntp2 --dport 123 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB

# syslog with ops
# One-way UDP, hence no conntrack match.
iptables -A INSIDE -p udp -d ops --dport 514 -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p udp -s me --sport 514 -d ops --dport 514 -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# NFS
# DANGER WILL ROBINSON!!!
# Portmapper (tcp or udp), mountd and NFS (tcp or udp) with fs
#
# Note that we have to allow IP fragments through due to the default
# 8k read/write size.  Perhaps we should dial down the read/write size for
# firewalled experiments.
#
# Two of these are much wider than "NFS with fs":
#  * the "\! --sport 0:700" rules admit a NEW UDP flow to *any* port on fs
#    as long as the client source port is above 700 (presumably for RPC
#    services living on dynamic ports);
#  * the "-f" rules match non-first fragments, which carry no transport
#    header, so no port restriction is possible on them at all.
#
iptables -A INSIDE -p udp -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d fs \! --sport 0:700 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -d fs -f -j ACCEPT # BASIC,CLOSED
iptables -A OUTSIDE -s fs -f -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p udp -s me -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p tcp -s me -d fs --dport 111 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p udp -s me -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p tcp -s me -d fs --dport 900 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p udp -s me -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p tcp -s me -d fs --dport 2049 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p udp -s me -d fs \! --sport 0:700 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -s me -d fs -f -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -s fs -d me -f -j ACCEPT # BASIC,CLOSED,ELABINELAB

# Special services

# cvsup to boss
iptables -A INSIDE -p tcp -d boss --dport 5999 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p tcp -s me -d boss --dport 5999 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB

# elvind or pubsubd to ops (unicast TCP and multicast UDP)
iptables -A INSIDE -p udp -d ops --dport 2917 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d ops --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d ops --dport 2917 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -d ops --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p tcp -s me -d ops --dport 16505 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB

# slothd to boss
# One-way UDP reports, hence no conntrack match.
iptables -A INSIDE -p udp -d boss --dport 8509 -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p udp -s me -d boss --dport 8509 -j ACCEPT # BASIC,CLOSED,ELABINELAB

# The inner boss also needs to SSLXMLRPC to real boss to start frisbeed
# for image transfer.  Note that this rule must be before other XMLRPC rule
# (blocking connections from inside).
iptables -A INSIDE -p tcp -s myboss -d boss --dport 3069 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB

# HTTP/HTTPS/SSLXMLRPC into elabinelab boss from outside
# No source restriction: any outside host may open these to myboss.
iptables -A OUTSIDE -p tcp -d myboss --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -d myboss --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p tcp -d myboss --dport 3069 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB

#
# Frisbee master server from boss
# elabinelab: boss to myboss
#
iptables -A INSIDE -p tcp -d EMULAB_BOSSES --dport 64494 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p tcp -s myboss -d EMULAB_BOSSES --dport 64494 --syn -m conntrack --ctstate NEW -j ACCEPT # ELABINELAB

#
# Frisbee multicast with boss
#  * nodes mcast everything to boss (joins, leaves and requests): 60046
#  * boss mcasts blocks to same mcaddr/port: 60047
#  * boss unicasts join replies to same port: 60048
#  * node and switch need to IGMP: 60049
#
# Elabinelab should only do this to download an image from real boss to
# the inner boss.  Re-imaging anything else from outside would be a disaster.
# But note that the image is still mcast, so we cannot really differentiate
# in 60047.
#
# NOTE: the unicast join replies (60048) make our life miserable. We cannot
# use a keep-state rule because the request was multicast and not directed to
# boss. Thus we have to open up a wide range of ports from boss for the reply.
# To make matters worse, this wide range potentially overlaps with rule 60067
# which allows TFTP traffic. Since the latter requires bi-directional traffic,
# we DO need to specify keep-state on this rule. If we ever start mcasting
# join replies, we could get rid of rule 60048 (which is why it is split out
# from 60047).
#
# The 600xx numbers above do not appear in any trailer in this file; they
# presumably refer to the numbering of the corresponding rules in the ipfw
# template.  Map them by order: the five rules below correspond to
# 60046 / 60047 / 60048 and the two elabinelab variants.
#

iptables -A INSIDE -p udp -d EMULAB_MCADDR --dport EMULAB_MCPORT -j ACCEPT # BASIC,CLOSED
iptables -A OUTSIDE -p udp -s EMULAB_BOSSES --sport EMULAB_MCPORT -d EMULAB_MCADDR --dport EMULAB_MCPORT -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp -s EMULAB_BOSSES --sport EMULAB_MCPORT --dport EMULAB_MCPORT -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -s myboss -d EMULAB_MCADDR --dport EMULAB_MCPORT -j ACCEPT # ELABINELAB
iptables -A OUTSIDE -p udp -s EMULAB_BOSSES --sport EMULAB_MCPORT -d myboss --dport EMULAB_MCPORT -j ACCEPT # ELABINELAB

# IGMP in both directions, any source (needed for the mcast joins above).
iptables -A INSIDE -p igmp -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p igmp -j ACCEPT # BASIC,CLOSED,ELABINELAB

# Ping, IPoD from boss
# should we allow all ICMP in general?
# BASIC: all ICMP, both directions, any host.  CLOSED/ELABINELAB: only
# echo request (8) / reply (0) with boss, plus type 6 from boss, which is
# presumably the IPoD packet the comment refers to.  The INPUT rules cover
# the same exchange with the firewall host itself for every style.
iptables -A INSIDE -p icmp -j ACCEPT # BASIC
iptables -A OUTSIDE -p icmp -j ACCEPT # BASIC
iptables -A OUTSIDE -p icmp -s boss --icmp-type 6 -j ACCEPT # CLOSED,ELABINELAB
iptables -A OUTSIDE -p icmp -s boss --icmp-type 8 -j ACCEPT # CLOSED,ELABINELAB
iptables -A INSIDE -p icmp -d boss --icmp-type 0 -j ACCEPT # CLOSED,ELABINELAB
iptables -A INPUT -s boss -d me -p icmp --icmp-type 6 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -s boss -d me -p icmp --icmp-type 8 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A INPUT -s me -d boss -p icmp --icmp-type 0 -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# Windows
# allow http, https (80,443) outbound for windows/cygwin updates
# SMB (445) with fs
# rdesktop (3389) to nodes
#
# Because the WINDOWS qualifier is not enforced (see header), all four
# rules apply to every BASIC firewall, not only to Windows nodes.  In
# particular the first two permit outbound HTTP/HTTPS to any destination,
# and the last admits inbound 3389 from any outside host with an
# unprivileged source port.
#
iptables -A INSIDE -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC+WINDOWS
iptables -A INSIDE -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC+WINDOWS
iptables -A INSIDE -p tcp -d fs --dport 445 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC+WINDOWS
iptables -A OUTSIDE -p tcp \! --sport 0:1023 --dport 3389 --syn -m conntrack --ctstate NEW -j ACCEPT # BASIC+WINDOWS


#
# Windows
# Explicitly stop blaster (135,4444) and slammer (1434)
#
# These are on INPUT (traffic to the firewall host), whose policy is
# already DROP above, so they only add an explicit match ahead of the
# policy; they do not touch the bridged INSIDE/OUTSIDE chains that carry
# traffic to the nodes.
#
iptables -A INPUT -p tcp --dport 135 -j DROP # BASIC,CLOSED,ELABINELAB+WINDOWS
iptables -A INPUT -p tcp --dport 4444 -j DROP # BASIC,CLOSED,ELABINELAB+WINDOWS
iptables -A INPUT -p udp --dport 1434 -j DROP # BASIC,CLOSED,ELABINELAB+WINDOWS

# Boot time only services (DHCP, TFTP, bootinfo, TMCC).

# DHCP requests from, and replies to, inside requests are always broadcast,
# replies may be broadcast or unicast
# Stateless: the request's source is typically 0.0.0.0 (admitted by the
# anti-spoof rule above) and the reply is broadcast, so conntrack cannot
# pair them.
iptables -A INSIDE -p udp --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp --sport 67 --dport 68 -d 255.255.255.255 -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# TFTP with boss or ops
# XXX tftpd can pick any port it wants in response to a request from any port
# so we have to open wide.
#
# Note that for elabinelab, inside nodes still need to be able to talk to
# real boss for PXE boot.
#
# The reply rule is effectively "any NEW UDP from EMULAB_BOSSES/ops with
# both ports above 1023" -- nothing ties it to a preceding request on
# port 69 (without a tftp conntrack helper the data flow cannot be
# RELATED to the request).  Its reach grows with the server list.
#
iptables -A INSIDE -p udp -d EMULAB_BOSSES,ops --dport 69 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp -s EMULAB_BOSSES,ops \! --sport 0:1023 \! --dport 0:1023 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB

#
# Emulab bootinfo with boss (nodes request/receive info or boss does PXEWAKEUP)
# XXX do we really need this for elabinelab inner nodes?
#
# The reply comes from a different server port (6970) than the request
# went to (6969), so it cannot be matched as ESTABLISHED and gets a
# stateless accept pinned to both ports instead.
#
iptables -A INSIDE -p udp -d boss --dport 6969 --sport 9696 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTSIDE -p udp -s boss --sport 6970 --dport 9696 -j ACCEPT # BASIC,CLOSED,ELABINELAB

# TMCC (udp or tcp) with boss
iptables -A INSIDE -p tcp -d boss --dport 7777 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A INSIDE -p udp -d boss --dport 7777 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED
iptables -A OUTPUT -p tcp -s me -d boss --dport 7777 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB
iptables -A OUTPUT -p udp -s me -d boss --dport 7777 -m conntrack --ctstate NEW -j ACCEPT # BASIC,CLOSED,ELABINELAB

# BRIDGE-SPECIFIC RULES