ipscriptables 0.0.1

data/lib/ipscriptables/ruleset/class_methods.rb

@@ -0,0 +1,67 @@
+# -*- coding: utf-8 -*-
+
+module IPScriptables
+  class Ruleset
+    include Helpers
+
+    class << self
+      def from_file(path, opts = {})
+        f = File.open(path)
+        from_io(f, opts)
+      ensure
+        f.close if f
+      end
+
+      def from_io(io, opts = {}) # rubocop:disable CyclomaticComplexity, MethodLength, LineLength
+        rs = new(opts.merge(skip_builtin_chains: true))
+        table = nil
+        io.each_line do |ln|
+          ln.strip!
+          case ln
+          when /^#/
+            # comment, skip it
+          when /^\*(.*)/
+            fail RuntimeError unless table.nil?
+            table = rs.table($1)
+          when /^:(\w+) (\w+|-) \[(\d+):(\d+)\]$/
+            table.chain $1, $2, [$3.to_i, $4.to_i]
+          when /^(\[(\d+):(\d+)\] )?-A (\w+) (.*)/
+            ch = table[$4]
+            rule = $5
+            counters = [$2.to_i, $3.to_i] if $1
+            ch.rule(Rule.new(ch, rule, counters))
+          when /^COMMIT$/
+            fail 'COMMIT without table' if table.nil?
+            table = nil
+          else
+            fail "Cannot parse iptables-save line: #{ln}"
+          end
+        end
+        rs
+      end
+      alias_method :from_s, :from_io # string also has `#each_line` method
+
+      def from_command(*args)
+        opts = args.last.is_a?(Hash) ? args.pop : {}
+        from_s(Helpers.run_command(*args), opts.merge(command: args))
+      end
+
+      def from_system(opts = {})
+        opts[:family] ||= :inet
+        case opts[:family]
+        when :inet  then from_command 'iptables-save',  '-c', opts
+        when :inet6 then from_command 'ip6tables-save', '-c', opts
+        else fail NotImplementedError, "Unknonwn family #{opts[:family]}"
+        end
+      end
+
+      def from_iptables(opts = {})
+        from_system(opts.merge(family: :inet))
+      end
+
+      def from_ip6tables(opts = {})
+        from_system(opts.merge(family: :inet6))
+      end
+    end
+  end
+end

data/lib/ipscriptables/runtime.rb

@@ -0,0 +1,97 @@
+# -*- coding: utf-8 -*-
+# rubocop:disable BlockNesting
+
+require 'English'
+require 'logger'
+
+module IPScriptables
+  class Runtime
+    DEFAULT_OPTS = { counters: true }
+    attr_reader :log, :opts
+
+    def initialize(opts = {}, logger = nil)
+      @opts = DEFAULT_OPTS.merge(opts)
+      @log = logger || Logger.new($stderr)
+      @evaluating = 0
+      @rulesets = {}
+    end
+
+    def ruleset(family)
+      family = family.to_sym
+      @rulesets[family] ||=
+        IPScriptables::Ruleset.from_system(family: family).bud(opts)
+    end
+
+    def family(*families, &block)
+      families.each do |family|
+        begin
+          @evaluating += 1
+          ruleset(family).dsl_eval(&block)
+        ensure
+          @evaluating -= 1
+        end
+      end
+    end
+
+    def iptables(&block)
+      family(:inet, &block)
+    end
+
+    def ip6tables(&block)
+      family(:inet6, &block)
+    end
+
+    def load_file(path)
+      @evaluating += 1
+      log.info "Loading configuration from #{path}"
+      instance_eval(File.read(path), path)
+    ensure
+      @evaluating -= 1
+    end
+
+    def dsl_eval(&block)
+      @evaluating += 1
+      instance_eval(&block)
+    ensure
+      @evaluating -= 1
+    end
+
+    def execute!  # rubocop:disable CyclomaticComplexity, MethodLength
+      if @evaluating != 0
+        fail "I can't let you do that (DSL eval depth #{@evaluating})"
+      end
+
+      ok = true
+      @rulesets.sort.each do |family, ruleset|
+        if !opts.fetch(family, true)
+          log.info "Skipping #{family} as requested"
+        else
+          diff = ruleset.diff
+          if diff.to_s.empty?
+            log.info "No changes for #{family}, moving along."
+          else
+            log.info "Changes found for #{family}"
+            format = opts.fetch(:color, $stdout.tty?) ? :color : :text
+            puts diff.to_s(format) unless opts[:quiet]
+            if opts[:apply]
+              log.info "Restoring #{family}"
+              begin
+                ruleset.restore!
+              rescue => e
+                log.error "Failure restoring #{family}: #{e}"
+                ok = false
+                return ok if opts[:fail_fast]
+              end
+            else
+              log.info "Would restore #{family}"
+            end
+          end
+        end
+      end
+
+      log.warn 'There were errors' unless ok
+
+      ok
+    end
+  end
+end

data/lib/ipscriptables/table.rb

@@ -0,0 +1,77 @@
+# -*- coding: utf-8 -*-
+
+module IPScriptables
+  class Table
+    extend Forwardable
+    def_delegators :@chains, :[]=, :[], :keys
+    def_delegators :to_ary, :each, :empty?
+    def_delegators :ruleset, :opts
+    include Enumerable
+
+    attr_reader :name, :ruleset
+    def initialize(name, ruleset, &block)
+      @name = name.to_sym
+      @chains = Hashie::Mash.new
+      @ruleset = ruleset
+
+      create_builtin_chains unless ruleset.opts[:skip_builtin_chains]
+
+      Docile.dsl_eval(self, &block) if block_given?
+    end
+
+    def original
+      ruleset.original[name] if ruleset.original
+    end
+
+    BUILTIN_CHAINS = {
+      filter:   [:INPUT, :FORWARD, :OUTPUT],
+      nat:      [:PREROUTING, :INPUT, :OUTPUT, :POSTROUTING],
+      mangle:   [:PREROUTING, :INPUT, :OUTPUT, :FORWARD, :POSTROUTING],
+      raw:      [:PREROUTING, :OUTPUT],
+      security: [:INPUT, :OUTPUT, :FORWARD]
+    }
+
+    def create_builtin_chains
+      if BUILTIN_CHAINS.key? @name
+        BUILTIN_CHAINS[@name].each do |builtin|
+          chain builtin, :ACCEPT
+        end
+      else
+        warn "Unrecognized table #{@name}, not creating builtin chains"
+      end
+    end
+
+    def inherit(*names, &block) # rubocop:disable MethodLength
+      fail 'Need original to inherit' unless ruleset.original
+      original_table = ruleset.original[name]
+      names = original_table.keys if names.empty?
+      names.each do |name|
+        original_chain = original_table[name]
+        original_rules = original_chain.rules
+        original_rules = original_rules.select(&block) if block_given?
+        chain name, original_chain.policy, original_chain.counters do
+          rules.concat(original_rules)
+        end
+      end
+    end
+
+    def to_ary
+      @chains.values
+    end
+
+    def chain(name, *args, &block)
+      if @chains.key?(name)
+        @chains[name].alter(*args, &block)
+      else
+        @chains[name] = Chain.new(name, self, *args, &block)
+      end
+    end
+
+    def render
+      ["*#{name}",
+       map(&:render_header).join("\n"),
+       map(&:render_rules).compact.join("\n"),
+       'COMMIT'].reject { |piece| piece == '' }.join("\n")
+    end
+  end
+end

data/lib/ipscriptables/version.rb

@@ -0,0 +1,5 @@
+# -*- coding: utf-8 -*-
+
+module IPScriptables
+  VERSION = '0.0.1'
+end

data/spec/fixtures/clyhq.txt

@@ -0,0 +1,40 @@
+# Generated by iptables-save v1.4.12 on Tue Feb 18 15:14:18 2014
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [5012201:449061115]
+-A INPUT -p tcp -m tcp --dport 17443 -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i docker+ -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -s 172.17.1.8/32 -d 172.17.1.86/32 -i docker0 -o docker0 -p tcp -m tcp --sport 6379 -j ACCEPT
+-A FORWARD -s 172.17.1.86/32 -d 172.17.1.8/32 -i docker0 -o docker0 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FORWARD -s 172.17.1.8/32 -d 172.17.1.85/32 -i docker0 -o docker0 -p tcp -m tcp --sport 6379 -j ACCEPT
+-A FORWARD -s 172.17.1.85/32 -d 172.17.1.8/32 -i docker0 -o docker0 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FORWARD -i docker0 -o docker0 -j ACCEPT
+-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+COMMIT
+# Completed on Tue Feb 18 15:14:18 2014
+# Generated by iptables-save v1.4.12 on Tue Feb 18 15:14:18 2014
+*nat
+:PREROUTING ACCEPT [1039:60550]
+:INPUT ACCEPT [929:53219]
+:OUTPUT ACCEPT [814:53755]
+:POSTROUTING ACCEPT [822:54235]
+:DOCKER - [0:0]
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
+-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
+-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 8511 -j DNAT --to-destination 172.17.1.6:8080
+-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 8510 -j DNAT --to-destination 172.17.1.7:8080
+-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 8501 -j DNAT --to-destination 172.17.1.84:8080
+-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 8500 -j DNAT --to-destination 172.17.1.85:8080
+COMMIT
+# Completed on Tue Feb 18 15:14:18 2014

data/spec/fixtures/docker-plus.txt

@@ -0,0 +1,31 @@
+# Generated by iptables-save v1.4.12 on Wed Feb 19 13:37:35 2014
+*filter
+:INPUT ACCEPT [211:14626]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [122:11280]
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i docker0 -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
+-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-port-unreachable
+-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+-A FORWARD -i docker0 -o docker0 -j ACCEPT
+COMMIT
+# Completed on Wed Feb 19 13:37:35 2014
+# Generated by iptables-save v1.4.12 on Wed Feb 19 13:37:35 2014
+*nat
+:PREROUTING ACCEPT [5:1208]
+:INPUT ACCEPT [5:1208]
+:OUTPUT ACCEPT [42:3215]
+:POSTROUTING ACCEPT [42:3215]
+:DOCKER - [0:0]
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
+-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
+COMMIT
+# Completed on Wed Feb 19 13:37:35 2014

data/spec/fixtures/drumknott.txt

@@ -0,0 +1,67 @@
+# Generated by iptables-save v1.4.12 on Tue Feb 18 13:47:34 2014
+*mangle
+:PREROUTING ACCEPT [9070264:2761485141]
+:INPUT ACCEPT [5794:541194]
+:FORWARD ACCEPT [9064470:2760943947]
+:OUTPUT ACCEPT [4447:1027385]
+:POSTROUTING ACCEPT [9068917:2761971332]
+COMMIT
+# Completed on Tue Feb 18 13:47:34 2014
+# Generated by iptables-save v1.4.12 on Tue Feb 18 13:47:34 2014
+*nat
+:PREROUTING ACCEPT [936831:58138468]
+:INPUT ACCEPT [383149:28442596]
+:OUTPUT ACCEPT [188115:19311882]
+:POSTROUTING ACCEPT [88176135:5298607741]
+:DOCKER - [0:0]
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
+-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
+-A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
+-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
+-A DOCKER ! -i docker0 -p tcp -m tcp --dport 6379 -j DNAT --to-destination 172.17.0.2:6379
+COMMIT
+# Completed on Tue Feb 18 13:47:34 2014
+# Generated by iptables-save v1.4.12 on Tue Feb 18 13:47:34 2014
+*filter
+:INPUT ACCEPT [419:18560]
+:FORWARD ACCEPT [5802508472:1613710597740]
+:OUTPUT ACCEPT [2072879:485657573]
+:FWR - [0:0]
+-A INPUT -j FWR
+-A FWR -i lo -j ACCEPT
+-A FWR -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FWR -p icmp -j ACCEPT
+-A FWR -i docker+ -j ACCEPT
+-A FWR -s 1.1.1.1/32 -p tcp -m tcp --dport 9102 -j ACCEPT
+-A FWR -s 1.1.1.1/32 -p tcp -m tcp -m multiport --dports 4949,5666 -j ACCEPT
+-A FWR -s 10.0.3.55/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.2/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.3/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.12/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.13/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.4/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.15/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.16/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.5/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.6/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.7/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.8/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.9/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.10/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.11/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.14/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.15/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.15/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.17/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.18/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.19/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.20/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 1.1.2.21/32 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -s 10.0.3.0/24 -p tcp -m tcp --dport 6379 -j ACCEPT
+-A FWR -p tcp -m tcp --dport 22 -j ACCEPT
+-A FWR -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
+-A FWR -p udp -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+# Completed on Tue Feb 18 13:47:34 2014

data/spec/fixtures/falcor.txt

@@ -0,0 +1,39 @@
+# Generated by iptables-save v1.4.12 on Tue Feb 18 15:24:18 2014
+*nat
+:PREROUTING ACCEPT [110285:6967475]
+:INPUT ACCEPT [61845:3770509]
+:OUTPUT ACCEPT [138431:9598104]
+:POSTROUTING ACCEPT [137629:9513158]
+:DOCKER - [0:0]
+-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+-A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
+-A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
+-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.17.0.60:5000
+COMMIT
+# Completed on Tue Feb 18 15:24:18 2014
+# Generated by iptables-save v1.4.12 on Tue Feb 18 15:24:18 2014
+*filter
+:INPUT ACCEPT [333:14408]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [182095162:19602137698]
+:FWR - [0:0]
+:LXC - [0:0]
+-A INPUT -i lxcbr0 -j LXC
+-A INPUT -j FWR
+-A FORWARD -i docker0 -o docker0 -j ACCEPT
+-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
+-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FWR -i lo -j ACCEPT
+-A FWR -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A FWR -p icmp -j ACCEPT
+-A FWR -i docker+ -j ACCEPT
+-A FWR -p tcp -m tcp --dport 22 -j ACCEPT
+-A FWR -p tcp -m tcp --dport 80 -j ACCEPT
+-A FWR -p tcp -m tcp --dport 443 -j ACCEPT
+-A FWR -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
+-A FWR -p udp -j REJECT --reject-with icmp-port-unreachable
+-A LXC -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
+-A LXC -j RETURN
+COMMIT
+# Completed on Tue Feb 18 15:24:18 2014

data/spec/fixtures/ghq.txt

@@ -0,0 +1,102 @@
+# Generated by iptables-save v1.4.12 on Wed Feb 19 19:28:22 2014
+*nat
+:PREROUTING ACCEPT [732601:44001989]
+:INPUT ACCEPT [376018:22538408]
+:OUTPUT ACCEPT [3131507:229597576]
+:POSTROUTING ACCEPT [20476198:1943580383]
+:DOCKER - [0:0]
+[17617331:1738357444] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
+[138372:9654576] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
+[0:0] -A POSTROUTING -s 10.0.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
+[12:912] -A POSTROUTING -s 172.17.0.0/16 ! -d 172.17.0.0/16 -j MASQUERADE
+[2:120] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 2003 -j DNAT --to-destination 172.17.0.4:2003
+[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 2004 -j DNAT --to-destination 172.17.0.4:2004
+[0:0] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 49153 -j DNAT --to-destination 172.17.0.8:9000
+[95:5580] -A DOCKER ! -i docker0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.17.0.5:5000
+[0:0] -A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 49154 -j DNAT --to-destination 172.17.0.9:8080
+[17011603:1693997647] -A DOCKER ! -i docker0 -p udp -m udp --dport 8125 -j DNAT --to-destination 172.17.0.10:8125
+[0:0] -A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 49155 -j DNAT --to-destination 172.17.0.10:8126
+COMMIT
+# Completed on Wed Feb 19 19:28:22 2014
+# Generated by iptables-save v1.4.12 on Wed Feb 19 19:28:22 2014
+*filter
+:INPUT ACCEPT [1602:65593]
+:FORWARD ACCEPT [79892700:14079015733]
+:OUTPUT ACCEPT [173177551:46244981637]
+:FWR - [0:0]
+[162824485:36484450187] -A INPUT -j FWR
+[104747465:21902005069] -A FWR -i lo -j ACCEPT
+[57784384:14565443254] -A FWR -m state --state RELATED,ESTABLISHED -j ACCEPT
+[1137:85820] -A FWR -p icmp -j ACCEPT
+[141056:8463360] -A FWR -i docker+ -j ACCEPT
+[0:0] -A FWR -s 1.1.1.13/32 -p tcp -m tcp --dport 9101 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.20/32 -p tcp -m tcp --dport 9102 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.19/32 -p tcp -m tcp --dport 9103 -j ACCEPT
+[14230:850872] -A FWR -p tcp -m tcp --dport 80 -j ACCEPT
+[107014:5849940] -A FWR -p tcp -m tcp --dport 443 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.20/32 -p tcp -m tcp -m multiport --dports 4949,5666 -j ACCEPT
+[0:0] -A FWR -s 10.0.3.0/24 -p tcp -m tcp --dport 6379 -j ACCEPT
+[11024:635312] -A FWR -p tcp -m tcp --dport 22 -j ACCEPT
+[4:240] -A FWR -s 1.1.1.22/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.22/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.27/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.27/32 -p udp -m udp --dport 8125 -j ACCEPT
+[3:180] -A FWR -s 1.1.1.21/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.21/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.18/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.18/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.10/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.10/32 -p udp -m udp --dport 8125 -j ACCEPT
+[2:120] -A FWR -s 1.1.1.9/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.9/32 -p udp -m udp --dport 8125 -j ACCEPT
+[13:780] -A FWR -s 1.1.1.7/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.7/32 -p udp -m udp --dport 8125 -j ACCEPT
+[1:60] -A FWR -s 1.1.1.4/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.4/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.25/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.25/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.16/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.16/32 -p udp -m udp --dport 8125 -j ACCEPT
+[1:60] -A FWR -s 1.1.1.3/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.3/32 -p udp -m udp --dport 8125 -j ACCEPT
+[1:60] -A FWR -s 1.1.1.13/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.13/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.6/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.6/32 -p udp -m udp --dport 8125 -j ACCEPT
+[1:60] -A FWR -s 1.1.1.23/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.23/32 -p udp -m udp --dport 8125 -j ACCEPT
+[10:600] -A FWR -s 1.1.1.8/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.8/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.20/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.20/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.2/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.2/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.12/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.12/32 -p udp -m udp --dport 8125 -j ACCEPT
+[10:600] -A FWR -s 1.1.1.28/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.28/32 -p udp -m udp --dport 8125 -j ACCEPT
+[2:120] -A FWR -s 1.1.1.14/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.14/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 10.0.3.115/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 10.0.3.115/32 -p udp -m udp --dport 8125 -j ACCEPT
+[13:780] -A FWR -s 1.1.1.17/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.17/32 -p udp -m udp --dport 8125 -j ACCEPT
+[1:60] -A FWR -s 1.1.1.5/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.5/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.26/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.26/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.24/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.24/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 10.0.3.55/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 10.0.3.55/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.11/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.11/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.15/32 -p tcp -m tcp --dport 4514 -j ACCEPT
+[0:0] -A FWR -s 1.1.1.15/32 -p udp -m udp --dport 8125 -j ACCEPT
+[0:0] -A FWR -p tcp -m tcp --dport 22 -j ACCEPT
+[0:0] -A FWR -p tcp -m tcp --dport 443 -j ACCEPT
+[0:0] -A FWR -p tcp -m tcp --dport 80 -j ACCEPT
+[15158:889352] -A FWR -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
+[1353:157895] -A FWR -p udp -j REJECT --reject-with icmp-port-unreachable
+COMMIT
+# Completed on Wed Feb 19 19:28:22 2014