Path: blob/master/contrib/vm/compute_node/root/firewall
447 views
#!/usr/bin/env bash ipset create allowed hash:net ipset add allowed 130.211.113.153 # Permalinks ipset add allowed 91.189.88.0/24 # Canonical Group Limited, archive.ubuntu.com ipset add allowed 185.125.188.0/22 ipset add allowed 128.174.0.0/16 # University of Illinois, Macaulay2 ipset add allowed 160.79.104.10 # api.anthropic.com ipset add allowed 104.18.26.90 # api.deepseek.com.cdn.cloudflare.net ipset add allowed 104.18.27.90 ipset add allowed 162.159.140.245 # api.openai.com ipset add allowed 172.66.0.243 ipset add allowed 104.18.18.80 # api.x.ai ipset add allowed 104.18.19.80 ipset add allowed 217.160.0.231 # codetables.de ipset add allowed 162.255.119.162 # data.astropy.org ipset add allowed 94.136.40.82 # designtheory.org ipset add allowed 141.38.0.0/16 # Deutscher Wetterdienst ipset add allowed 162.125.0.0/16 # Dropbox ipset add allowed 193.144.0.0/14 # ESA - Villafranca Satellite Tracking Station ipset add allowed 88.131.0.0/16 # European Centre for Disease Prevention and Control ipset add allowed 151.101.0.0/16 # Fastly, PyPi.org ipset add allowed 140.82.112.0/20 # GitHub ipset add allowed 185.199.108.0/22 ipset add allowed 64.233.160.0/19 # Google services ipset add allowed 74.125.0.0/16 ipset add allowed 108.177.0.0/17 ipset add allowed 142.250.0.0/15 ipset add allowed 172.217.0.0/16 ipset add allowed 173.194.0.0/16 ipset add allowed 192.178.0.0/15 ipset add allowed 209.85.128.0/17 ipset add allowed 216.58.192.0/19 ipset add allowed 89.107.186.22 # graphclasses.org ipset add allowed 131.142.0.0/16 # Harvard-Smithsonian Center for Astrophysics ipset add allowed 108.128.53.182 # elb.koboroute.org ipset add allowed 52.214.202.32 ipset add allowed 54.77.106.83 ipset add allowed 34.207.37.27 # elb.kobotoolbox.org ipset add allowed 34.232.35.237 ipset add allowed 35.155.106.45 # ljcr.dmgordon.org/mathtrek.eu ipset add allowed 35.166.140.139 ipset add allowed 82.165.72.196 # mathtrek.eu ipset add allowed 129.78.68.121 # magma.maths.usyd.edu.au ipset add allowed 104.18.22.152 # api.mistral.ai ipset add allowed 104.18.23.152 ipset add allowed 129.164.0.0/16 # NASA ipset add allowed 137.78.0.0/16 ipset add allowed 206.188.192.120 # neilsloane.com ipset add allowed 104.239.138.29 # oeis.org ipset add allowed 216.105.38.13 # sourceforge.net ipset add allowed 108.167.142.230 # tssfl.com ipset add allowed 104.244.40.0/21 # Twitter ipset add allowed 130.88.0.0/16 # University of Manchester ipset add allowed 130.79.0.0/16 # Universite de Strasbourg ipset add allowed 137.208.0.0/16 # Vienna University of Economics and Business, CRAN ipset add allowed 208.80.152.0/22 # Wikimedia ipset add allowed 134.147.222.194 # www.findstat.org ipset add allowed 35.244.233.98 # www.kaggle.com ipset add allowed 69.147.64.0/18 # Yahoo ipset add allowed 188.125.95.0/24 iptables --flush # Loopback traffic iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Established connections iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Outbound DHCP request iptables -A OUTPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT # Outbound DNS lookups iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT # Outbound Network Time Protocol (NTP) requests iptables -A OUTPUT -p udp --dport 123 --sport 123 -j ACCEPT # Incoming connections to SageCell server for computations iptables -A INPUT -p tcp --dport 8888 -j ACCEPT # Incoming connections to nginx for static content iptables -A INPUT -p tcp --dport 8889 -j ACCEPT # Outbound HTTP to allowed hosts iptables -A OUTPUT -p tcp -m multiport --dport http,https -m state --state NEW -m set --match-set allowed dst -j ACCEPT # And nothing else iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP