diff --git a/docs/usage.rst b/docs/usage.rst --- a/docs/usage.rst +++ b/docs/usage.rst @@ -3,15 +3,12 @@ Usage ===== -Django Conntrackt provides a very simple interface for reading the information -about network connections across projects, as well as for obtaining *iptables* -rules. +Django Conntrackt provides a very simple interface for reading and editing the +information about network connections across projects, as well as for obtaining +*iptables* rules. -The Conntrackt content is currently being added through Django's administration -interface. - -Conntrackt key concepts ------------------------ +Key concepts +------------ There is a couple of key concepts to be aware of throughout the documentation: @@ -23,7 +20,7 @@ Location Location is used to group the related entities within a project. Locations can be abstract, like *primary site*, *secondary site*, or *disaster site*. They can also be more specific, like *Belgrade*, or *Stockholm*. The - layout of locations that you choose is completely up ot you. + layout of locations is completely up to the user of Conntrackt. Entity Entity is an origin or destination of network communication. An entity can @@ -41,114 +38,536 @@ Interface An interface is also used to provide subnet information for entities that represent subnets. - Multiple interfaces can be assigned to an entity as well. + Entity can have more than one interface assigned to it. Communication - Communication is used to specify the planned connections between - entities. This information is useful for keeping track which entity is - talking to which entity (and using which interfaces), allowing easier - tracking of what's happening in the project. + Communication is used to specify possible connections between entities. Each + communication contains information about source interface (of a specific, + source entity), destination interface (of a specific, target entity), + protocol type (TCP, UDP, ICMP), and port number (or, in case of ICMP, + package type). - In addition, this information can be used to generate the iptables rules for - servers to restrict the access. + In addition to describing the various connections that happen between + entities, communication information is also used for generating the + *iptables* rules for servers. + +Users and permissions +--------------------- -Navigating through Conntrackt ------------------------------ +Conntrackt employs standard Django permissions for object creation and +modification. This includes ability to *add*, *change*, and *delete* projects, +locations, entities, interfaces, and communications. -Conntrackt tries to employ a simple and lean web interface for all of its -tasks. Every Conntrackt page has a navigation bar at the top, that lets you -access the most common pages in the application. +In addition to write-related permissions, Conntrackt also comes with a single +read permission that is used to restrict read access to Conntrackt data (**Can +view information**). This permission is required in order to allow the users to +view the projects, locations, entities, interfaces, and communications. This is +the minimal permission necessary that should be granted to all users. -The *Main Page* links will take you to the homepage of Conntrackt. If you want -to add data to conntrackt, click on the *Administration* link, which will take -you to Django's built-in administration interface. +Navigating the pages +-------------------- + +Navigation bar +~~~~~~~~~~~~~~ + +The navigation bar is available on every page. Navigation bar contains at least +the following elements: -If you are not logged-in, you can click on the *Log-in* link that will take you -to the log-in page where you can provide your credentials (username and -password). In case you are already- logged-in, you will instead see your -*username* and *log-out* link. +* **Main Page** link will take you to Conntrackt homepage. +* **Administration** link will take you to Django's built-in administrator + interface, which can be used both for managing the users, and for adding and + modifying content. It is recommended to use Conntrackt's *native* user + interface for adding and modifying content. + +If you are currently logged-in, you will also be presented with the following +two elements: -Homepage -~~~~~~~~ +* **Username**, which links to your profile page (NOT IMPLEMENTED). +* **Log-out** link. -This page provides an overview of projects and entities belonging to the -projects. No information will be shown if there are no projects defined. +If you are not logged-in, you will instead be presented with the following +elements: + +* **Log-in** link, which will take you to the log-in page. + +Main page +~~~~~~~~~ -Each project's information is shown in a small frame on the page, with project -name at the top, and listing of entities belonging to the project under it. +The main page gives a simple listing of the available projects and +locations. -Clickin on the project name will take you to project details page, while -clicking on an entity name will take you to entity details page. +Each row in a project listing includes: -In addition, small clickable icons are show next to the project and -entities. Clicking on the book-like icon next to a project will trigger download -of ZIP archive that contains *iptables* rules for all of the project's entities -in separate files. This is a convenient way to obtain all of the *iptables* for -a project. +* **Project name**, which can be clicked on in order to get to the *project + details page*. +* **Download project iptables link** (small book icon), which can be used for + downloading the iptables rules for an entire project. +* **Edit project link** (small pen icon), which can be used for editing basic + information about a project. +* **Remove project link** (small cross icon), which can be used for removing a + project. -If you click on the icon next to an entity, you will be instead offered to -download *iptables* rules for that specific entity in plain-text format. +Each row in a location listing includes: + +* *Location name*. +* **Edit location link** (small pen icon), which can be used for editing basic + information about a location. +* **Remove location link** (small cross icon), which can be used for removing a + location. Project details page ~~~~~~~~~~~~~~~~~~~~ -The project details page provides an overview of project's locations, with -entities listed under the location to which they belong to. +The project details page provides listing of entities, as well as a diagram +showing the communications between them. The project details page also includes +links and buttons for manipulating the project information (including entities). + +From top to bottom the page includes the following elements: -Each location is contained inside of a small frame, with location name at the -top, and listing of entities in the location below it. +* Project title. +* Description of a project. +* Buttons for project-specific actions. +* Listing of end entities, grouped by locations. +* Communications diagram. -Clicking on an entity name will take you to entity details page. +The project-specific buttons are: + +* **Edit**, which can be used for editing basic information about a project. +* **Remove**, which can be used for removing a project. +* **Add entity**, which can be used for adding new entities to a project. +* **Add communication**, which can be used for adding a new communication to the + project. -In addition, small clickable icons are show next to the location and -entities. Clicking on the book-like icon next to a location will trigger download -of ZIP archive that contains *iptables* rules for all of the location's entities -in separate files. This is a convenient way to obtain all of the *iptables* for -a specific location in a project. +Each location-specific entity listing includes a *download location iptables* +link (small book icon), which can be used for downloading the *iptables* rules +for entities of a project in that particular location. Each entity row in the +listing includes: -If you click on the icon next to an entity, you will be instead offered to -download *iptables* rules for that specific entity in plain-text format. +* **Entity name**, which can be clicked on in order to get to the *entity + details page*. +* **Download entity iptables link** (small list icon), which can be used for + downloading the *iptables* rules for an entity. +* **Edit entity link** (small pen icon), which can be used for editing basic + information about an entity. +* **Remove entity link** (small cross icon), which can be used for removing an + entity. + +A small **add entity** button is available within each location-specific +listing, which can also be used for adding entities to a project. The difference +is that if location-specific button is used, the location of new entity will be +pre-populated (saving some time). + +The communications diagram displays all project entities, grouped by the +location, as well as communications between the entities. Each entity will be +represented by a distinctly-coloured square. The arrows pointing outside of the +entity represent an outgoing communication of an entity. Communications +displayed will also include information about the protocol and port being used. + +The format of the diagram image is *SVG*. Entity details page ~~~~~~~~~~~~~~~~~~~ -This page provides more details about an entity in a project. You will be -presented with the following information on this page: +The entity details page provides listing of entity's general information, +interfaces, incoming and outgoing communications, as well as the *iptables* rules. + +From top to bottom the page includes the following elements: + +* Entity name. +* Entity description. +* Buttons for entity-specific actions. +* General information about the entity. +* Listing of entity's interfaces. +* Listing of entity's incoming communications. +* Listing of entity's outgoing communications. +* *Iptables* rules for the entity. + +The entity-specific buttons are: + +* **Edit**, which can be used for editing basic information about an entity. +* **Remove**, which can be used for removing an entity. +* **Get Iptables**, which can be used for downloading the *iptables* rules for the + entity. + +The general information about an entity includes: + +* **Project** to which the entity belongs. The project name can be clicked on in + order to get to the project details page. +* *Location* where the entity can be found. + +Each row of the interface listing includes: + +* *Interface name*, with IP/netmask as well. +* **Edit interface link** (small pen icon), which can be used for editing basic + information about an interface. +* **Remove interface link** (small pen icon), which can be used for removing an + interface. + +An **add interface** button can be found at the bottom of the interface listing, +which can be used for adding a new interface to the entity. + +Each row of the incoming/outgoing communications listing includes: + +* **Entity and interface name**, which can be clicked on in order to get to the + source/destination entity. +* **Edit communication link** (small pen icon), which can be used for editing + communication information. +* **Remove communication link** (small cross icon), which can be used for removing + a communication. + +The *iptables rules* section displays the full *iptables* rules for an +entity. It also sports a convenient **download** button for getting the *iptables* +rules. + +Managing projects +----------------- + +Adding a project +~~~~~~~~~~~~~~~~ + +New projects can be added from the *main page*. You can navigate to the *main +page* via link in the navigation bar. + +Once at the *main page*, click on the **Add project** button. This will take you +to a page where some basic project information can be provided: + +* *Name* (mandatory). This is the name of the project. Project name must be + unique. +* *Description* (optional). This is the project description. This is a free-form + field, and it can be filled-up by user as needed. + +Once the mandatory fields have been filled-up, click on the **Add** button to add +the project. If no errors have been reported, and project was created +successfully, you will be taken to the *project details page*. + +Removing a project +~~~~~~~~~~~~~~~~~~ + +Project can be removed either via the *main page* or via *project details +page*. + +In order to remove a project via *main page*, navigate to it, and click on the +**remove icon** (small cross) next to the project name in the project listing. + +In order to remove a project via *project details page*, navigate to the *main +page*, click on the project name in order to be taken to the *project details +page*, and then click on the **Remove** button towards the top of the page. + +In both cases you will be prompted to confirm the removal of project. Keep in +mind that removing a project will also remove any entities that are associated +with it, interfaces of those entities, as well as communications involving those +entities. + +Updating a project +~~~~~~~~~~~~~~~~~~ + +Basic project information can be updated either via *main page* or via *project +details page*. -* Entity's project name. -* Entity's location name. -* Informationg about incoming and outgoing communications. -* Inline iptables rules. +In order to update a project via *main page*, navigate to it, and click on the +**edit icon** (small pen) next to the project name in the project listing. + +In order to update a project via *project details page*, navigate to the *main +page*, click on the project name in order to be taken to the *project details +page*, and then click on the **Edit** button towards the top of the page. + +Both actions will take you to the update page for a project where you can edit +the *name* and *description* of an existing project. In order to apply the +changes you made, click on the **Update** button. + +Managing locations +------------------ + +Adding a location +~~~~~~~~~~~~~~~~~ + +New locations can be added from the *main page*. You can navigate to the *main +page* via link in the navigation bar. + +Once at the *main page*, click on the **Add location** button. This will take +you to a page where some basic location information can be provided: + +* *Name* (mandatory). This is the name of the location. Location name must be + unique. +* *Description* (optional). This is the location description. This is a + free-form field, and it can be filled-up by user as needed. + +Once the mandatory fields have been filled-up, click on the **Add** button to +add the location. + +Removing a location +~~~~~~~~~~~~~~~~~~~ + +Location can be removed via the *main page*. + +Navigate to the *main page*, and click on the **remove icon** (small cross) next +to the location name in the location listing. + +You will be prompted to confirm the removal of location. Keep in mind that +removing a location will also remove any entities that are associated with it, +as well as interfaces and communications associated with those entities. + +Updating a location +~~~~~~~~~~~~~~~~~~~ + +Basic location information can be updated via *main page*. -The project name is clickable, and it will take you to project details page. +In order to update a location navigate to *main page*, and click on the **edit +icon** (small pen) next to the location name in the location listing. + +This will take you to the update page for a location where you can edit the +*name* and *description* of an existing location. In order to apply the changes +you made, click on the **Update** button. + +Managing entities +----------------- + +Adding an entity +~~~~~~~~~~~~~~~~ + +New entities can be added to a project via *project details page*. The page can +be reached by going to the *main page*, and then clicking on specific project +name in project list. + +Once at the *project details page*, click on the **Add entity** button, either +on the one towards the top of the page, or location-specific one. This will take +you to a page where some basic entity information can be provided: -The information about incoming communications shows all communications that have -one of this entity's interfaces as destination. The listing will show an IP -address/subnet of the source, protocol used in communication, and port number -(if applicable). +* *Name* (mandatory). This is the name of an entity. Entity name must be unique + in a project. Same name can be used by multiple entities as long as they + belong to separate projects. +* *Description* (optional). This is the entity description. This is a free-form + field, and it can be filled-up by user as needed. +* *Project* (mandatory). This is the project that the entity will belong to. The + project will have a fixed value. +* *Location* (mandatory). This is the location where the entity is located. If + location-specific **Add entity** button was used, this field will have a fixed + value. + +Once the mandatory fields have been filled-up, click on the **Add** button to +add the entity. + +.. tip:: + Using location-specific **Add entity** can be a great time-saver if you need + to add a lot of entities to a single location. Use it sparingly. + +Removing an entity +~~~~~~~~~~~~~~~~~~ + +Entity can be removed either via the *project details page* or via *entity +details page*. + +In order to remove an entity via *project details page*, navigate to it, and +click on the **remove icon** (small cross) next to the entity name. + +In order to remove an entity via *entity details page*, navigate to the *project +details page*, click on the entity name in order to be taken to the *entity +details page*, and then click on the **Remove** button towards the top of the +page. -Similarly, the outgoing communications listing will display communications where -the entity is the source (starting point), and includes information about -destination IP address/subnet, protocol user in communication, and port number -(if applicable). +In both cases you will be prompted to confirm the removal of entity. Keep in +mind that removing an entity will also remove any interfaces that are associated +with it, as well as related communications. + +Updating an entity +~~~~~~~~~~~~~~~~~~ + +Basic entity information can be updated either via *project details page* or via +*entity details page*. + +In order to update an entity via *project details page*, navigate to it, and +click on the **edit icon** (small pen) next to the entity. + +In order to update an entity via *entity details page*, navigate to the *project +details page*, click on the entity name in order to be taken to the *entity +details page*, and then click on the **Edit** button towards the top of the +page. + +Both actions will take you to the update page for an entity where you can edit +the *name*, *description*, *project*, or *location* of an existing entity. In +order to apply the changes you made, click on the **Update** button. + +.. warning:: + Project to which an entity belongs can only be changed if there's no defined + communications involving the entity in its current project. + +Managing interfaces +------------------- + +Adding an interface +~~~~~~~~~~~~~~~~~~~ + +New interface can be added to an entity via *entity details page*. The page can +be reached by going to the *project details page*, and then clicking on specific +entity name in the list. + +Once at the *entity details page*, click on the **Add interface** button. This +will take you to a page where some basic entity information can be provided: -The iptables listing can be obtained either by copy/pasting it from the page, or -by clicking on the *Download* button below it (which will generate a plaintext -file containing the same iptables rules as listed in the *iptables rules* -frame). +* *Name* (mandatory). This is the name of an interface. Interface name must be + unique in an entity. Same name can be used by multiple interfaces as long as + they belong to separate entities. +* *Description* (optional). This is the interface description. This is a + free-form field, and it can be filled-up by user as needed. +* *Entity* (mandatory). This is the entity that the interface will belong + to. The entity will have a fixed value. +* *Address* (mandatory). This is the IP address of an interface. +* *Netmask* (mandatory). This is the netmask associated with the interface IP + address. If the entity address is not a subnet (i.e. it's supposed to be a + single IP address), netmask should be set to `255.255.255.255`. Conntrackt + takes into account the difference between single IP address and subnet, + producing slightly different *iptables* rules based on this (for single IP + addresses, the netmask of *255.255.255.255* is omitted). + +Once the mandatory fields have been filled-up, click on the **Add** button to +add the interface. This will take you back to the *entity details page*. + +Removing an interface +~~~~~~~~~~~~~~~~~~~~~ + +Location can be removed via the *entity details page*. + +Navigate to the *entity details page*, and click on the **remove icon** (small cross) next +to the interface name in the interface listing. + +You will be prompted to confirm the removal of interface. Keep in mind that +removing an interface will also remove any communications associated with that +interface. +Updating an interface +~~~~~~~~~~~~~~~~~~~~~ + +Basic interface information can be updated via *entity details page*. + +In order to update an interface, navigate to *entity details page*, and click on +the **edit icon** (small pen) next to the interface name in the interface +listing. + +This will take you to the update page for an interface where you can edit the +*name*, *description*, *entity*, *address*, and *netmask* of an existing +interface. In order to apply the changes you made, click on the **Update** +button. + +Managing communications +----------------------- + +Adding a communication +~~~~~~~~~~~~~~~~~~~~~~ + +New communications can be added to a project via *project details page* or via +*entity details page*. + +In order to add a communication via *project details page*, navigate to it, and +click on the **Add communication** button. + +In order to add a communication via *entity details page*, navigate to it, and +click on one of the **Add communication** buttons located in incoming/outgoing +communication listings. + +In both cases this will take you to a page where communication information can +be provided: -Managing data -------------- +* *Source* (mandatory). This is the source interface from which the + communication originates. +* *Destination* (mandatory). This is the destination interface at which the + communication terminates. +* *Protocol* (mandatory). This is the protocol used for the communication (*TCP*, + *UDP*, or *ICMP*). +* *Port* (mandatory). This is the port used for communication (in case of + TCP/ICMP), or packet type (in case of ICMP). +* *Description* (optional). This is the communication description. This is a + free-form field, and it can be filled-up by user as needed. The communication + description will be visible in the generated *iptables* rules as well (just + above the rule). + +Once the mandatory fields have been filled-up, click on the **Add** button to +add the communication. + +.. tip:: + Using the **Add communication** buttons from the *entity details page* means + that the form will have pre-selected the source or destination to be the + first interface of the entity at hand. This can be quite useful when adding a + lot of communications that affect a specific entity (for example, database + server). + +Removing a communication +~~~~~~~~~~~~~~~~~~~~~~~~ + +Location can be removed via the *entity details page*. + +Navigate to the *entity details page*, and click on the **remove icon** (small cross) next +to the communcation in the incoming/outgoing communication listing. + +You will be prompted to confirm the removal of communication. + +Updating a communication +~~~~~~~~~~~~~~~~~~~~~~~~ + +Communication can be updated via *entity details page*. + +In order to update a location navigate to *entity details page*, and click on +the **edit icon** (small pen) next to the communication in the incoming/outgoing +communication listing. + +This will take you to the update page for a communication where you can edit the +*source*, *destination*, *protocol*, *port*, and *description* of an existing +communication. In order to apply the changes you made, click on the **Update** +button. + +Generating and downloading *iptables* rules +------------------------------------------- -Data for Conntrackt can be added and modified using Django's built-in -administration GUI. You can easily access the administration GUI from -Conntrackt's pages, by clicking on the *Administration* link in the navigation -bar. +In addition to tracking the communications across a project, one of the main +features of Conntrackt is its ability to generate the *iptables* rules for all +entities in a project based on provided communications data. + +These *iptables* rules can then be easily applied to *GNU/Linux* entities. The +rules are generated with the following restrictions in mind: + +* Default target for *INPUT* chain is *DROP*. +* Default target for *FORWARD* chain is *DROP*. +* Default target for *OUTPUT* chain is *ALLOW*. +* No limits are imposed on the *OUTPUT* chain. +* Rules for the *INPUT* chain are applied using a whitelist. Only explicitly + defined communications in the *iptables* will be used to generate the *ACCEPT* + rules. The matching is performed based on *source*, *protocol*, and + destination *port*. +* The *INPUT* chain will contain the following default rules as well:: + + -A INPUT -i lo -j ACCEPT + -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT + + This will allow all incoming connections from the localhost itself, as well as + any incoming packages of previously-established connections. -From there you can add new projects, locations, interfaces, entities, and -communications. You can also click on links towards them to get a full listing -from where you can modify existing entries. +Rules can be downloaded either induvidually, for a specific entity, or in +bulk. If downloaded in bulk, the *iptables* rules can be downloaded either for +an entire project, or for a specific location of a project. + +The bulk download results in a ZIP archive which contains the *iptables* rules +for each entity in a separate file. + +The *iptables* rules for a specific entity can be downloaded both from a +`Project details page`_ (the **download entity iptables link** that looks like a +small list icon, right next to the entity name), or via `Entity details page`_ +(the **get iptables** button at top, and **download** button just below the +iptables listing). + +Project *iptables* rules can be downloaded either via the *Main page* (**download +project iptables link** that looks like a small book next to the project), or +through the project details page (**download iptables** button at top). + +Project *iptables* rules for a specific location can be downloaded from `Project +details page`_, via the small **download location iptables link** (small book +icon), located right next to the location name. + +Managaing data through django.contrib.admin +------------------------------------------- + +Although the preferred interface for managing data in Conntrackt is through its +own pages, it is possible to make modifications to the data through Django's +built-in administration interface (*django.contrib.admin*). It is possible to +both add new data, as well as modify the existing information. The admin interface for Conntrackt behaves the same as for every Django application, except for some convenience functionality that helps speed-up @@ -157,98 +576,26 @@ adding or modification of some data. The interfaces, entities, and communications pages allow editing most of the data inline, which can speed-up the process quite a bit. In addition, all three pages provide filters that allow you to easily view data specific to a -particular project and/or location. The filters are available on the right -side. +particular project and/or location. The filters are available on the right side. -Although interfaces can be managed separately, you may find it much easier to +While interfaces can be managed separately, you may find it much easier to manage them from within the entity pages. When adding or modifying an entity, you will have some inline forms for specifying entity's interfaces. This is the recommended way to add and modify the interfaces for entities. -Projects -~~~~~~~~ - -For every project you can provide the following information: - -* *Name* of a project. -* *Description* of a project. - -Locations -~~~~~~~~~ - -For every location you can provide the following information: - -* *Name* of a location. -* *Description* of a location. - -Entities -~~~~~~~~ - -For every entity you can provide the following information: - -* *Name* of an entity. -* *Description* of an entity. -* *Project* to which the entity belongs. -* *Location* at which the entity is available. - -In addtion, you can easily add and modify the interfaces of an entity through an -inline form. - -On an entity listing page you can also reassign the entities easily to different -locations and/or projects using the inline fields. - -Managing interfaces data -~~~~~~~~~~~~~~~~~~~~~~~~ - -For every interface you can provide the following information: - -* *Name* of an interface. This should usually by system-specific name, for example *eth0*. -* *Description* of an interface. -* *Entity* to which an interface belongs. -* *Address* of an interface. This is usually an IP address. -* *Netmask* of an interface. When specifying a single specific IP address, this - should be set to 255.255.255.255 (the default). - -When an interface is representing a single IP address, the *address* should be -set to interface's IP address, and *netmask* should be set to -*255.255.255.255*. If specifying the subnet, the *address* and *netmask* will be -used to denote the subnet of format *address*/*netmask*. Conntrackt -distinguishes between these two types of *address* and *netmask* combination, -and produces appropriate iptables rules in both cases. - -In addition to specifying an interface from the dedicated interface pages, a -more convenient way to add them is when adding or modifying the end -entities. Each end entity will have inline forms where you can provide the -information about its interfaces. - -Another useful way to modify the interface information is using the inline -fields on the interface listing page (especially when making changes to a large -number of entities due to subnet changes for the in the project). - -Managing communications data -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -For every communication you can provide the following information: - -* *Source* of communication, which denotes a specific interface (of a specific - entity) **from** which the communication is established. -* *Destination* of communication, which denotes a specific interface (of a - specific entity) **to** which the communication is established. -* *Protocol* used for the communication. Supported protocols currently include - *TCP*, *UDP*, and *ICMP*. -* *Port* used for the communication. In case of *TCP* and *UDP*, this value - denotes the actual port, while in case of *ICMP* protocol, this value will - denote the **ICMP package type** - specified as **numeric** value. +Wherever possible, inline fields are used in order to allow easier updates to +existing information. This is particularly useful in case of communications, and +to lesser effect entities and interfaces. When editing communications you may find it particularly useful to add them through the communications list page by first specifying a filter (by project -and/or location), and then clicking on the *Add communication* link. This way +and/or location), and then clicking on the **Add communication** link. This way the filter will be applied to *source* and *destination* fields. -For example, if you choose project **Test**, and location **Main site**, and then click -on the *Add communication* button, the *source* and *destination* fields will be -limited to entity interfaces that specificaly belong to the **Test** project and -location **Main site**. +For example, if you choose project **Test**, and location **Main site**, and +then click on the **Add communication** button, the *source* and *destination* +fields will be limited to entity interfaces that specificaly belong to the +**Test** project and location **Main site**. You can also easily modify existing communications using the communication listing page. From there you can easily modify source, destination, protocol, @@ -256,25 +603,3 @@ and port. Similarly to adding a new comm will narrow-down the selection for source and destination. It is highly recommended to apply the filter in this way. -Iptables generation -------------------- - -In addition to tracking the communications across a project, one of the main -features of Conntrackt is its ability to generate the *iptables* rules for all -entities in project based on provided communications data. - -These *iptables* rules can then be easily applied to *GNU/Linux* entities. The -rules are generated with the following rules in mind: - -* Default target for *INPUT* chain is *DROP*. -* Default target for *FORWARD* chain is *DROP*. -* Default target for *OUTPUT* chain is *ALLOW*. -* No limits are imposed on the *OUTPUT* chain. -* Rules for the *INPUT* chain are applied using a whitelist basis. Only - explicitly defined communications in the iptables will be used to generate the - *ACCEPT* rules. The matching is performed based on *source*, *protocol*, and - destination *port*. -* The *INPUT* chain will contain the following default rules as well:: - - -A INPUT -i lo -j ACCEPT - -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT