# Generated by Network Security Policy Compiler, version 2.453

# [ BEGIN router:big1 ]
# [ Model = Linux ]
# [ IP = 10.10.1.2 ]
# [ Routing ]
# Static route emitted by the generator. The annotation line names the policy
# objects (network:management, reached through interface:mngt.service_lan);
# the command routes 10.1.11.0/24 to next hop 10.10.1.6.
# presumably 10.1.11.0/24 is network:management -- confirm against the policy source.
# 10.1.11.111, the only source allowed for telnet in chain c3 below, lies in
# this prefix, so replies to that host follow this route.
! route network:management -> interface:mngt.service_lan
ip route add 10.1.11.0/24 via 10.10.1.6
# [ ACL ]
# Input for iptables-restore, filter table. The built-in policies make this a
# default-deny ruleset for traffic addressed to the router (INPUT) and for
# traffic passing through it (FORWARD). Traffic originated by the router
# itself (OUTPUT) is not filtered.
#!/sbin/iptables-restore <<EOF
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
# User-defined chains ("-" means no policy; reaching the end of such a chain
# returns to the calling chain).
# <if>_self chains are entered from INPUT, <if>_in chains from FORWARD.
:eth0_self -
:eth0_in -
:eth1_self -
:eth1_in -
# c1..c6: shared rule groups reached from the per-interface chains, either
# directly or through another c-chain.
:c1 -
:c2 -
:c3 -
:c4 -
:c5 -
:c6 -
# droplog: log-then-drop sink, used as the last rule of INPUT and FORWARD.
:droplog -
# droplog: LOG is non-terminating, so every packet is logged and then dropped.
# There is no --log-prefix and no rate limit (-m limit) on the LOG rule, so each
# dropped packet produces one kernel log line that is hard to tell apart from
# other sources. Whether level "debug" lines are retained depends on the
# syslog configuration.
# NOTE(review): consider a prefix and a rate limit if this router faces
# untrusted traffic, so that log volume stays bounded.
-A droplog -j LOG --log-level debug
-A droplog -j DROP
# c1: accept ICMP echo reply (type 0) and echo request (type 8), any source.
-A c1 -j ACCEPT -p icmp --icmp-type 0
-A c1 -j ACCEPT -p icmp --icmp-type 8
# c2: ICMP addressed to 10.1.1.2 or 10.1.1.1 continues in c1.
# "-g" is a goto, not a jump: if c1 ends without a match, processing does not
# come back here but resumes in the chain that last used "-j" (INPUT, after its
# eth0_self rule), which ends in droplog.
-A c2 -g c1 -d 10.1.1.2 -p icmp
-A c2 -g c1 -d 10.1.1.1 -p icmp
# c3: TCP port 23 (telnet) from the single host 10.1.11.111 to 10.10.1.2 and
# 10.10.1.1. Telnet carries credentials and session data unencrypted.
# NOTE(review): confirm the policy really intends telnet rather than SSH for
# managing this device; the source restriction limits who can connect but does
# not protect the session in transit.
-A c3 -j ACCEPT -s 10.1.11.111 -d 10.10.1.2 -p tcp --dport 23
-A c3 -j ACCEPT -s 10.1.11.111 -d 10.10.1.1 -p tcp --dport 23
# c4: same two rules as c1 (echo reply and echo request from any source).
-A c4 -j ACCEPT -p icmp --icmp-type 0
-A c4 -j ACCEPT -p icmp --icmp-type 8
# c5: all ICMP is first passed to c4 with "-j", so unmatched packets return here.
-A c5 -j c4 -p icmp
# NOTE(review): c4 already accepts echo request from any source, so this
# source-restricted rule cannot match anything that c4 has not already accepted.
# If the intent was to limit echo requests to 10.1.11.111, the policy that
# produced c4 is broader than that.
-A c5 -j ACCEPT -s 10.1.11.111 -p icmp --icmp-type 8
# c6: packets addressed to 10.10.1.2 or 10.10.1.1 continue in c5 (goto, no return here).
-A c6 -g c5 -d 10.10.1.2
-A c6 -g c5 -d 10.10.1.1

# interface:big1.big_customer.virtual
# Traffic addressed to the router itself that arrives on eth0.
# IP protocol 112 is VRRP and 224.0.0.18 is the VRRP multicast group, so this
# accepts VRRP advertisements from any host in 10.1.1.0/24.
# NOTE(review): if only the redundancy peer should send advertisements,
# the source could be narrowed to that peer -- confirm against the policy.
-A eth0_self -j ACCEPT -s 10.1.1.0/24 -d 224.0.0.18 -p 112
# ICMP to 10.1.1.0/30 is handed to c2 with a goto. c2 only matches 10.1.1.1 and
# 10.1.1.2; anything else in the /30 falls back to INPUT and ends in droplog.
-A eth0_self -g c2 -d 10.1.1.0/30 -p icmp

# interface:big1.service_lan.virtual
# Traffic addressed to the router itself that arrives on eth1.
# IP protocol 112 is VRRP and 224.0.0.18 is the VRRP multicast group, so this
# accepts VRRP advertisements from any host in 10.10.1.0/24.
-A eth1_self -j ACCEPT -s 10.10.1.0/24 -d 224.0.0.18 -p 112
# TCP to 10.10.1.0/30 goes to c3 (telnet from 10.1.11.111 only) and ICMP to the
# same range goes to c6. Both use goto, so a packet that matches nothing in the
# target chain falls back to INPUT and ends in droplog.
-A eth1_self -g c3 -d 10.10.1.0/30 -p tcp
-A eth1_self -g c6 -d 10.10.1.0/30 -p icmp

# INPUT: packets belonging to, or related to, an already tracked connection are
# accepted first, so the per-interface chains only see new flows. RELATED also
# admits ICMP errors and any flows created by loaded connection-tracking helpers.
# The "state" match is the older spelling; current iptables documents
# "-m conntrack --ctstate" for the same purpose.
-A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
# Dispatch by ingress interface. A packet arriving on any other interface
# matches neither rule and goes straight to droplog.
-A INPUT -j eth0_self -i eth0 
-A INPUT -j eth1_self -i eth1 
-A INPUT -j droplog
# FORWARD: same pattern. eth0_in and eth1_in are declared above but have no
# rules in this listing, so every new forwarded flow returns here and is
# logged and dropped; only ESTABLISHED,RELATED traffic is forwarded.
-A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
-A FORWARD -j eth0_in -i eth0
-A FORWARD -j eth1_in -i eth1
-A FORWARD -j droplog
COMMIT
EOF
# [ END router:big1 ]

