-
Notifications
You must be signed in to change notification settings - Fork 1
/
iptables
101 lines (83 loc) · 3.33 KB
/
iptables
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# Author: Michael Bitokhov
# License: The Unlicense
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ALLOWED_PORTS_IN - [0:0]
:ALLOWED_PORTS_OUT - [0:0]
:ALLOWED_IPS_IN - [0:0]
:ALLOWED_IPS_OUT - [0:0]
# Allow established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow the allowed ports (See below for more details)
-A INPUT -j ALLOWED_PORTS_IN
-A OUTPUT -j ALLOWED_PORTS_OUT
# Allow the allowed ips (See below for more details)
-A INPUT -j ALLOWED_IPS_IN
-A OUTPUT -j ALLOWED_IPS_OUT
# Allow Loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow ICMP protocol (IE: ping)
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# Allow NTP traffic outwards
-A OUTPUT -p udp -m udp --sport ntp --dport ntp -j ACCEPT
# DNS queries
-A OUTPUT -p udp -m udp --dport domain -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport domain -j ACCEPT
# Log all attempts to access other ports
-A INPUT -m limit --limit 30/min -j LOG --log-prefix="[IPTABLES IN]"
-A OUTPUT -m limit --limit 30/min -j LOG --log-prefix="[IPTABLES OUT]"
# HTTP/HTTPS traffic
-A ALLOWED_PORTS_IN -p tcp -m tcp --dport http -j ACCEPT
-A ALLOWED_PORTS_IN -p tcp -m tcp --dport https -j ACCEPT
-A ALLOWED_PORTS_OUT -p tcp -m tcp --sport http -j ACCEPT
-A ALLOWED_PORTS_OUT -p tcp -m tcp --sport https -j ACCEPT
## Mail imap/imaps
#-A ALLOWED_PORTS_IN -p tcp -m tcp --dport imap -j ACCEPT
#-A ALLOWED_PORTS_IN -p tcp -m tcp --dport imaps -j ACCEPT
#-A ALLOWED_PORTS_OUT -p tcp -m tcp --sport imap -j ACCEPT
#-A ALLOWED_PORTS_OUT -p tcp -m tcp --sport imaps -j ACCEPT
#
## Mail pop3/pop3s
#-A ALLOWED_PORTS_IN -p tcp -m tcp --dport pop3 -j ACCEPT
#-A ALLOWED_PORTS_IN -p tcp -m tcp --dport pop3s -j ACCEPT
#-A ALLOWED_PORTS_OUT -p tcp -m tcp --sport pop3 -j ACCEPT
#-A ALLOWED_PORTS_OUT -p tcp -m tcp --sport pop3s -j ACCEPT
#
## Mail smtp/smtps
#-A ALLOWED_PORTS_IN -p tcp -m tcp --dport smtp -j ACCEPT
#-A ALLOWED_PORTS_IN -p tcp -m tcp --dport smtps -j ACCEPT
#-A ALLOWED_PORTS_OUT -p tcp -m tcp --sport smtp -j ACCEPT
#-A ALLOWED_PORTS_OUT -p tcp -m tcp --sport smtps -j ACCEPT
## ftp/ftps
#-A ALLOWED_PORTS_IN -p tcp -m tcp --dport ftp -j ACCEPT
#-A ALLOWED_PORTS_IN -p tcp -m tcp --dport ftps -j ACCEPT
#-A ALLOWED_PORTS_OUT -p tcp -m tcp --sport ftp -j ACCEPT
#-A ALLOWED_PORTS_OUT -p tcp -m tcp --sport ftps -j ACCEPT
## ftp-data/ftps-data
#-A ALLOWED_PORTS_IN -p tcp -m tcp --dport ftp-data -j ACCEPT
#-A ALLOWED_PORTS_IN -p tcp -m tcp --dport ftps-data -j ACCEPT
#-A ALLOWED_PORTS_OUT -p tcp -m tcp --sport ftp-data -j ACCEPT
#-A ALLOWED_PORTS_OUT -p tcp -m tcp --sport ftps-data -j ACCEPT
# SSH
# Remove this if you use a static IP
# This is dangerous to keep open, so you might want to download fail2ban
# if you're like me and don't have a static ip
-A ALLOWED_PORTS_IN -p tcp -m tcp --dport ssh -j ACCEPT
-A ALLOWED_PORTS_OUT -p tcp -m tcp --sport ssh -j ACCEPT
## Place your static ips here
#-A ALLOWED_IPS_IN -s x.x.x.x -j ACCEPT
#-A ALLOWED_IPS_OUT -s x.x.x.x -j ACCEPT
# Internal network
# disable if you don't really have a use case
-A ALLOWED_IPS_IN -s 192.168.0.0/16 -j ACCEPT
-A ALLOWED_IPS_IN -s 172.16.0.0/12 -j ACCEPT
-A ALLOWED_IPS_IN -s 10.0.0.0/8 -j ACCEPT
-A ALLOWED_IPS_OUT -s 192.168.0.0/16 -j ACCEPT
-A ALLOWED_IPS_OUT -s 172.16.0.0/12 -j ACCEPT
-A ALLOWED_IPS_OUT -s 10.0.0.0/8 -j ACCEPT
COMMIT