| 627a66 | Steven Anderson | 2024-12-30 11:11:48 | 1 | # iptables |

#### list rules with line numbers

sudo iptables --list --line-numbers

#### delete a rule by number

sudo iptables -D INPUT <number>

Rules are renumbered after every deletion, so list the chain again before deleting another one.

#### add an input rule (example: accept inbound TCP on port 25)

sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT

#### make iptables persistent

sudo apt install iptables-persistent

sudo netfilter-persistent save

#### only allow communication when connected to VPN

An iptables configuration that blocks all communication unless the VPN tunnel is up (a kill switch).
``` bash
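#!/bin/sh
# VPN kill switch: only loopback, the local LANs, the VPN handshake and the
# tunnel interfaces are allowed; every other packet is dropped by policy.
#
# Must run as root. Re-running is safe: each rule is appended only if an
# identical rule is not already present, so the chains do not fill up with
# duplicates.
set -eu

IPT="/sbin/iptables"

# Local networks that stay reachable without the tunnel (space-separated CIDRs).
LAN_NETS="192.168.1.0/24 10.0.1.0/24"

# UDP port the VPN server listens on.
VPN_PORT=1194

# Optional: the VPN server's address or CIDR. When set, the handshake rules
# are limited to that host instead of allowing UDP/$VPN_PORT to any
# destination, which closes the gap where arbitrary traffic to that port
# could bypass the switch. Leave empty to keep the any-destination behaviour.
VPN_SERVER=""

# add_rule CHAIN RULE...: append the rule unless it already exists (-C).
# The -C error for a missing rule is expected, so its stderr is silenced.
add_rule() {
  "$IPT" -C "$@" 2>/dev/null || "$IPT" -A "$@"
}

# Allow loopback device.
add_rule INPUT -i lo -j ACCEPT
add_rule OUTPUT -o lo -j ACCEPT

# Allow all local traffic. LAN_NETS is intentionally unquoted so it splits
# into one CIDR per iteration.
for net in $LAN_NETS; do
  add_rule INPUT -s "$net" -j ACCEPT
  add_rule OUTPUT -d "$net" -j ACCEPT
done

# Allow VPN establishment. Inbound is tied to conntrack state: a bare
# "--sport $VPN_PORT" match would accept any datagram that merely claims
# that source port, so only replies to our own outbound handshake pass.
if [ -n "$VPN_SERVER" ]; then
  add_rule OUTPUT -p udp -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
  add_rule INPUT -p udp -s "$VPN_SERVER" --sport "$VPN_PORT" \
    -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
else
  add_rule OUTPUT -p udp --dport "$VPN_PORT" -j ACCEPT
  add_rule INPUT -p udp --sport "$VPN_PORT" \
    -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
fi

# Accept all TUN connections (tun = VPN tunnel).
add_rule OUTPUT -o tun+ -j ACCEPT
add_rule INPUT -i tun+ -j ACCEPT

# Set default policies to drop all communication unless specifically allowed.
# Done last so connectivity is not cut before the ACCEPT rules are in place.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP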
```

#### ipv4 iptables rules for a VPS
``` iptables
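*filter

# Docker's user chain is referenced at the bottom of this file. iptables-restore
# (unless run with --noflush) flushes the table and removes user-defined chains
# before replaying the file, so the chain must be declared here or the
# DOCKER-USER rules fail to load.
:DOCKER-USER - [0:0]

# No :INPUT/:OUTPUT/:FORWARD policy lines are given, so the built-in chains
# should keep whatever policy is already set; denial is done by the terminal
# REJECT rules below.

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT

# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7

# Reject all other inbound.
-A INPUT -j REJECT

# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7

# Reject all traffic forwarding.
-A FORWARD -j REJECT

# Block docker access: let replies through, then drop anything else that
# arrives on eth0 bound for a container. Nothing arriving on eth0 carries
# 127.0.0.1 as its source, so in practice this drops all external traffic
# to published container ports. Docker presumably jumps to this chain from
# FORWARD ahead of the rules above, which is why the FORWARD REJECT alone
# does not cover container traffic.
-A DOCKER-USER -m state --state ESTABLISHED,RELATED -j ACCEPT
-A DOCKER-USER -i eth0 ! -s 127.0.0.1 -j DROP

COMMIT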
```