iptables
list rules with line numbers
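# Show the filter table with rule positions (the numbers -D / -I operate on).
# -n: print addresses and ports numerically, avoiding reverse-DNS lookups
#     that can stall the listing on a locked-down host.
# -v: add the in/out interface and counter columns; without it a rule such
#     as "-i lo -j ACCEPT" is displayed exactly like an unrestricted ACCEPT.
# Only the filter table is listed; other tables need -t, e.g. "-t nat".
sudo iptables -L -n -v --line-numbers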
delete a rule with number
# <number> is the position printed by --line-numbers. Positions shift after
# every deletion, so when removing several rules delete from the highest
# number downwards, or re-list between deletions.
sudo iptables -D INPUT <number>
add an input rule
# Accept inbound TCP on port 25 (SMTP). --append puts the rule at the END of
# INPUT; if the chain already ends in a catch-all REJECT/DROP the new rule is
# shadowed and never matches — use "--insert INPUT <pos>" to place it before
# the catch-all instead.
sudo iptables --append INPUT --protocol tcp --dport 25 --jump ACCEPT
make iptables persistent
# Debian/Ubuntu package that restores saved rules at boot; the installer
# offers to save whatever rule set is loaded at that moment.
sudo apt install iptables-persistent
# Writes the live rule set to /etc/iptables/rules.v4 (and rules.v6). Exactly
# what is loaded now is what comes back after a reboot, so confirm remote
# access (e.g. SSH) still works before saving a restrictive set.
sudo netfilter-persistent save
only allow communication when connected to VPN
iptables rules that drop all traffic except loopback, the local subnets, the VPN handshake and anything carried by the VPN tunnel — a simple kill switch so nothing leaks outside the VPN.
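#!/bin/sh
# VPN kill switch: allow only loopback, the local LANs, the VPN handshake and
# traffic carried by the VPN tunnel (tun*); everything else is dropped.
#
# Environment (all optional; the defaults reproduce the original rule set):
#   IPT         path to the iptables binary
#   LAN_NETS    space-separated list of local subnets allowed in both directions
#   VPN_PORT    UDP port used to reach the VPN server
#   VPN_SERVER  VPN server address (use an IP, see the DNS note below); when
#               set, the handshake rules are limited to that host instead of
#               "any host on VPN_PORT"
#
# Must run as root. Rules are appended (-A) to whatever is already loaded, so
# run it once on clean chains (or flush first) to avoid duplicate rules.
# Exits at the first failing rule, so the DROP policies at the end are only
# set once the whole allow list is in place.
set -eu

IPT="${IPT:-/sbin/iptables}"
LAN_NETS="${LAN_NETS:-192.168.1.0/24 10.0.1.0/24}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_SERVER="${VPN_SERVER:-}"

if [ "$(id -u)" -ne 0 ]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# Allow loopback device
"$IPT" -A INPUT -i lo -j ACCEPT
"$IPT" -A OUTPUT -o lo -j ACCEPT

# Allow all local traffic (word-splitting of LAN_NETS is intentional).
# shellcheck disable=SC2086
for net in $LAN_NETS; do
  "$IPT" -A INPUT -s "$net" -j ACCEPT
  "$IPT" -A OUTPUT -d "$net" -j ACCEPT
done

# Allow VPN establishment. Without VPN_SERVER this opens UDP/$VPN_PORT to any
# host, which is a possible leak path; set VPN_SERVER to close it.
# DNS note: once OUTPUT defaults to DROP, name resolution only works towards
# the LAN or through the tunnel, so the VPN client must be configured with
# the server's IP address or a resolver on one of the LAN subnets.
if [ -n "$VPN_SERVER" ]; then
  "$IPT" -A OUTPUT -p udp -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
  "$IPT" -A INPUT -p udp -s "$VPN_SERVER" --sport "$VPN_PORT" -j ACCEPT
else
  "$IPT" -A OUTPUT -p udp --dport "$VPN_PORT" -j ACCEPT
  "$IPT" -A INPUT -p udp --sport "$VPN_PORT" -j ACCEPT
fi

# Accept all TUN connections (tun = VPN tunnel)
"$IPT" -A OUTPUT -o tun+ -j ACCEPT
"$IPT" -A INPUT -i tun+ -j ACCEPT

# Set default policies last: drop all communication unless specifically
# allowed above.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT DROP
"$IPT" -P FORWARD DROP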
IPv4 iptables rules for a VPS, in iptables-restore format
*filter
# Load with: iptables-restore < file (by default the whole filter table is
# flushed first, including user-defined chains, then these rules applied).
# IPv4 only: an equivalent ip6tables rule set is needed, otherwise every
# service is still reachable over IPv6.
# No ":CHAIN POLICY" lines are given, so the built-in policies are left as
# they are; the catch-all REJECT rules below are what closes INPUT/FORWARD.
# "-m state" is the legacy alias of "-m conntrack --ctstate".

# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT

# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT

# Allow SSH connections.
# Open to any source; consider restricting with -s to known admin ranges,
# or at least a rate limit, since this is the main brute-force target.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log what was incoming but denied (optional but useful).
#-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7

# Reject all other inbound.
-A INPUT -j REJECT

# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7

# Reject all traffic forwarding.
-A FORWARD -j REJECT

# Block docker access
# NOTE(review): DOCKER-USER is created by the Docker daemon and is not
# declared here (no ":DOCKER-USER - [0:0]" line). If the chain does not
# exist at restore time — e.g. Docker not started yet, or its chains were
# just flushed by this restore — the two rules below fail; confirm on the
# target host and restart Docker after restoring so it recreates its chains.
# "eth0" is host-specific; check the actual public interface name.
-A DOCKER-USER -m state --state ESTABLISHED,RELATED -j ACCEPT
-A DOCKER-USER -i eth0 ! -s 127.0.0.1 -j DROP
COMMIT