Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
iptables rules for coreOS on DigitalOcea
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:Leet-Firewall-1 - [0:0]
# Allow access to Ghost instances over private network
-A INPUT -i eth1 -p tcp -s 10.132.0.0/16,172.17.0.0/16,127.0.0.1 --dport 2368 -j ACCEPT
# Allow private etcd ports
-A INPUT -i eth1 -p tcp -s 10.132.0.0/16,172.17.0.0/16,127.0.0.1 --dport 4001 -j ACCEPT
-A INPUT -i eth1 -p tcp -s 10.132.0.0/16 --dport 7001 -j ACCEPT
# Allow containers access to etcd API
-A INPUT -i docker0 -p tcp -s 172.17.0.0/16 -j ACCEPT
#Sane Firewall rules
-A INPUT -j Leet-Firewall-1
-A FORWARD -j Leet-Firewall-1
-A Leet-Firewall-1 -i lo -j ACCEPT
-A Leet-Firewall-1 -p icmp --icmp-type echo-reply -j ACCEPT
-A Leet-Firewall-1 -p icmp --icmp-type destination-unreachable -j ACCEPT
-A Leet-Firewall-1 -p icmp --icmp-type time-exceeded -j ACCEPT
# Accept Pings
-A Leet-Firewall-1 -p icmp --icmp-type echo-request -j ACCEPT
# Accept any established connections
-A Leet-Firewall-1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept ssh, http, https - add other tcp traffic ports here
-A Leet-Firewall-1 -m conntrack --ctstate NEW -m multiport -p tcp --dports 22,80,443 -j ACCEPT
#Log and drop everything else
-A Leet-Firewall-1 -j LOG
-A Leet-Firewall-1 -j REJECT --reject-with icmp-host-prohibited
COMMIT
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.