Created
December 20, 2022 20:24
iptables for deny all except SSH and 80/443 (webserver)
# flush all current rules in the filter table (-F removes rules but does not change chain policies)
sudo iptables -F
# allow all loopback (lo) traffic and reject any traffic to 127/8 that does not arrive on lo
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# accept replies to connections this host initiated, plus related traffic (e.g. ICMP errors)
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow all outbound traffic
sudo iptables -A OUTPUT -j ACCEPT
# allow HTTP and HTTPS from anywhere
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# allow SSH connections; consider changing the default port in /etc/ssh/sshd_config (and in this rule)
sudo iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# allow ping (ICMP echo request)
sudo iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log denied packets, rate-limited. This rule must come BEFORE the catch-all REJECT below:
# iptables evaluates rules in order, so a LOG rule appended after the REJECT would never match
sudo iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# reject everything else
sudo iptables -A INPUT -j REJECT
sudo iptables -A FORWARD -j REJECT
# save for use with the iptables-persistent package (IPv4 only; ip6tables has its own table and rules.v6)
sudo iptables-save | sudo tee /etc/iptables/rules.v4
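The gist applies the policy one `iptables -A` at a time, which leaves a window where the chain is half built and, if the session drops mid-way, can leave the host in an inconsistent state. The script below is an added example, not the gist's own code: it expresses the same policy (loopback, established/related, 80, 443, SSH, ping, rate-limited LOG, then REJECT) as one iptables-restore ruleset, validates it with `iptables-restore --test`, and loads it atomically. The `SSH_PORT` variable, the `apply` argument and the `check_rules` helper are assumptions of this example; it uses `-m conntrack --ctstate`, the current name of the `-m state` match, and sets the chain policies to DROP so a missing rule fails closed. The ruleset is IPv4 only, as in the gist; ip6tables needs its own equivalent.

```shell
#!/bin/sh
# Added example, not the gist's own script. Builds the gist's policy as a single
# iptables-restore ruleset so the kernel swaps the whole table at once instead of
# one "iptables -A" at a time. SSH_PORT and the "apply" argument are assumptions
# of this example; the default port 22 matches the gist.
SSH_PORT="${SSH_PORT:-22}"

# Emit the ruleset in iptables-save format. Chain policies are DROP so nothing is
# accepted by accident if a rule is missing; the explicit REJECT at the end still
# gives clients a fast refusal instead of a timeout. Rules match top to bottom,
# so the LOG rule is placed before the catch-all REJECT.
gen_rules() {
  port="${1:-$SSH_PORT}"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: accept on lo, reject 127/8 arriving on any other interface
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# replies to connections this host opened, and related traffic such as ICMP errors
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify never reach the service rules
-A INPUT -m conntrack --ctstate INVALID -j DROP
# exposed services: HTTP, HTTPS, SSH on the configured port, ping
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# log what is about to be refused (rate-limited), then refuse it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Sanity check that needs no root (assumed helper): the SSH port must be opened,
# and the LOG rule must sit above the catch-all REJECT, or it can never match.
check_rules() {
  out="$(gen_rules "$1")"
  printf '%s\n' "$out" | grep -q -- "--dport $1 " || return 1
  log_line=$(printf '%s\n' "$out" | grep -n -- '-j LOG' | cut -d: -f1)
  rej_line=$(printf '%s\n' "$out" | grep -n -- '^-A INPUT -j REJECT' | cut -d: -f1)
  [ -n "$log_line" ] && [ -n "$rej_line" ] && [ "$log_line" -lt "$rej_line" ]
}

# Parse the ruleset without touching the kernel, load it atomically, then persist
# it where iptables-persistent/netfilter-persistent reads it. Requires root.
# IPv4 only: ip6tables keeps its own table and its own rules.v6 file.
apply_rules() {
  rules="$(gen_rules "$SSH_PORT")"
  printf '%s\n' "$rules" | iptables-restore --test || return 1
  printf '%s\n' "$rules" | iptables-restore || return 1
  iptables-save > /etc/iptables/rules.v4
}

# Usage: SSH_PORT=2222 sh harden.sh apply   (without "apply" it only prints the ruleset)
if [ "${1:-}" = "apply" ]; then
  apply_rules
else
  gen_rules "$SSH_PORT"
fi
```

Run it without arguments first and read the generated ruleset; `iptables-restore --test` then catches syntax errors before anything is loaded, and because the whole table is replaced in one step there is no moment at which the INPUT chain is only partly built. If you move SSH off port 22, change `SSH_PORT` and `/etc/ssh/sshd_config` together and keep the old port open until the new one is confirmed working from a second session.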