-
-
Save Maxopoly/6c925a1f18f9e2f3b9818d1c1582b17e to your computer and use it in GitHub Desktop.
| #You probably want to do this in root to reduce the amount of sudos required | |
| su - | |
| #Install iptables if you haven't already | |
| #Alternatively use packet manager of your choice | |
| apt-get install iptables | |
| #Allow all incoming traffic to begin with | |
| iptables -P INPUT ACCEPT | |
| #Clean out any existing input rules. You may also remove the "INPUT" argument and run only "iptables -F" to clear all chains. When doing so, make sure there are no rules in other chains that you still need (list via "iptables -L"), for example Oracle cloud servers will have preset rules, which should not be removed. | |
| iptables -F INPUT | |
| #Allow all internal connections | |
| iptables -A INPUT -i lo -j ACCEPT | |
| #Allow continuing setup connections | |
| iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| #Allow ssh, adjust port if you run it on non-default | |
| iptables -A INPUT -p tcp --dport 22 -j ACCEPT | |
| #Allow minecraft, adjust port if you run it on non-default | |
| iptables -A INPUT -p tcp --dport 25565 -j ACCEPT | |
| #Disallow all input not whitelisted | |
| #DO NOT RUN THIS IF YOU HAVEN'T VERIFIED YOU WHITELISTED SSH, YOU WILL LOCK YOURSELF OUT | |
| iptables -P INPUT DROP | |
| #Block all forwarding | |
| iptables -P FORWARD DROP | |
| #Allow all outgoing | |
| iptables -P OUTPUT ACCEPT | |
| #Save rules, they won't be persisted past restart of the machine otherwise | |
| apt-get install iptables-persistent | |
| #iptables-persistent will load from this file automatically | |
| iptables-save > /etc/iptables/rules.v4 | |
| #Optional stuff from here on: | |
| #If you have other internal servers for backups etc. you can use this to allow any connections from them | |
| iptables -A INPUT -p tcp -s XXX.XXX.XXX.XXX -j ACCEPT | |
| #Whitelist mumble | |
| iptables -A INPUT -p tcp --dport 64738 -j ACCEPT | |
| iptables -A INPUT -p udp --dport 64738 -j ACCEPT | |
| #Whitelist Jenkins | |
| iptables -A INPUT -p tcp --dport 8080 -j ACCEPT | |
| #Whitelist Votifier | |
| iptables -A INPUT -p tcp --dport 8192 -j ACCEPT | |
| iptables -A INPUT -p udp --dport 8192 -j ACCEPT | |
| #Allow ICMP, this also makes server health check tools from various hosting providers happier | |
| iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT |
When cleaning out existing rules you might want to specify the INPUT chain like iptables -F INPUT to prevent important rules from being cleared. For example servers from Oracle Cloud have several rules under the InstanceServices chain that should not be removed. Also adding rules for IPv6 would be nice. Otherwise this is really helpful, thanks!
wow that literally saved me plenty of time, thanks to this I figured out why I could not connect to the server anymore, it was the continuing setup connections ^^
When cleaning out existing rules you might want to specify the INPUT chain like
iptables -F INPUTto prevent important rules from being cleared. For example servers from Oracle Cloud have several rules under the InstanceServices chain that should not be removed. Also adding rules for IPv6 would be nice. Otherwise this is really helpful, thanks!
I changed the flushing of existing chains and added a note about what you mentioned. Good comment, thanks.
I've never used ip6tables, it seems very similar to normal iptables, but I'm not sure whether it's just a drop in replacement with v6 addresses instead. I don't have a IPv6 testing setup on hand either, so I won't add anything about it for now to avoid possibly wrong advice.
Thanks! 🔥
🔥
This really is amazing. Can't believe anyone else hasn't commented on this because this is super helpful!