@andybeak
Last active April 2, 2020 22:57
Set up firewall for webserver behind a reverse proxy #book #course
#!/bin/bash
logger Configuring iptables
# Flush existing rules in the filter table. This does not touch the chain policies (still ACCEPT),
# so the host accepts everything until the final DROP rule below has been appended.
sudo iptables -F
# Allow SSH from bastion server
sudo iptables -A INPUT -p tcp -s 172.31.23.163/32 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow loopback traffic
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
# Allow established and related incoming connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow established outgoing connections
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Drop invalid packets
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow incoming HTTP and HTTPS from the reverse proxy private IP address
sudo iptables -A INPUT -p tcp -s 172.31.23.163/32 -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Replies go back to the proxy with source port 80/443, so the OUTPUT rule matches on -d and --sports
sudo iptables -A OUTPUT -p tcp -d 172.31.23.163/32 -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow incoming HTTP and HTTPS from the reverse proxy public IP address
# You'll need this on AWS if the proxy reaches this host through its public IP (or a hostname that resolves
# to it from outside the VPC): the connection is NATed at the internet gateway and arrives with the proxy's
# public source address. If the proxy only ever uses the private address, these two rules are not required.
sudo iptables -A INPUT -p tcp -s 18.130.249.66/32 -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp -d 18.130.249.66/32 -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Drop traffic we're not allowing. This is a rule, not a chain policy, so it must stay last in INPUT.
sudo iptables -A INPUT -j DROP
# The rules live in kernel memory only: re-run this script at boot or save them with iptables-save.
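The same policy as an iptables-restore ruleset, added here as an example and not part of the gist: instead of appending rules one at a time to an open host, the whole filter table is generated as text, parsed with iptables-restore --test, and then loaded atomically with default DROP policies on INPUT and FORWARD. The function names and the argument order (bastion, proxy private IP, optional proxy public IP) are my own; the addresses in the usage line are the gist's placeholders.

```bash
#!/bin/bash
# Added example, not the gist author's script. Builds an iptables-restore
# ruleset equivalent to the gist's policy and applies it atomically.
set -euo pipefail

# gen_rules BASTION_IP PROXY_PRIVATE_IP [PROXY_PUBLIC_IP]
# Prints an iptables-restore ruleset for the filter table to stdout.
gen_rules() {
    local bastion="$1" proxy_priv="$2" proxy_pub="${3:-}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback
-A INPUT -i lo -j ACCEPT
# Drop packets conntrack cannot classify before anything else
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to connections this host already accepted or initiated
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH only from the bastion
-A INPUT -p tcp -s ${bastion}/32 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# HTTP/HTTPS only from the reverse proxy's private address
-A INPUT -p tcp -s ${proxy_priv}/32 -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ -n "$proxy_pub" ]; then
        cat <<EOF
# Same for the proxy's public address (needed when it reaches us via our public IP)
-A INPUT -p tcp -s ${proxy_pub}/32 -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
EOF
    fi
    echo "COMMIT"
}

# count_accept_sources RULESET
# Number of distinct source addresses allowed to open new connections;
# a quick sanity check before loading (expect exactly the hosts you listed).
count_accept_sources() {
    printf '%s\n' "$1" | grep -- '--ctstate NEW' | grep -o -- '-s [0-9.]*/32' | sort -u | wc -l | tr -d ' '
}

# apply_rules RULESET  (run as root)
# --test parses the ruleset without loading it, so a typo fails here rather
# than leaving the host half-configured.
apply_rules() {
    local ruleset="$1"
    printf '%s\n' "$ruleset" | iptables-restore --test
    printf '%s\n' "$ruleset" | iptables-restore
}

# Usage, with the gist's placeholder addresses (bastion and proxy are the same host there):
#   apply_rules "$(gen_rules 172.31.23.163 172.31.23.163 18.130.249.66)"
```

Because the ruleset is loaded in one transaction, there is no window in which the host is open, and the DROP policies mean a missing rule fails closed rather than open. OUTPUT is left at ACCEPT, which is what the gist's script ends up with in practice; its OUTPUT rules never change the outcome because the chain policy already accepts. The generated text can be written to a file and fed to iptables-restore at boot to make the policy persistent.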