Gist andybeak/67d1bd9630c1a03db532ce9fc59823f9, last active April 2, 2020 22:57
Set up firewall for webserver behind a reverse proxy #book #course
#!/bin/bash
# Firewall for a web server that should only accept HTTP/HTTPS from the reverse
# proxy and SSH from the bastion host. Run as root or via sudo.
logger Configuring iptables
# Flush existing rules in the filter table (chain policies are left as they are)
sudo iptables -F
# Allow SSH from bastion server
sudo iptables -A INPUT -p tcp -s 172.31.23.163/32 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow loopback traffic
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
# Allow established and related incoming connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow established outgoing connections (this already covers the replies the web
# server sends to the proxy; the per-host OUTPUT rules below are belt and braces)
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Drop invalid packets
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow incoming HTTP and HTTPS from the reverse proxy private IP address
sudo iptables -A INPUT -p tcp -s 172.31.23.163/32 -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Replies go *to* the proxy *from* ports 80/443, so the OUTPUT rule matches on
# destination address and source ports
sudo iptables -A OUTPUT -p tcp -d 172.31.23.163/32 -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow incoming HTTP and HTTPS from the reverse proxy public IP address
# You'll need this on AWS if the proxy reaches this host through its public address:
# the connection then arrives from the proxy's public IP rather than its private one.
# Depending on your networking rules this will not always be required.
sudo iptables -A INPUT -p tcp -s 18.130.249.66/32 -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp -d 18.130.249.66/32 -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Drop traffic we're not allowing
sudo iptables -A INPUT -j DROP
# These rules live in the kernel only; persist them with iptables-save
# (e.g. via netfilter-persistent) if they must survive a reboot
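The same policy as an added example, not the gist's own script, expressed as an iptables-restore ruleset. Loading the whole table in one step with default DROP policies on INPUT and FORWARD removes the window in which `iptables -F` leaves the host open until the trailing DROP rule is appended, and it needs no catch-all rule at the end. The ESTABLISHED,RELATED rule sits before the per-host rules so the SSH session that loads the ruleset survives, and OUTPUT stays ACCEPT as in the gist, which never drops outbound traffic. The three addresses are the ones the gist uses; the function names, the `--apply` flag and the offline checks are this example's own conventions.

```shell
#!/bin/bash
# Added example (not the gist's script): the web-server firewall as an
# iptables-restore ruleset with default DROP policies, checked offline and
# loaded atomically. Addresses are the gist's; everything else is assumed.
set -eu

BASTION_IP=172.31.23.163/32
PROXY_PRIVATE_IP=172.31.23.163/32
PROXY_PUBLIC_IP=18.130.249.66/32

# generate_ruleset BASTION PROXY_PRIVATE PROXY_PUBLIC
# Writes an iptables-restore(8) ruleset for the filter table to stdout.
generate_ruleset() {
  local bastion="$1" proxy_priv="$2" proxy_pub="$3"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s ${bastion} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s ${proxy_priv} -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s ${proxy_pub} -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# accept_rule_count RULESET -> number of ACCEPT rules. Cheap pre-load sanity
# check: the policy above always contains exactly six.
accept_rule_count() {
  printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# allows_new_tcp RULESET SRC PORT -> exit 0 if a NEW TCP connection from SRC
# to PORT has an explicit INPUT ACCEPT rule (single --dport or a --dports
# list), 1 otherwise. Anything without such a rule falls through to policy DROP.
allows_new_tcp() {
  local src="$2" port="$3" line ports
  while IFS= read -r line; do
    case "$line" in
      "-A INPUT -p tcp -s ${src} --dport ${port} "*"--ctstate NEW -j ACCEPT")
        return 0 ;;
      "-A INPUT -p tcp -s ${src} -m multiport --dports "*)
        ports="${line#*--dports }"
        ports="${ports%% *}"
        case ",${ports}," in
          *",${port},"*) return 0 ;;
        esac ;;
    esac
  done <<EOF
$1
EOF
  return 1
}

# apply_ruleset FILE: parse-only dry run first (nothing reaches the kernel if a
# rule is malformed), then replace the whole filter table in one commit.
apply_ruleset() {
  local file="$1"
  iptables-restore --test "$file"
  iptables-restore "$file"
  iptables -S INPUT
}

ruleset="$(generate_ruleset "$BASTION_IP" "$PROXY_PRIVATE_IP" "$PROXY_PUBLIC_IP")"
if [ "${1:-}" = "--apply" ]; then
  # Refuse to load a ruleset that does not look like the one we expect.
  [ "$(accept_rule_count "$ruleset")" -eq 6 ] || { echo "unexpected ruleset" >&2; exit 1; }
  tmp="$(mktemp)"
  printf '%s\n' "$ruleset" > "$tmp"
  apply_ruleset "$tmp"
  rm -f "$tmp"
else
  printf '%s\n' "$ruleset"
fi
```

Run it without arguments to review the generated ruleset; `--apply` (as root) loads it. When doing this over SSH, Debian-derived systems ship `iptables-apply`, which loads a file and rolls back automatically unless you confirm within a timeout, which is the safer way to apply a ruleset that touches port 22. Persistence is the same as for the gist's script: `iptables-save` the result into whatever your distribution restores at boot.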