@der-hugo
Last active November 10, 2017 10:26
*filter
:OUTPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:UDP - [0:0]
:INPUT DROP [0:0]
:TCP - [0:0]
:ICMP - [0:0]
# Acceptable TCP traffic
-A TCP -p tcp --dport 22 -j ACCEPT
-A TCP -p tcp --dport 10000 -j ACCEPT
-A TCP -p tcp -m tcp --dport 25 -j ACCEPT
# Acceptable ICMP traffic
-A ICMP -p icmp -j ACCEPT
# Boilerplate acceptance policy
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Pass traffic to protocol-specific chains
# Only allow new connections (established and related should already be handled)
# For TCP, additionally only allow new SYN packets since that is the only valid
# method for establishing a new TCP connection
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP
# Reject anything that's fallen through to this point
# Try to be protocol-specific w/ rejection message
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT