@kiprasmel
Last active February 9, 2021 14:42
iptables_reset.sh - whitelist must-haves, block everything else 🥳
#!/usr/bin/env sh
# iptables_reset.sh
# Set MY_LOCAL_IP to the address you administer the server from, as the server
# sees it (get it via e.g. `curl ifconfig.me`). Run the script from that address
# or from a console: the rules below only let SSH in from MY_LOCAL_IP, so a
# session coming from anywhere else is cut off as soon as they are applied.
# Rules are not persisted; use iptables-save (or your distro's equivalent) if
# they must survive a reboot. Only IPv4 (iptables) is configured; ip6tables is untouched.
MY_LOCAL_IP=""
[ -z "$MY_LOCAL_IP" ] && {
printf "
usage:
set MY_LOCAL_IP inside the script, then
sudo ./iptables_reset.sh
"
exit 1   # bail out before flushing anything; an empty IP would also produce a broken "-s /32" rule
}
sleep 1
# flush every rule and delete user-defined chains in the filter table
iptables -F
iptables -X
#iptables -t nat -F
#iptables -t nat -X
#iptables -t mangle -F
#iptables -t mangle -X
# default policies stay ACCEPT; the explicit REJECT at the end of INPUT does the
# blocking, so a chain that is flushed but not rebuilt falls back to allow-all
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# local network (localhost / loopback)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# nginx (& everything else proxied behind it)
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# ssh, only from MY_LOCAL_IP (swap in the /24 line to allow its whole subnet instead)
# iptables -A INPUT -s "$MY_LOCAL_IP/24" -p tcp -m conntrack --dport 22 --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s "$MY_LOCAL_IP/32" -p tcp -m conntrack --dport 22 --ctstate NEW,ESTABLISHED -j ACCEPT
# ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# umami postgres db, only from MY_LOCAL_IP
iptables -A INPUT -s "$MY_LOCAL_IP/32" -p tcp -m tcp --dport 5555 -j ACCEPT
# misc: replies to connections the server opened, plus related traffic (e.g. ICMP errors)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# packets that belong to no tracked connection
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# everything else (INPUT-wise); OUTPUT and FORWARD stay open through their ACCEPT policy
iptables -A INPUT -j REJECT
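As an added check, not part of the gist, the POSIX sh function below reads `iptables -S INPUT` output and verifies the invariants the script above relies on: loopback accepted, established replies accepted, the admin ports (22 and 5555) accepted only with a source restriction, and an unconditional REJECT or DROP as the final rule. The embedded sample is a constructed rendering of the chain the script builds with MY_LOCAL_IP=203.0.113.7 (a documentation address); the exact formatting `iptables -S` prints may differ slightly.

```shell
#!/usr/bin/env sh
# Constructed sample of `iptables -S INPUT` after iptables_reset.sh ran with
# MY_LOCAL_IP=203.0.113.7 (RFC 5737 documentation address, not a real host).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 5555 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

# Reads `iptables -S` output on stdin. Prints one FAIL line per violated
# invariant and returns 0 only when the INPUT chain has the intended shape.
check_input_chain() {
    rules=$(grep '^-A INPUT ')          # keep only INPUT rules; drop the -P policy line
    rc=0
    # 1. loopback traffic must be accepted, or local services (db, nginx upstreams) break
    printf '%s\n' "$rules" | grep -q -- '-i lo -j ACCEPT' \
        || { echo "FAIL: no loopback ACCEPT"; rc=1; }
    # 2. replies to the server's own outbound connections must be accepted
    printf '%s\n' "$rules" | grep -- '-j ACCEPT' | grep -q ESTABLISHED \
        || { echo "FAIL: no ESTABLISHED ACCEPT"; rc=1; }
    # 3. the admin ports (ssh 22, postgres 5555) may only be accepted with a -s restriction
    printf '%s\n' "$rules" | grep -- '-j ACCEPT' | grep -E -- '--dport (22|5555)( |$)' \
        | grep -qv -- ' -s ' && { echo "FAIL: admin port accepted from any source"; rc=1; }
    # 4. the chain must end with an unconditional REJECT or DROP; anything after it is unreachable
    last=$(printf '%s\n' "$rules" | tail -n 1)
    case "$last" in
        "-A INPUT -j REJECT"*|"-A INPUT -j DROP"*) ;;
        *) echo "FAIL: last rule is not a catch-all: $last"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone run against the constructed sample (real use: iptables -S INPUT | check_input_chain)
printf '%s\n' "$SAMPLE_RULES" | check_input_chain && echo "INPUT chain OK"
```

On a live host run it as root after applying the script: `iptables -S INPUT | check_input_chain`.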