```
# CLOUD_IMG: This file was created/modified by the Cloud Image build process
# iptables configuration for Oracle Cloud Infrastructure

# See the Oracle-Provided Images section in the Oracle Cloud Infrastructure
# documentation for security impact of modifying or removing these rules

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [463:49013]
:InstanceServices - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
#-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
-A InstanceServices -d 169.254.0.2/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or re$
-A InstanceServices -d 169.254.2.0/24 -p tcp -m owner --uid-owner 0 -m tcp --dport 3260 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or re$
#-A InstanceServices -d 169.254.0.2/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACC$
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $
-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 53 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $
#-A InstanceServices -d 169.254.0.3/32 -p tcp -m owner --uid-owner 0 -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or rem$
#-A InstanceServices -d 169.254.0.4/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACC$
#-A InstanceServices -d 169.254.169.254/32 -p tcp -m tcp --dport 80 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j$
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 67 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 69 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j $
-A InstanceServices -d 169.254.169.254/32 -p udp --dport 123 -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j ACCEPT
#-A InstanceServices -d 169.254.0.0/16 -p tcp -m tcp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --rejec$
#-A InstanceServices -d 169.254.0.0/16 -p udp -m udp -m comment --comment "See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule" -j REJECT --rejec$
COMMIT
```
I somehow stumbled across this old Gist and have some tips for future wanderers.

- […] `INPUT` rules above it pointless.
- […] `state` module with `--state`, not `conntrack` with `--ctstate`. It also doesn't need to explicitly allow `ESTABLISHED` packets because the rule on line 12 already takes care of that.
- […] `169.254.0.0/16`).
- […] `FORWARD ACCEPT` policy on line 9. All packets will be forwarded indiscriminately.
- […] `InstanceServices` rules shouldn't be modified. The Oracle Cloud docs explicitly state rules having to do with port `3260` should be left alone, but I think you can extend that to all the rules in that chain unless you know what you're doing. Regardless, modifying them is unnecessary if the only goal is running a simple web server.

If you need to open up ports `80` and `443`, just add […] directly below […] and you're ready to go!

And remember to update the Security List for your Compute instance's VNIC, too.
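The pitfalls the comment above lists (a default-ACCEPT `INPUT` chain with its terminal REJECT commented out, a default-ACCEPT `FORWARD` policy, one rule using `conntrack`/`--ctstate` while the rest use `state`/`--state`, and a rule re-allowing `ESTABLISHED` traffic that line 12 already accepts) can all be checked mechanically before a ruleset is loaded. The following linter over the `iptables-save` format is an added example, not code from the gist, its commenter, or Oracle. `SAMPLE_RULES` is a constructed, abridged copy of the `*filter` table with the long `InstanceServices` comment strings dropped, and `add_input_rules` inserts `state`-style rules for 80/443 directly below the SSH rule, which is this example's own placement choice rather than what the comment prescribes.

```python
"""Lint an iptables-save ruleset for the pitfalls raised in the comment above."""
import re

# Constructed sample: an abridged copy of the gist's *filter table, with the
# long InstanceServices comment strings dropped. It is not Oracle's file.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [463:49013]
:InstanceServices - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp --sport 123 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -d 169.254.0.0/16 -j InstanceServices
-A InstanceServices -d 169.254.169.254/32 -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""

ESTABLISHED = re.compile(r"--(?:state|ctstate) \S*ESTABLISHED")


def parse_rules(text):
    """Return ({chain: policy}, [(lineno, chain, rule)]) for one iptables-save table.
    '#' lines are skipped as iptables-restore skips them, so a commented-out
    REJECT does not count as a rule."""
    policies, rules = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append((lineno, line.split()[1], line))
    return policies, rules


def lint(text):
    """Return a list of (code, lineno, message); lineno 0 means 'whole table'."""
    policies, rules = parse_rules(text)
    findings = []
    input_rules = [r for r in rules if r[1] == "INPUT"]

    # 1. INPUT defaults to ACCEPT and nothing rejects at the end, so every
    #    explicit ACCEPT above is redundant: unmatched traffic gets in anyway.
    if policies.get("INPUT") == "ACCEPT" and not any(
            re.search(r"-j (?:DROP|REJECT)\b", r[2]) for r in input_rules):
        findings.append(("INPUT_OPEN_BY_DEFAULT", 0,
                         "INPUT policy ACCEPT with no terminal DROP/REJECT"))

    # 2. FORWARD defaults to ACCEPT: the host will route anything it receives.
    if policies.get("FORWARD") == "ACCEPT":
        findings.append(("FORWARD_ACCEPT", 0,
                         "FORWARD policy ACCEPT; packets are forwarded indiscriminately"))

    # 3. Legacy 'state' and newer 'conntrack' matches mixed in one ruleset.
    if any("-m state" in r[2] for r in rules):
        for lineno, _, rule in rules:
            if "-m conntrack" in rule:
                findings.append(("MIXED_STATE_MODULES", lineno,
                                 "uses conntrack/--ctstate while other rules use state/--state"))

    # 4. After a catch-all RELATED,ESTABLISHED accept (no protocol, no port),
    #    later rules in the same chain need not list ESTABLISHED again.
    catchall_at = None
    for lineno, _, rule in input_rules:
        if not ESTABLISHED.search(rule):
            continue
        if catchall_at is None and "-p " not in rule and "--dport" not in rule:
            catchall_at = lineno
        elif catchall_at is not None:
            findings.append(("REDUNDANT_ESTABLISHED", lineno,
                             f"ESTABLISHED already accepted by line {catchall_at}"))
    return findings


def add_input_rules(text, ports, anchor_dport=22):
    """Return the ruleset with a 'state'-style NEW accept rule per port inserted
    directly below the INPUT rule for anchor_dport (the SSH rule by default).
    Placing them there, in the same --state form, is this example's choice."""
    out = []
    for line in text.splitlines():
        out.append(line)
        if line.startswith("-A INPUT") and f"--dport {anchor_dport} " in line:
            for port in ports:
                out.append(f"-A INPUT -p tcp -m state --state NEW -m tcp "
                           f"--dport {port} -j ACCEPT")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for code, lineno, msg in lint(SAMPLE_RULES):
        print(f"line {lineno:>2}: {code}: {msg}")
    print(add_input_rules(SAMPLE_RULES, (80, 443)))
```

Run against `SAMPLE_RULES`, the linter reports all four issues; uncommenting the `-A INPUT -j REJECT` line makes the first finding disappear, which is the cheapest way to give the explicit `INPUT` accepts any effect. The `InstanceServices` chain is deliberately left untouched by both functions, in line with the comment's advice.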