@qrpike
Last active February 3, 2016 22:29
#!/bin/bash
# Reset to a permissive baseline before flushing, so a remote session is not cut
# off while the chains are empty:
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
# Accept loopback traffic:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Block private and reserved source addresses on the public interface
# (anti-spoofing). These must come before any ACCEPT rule: iptables matches
# top-down, so an earlier ACCEPT for ports 22/80/443 or for ESTABLISHED traffic
# would take the packet and the DROP would never be consulted.
iptables -A INPUT -i eno1 -s 10.0.0.0/8 -j DROP        # RFC 1918
iptables -A INPUT -i eno1 -s 172.16.0.0/12 -j DROP     # RFC 1918
iptables -A INPUT -i eno1 -s 192.168.0.0/16 -j DROP    # RFC 1918 (covers 192.168.0.0/24 too)
iptables -A INPUT -i eno1 -s 127.0.0.0/8 -j DROP       # loopback
iptables -A INPUT -i eno1 -s 224.0.0.0/4 -j DROP       # multicast
iptables -A INPUT -i eno1 -s 240.0.0.0/4 -j DROP       # reserved (class E)
# Allow replies to connections we opened ourselves, and related traffic:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow basic ports:
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
# Accept all traffic arriving on the internal interfaces:
iptables -A INPUT -i enp5s0f0 -p all -j ACCEPT
iptables -A INPUT -i enp5s0f1 -p all -j ACCEPT
iptables -A INPUT -i enp3s0f0 -p all -j ACCEPT
iptables -A INPUT -i enp3s0f1 -p all -j ACCEPT
# Accept pings:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Otherwise deny:
iptables -P INPUT DROP
# Save these settings so they survive a reboot. The package only offers to save
# the running rules during its first install, so write the rules file explicitly:
DEBIAN_FRONTEND=noninteractive apt-get install iptables-persistent -y
iptables-save > /etc/iptables/rules.v4
# Note: this script configures IPv4 only; ip6tables is left untouched.
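The anti-spoofing DROPs in a script like the one above are only effective if no earlier ACCEPT can match the same packets, and they are only complete if every RFC 1918 range is listed. The following audit script is an added example (not part of the gist) that checks both properties offline against the text `iptables-save` prints. The two dumps inside it are constructed: BAD_DUMP reproduces the ordering of the original gist (ACCEPTs appended before the DROPs, and no 10.0.0.0/8 entry), GOOD_DUMP the corrected ordering. The interface name `eno1` is taken from the gist; the function names are this example's own.

```python
#!/usr/bin/env python3
"""Audit the INPUT chain of an iptables-save dump for shadowed anti-spoofing rules.

Added example, not part of the gist. It reads the text that `iptables-save`
prints and reports:
  1. source-based DROP rules on the public interface that sit *after* an
     ACCEPT rule which could match the same packets (the DROP is dead code);
  2. RFC 1918 ranges with no DROP on the public interface at all.
"""
import ipaddress
import shlex

# RFC 1918 private ranges that a public interface should never see as a source.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_input_rules(dump):
    """Return the INPUT-chain rules of the *filter table, in order, as dicts."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. "*filter"
            table = line[1:]
            continue
        toks = shlex.split(line) if line else []
        if table != "filter" or toks[:2] != ["-A", "INPUT"]:
            continue                      # skip chain policies, COMMIT, other chains
        rule = {"raw": line, "in": None, "src": None, "target": None}
        i = 2
        while i < len(toks):
            if toks[i] in ("-i", "--in-interface"):
                rule["in"] = toks[i + 1]
                i += 2
            elif toks[i] in ("-s", "--source"):
                rule["src"] = toks[i + 1]
                i += 2
            elif toks[i] in ("-j", "--jump"):
                rule["target"] = toks[i + 1]
                i += 2
            else:
                i += 1                    # match options we do not care about
        rules.append(rule)
    return rules


def audit_input_chain(dump, public_iface):
    """Return a list of findings; an empty list means both checks passed."""
    rules = parse_input_rules(dump)
    findings = []
    # First ACCEPT that is not pinned to some *other* interface: from that rule on,
    # a packet arriving on public_iface may already have been accepted.
    first_accept = next((k for k, r in enumerate(rules)
                         if r["target"] == "ACCEPT" and r["in"] in (None, public_iface)), None)
    covered = []
    for k, r in enumerate(rules):
        if r["target"] != "DROP" or r["in"] != public_iface or r["src"] is None:
            continue
        covered.append(ipaddress.ip_network(r["src"], strict=False))
        if first_accept is not None and k > first_accept:
            findings.append("shadowed: %r is placed after %r" % (r["raw"], rules[first_accept]["raw"]))
    for net in RFC1918:
        if not any(net.subnet_of(c) for c in covered):
            findings.append("missing: no DROP for %s on %s" % (net, public_iface))
    return findings


# Constructed sample dumps in iptables-save format. BAD_DUMP mirrors the gist's
# ordering (ACCEPTs before the DROPs, no 10.0.0.0/8); GOOD_DUMP is the fixed order.
BAD_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
-A INPUT -i eno1 -s 172.16.0.0/12 -j DROP
-A INPUT -i eno1 -s 192.168.0.0/16 -j DROP
COMMIT
"""

GOOD_DUMP = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eno1 -s 10.0.0.0/8 -j DROP
-A INPUT -i eno1 -s 172.16.0.0/12 -j DROP
-A INPUT -i eno1 -s 192.168.0.0/16 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("BAD_DUMP", BAD_DUMP), ("GOOD_DUMP", GOOD_DUMP)):
        print(name, audit_input_chain(dump, "eno1") or ["ok"])
```

To run it against a live host, replace the constructed dumps with the output of `iptables-save` (for example by reading `sys.stdin`) and pass the public interface name. The parser deliberately ignores match options it does not understand, so an unusual rule degrades to "no source, no interface" rather than crashing the audit; negated matches (`! -s`) are not modelled.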