ralexandr/244beeb8316f487949991f1c5247d92a
IPv4 firewall setup
*filter
# Default policy is to drop all traffic
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
# Allow all loopback traffic
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow packets belonging to connections accepted by the rules below, in
# both directions. This includes ICMP error returns, DNS answers and the
# replies to the pings accepted below. Keeping these two rules first means
# the per-port rules only have to match the first packet of a connection,
# and no reply traffic has to be opened by source port (a source-port match
# without a state match would let in anything that merely sets that port).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow inbound ping (ICMP echo-request, type 8).
-A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
# Allow incoming SSH
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow incoming HTTP and HTTPS, rate limited for DOS attack prevention
# (optional). The rates here greatly depend on your application. This rule
# has to come before any unconditional accept for the same ports, otherwise
# it never sees the excess; new connections above the limit fall through to
# the log rule and the DROP policy.
-A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW -m limit --limit 250/minute --limit-burst 1000 -j ACCEPT
# Allow outgoing SSH, HTTP and HTTPS traffic
# This is useful because we won't be able to download and install
# NPM packages otherwise and use git over SSH
-A OUTPUT -o eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
# Allow DNS lookups. TCP is needed as well: answers that do not fit in a
# UDP datagram come back truncated and the resolver retries over TCP.
-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW -j ACCEPT
# Log what was incoming but denied (optional but useful).
# This has to be the last INPUT rule: anything placed after it would be
# logged as denied and then accepted anyway.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
# Log any traffic which was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
COMMIT
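The ruleset above is loaded with iptables-restore, and the mistakes that are easy to make in a file of this shape (a LOG rule that is not last in its chain, a stateless accept keyed on a remote source port, a DROP-policy chain with no generic ESTABLISHED,RELATED accept) are all plain-text properties of the file, so they can be checked before anything touches the kernel. The script below is an added example, not part of the gist: `lint_rules` runs those three checks with grep and awk-free POSIX sh, and `apply_with_rollback` (a hypothetical helper name) loads a file with `iptables-restore --test` first and reverts to the saved ruleset after a timeout unless the operator confirms, which is the usual guard against locking yourself out over SSH. The two sample rulesets are constructed inline (one in the shape of the original gist, one in the corrected shape); the apply helper assumes root and `iptables-save`/`iptables-restore` on PATH and is never called automatically.

```shell
#!/bin/sh
# Added example, not from the gist. Lints an iptables-restore file and applies
# it with a rollback timer. Helper names are this example's own.

# has_generic_established CHAIN FILE: true if CHAIN has an ESTABLISHED accept
# that is not restricted to one protocol (-p), i.e. covers every reply.
has_generic_established() {
    grep -E "^-A $1 .*--(state|ctstate) [A-Z,]*ESTABLISHED.*-j ACCEPT" "$2" |
        grep -qv -- "-p "
}

# lint_rules FILE: print one line per finding; return 0 only if none found.
lint_rules() {
    f=$1
    n=0
    # 1. A LOG rule must be the last rule of its chain, or it logs packets as
    #    "denied" that a later ACCEPT then lets through.
    for chain in INPUT FORWARD OUTPUT; do
        if grep -q "^-A $chain .* -j LOG" "$f"; then
            last=$(grep "^-A $chain " "$f" | tail -n 1)
            case $last in
                *"-j LOG"*) ;;
                *) echo "$chain: LOG rule is not the last rule in the chain"
                   n=$((n + 1)) ;;
            esac
        fi
    done
    # 2. An INPUT accept keyed on the remote source port with no state match
    #    admits any packet whose sender simply chose that source port.
    c=$(grep -E "^-A INPUT .*--sports? .*-j ACCEPT" "$f" | grep -vc -- "--state")
    if [ "$c" -gt 0 ]; then
        echo "INPUT: $c stateless ACCEPT rule(s) keyed on --sport"
        n=$((n + c))
    fi
    # 3. With a DROP policy, a chain without a generic ESTABLISHED accept drops
    #    the reply half of connections the other chain opened (ping replies,
    #    DNS answers, ...).
    for chain in INPUT OUTPUT; do
        if grep -q "^-P $chain DROP" "$f" && ! has_generic_established "$chain" "$f"; then
            echo "$chain: policy DROP but no generic ESTABLISHED,RELATED accept"
            n=$((n + 1))
        fi
    done
    [ "$n" -eq 0 ]
}

# apply_with_rollback FILE [SECONDS]: syntax-check FILE, load it, and revert to
# the previous ruleset after SECONDS unless the operator creates the .keep
# file. Assumes root and iptables-save/iptables-restore on PATH.
apply_with_rollback() {
    file=$1
    secs=${2:-60}
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore --test "$file" || { echo "rule file does not parse"; return 1; }
    lint_rules "$file" || echo "warning: lint findings above, applying anyway"
    iptables-restore "$file" || return 1
    ( sleep "$secs"; [ -e "$backup.keep" ] || iptables-restore < "$backup" ) &
    echo "applied; run 'touch $backup.keep' within ${secs}s to keep the new rules"
}

# Constructed sample in the shape of the gist before the fixes: LOG rule in
# the middle of INPUT, stateless --sport 53 accept, no generic OUTPUT accept.
bad_sample() {
cat <<'EOF'
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
-A OUTPUT -o eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
COMMIT
EOF
}

# Constructed sample in the corrected shape.
good_sample() {
cat <<'EOF'
*filter
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
COMMIT
EOF
}

# Lint both samples (no root or iptables needed for this part).
for s in bad_sample good_sample; do
    tmp=$(mktemp)
    "$s" > "$tmp"
    if lint_rules "$tmp"; then echo "$s: no findings"; fi
    rm -f "$tmp"
done
```

Running the script as-is prints three findings for the first sample and "good_sample: no findings" for the second. The rollback helper is deliberately one process and no cron: the background subshell survives a dropped SSH session, so if the new rules cut you off, the old ones come back after the timeout.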