Created
December 24, 2015 19:29
-
-
Save ryanthegiantlion/581ffd622c8318d67e2e to your computer and use it in GitHub Desktop.
Firewall rules I used on my single node elasticsearch instance
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# flush existing rules | |
iptables -F | |
ip6tables -F | |
# ssh rule. always add this first ! | |
# TODO: Consider rate limiting? (e.g http://www.digitalsanctuary.com/tech-blog/debian/using-iptables-to-prevent-ssh-brute-force-attacks.html) | |
# Still need to read up on implications... | |
iptables -A INPUT -p tcp --dport ssh -j ACCEPT | |
iptables -A OUTPUT -p tcp --sport ssh -j ACCEPT | |
# allow elasticsearch traffic from these hosts | |
iptables -A INPUT -s 10.x.x.x -p tcp --dport 9200:9300 -j ACCEPT | |
iptables -A INPUT -s 10.x.x.x -p tcp --dport 9200:9300 -j ACCEPT | |
iptables -A INPUT -s 10.x.x.x -p tcp --dport 9200:9300 -j ACCEPT | |
iptables -A OUTPUT -d 10.x.x.x -p tcp --sport 9200:9300 -j ACCEPT | |
iptables -A OUTPUT -d 10.x.x.x -p tcp --sport 9200:9300 -j ACCEPT | |
iptables -A OUTPUT -d 10.x.x.x -p tcp --sport 9200:9300 -j ACCEPT | |
# allow all on localhost | |
iptables -A INPUT -i lo -j ACCEPT | |
iptables -A OUTPUT -o lo -j ACCEPT | |
# allow host to be pinged | |
iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | |
iptables -A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT | |
# outgoing dns rules | |
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT | |
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT | |
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT | |
iptables -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT | |
# new relic monitoring | |
sudo iptables -A OUTPUT -d 162.247.240.0/22 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT | |
sudo iptables -A OUTPUT -d 50.31.164.0/24 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT | |
sudo iptables -A INPUT -s 162.247.240.0/22 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT | |
sudo iptables -A INPUT -s 50.31.164.0/24 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT | |
sudo iptables -A OUTPUT -d 162.247.240.0/22 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT | |
sudo iptables -A OUTPUT -d 50.31.164.0/24 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT | |
sudo iptables -A INPUT -s 162.247.240.0/22 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT | |
sudo iptables -A INPUT -s 50.31.164.0/24 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT | |
# drop all other packets | |
iptables -A INPUT -j DROP | |
iptables -A OUTPUT -j DROP | |
iptables -A FORWARD -j DROP | |
# drop all ipv6 | |
ip6tables -A INPUT -j DROP | |
ip6tables -A OUTPUT -j DROP | |
ip6tables -A FORWARD -j DROP | |
# persist firewall rules | |
iptables-save > /etc/iptables.conf | |
echo "iptables-restore < /etc/iptables.conf" > /etc/rc.local |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment