Skip to content

Instantly share code, notes, and snippets.

@sammy007 sammy007/iptables.sh Secret
Last active Apr 23, 2019

Embed
What would you like to do?
Securing your ETH node
#!/bin/sh
echo "Flush all rules"
# Flush all rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
echo "iptables INPUT DROP policy"
# Chains
iptables -N TCP
iptables -N UDP
# Drop ALL
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
ipset restore -f /home/username/ipset/whitelist.txt -! # Restore from ipset dump file
# Open UDP ports
iptables -A UDP -p udp --dport 30303 -j ACCEPT
# Open TCP ports
iptables -A TCP -p tcp --dport 22 -j ACCEPT # SSH
iptables -A TCP -p tcp --dport 30303 -j ACCEPT
iptables -A TCP -p tcp -s XX.XX.XX.XX --dport 8545 -j ACCEPT # Allow RPC from single IP
# Allow RPC from all IPs in a whitelist
iptables -I INPUT -m set --match-set whitelist src -p TCP --match multiport --dports 8545 -j ACCEPT
create whitelist hash:ip family inet hashsize 1024 maxelem 65536
add whitelist 127.0.0.1
add whitelist 192.168.0.1
@sammy007

This comment has been minimized.

Copy link
Owner Author

commented Aug 29, 2015

sudo ipset create whitelist hash:ip family inet hashsize 1024 maxelem 65536 -!
sudo ipset add whitelist 127.0.0.1
sudo ipset add whitelist 192.168.0.1
...
sudo ipset save > /home/username/ipset/whitelist.txt
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.