Gist terrywang/4601870
Last active December 11, 2015 12:38
Generic iptables rules template, ready to be used;-)
*filter
# Allow all loopback (lo) traffic and drop all traffic to 127.0.0.0/8 that doesn't use lo
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound connections
# -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# conntrack match is recommended
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
# It can be modified to allow certain traffic ONLY
-A OUTPUT -j ACCEPT
# Allow SSH connections
# The --dport number should be the same port number set in sshd_config
# -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
# -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
# -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow ping
-A INPUT -p icmp -j ACCEPT
# Log iptables denied calls
# -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop all other inbound - default deny unless explicitly allowed policy
# -A INPUT -j DROP
-P INPUT DROP
# -A FORWARD -j DROP
# -P FORWARD DROP
COMMIT
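As an added example that is not part of the gist, a small Python auditor for rulesets in this iptables-restore format: it parses the `-A`/`-P` lines, reports which ports INPUT accepts from any interface, and checks the two properties the comments above rely on, a DROP policy on INPUT and the ESTABLISHED,RELATED rule placed before the per-port rules. The sample ruleset is constructed from the active INPUT lines above, and only the option subset used there is understood.

```python
import shlex
# Constructed sample: the active INPUT lines of the template above.
RULES = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-P INPUT DROP
COMMIT
"""
# Options whose following token we record (a subset of iptables syntax).
OPTS = {"-j": "target", "-p": "proto", "--dport": "dport", "-i": "iface",
        "--ctstate": "ctstate", "--state": "ctstate"}
def parse(text):
    """Return (rules, policies); each rule is a dict keyed by the names in OPTS."""
    rules, policies = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments, blank lines
        if not line or line[0] == "*" or line == "COMMIT":
            continue
        argv = shlex.split(line)
        if argv[0] == "-P":                        # "-P INPUT DROP"
            policies[argv[1]] = argv[2]
        elif argv[0] == "-A":                      # "-A CHAIN <matches> -j TARGET"
            rule = {"chain": argv[1]}
            rule.update((OPTS[t], n) for t, n in zip(argv, argv[1:]) if t in OPTS)
            rules.append(rule)
    return rules, policies

def open_ports(text):
    """(proto, port) pairs ACCEPTed on INPUT with no interface restriction."""
    return [(r["proto"], r["dport"]) for r in parse(text)[0]
            if r["chain"] == "INPUT" and r.get("target") == "ACCEPT"
            and "dport" in r and "iface" not in r]

def audit(text):
    """Findings for the INPUT chain; an empty list means the checks pass."""
    rules, policies = parse(text)
    inp = [r for r in rules if r["chain"] == "INPUT"]
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP: unmatched traffic is accepted")
    est = next((i for i, r in enumerate(inp) if "ESTABLISHED" in r.get("ctstate", "")), None)
    port = next((i for i, r in enumerate(inp) if "dport" in r), None)
    if est is None:
        findings.append("no ESTABLISHED,RELATED rule: replies to outbound connections are dropped")
    elif port is not None and port < est:
        findings.append("port rules precede the ESTABLISHED,RELATED rule")
    return findings
```

Run `audit(open("/etc/iptables/rules.v4").read())` against a saved ruleset to get the findings before loading it with iptables-restore.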