Last active May 23, 2019 14:46
This demonstrates a minimal but secure firewall configuration to protect an Ethereum client node.
################################################################################
### The Filter table
################################################################################
*filter
# ==============================================================================
# Set default policies to DROP.
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
# ==============================================================================
# The ICMP chain
-N icmp-chain
-A icmp-chain -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
-A icmp-chain -p icmp --icmp-type destination-unreachable -m state --state NEW -j ACCEPT
-A icmp-chain -p icmp --icmp-type source-quench -m state --state NEW -j ACCEPT
# Rate-limit inbound echo requests so a ping flood cannot keep the host busy answering them.
-A icmp-chain -p icmp --icmp-type echo-request -m limit --limit 2/s -m state --state NEW -j ACCEPT
-A icmp-chain -p icmp --icmp-type time-exceeded -m state --state NEW -j ACCEPT
-A icmp-chain -p icmp --icmp-type parameter-problem -m state --state NEW -j ACCEPT
# ==============================================================================
# The INPUT chain
# Allow all loopback traffic and reject all traffic to 127/8 that doesn't arrive on lo.
# Matching on the interface alone (rather than on -s 127.0.0.1) also covers loopback
# packets whose source is the host's own non-loopback address, e.g. a local client
# connecting to a service bound to the public IP.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accept established inbound connections.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept SSH connections.
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Accept peer-to-peer connections to the Ethereum node (devp2p, TCP and UDP 30303).
-A INPUT -p tcp --dport 30303 -j ACCEPT
-A INPUT -p udp --dport 30303 -j ACCEPT
# Hand ICMP off to the icmp-chain above.
-A INPUT -p icmp -j icmp-chain
# Reject everything else. Any rule appended after this one is unreachable.
-A INPUT -j REJECT
# ==============================================================================
# The OUTPUT chain
# Accept all outbound traffic.
-A OUTPUT -j ACCEPT
# ==============================================================================
# The FORWARD chain
# Reject everything.
-A FORWARD -j REJECT
################################################################################
### Commit the Filter table configuration
COMMIT
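Before loading a ruleset like this one, it is worth checking what it actually exposes. The following audit script is an added example, not part of the gist: it parses iptables-save syntax, reports the default policies and the ports that accept inbound traffic on INPUT, and flags any rule appended after a chain's unconditional catch-all (such as the final `-A INPUT -j REJECT`), which iptables will never evaluate. The embedded ruleset is a constructed copy of the one above with one deliberate mistake added at the end to show the check firing.

```python
import re

# Constructed copy of the gist's ruleset, plus one deliberate mistake: TCP 8545 opened after the catch-all REJECT.
RULESET = """\
*filter
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
-N icmp-chain
-A icmp-chain -p icmp --icmp-type echo-request -m limit --limit 2/s -m state --state NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 30303 -j ACCEPT
-A INPUT -p udp --dport 30303 -j ACCEPT
-A INPUT -p icmp -j icmp-chain
-A INPUT -j REJECT
-A INPUT -p tcp --dport 8545 -j ACCEPT
-A OUTPUT -j ACCEPT
-A FORWARD -j REJECT
COMMIT
"""

def audit(ruleset):
    """Return (policies, inbound ports accepted on INPUT, unreachable rules)."""
    policies, open_ports, dead_rules = {}, set(), []
    closed = set()  # chains already ended by an unconditional terminal rule
    for line in ruleset.splitlines():
        if line.startswith("-P "):
            _, chain, target = line.split()
            policies[chain] = target
            continue
        if not line.startswith("-A "):
            continue
        chain = line.split()[1]
        if chain in closed:
            dead_rules.append(line)  # appended after the catch-all: never matched
            continue
        proto = re.search(r"-p (\w+)", line)
        dport = re.search(r"--dport (\d+)", line)
        if chain == "INPUT" and line.endswith("-j ACCEPT") and proto and dport:
            open_ports.add((proto.group(1), int(dport.group(1))))
        # A rule with no match criteria and a terminal target ends the chain.
        if re.fullmatch(r"-A \S+ -j (ACCEPT|REJECT|DROP)", line):
            closed.add(chain)
    return policies, open_ports, dead_rules

if __name__ == "__main__":
    print(audit(RULESET))
```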