Iptables-firewalls

    1. allow all traffic on local interface

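# Loopback: accept everything on lo in both directions.
# The two commands were collapsed onto one line; as a single line the
# second "iptables ..." would be passed as arguments to the first.
# NOTE(review): the ACCEPT rules on this page only make sense with a
# default DROP (or REJECT) policy on INPUT/OUTPUT, and no `iptables -P`
# is shown here — confirm the chain policies before relying on the set.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT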

    1. allow related traffic in and out

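# Stateful baseline, one command per line (the original had both on one
# line, which does not run). Inbound packets belonging to, or related
# to, an existing conntrack entry are accepted; outbound packets of an
# established connection are accepted. Because this OUTPUT rule is
# appended before every per-service OUTPUT rule on this page, those later
# "--ctstate ESTABLISHED" rules never see traffic (harmless, but inert).
# Outbound RELATED (e.g. ICMP errors this host generates) is not covered.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT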

    1. drop invalid packets

# Packets conntrack classifies as INVALID are dropped silently (DROP, not
# REJECT, so no ICMP or RST goes back to the sender). Same rule as the
# short-option form, spelled with long options.
iptables --append INPUT --match conntrack --ctstate INVALID --jump DROP

    1. allow ssh access

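# SSH server on 22/tcp, one command per line (they were collapsed into
# one line). ESTABLISHED on the INPUT side and the whole OUTPUT rule are
# already covered by the baseline conntrack rules earlier on this page;
# they only matter if that baseline is removed. Nothing restricts the
# source or the rate of NEW connections to 22/tcp — confirm that is
# intended for this host's exposure.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT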

    1. allow https and http traffic

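# HTTP/HTTPS server on 80,443/tcp, one command per line (they were
# collapsed into one line).
# NOTE(review): unlike every other service on this page, the OUTPUT rule
# matches --dports (connections *to* 80/443 made by this host), not
# --sports (this server's replies). With ESTABLISHED-only it adds nothing
# next to the baseline OUTPUT ESTABLISHED rule, and the server's replies
# are covered by that baseline anyway. Kept as written; change it to
# `--sports 80,443` if the reply direction was the intent.
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT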

    1. allow smtp access

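# SMTP on 25/tcp, one command per line (they were collapsed into one
# line). Reply traffic (--sport 25, ESTABLISHED) is already accepted by
# the baseline OUTPUT rule; the second rule is kept for completeness.
iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT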

    1. allow IMAP access

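# IMAP on 143/tcp, one command per line (they were collapsed into one
# line). 143 is the plaintext IMAP port; whether it is upgraded with
# STARTTLS is decided by the mail server, not by this rule.
iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT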

    1. allow IMAPS access

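# IMAPS on 993/tcp, one command per line (they were collapsed into one
# line). Same shape as the other per-service pairs on this page.
iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT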


    1. NFS
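# NFS, restricted to the local 172.18.0.0/24. 2049 is nfsd and 111 is
# rpcbind; the remaining ports presumably pin mountd/lockd/statd/rquotad
# to fixed numbers — confirm against the NFS server's port configuration.
# Changes from the original:
#  - each router REJECT rule appeared twice; the duplicates never matched
#    and were dropped.
#  - 32803/tcp was added to the router's tcp REJECT list: the tcp ACCEPT
#    below opens 32803 to the whole /24, which contains the router, so
#    without it the router fell through to that ACCEPT.
#  - `-m state --state` replaced by the equivalent `-m conntrack --ctstate`
#    used everywhere else on this page.
# The router 172.18.0.1 lies inside 172.18.0.0/24, so its REJECT rules
# must stay ahead of the subnet-wide ACCEPTs — keep this order.
iptables -A INPUT -s 172.18.0.1 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -j REJECT
iptables -A INPUT -s 172.18.0.1 -p tcp -m multiport --dports 10053,111,2049,32769,32803,875,892 -j REJECT
iptables -A INPUT -s 172.18.0.0/24 -d 172.18.0.0/24 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 172.18.0.0/24 -d 172.18.0.0/24 -p tcp -m multiport --dports 10053,111,2049,32803,875,892 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Reply direction; already covered by the baseline OUTPUT ESTABLISHED rule.
iptables -A OUTPUT -s 172.18.0.0/24 -d 172.18.0.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 172.18.0.0/24 -d 172.18.0.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m conntrack --ctstate ESTABLISHED -j ACCEPT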
    1. cifs
  1. The router doesn't need SMB access.
# The router (172.18.0.1) gets no SMB: NetBIOS name/datagram on
# 137,138/udp and session/CIFS on 139,445/tcp. Two multiport rules match
# exactly the same packets as the four single-port rules did. These must
# precede the subnet-wide SMB ACCEPTs, since the router is in that /24.
iptables -A INPUT -s 172.18.0.1 -p udp -m multiport --dports 137,138 -j REJECT
iptables -A INPUT -s 172.18.0.1 -p tcp -m multiport --dports 139,445 -j REJECT
  1. Actual Samba ports
# Samba from the local /24: NEW connections to 137,138 over udp and to
# 137,138,139,445 over tcp, collapsed into one multiport rule per
# protocol (same match set as the six single-port rules) and using
# `-m conntrack --ctstate`, the equivalent of `-m state --state` used on
# the rest of this page.
# NOTE(review): 137/tcp and 138/tcp are accepted as in the original;
# NetBIOS name and datagram services normally listen on UDP only, so those
# two tcp entries are presumably unused — and they are not among the ports
# the router REJECT rules above cover. Confirm and drop them if unneeded.
iptables -A INPUT -s 172.18.0.0/24 -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s 172.18.0.0/24 -p tcp -m multiport --dports 137,138,139,445 -m conntrack --ctstate NEW -j ACCEPT


  1. Note: how to remove junk from your iptables, e.g. leftover chains after uninstalling ufw.
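# Remove leftover ufw chains and rules from the live ruleset (e.g. after
# uninstalling ufw). Consider `iptables-save` to a backup file first.
# Fixes: $(...) instead of backticks, quoted loop variable and regex,
# and an mktemp path instead of the fixed, predictable /tmp/iptables.
#######################################
# Print the names of all chains whose listing line mentions "ufw".
# Outputs: one chain name per line on stdout
#######################################
ufw_chains() {
  iptables -n -L | awk '/^Chain.*ufw/ { print $2 }'
}

saved=$(mktemp) || exit 1

mapfile -t chains < <(ufw_chains)
for chain in "${chains[@]}"; do
  iptables -F "$chain"
done

# grep -v drops every saved line containing "ufw": the ufw chains, the
# jumps into them from the builtin chains — and any unrelated rule whose
# comment or target happens to contain "ufw". Hence the manual check.
iptables-save | grep -v ufw > "$saved"
## verify that the file in "$saved" is as you want it to be before restoring
iptables-restore < "$saved"

# iptables-restore replaces the tables it loads, so the ufw chains are
# normally gone already; this pass only catches chains in tables the
# saved file did not cover.
mapfile -t chains < <(ufw_chains)
for chain in "${chains[@]}"; do
  iptables -X "$chain"
done
rm -f -- "$saved"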

<b>Now validate that the rules are as you want them to be.</b>