Iptables-firewalls: Difference between revisions

(Created page with "## allow all traffic on local interface iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT ## allow related traffic in and out iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT ## drop invalid packages iptables -A INPUT -m conntrack --ctstate INVALID -j DROP ## allow ssh access iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptab...")
 
No edit summary
Line 32: Line 32:


## NFS
## NFS
<pre>
iptables -A INPUT -s 172.18.0.1 -p udp -m multiport --dports 10053,111,2049,32769,875,892  -j REJECT
iptables -A INPUT -s 172.18.0.1 -p udp -m multiport --dports 10053,111,2049,32769,875,892  -j REJECT
iptables -A INPUT -s 172.18.0.1 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -j REJECT
iptables -A INPUT -s 172.18.0.1 -p udp -m multiport --dports 10053,111,2049,32769,875,892 -j REJECT
Line 40: Line 41:
iptables -A OUTPUT -s 172.18.0.0/24 -d 172.18.0.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT  
iptables -A OUTPUT -s 172.18.0.0/24 -d 172.18.0.0/24 -p udp -m multiport --sports 10053,111,2049,32769,875,892 -m state --state ESTABLISHED -j ACCEPT  
iptables -A OUTPUT -s 172.18.0.0/24 -d 172.18.0.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT  
iptables -A OUTPUT -s 172.18.0.0/24 -d 172.18.0.0/24 -p tcp -m multiport --sports 10053,111,2049,32803,875,892 -m state --state ESTABLISHED -j ACCEPT  
 
</pre>
## cifs
## cifs
# The router doesn't need SMB access.
# The router doesn't need SMB access.
<pre>
iptables -A INPUT -s 172.18.0.1 -p udp --dport 137 -j REJECT
iptables -A INPUT -s 172.18.0.1 -p udp --dport 137 -j REJECT
iptables -A INPUT -s 172.18.0.1 -p udp --dport 138 -j REJECT
iptables -A INPUT -s 172.18.0.1 -p udp --dport 138 -j REJECT
iptables -A INPUT -s 172.18.0.1 -p tcp --dport 139 -j REJECT
iptables -A INPUT -s 172.18.0.1 -p tcp --dport 139 -j REJECT
iptables -A INPUT -s 172.18.0.1 -p tcp --dport 445 -j REJECT
iptables -A INPUT -s 172.18.0.1 -p tcp --dport 445 -j REJECT
 
</pre>
# Actual Samba ports
# Actual Samba ports
<pre>
iptables -A INPUT -s 172.18.0.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 172.18.0.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 172.18.0.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -s 172.18.0.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
Line 55: Line 58:
iptables -A INPUT -s 172.18.0.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 172.18.0.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 172.18.0.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -s 172.18.0.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
</pre>
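Review bot: The new "Actual Samba ports" ACCEPT rules at the end of the section open tcp/137 and tcp/138 to all of 172.18.0.0/24, which includes the router 172.18.0.1, while the preceding "router doesn't need SMB access" REJECT rules cover only udp/137, udp/138, tcp/139 and tcp/445 — so the router is still accepted on tcp/137-138 and the stated intent is not fully enforced. If those two ports are really needed, add a matching refusal ahead of the ACCEPTs, e.g. `iptables -A INPUT -s 172.18.0.1 -p tcp -m multiport --dports 137,138 -j REJECT`; if not (NetBIOS name/datagram service is UDP, and Samba normally listens on tcp/139 and tcp/445), it is safer to drop the two tcp rules instead. Either way the REJECT lines only take effect because they are appended before the LAN-wide ACCEPTs, which deserves a comment such as `# must precede the 172.18.0.0/24 ACCEPT rules: first match wins and the router is inside that range`. The NFS and Samba rules also alternate between `-m state --state` and the `-m conntrack --ctstate` used earlier on the page; the two are equivalent, but a single spelling is easier to audit.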

Revision as of 10:00, 23 March 2023

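    # --- Base rules: loopback, connection tracking, invalid packets ---
# NOTE(review): no `iptables -P INPUT DROP` (or trailing DROP rule) appears in
# this listing. The per-service ACCEPT rules further down only restrict anything
# if the INPUT chain's default policy is DROP — confirm where the policy is set.
# NOTE(review): every rule uses -A (append); re-running the listing without a
# flush first duplicates all rules. Presumably run against a flushed table.

# Loopback traffic is trusted unconditionally in both directions.
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept packets belonging to connections conntrack already knows, plus
# RELATED ones (ICMP errors for a tracked flow, helper-opened connections).
# Fix: the original accepted RELATED only on INPUT and just ESTABLISHED on
# OUTPUT, so related outbound packets were not matched by this rule; both
# directions now use the same state set.
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop packets conntrack cannot classify (malformed, out-of-window, stray).
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP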

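    # --- Public services: ssh, http/https, smtp, imap, imaps ---
# Each service gets an INPUT rule for new connections and an OUTPUT rule for
# its replies, which are matched by the reply's *source* port. The generic
# ESTABLISHED rule earlier in the listing already covers the replies, so the
# OUTPUT rules here only matter if that rule is ever removed.
#
# Fix: the original http/https OUTPUT rule matched --dports 80,443, i.e.
# outbound *client* connections to remote web servers, not the replies of the
# local web server. It now matches --sports 80,443 like every other service.
#
# NOTE(review): these rules accept from any source address. tcp/143 is
# cleartext IMAP unless the server enforces STARTTLS, and tcp/25 accepts mail
# from anywhere — confirm both are meant to be reachable beyond the LAN.

# ssh
iptables -A INPUT  -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# http and https (replies leave with source port 80/443)
iptables -A INPUT  -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# smtp
iptables -A INPUT  -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# imap (cleartext unless the server enforces STARTTLS — see note above)
iptables -A INPUT  -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# imaps
iptables -A INPUT  -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT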


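    # --- NFS: LAN only, explicitly refused from the router ---
router=172.18.0.1
lan=172.18.0.0/24

# One port list per protocol, shared by the REJECT and ACCEPT rules below so
# the two cannot drift apart again. 111 = rpcbind and 2049 = nfs; the rest
# look like the RHEL-style fixed ports (892 mountd, 875 rquotad, 32769/udp and
# 32803/tcp lockd) — confirm against the NFS server config.
# NOTE(review): 10053 is not a standard NFS port; check what listens there.
nfs_udp_ports=10053,111,2049,32769,875,892
nfs_tcp_ports=10053,111,2049,32803,875,892

# The router gets no NFS access.
# Fix: the original tcp REJECT rule listed 32769 (the udp lockd port) instead
# of 32803, so tcp/32803 from the router fell through to the LAN ACCEPT rule
# below — the router address is inside 172.18.0.0/24. The original also
# carried each REJECT rule twice; the duplicates are dropped.
# These must stay ahead of the LAN ACCEPTs: iptables takes the first match.
iptables -A INPUT -s "$router" -p udp -m multiport --dports "$nfs_udp_ports" -j REJECT
iptables -A INPUT -s "$router" -p tcp -m multiport --dports "$nfs_tcp_ports" -j REJECT

# Allow NFS from the rest of the LAN, and the matching replies. The -d match
# presumably limits this to the host's LAN-side address — confirm.
# `-m conntrack --ctstate` replaces the legacy `-m state --state` alias used
# here in the original, for consistency with the rest of the listing.
# NOTE(review): source-address filtering is the only control here and LAN
# addresses can be spoofed; make sure /etc/exports also restricts clients.
iptables -A INPUT  -s "$lan" -d "$lan" -p udp -m multiport --dports "$nfs_udp_ports" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -s "$lan" -d "$lan" -p tcp -m multiport --dports "$nfs_tcp_ports" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s "$lan" -d "$lan" -p udp -m multiport --sports "$nfs_udp_ports" -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s "$lan" -d "$lan" -p tcp -m multiport --sports "$nfs_tcp_ports" -m conntrack --ctstate ESTABLISHED -j ACCEPT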
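    # --- CIFS / Samba: LAN only, explicitly refused from the router ---
router=172.18.0.1
lan=172.18.0.0/24

# Ports Samba is allowed on from the LAN. The router REJECT rules are built
# from the same lists so "the router doesn't need SMB access" actually covers
# everything the LAN ACCEPT rules open.
# Fix: the original refused only udp/137-138 and tcp/139,445 from the router
# but accepted tcp/137-138 from the whole LAN, router included.
smb_udp_ports=137,138
smb_tcp_ports=137,138,139,445
# NOTE(review): NetBIOS name/datagram service is udp/137-138; Samba normally
# listens on tcp/139 and tcp/445 only, so the tcp/137-138 entries are probably
# unnecessary — check `ss -ltnp` on the server before keeping them.

# The router doesn't need SMB access. These must precede the LAN ACCEPTs:
# first match wins and the router address is inside the LAN range.
iptables -A INPUT -s "$router" -p udp -m multiport --dports "$smb_udp_ports" -j REJECT
iptables -A INPUT -s "$router" -p tcp -m multiport --dports "$smb_tcp_ports" -j REJECT

# Actual Samba ports, open to the LAN. Replies are covered by the generic
# ESTABLISHED rule earlier in the listing, so only NEW is needed here.
# `-m conntrack --ctstate` replaces the legacy `-m state --state` alias.
iptables -A INPUT -s "$lan" -p tcp -m multiport --dports "$smb_tcp_ports" -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s "$lan" -p udp -m multiport --dports "$smb_udp_ports" -m conntrack --ctstate NEW -j ACCEPT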