Iptables-firewalls

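    # iptables host firewall: loopback, stateful replies, a handful of public
    # services, and LAN-only NFS/SMB with the router explicitly excluded.
# NOTE(review): no flush (-F) and no default policy (-P INPUT DROP) appear in
# this snippet — confirm they are set elsewhere. Without a DROP policy the
# ACCEPT rules below are no-ops and only the REJECT/DROP rules take effect.
set -euo pipefail

readonly LAN=172.18.0.0/24   # network allowed to reach NFS and SMB
readonly ROUTER=172.18.0.1   # inside $LAN, but must not reach NFS or SMB

# NFS-related ports: rpcbind 111, nfsd 2049, rquotad 875, mountd 892 and the
# fixed lockd ports, which differ between UDP (32769) and TCP (32803).
# 10053 is not a standard NFS port — presumably a site-specific service; verify.
readonly NFS_UDP_PORTS=10053,111,2049,32769,875,892
readonly NFS_TCP_PORTS=10053,111,2049,32803,875,892

# allow all traffic on the loopback interface
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow replies to existing connections in and out. Because these two rules
# are appended first, every later INPUT rule only has to match NEW connections
# and no per-port OUTPUT rule is needed (an OUTPUT rule matching only
# ESTABLISHED for a single port can never be reached).
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# drop packets conntrack cannot classify
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# allow ssh access
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# allow http and https traffic
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

# allow smtp access
iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT

# allow IMAP and IMAPS access
iptables -A INPUT -p tcp -m multiport --dports 143,993 -m conntrack --ctstate NEW -j ACCEPT

# NFS: LAN only, and not from the router. The REJECT rules must precede the
# ACCEPT rules because $ROUTER is part of $LAN. The TCP REJECT list uses the
# same port set as the TCP ACCEPT list, so the router cannot reach tcp/32803
# through the LAN rule.
iptables -A INPUT -s "$ROUTER" -p udp -m multiport --dports "$NFS_UDP_PORTS" -j REJECT
iptables -A INPUT -s "$ROUTER" -p tcp -m multiport --dports "$NFS_TCP_PORTS" -j REJECT
iptables -A INPUT -s "$LAN" -d "$LAN" -p udp -m multiport --dports "$NFS_UDP_PORTS" -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s "$LAN" -d "$LAN" -p tcp -m multiport --dports "$NFS_TCP_PORTS" -m conntrack --ctstate NEW -j ACCEPT

# SMB/CIFS: LAN only, and not from the router. Samba listens on udp/137-138
# (nmbd) and tcp/139,445 (smbd); tcp/137-138 are not Samba ports and are left
# closed.
iptables -A INPUT -s "$ROUTER" -p udp -m multiport --dports 137,138 -j REJECT
iptables -A INPUT -s "$ROUTER" -p tcp -m multiport --dports 139,445 -j REJECT
iptables -A INPUT -s "$LAN" -p udp -m multiport --dports 137,138 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s "$LAN" -p tcp -m multiport --dports 139,445 -m conntrack --ctstate NEW -j ACCEPT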