Difference between revisions of "Basic iptables firewall template"

(Created page with "<pre> # Flush INPUT/OUTPUT/FORWARD chains iptables -F INPUT iptables -F OUTPUT iptables -F FORWARD # Drop invalid packets iptables -A INPUT -m conntrack --ctstate INVALID -j...")
 


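#!/usr/bin/env bash
# Basic iptables firewall template: reset the filter-table chains and
# install a default-deny INPUT/FORWARD policy with explicit allows.
#
# Environment (optional overrides; defaults match the original template):
#   SSH_PORT  TCP port the SSH daemon listens on (default 2020)
#   DB_IFACE  interface on which the SQL service on 3306 is reachable (default ens19)
#
# Must run as root. Every iptables call is fatal on error (set -e) so a typo
# cannot leave a half-applied rule set. The DROP policies are switched on
# only at the very end, so an early failure leaves the host reachable.
# This covers IPv4 only; ip6tables keeps its own tables and is not touched.
set -euo pipefail

readonly SSH_PORT="${SSH_PORT:-2020}"
readonly DB_IFACE="${DB_IFACE:-ens19}"

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "this script must run as root"
command -v iptables >/dev/null || die "iptables not found in PATH"

# Flush INPUT/OUTPUT/FORWARD chains (filter table only; nat/mangle untouched)
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# Drop packets conntrack cannot associate with any known connection
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Pass everything on loopback
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept incoming packets for established/related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept incoming ICMP (all types; narrow to specific types if required)
iptables -A INPUT -p icmp -j ACCEPT

# Accept incoming SSH on the configured (non-default) port
iptables -A INPUT -p tcp --dport "${SSH_PORT}" -j ACCEPT

# Allow HTTP and HTTPS. Replies from the local web server leave with
# source port 80/443, so the OUTPUT rule matches on --sports, the same
# shape as the SQL pair below. The earlier --dports form only matched
# outbound client traffic, and is moot anyway under the ACCEPT policy set
# further down.
iptables -A INPUT  -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Accept SQL connections only on the database-facing interface
iptables -A INPUT  -i "${DB_IFACE}" -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o "${DB_IFACE}" -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Accept outgoing connections
iptables -P OUTPUT ACCEPT

# Default-deny everything else on INPUT/FORWARD (set last on purpose; see header)
iptables -P INPUT   DROP
iptables -P FORWARD DROP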