Basic iptables firewall template

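#!/usr/bin/env bash
# Basic IPv4 iptables firewall template (filter table only).
#
# Default-deny INPUT/FORWARD with explicit allows for loopback, established
# traffic, ICMP, SSH, HTTP/HTTPS and MySQL on a single interface. Must run as
# root. Only IPv4 is configured here: if IPv6 is enabled on the host, an
# equivalent ip6tables ruleset is needed or v6 traffic stays unfiltered.
#
# Ports/interfaces may be overridden from the environment (defaults keep the
# original template values):
#   SSH_PORT  (default 2020)  - must match "Port" in sshd_config
#   DB_IFACE  (default ens19) - the only interface allowed to reach DB_PORT
#   DB_PORT   (default 3306)
set -euo pipefail

readonly SSH_PORT="${SSH_PORT:-2020}"
readonly DB_IFACE="${DB_IFACE:-ens19}"
readonly DB_PORT="${DB_PORT:-3306}"

# NOTE: rules are applied one command at a time. On a re-run the INPUT
# policy is already DROP, so between the flush below and the ESTABLISHED
# rule inbound packets are briefly dropped, and a failing command (set -e)
# leaves a partial ruleset in place. Feed the same rules to iptables-restore
# if an atomic apply is required.

# Flush INPUT/OUTPUT/FORWARD chains
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# Drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Pass everything on loopback
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept incoming packets for established connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept incoming ICMP
iptables -A INPUT -p icmp -j ACCEPT

# Accept incoming SSH (non-standard port; keep in sync with sshd_config)
iptables -A INPUT -p tcp --dport "${SSH_PORT}" -j ACCEPT

# Allow HTTP and HTTPS.
# Server replies leave with source port 80/443, so the OUTPUT rule matches
# --sports, mirroring the DB rule pair below. (OUTPUT policy is ACCEPT, so
# the OUTPUT rules here are explicit rather than load-bearing.)
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Accept SQL connections on the DB interface only
iptables -A INPUT -i "${DB_IFACE}" -p tcp --dport "${DB_PORT}" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o "${DB_IFACE}" -p tcp --sport "${DB_PORT}" -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Accept outgoing connections
iptables -P OUTPUT ACCEPT

# Drop everything else on INPUT/FORWARD.
# Policies are set last so the default-deny only takes effect once the
# allow rules above are in place.
iptables -P INPUT   DROP
iptables -P FORWARD DROP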