iptable rules
commit
54189e64dc
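--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,67 @@
+##########################
+# Rules for table FILTER #
+##########################
+*filter
+# Delault policies for chains
+:INPUT DROP [118:6794]
+:FORWARD DROP [135:8672]
+:OUTPUT ACCEPT [585300:650020709]
+
+# Allow SSH and Wireguard traffic
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
+
+# Allow ICMP for debugging
+-A INPUT -p icmp -j ACCEPT
+-A OUTPUT -p icmp -j ACCEPT
+
+# Allow a return path for any outgoing traffic initiated by local processes
+-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Allow established and related connections for FORWARD chain
+-A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i wg0 -j ACCEPT
+
+# Allow new connections for all services on iota
+# Nginx
+-A FORWARD -i eth0 -o wg0 -p tcp -m multiport --dports 80,443,8222 -m conntrack --ctstate NEW -j ACCEPT
+# SSH
+-A FORWARD -i eth0 -o wg0 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+# Ejabberd
+-A FORWARD -i eth0 -o wg0 -p tcp -m multiport --dports 5222,5223,5269,5280,5443,5349 -m conntrack --ctstate NEW -j ACCEPT
+-A FORWARD -i eth0 -o wg0 -p udp --dport 3478 -m conntrack --ctstate NEW -j ACCEPT
+# Gitea SSH
+-A FORWARD -i eth0 -o wg0 -p tcp --dport 22222 -m conntrack --ctstate NEW -j ACCEPT
+
+COMMIT
+
+#######################
+# Rules for table NAT #
+#######################
+*nat
+# Default policies for chains
+:PREROUTING ACCEPT [3303:233473]
+:INPUT ACCEPT [2173:121219]
+:OUTPUT ACCEPT [851:52598]
+:POSTROUTING ACCEPT [1807:110254]
+
+# SNAT and DNAT for services on iota
+# To make this rules valid you should allow new connections to corresponding ports above
+
+# Port forwarding for services
+#
+# Nginx
+-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.1.0.2
+-A PREROUTING -i eth0 -p tcp --dport 8223 -j DNAT --to-destination 10.1.0.2:8222
+# SSH
+-A PREROUTING -i eth0 -p tcp --dport 8222 -j DNAT --to-destination 10.1.0.2:22
+# Ejabberd
+-A PREROUTING -i eth0 -p tcp -m multiport --dports 5222,5223,5269,5280,5443,5349 -j DNAT --to-destination 10.1.0.2
+-A PREROUTING -i eth0 -p udp --dport 3478 -j DNAT --to-destination 10.1.0.2
+# Gitea SSH
+-A PREROUTING -i eth0 -p tcp --dport 22222 -j DNAT --to-destination 10.1.0.2
+
+# For all traffic came from wg0 interface we rewrite source IP with IP of the gateway
+-A POSTROUTING -o eth0 -s 10.1.0.0/24 -j SNAT --to-source 45.89.228.240
+
+COMMIT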
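Review bot: With `:INPUT DROP` as the policy, nothing in the filter table accepts loopback traffic, and the return-path rule `-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT` only matches eth0, so replies to connections the gateway itself opens over lo or wg0 (for example to 10.1.0.2) are dropped; add `-A INPUT -i lo -j ACCEPT` before the state rule and drop the `-i eth0` qualifier, preferably as `-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` so the INPUT and FORWARD rules use the same match module. The `-i eth0 -o wg0 ... --ctstate NEW` FORWARD rules accept any wg0 destination, while every DNAT in the nat table targets 10.1.0.2 only; pinning them with `-d 10.1.0.2` keeps the accept list equal to the forwarded services and leaves other VPN peers unreachable from eth0. Note the comment typo `# Delault policies for chains` (`Default`, as in the nat table).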