iptable rules

master
nihonium 2 years ago
commit 54189e64dc
No known key found for this signature in database
GPG Key ID: 0251623741027CFC

@ -0,0 +1,67 @@
##########################
# Rules for table FILTER #
##########################
*filter
# Delault policies for chains
:INPUT DROP [118:6794]
:FORWARD DROP [135:8672]
:OUTPUT ACCEPT [585300:650020709]
# Allow SSH and Wireguard traffic
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
# Allow ICMP for debugging
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# Allow a return path for any outgoing traffic initiated by local processes
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow established and related connections for FORWARD chain
-A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
# Allow new connections for all services on iota
# Nginx
-A FORWARD -i eth0 -o wg0 -p tcp -m multiport --dports 80,443,8222 -m conntrack --ctstate NEW -j ACCEPT
# SSH
-A FORWARD -i eth0 -o wg0 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Ejabberd
-A FORWARD -i eth0 -o wg0 -p tcp -m multiport --dports 5222,5223,5269,5280,5443,5349 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -o wg0 -p udp --dport 3478 -m conntrack --ctstate NEW -j ACCEPT
# Gitea SSH
-A FORWARD -i eth0 -o wg0 -p tcp --dport 22222 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
#######################
# Rules for table NAT #
#######################
*nat
# Default policies for chains
:PREROUTING ACCEPT [3303:233473]
:INPUT ACCEPT [2173:121219]
:OUTPUT ACCEPT [851:52598]
:POSTROUTING ACCEPT [1807:110254]
# SNAT and DNAT for services on iota
# To make this rules valid you should allow new connections to corresponding ports above
# Port forwarding for services
#
# Nginx
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -i eth0 -p tcp --dport 8223 -j DNAT --to-destination 10.1.0.2:8222
# SSH
-A PREROUTING -i eth0 -p tcp --dport 8222 -j DNAT --to-destination 10.1.0.2:22
# Ejabberd
-A PREROUTING -i eth0 -p tcp -m multiport --dports 5222,5223,5269,5280,5443,5349 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -i eth0 -p udp --dport 3478 -j DNAT --to-destination 10.1.0.2
# Gitea SSH
-A PREROUTING -i eth0 -p tcp --dport 22222 -j DNAT --to-destination 10.1.0.2
# For all traffic came from wg0 interface we rewrite source IP with IP of the gateway
-A POSTROUTING -o eth0 -s 10.1.0.0/24 -j SNAT --to-source 45.89.228.240
COMMIT
Loading…
Cancel
Save