Firewall - iptables

Thu 03 Oct 2024

🎉 Hi: ... 🎉

iptables rules

bash

# https://jodies.de/ipcalc?host=10.8.12.224&mask1=28&mask2=
# APT Update
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# SSH
iptables -A INPUT -s 192.168.27.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.66.76.0/22 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.66.80.0/22 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 22 -j ACCEPT
# Webmin
iptables -A INPUT -s 192.168.27.0/24 -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -s 10.66.76.0/22 -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -s 10.66.80.0/22 -p tcp --dport 10000 -j ACCEPT
# portainer_agent
iptables -A INPUT -s 10.8.12.230/32 -p tcp --dport 9001 -j ACCEPT
# prometheus
iptables -A INPUT -s 10.8.12.230/32 -p tcp --dport 9090 -j ACCEPT
# node_exporter
iptables -A INPUT -s 10.8.12.230/32 -p tcp --dport 9100 -j ACCEPT
# cadvisor
iptables -A INPUT -s 10.8.12.230/32 -p tcp --dport 8080 -j ACCEPT
# Postgres
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 5342 -j ACCEPT
iptables -A INPUT -s 192.168.27.0/24 -p tcp --dport 5342 -j ACCEPT
iptables -A INPUT -s 10.66.76.0/22 -p tcp --dport 5342 -j ACCEPT
iptables -A INPUT -s 10.66.80.0/22 -p tcp --dport 5342 -j ACCEPT
# MySQL v8
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s 192.168.27.0/24 -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s 10.66.76.0/22 -p tcp --dport 3306 -j ACCEPT
iptables -A INPUT -s 10.66.80.0/22 -p tcp --dport 3306 -j ACCEPT
# MySQL v8 (Dev.)
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 3366 -j ACCEPT
iptables -A INPUT -s 192.168.27.0/24 -p tcp --dport 3366 -j ACCEPT
iptables -A INPUT -s 10.66.76.0/22 -p tcp --dport 3366 -j ACCEPT
iptables -A INPUT -s 10.66.80.0/22 -p tcp --dport 3366 -j ACCEPT
# MySQL v5
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 3307 -j ACCEPT
iptables -A INPUT -s 192.168.27.0/24 -p tcp --dport 3307 -j ACCEPT
iptables -A INPUT -s 10.66.76.0/22 -p tcp --dport 3307 -j ACCEPT
iptables -A INPUT -s 10.66.80.0/22 -p tcp --dport 3307 -j ACCEPT
# Mongodb v4
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 27017 -j ACCEPT
iptables -A INPUT -s 192.168.27.0/24 -p tcp --dport 27017 -j ACCEPT
iptables -A INPUT -s 10.66.76.0/22 -p tcp --dport 27017 -j ACCEPT
iptables -A INPUT -s 10.66.80.0/22 -p tcp --dport 27017 -j ACCEPT
# Redis v7
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 6379 -j ACCEPT
iptables -A INPUT -s 192.168.27.0/24 -p tcp --dport 6379 -j ACCEPT
iptables -A INPUT -s 10.66.76.0/22 -p tcp --dport 6379 -j ACCEPT
iptables -A INPUT -s 10.66.80.0/22 -p tcp --dport 6379 -j ACCE
# DNS
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# Log
iptables -A INPUT -j LOG
# Drop All
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP

Service	Chain	Protocal	Source ip	Destination port	Rule
ssh	INPUT	tcp	10.8.12.224/28 192.168.27.0/24 10.66.76.0/22 10.66.80.0/22	22	ACCEPT
Webmin	INPUT	tcp	192.168.27.0/24 10.66.76.0/22 10.66.80.0/22	10000	ACCEPT
portainer_agent	INPUT	tcp	10.8.12.230/32	9001	ACCEPT
prometheus	INPUT	tcp	10.8.12.230/32	9090	ACCEPT
node_exporter	INPUT	tcp	10.8.12.230/32	9100	ACCEPT
cadvisor	INPUT	tcp	10.8.12.230/32	8080	ACCEPT
Postgres	INPUT	tcp	10.8.12.224/28 192.168.27.0/24 10.66.76.0/22 10.66.80.0/22	5342	ACCEPT
MySQL v8	INPUT	tcp	10.8.12.224/28 192.168.27.0/24 10.66.76.0/22 10.66.80.0/22	3306	ACCEPT
MySQL v8 (Dev.)	INPUT	tcp	10.8.12.224/28 192.168.27.0/24 10.66.76.0/22 10.66.80.0/22	3366	ACCEPT
MySQL v5	INPUT	tcp	10.8.12.224/28 192.168.27.0/24 10.66.76.0/22 10.66.80.0/22	3307	ACCEPT
Mongodb v4	INPUT	tcp	10.8.12.224/28 192.168.27.0/24 10.66.76.0/22 10.66.80.0/22	27017	ACCEPT
Redis v7	INPUT	tcp	10.8.12.224/28 192.168.27.0/24 10.66.76.0/22 10.66.80.0/22	6379	ACCEPT

iptables list

bash

iptables -L -n --line-numbers

# Chain INPUT (policy ACCEPT)
# num  target     prot opt source               destination
# 1    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
# 2    ACCEPT     6    --  192.168.27.0/24      0.0.0.0/0            tcp dpt:22
# 3    ACCEPT     6    --  10.8.12.224/28       0.0.0.0/0            tcp dpt:22
# 4    ACCEPT     6    --  10.66.80.0/22        0.0.0.0/0            tcp dpt:22
# 5    ACCEPT     6    --  10.66.76.0/22        0.0.0.0/0            tcp dpt:22
# 6    ACCEPT     6    --  192.168.27.0/24      0.0.0.0/0            tcp dpt:10000
# 7    ACCEPT     6    --  10.66.80.0/22        0.0.0.0/0            tcp dpt:10000
# 8    ACCEPT     6    --  10.66.76.0/22        0.0.0.0/0            tcp dpt:10000
# 9    ACCEPT     6    --  10.8.12.230          0.0.0.0/0            tcp dpt:9001
# 10   ACCEPT     6    --  10.8.12.230          0.0.0.0/0            tcp dpt:9090
# 11   ACCEPT     6    --  10.8.12.230          0.0.0.0/0            tcp dpt:9100
# 12   ACCEPT     6    --  10.8.12.230          0.0.0.0/0            tcp dpt:8080
# 13   ACCEPT     6    --  10.8.12.224/28       0.0.0.0/0            tcp dpt:5342
# 14   ACCEPT     6    --  192.168.27.0/24      0.0.0.0/0            tcp dpt:5342
# 15   ACCEPT     6    --  10.66.80.0/22        0.0.0.0/0            tcp dpt:5342
# 16   ACCEPT     6    --  10.66.76.0/22        0.0.0.0/0            tcp dpt:5342
# 17   ACCEPT     6    --  10.8.12.224/28       0.0.0.0/0            tcp dpt:3306
# 18   ACCEPT     6    --  192.168.27.0/24      0.0.0.0/0            tcp dpt:3306
# 19   ACCEPT     6    --  10.66.80.0/22        0.0.0.0/0            tcp dpt:3306
# 20   ACCEPT     6    --  10.66.76.0/22        0.0.0.0/0            tcp dpt:3306
# 21   ACCEPT     6    --  10.8.12.224/28       0.0.0.0/0            tcp dpt:3366
# 22   ACCEPT     6    --  192.168.27.0/24      0.0.0.0/0            tcp dpt:3366
# 23   ACCEPT     6    --  10.66.80.0/22        0.0.0.0/0            tcp dpt:3366
# 24   ACCEPT     6    --  10.66.76.0/22        0.0.0.0/0            tcp dpt:3366
# 25   ACCEPT     6    --  10.8.12.224/28       0.0.0.0/0            tcp dpt:3307
# 26   ACCEPT     6    --  192.168.27.0/24      0.0.0.0/0            tcp dpt:3307
# 27   ACCEPT     6    --  10.66.80.0/22        0.0.0.0/0            tcp dpt:3307
# 28   ACCEPT     6    --  10.66.76.0/22        0.0.0.0/0            tcp dpt:3307
# 29   ACCEPT     6    --  10.8.12.224/28       0.0.0.0/0            tcp dpt:27017
# 30   ACCEPT     6    --  10.66.80.0/22        0.0.0.0/0            tcp dpt:27017
# 31   ACCEPT     6    --  10.66.76.0/22        0.0.0.0/0            tcp dpt:27017
# 32   ACCEPT     6    --  10.66.0.0/16         0.0.0.0/0            tcp dpt:27017
# 33   ACCEPT     6    --  10.8.12.224/28       0.0.0.0/0            tcp dpt:6379
# 34   ACCEPT     6    --  192.168.27.0/24      0.0.0.0/0            tcp dpt:6379
# 35   ACCEPT     6    --  10.66.80.0/22        0.0.0.0/0            tcp dpt:6379
# 36   ACCEPT     6    --  10.66.76.0/22        0.0.0.0/0            tcp dpt:6379
# 37   ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
# 38   LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
# 39   DROP       6    --  0.0.0.0/0            0.0.0.0/0
# 40   DROP       17   --  0.0.0.0/0            0.0.0.0/0

Notes:
- 10.8.12.224/28 KYL Nutanix Range IP Address
- 10.66.76.0/22 10.66.80.0/22 PSU VPN IP Address

kyl-ebook-backend

kyl-ebook-frontend

kyl-payment

kyl-backup

kyl-ha-01

kyl-ha-02

kyl-www-01

kyl-www-02

kyl-db-01

psu12-fog

Firewall - iptables

iptables rules

iptables list

Firewall - iptables ​

iptables rules ​

iptables list ​

Firewall - iptables

iptables rules

iptables list