Firewall - iptables
Thu 31 Oct 2024
iptables rules

```bash
# Subnet calculator used for the /28 range below:
# https://jodies.de/ipcalc?host=10.8.12.224&mask1=28&mask2=
# Return traffic for connections this host opened itself (e.g. APT update).
# Without this rule every reply packet would fall through to the DROP rules.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# SSH, only from the management, VPN and Nutanix ranges (see Notes)
iptables -A INPUT -s 192.168.27.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.66.76.0/22 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.66.80.0/22 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 22 -j ACCEPT
# Kong API (admin ports 8001/8444); note these accept from any source
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 8001 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 8444 -j ACCEPT
# Konga
iptables -A INPUT -s 192.168.27.0/24 -p tcp --dport 1337 -j ACCEPT
# Webmin
iptables -A INPUT -s 192.168.27.0/24 -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -s 10.66.76.0/22 -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -s 10.66.80.0/22 -p tcp --dport 10000 -j ACCEPT
# node_exporter (monitoring host only)
iptables -A INPUT -s 10.8.12.230/32 -p tcp --dport 9100 -j ACCEPT
# prometheus (monitoring host only)
iptables -A INPUT -s 10.8.12.230/32 -p tcp --dport 9090 -j ACCEPT
# portainer_agent (monitoring host only)
iptables -A INPUT -s 10.8.12.230/32 -p tcp --dport 9080 -j ACCEPT
# LDAP over TLS, open to any source
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 636 -j ACCEPT
# www
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 443 -j ACCEPT
# Postgres
iptables -A INPUT -s 192.168.27.0/24 -p tcp --dport 5432 -j ACCEPT
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 5432 -j ACCEPT
# DNS (no -s given, so any source)
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# Log everything that reached this point without being accepted.
# This rule has no -m limit, so a port scan writes one kernel log line per packet.
iptables -A INPUT -j LOG
# Drop all remaining TCP and UDP. Other protocols (ICMP included) are not
# matched here and fall through to the chain's default policy (ACCEPT, see
# the listing below). There is also no "-i lo" ACCEPT rule, so new
# connections over loopback are subject to the same DROP rules.
iptables -A INPUT -p tcp -j DROP
iptables -A INPUT -p udp -j DROP
```
| Service | Chain | Protocol | Source IP | Destination port | Rule |
|---|---|---|---|---|---|
| ssh | INPUT | tcp | 10.8.12.224/28, 192.168.27.0/24, 10.66.76.0/22, 10.66.80.0/22 | 22 | ACCEPT |
| Webmin | INPUT | tcp | 192.168.27.0/24, 10.66.76.0/22, 10.66.80.0/22 | 10000 | ACCEPT |
| portainer_agent | INPUT | tcp | 10.8.12.230/32 | 9080 | ACCEPT |
| prometheus | INPUT | tcp | 10.8.12.230/32 | 9090 | ACCEPT |
| node_exporter | INPUT | tcp | 10.8.12.230/32 | 9100 | ACCEPT |
| Kong API | INPUT | tcp | 192.168.27.0/24 | 8001 | ACCEPT |
| Kong API | INPUT | tcp | 192.168.27.0/24 | 8444 | ACCEPT |
| Konga | INPUT | tcp | 192.168.27.0/24 | 1337 | ACCEPT |
| LDAP | INPUT | tcp | 0.0.0.0/0 | 636 | ACCEPT |
| www | INPUT | tcp | 0.0.0.0/0 | 80 | ACCEPT |
| Postgres | INPUT | tcp | 192.168.27.0/24, 10.8.12.224/28 | 5432 | ACCEPT |
iptables list

```bash
iptables -L -n --line-numbers
# Chain INPUT (policy ACCEPT)
# num target prot opt source destination
# 1 PSAD_BLOCK_INPUT all -- 0.0.0.0/0 0.0.0.0/0
# 2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
# 3 DROP all -- 0.0.0.0/0 224.0.0.1
# 4 ACCEPT tcp -- 192.168.27.0/24 0.0.0.0/0 tcp dpt:22
# 5 ACCEPT tcp -- 10.66.76.0/22 0.0.0.0/0 tcp dpt:22
# 6 ACCEPT tcp -- 10.66.80.0/22 0.0.0.0/0 tcp dpt:22
# 7 ACCEPT tcp -- 10.8.12.224/28 0.0.0.0/0 tcp dpt:22
# 8 ACCEPT tcp -- 192.168.27.0/24 0.0.0.0/0 tcp dpt:1337
# 9 ACCEPT tcp -- 192.168.27.0/24 0.0.0.0/0 tcp dpt:10000
# 10 ACCEPT tcp -- 10.66.76.0/22 0.0.0.0/0 tcp dpt:10000
# 11 ACCEPT tcp -- 10.66.80.0/22 0.0.0.0/0 tcp dpt:10000
# 12 ACCEPT tcp -- 10.8.12.230 0.0.0.0/0 tcp dpt:9100
# 13 ACCEPT tcp -- 10.8.12.230 0.0.0.0/0 tcp dpt:9090
# 14 ACCEPT tcp -- 10.8.12.230 0.0.0.0/0 tcp dpt:9080
# 15 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:636
# 16 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
# 17 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
# 18 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8001
# 19 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8444
# 20 ACCEPT tcp -- 192.168.27.0/24 0.0.0.0/0 tcp dpt:5432
# 21 ACCEPT tcp -- 10.8.12.224/28 0.0.0.0/0 tcp dpt:5432
# 22 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
# 23 LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
# 24 DROP tcp -- 0.0.0.0/0 0.0.0.0/0
# 25 DROP udp -- 0.0.0.0/0 0.0.0.0/0
```
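As an added example (not part of the original post), here is a small Python audit that parses the `iptables -L -n --line-numbers` listing above and checks it against the intent recorded in the summary table: which ports accept traffic from any source, which of those were not meant to be public, where the live rules disagree with the table (the Kong ports 8001 and 8444 are listed as 192.168.27.0/24 in the table but accept 0.0.0.0/0 in the listing), and whether traffic can still reach the chain's default policy of ACCEPT because the final DROP rules cover only TCP and UDP. The embedded listing is the page's own output with the comment markers removed; the `INTENDED_PUBLIC` allowlist and the `INTENDED_SOURCES` map are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample input: the listing shown on this page, "# " markers removed.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
num  target  prot opt source  destination
1  PSAD_BLOCK_INPUT  all  --  0.0.0.0/0  0.0.0.0/0
2  ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  ctstate RELATED,ESTABLISHED
3  DROP  all  --  0.0.0.0/0  224.0.0.1
4  ACCEPT  tcp  --  192.168.27.0/24  0.0.0.0/0  tcp dpt:22
5  ACCEPT  tcp  --  10.66.76.0/22  0.0.0.0/0  tcp dpt:22
6  ACCEPT  tcp  --  10.66.80.0/22  0.0.0.0/0  tcp dpt:22
7  ACCEPT  tcp  --  10.8.12.224/28  0.0.0.0/0  tcp dpt:22
8  ACCEPT  tcp  --  192.168.27.0/24  0.0.0.0/0  tcp dpt:1337
9  ACCEPT  tcp  --  192.168.27.0/24  0.0.0.0/0  tcp dpt:10000
10  ACCEPT  tcp  --  10.66.76.0/22  0.0.0.0/0  tcp dpt:10000
11  ACCEPT  tcp  --  10.66.80.0/22  0.0.0.0/0  tcp dpt:10000
12  ACCEPT  tcp  --  10.8.12.230  0.0.0.0/0  tcp dpt:9100
13  ACCEPT  tcp  --  10.8.12.230  0.0.0.0/0  tcp dpt:9090
14  ACCEPT  tcp  --  10.8.12.230  0.0.0.0/0  tcp dpt:9080
15  ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:636
16  ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:80
17  ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:443
18  ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:8001
19  ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:8444
20  ACCEPT  tcp  --  192.168.27.0/24  0.0.0.0/0  tcp dpt:5432
21  ACCEPT  tcp  --  10.8.12.224/28  0.0.0.0/0  tcp dpt:5432
22  ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:53
23  LOG  all  --  0.0.0.0/0  0.0.0.0/0  LOG flags 0 level 4
24  DROP  tcp  --  0.0.0.0/0  0.0.0.0/0
25  DROP  udp  --  0.0.0.0/0  0.0.0.0/0
"""

# Assumption for the example: only the web ports and DNS are meant to be public.
INTENDED_PUBLIC = {("tcp", 80), ("tcp", 443), ("udp", 53)}
# Intended sources per port, copied from the page's summary table (assumed authoritative).
INTENDED_SOURCES = {
    ("tcp", 8001): {"192.168.27.0/24"},
    ("tcp", 8444): {"192.168.27.0/24"},
    ("tcp", 5432): {"192.168.27.0/24", "10.8.12.224/28"},
}

RULE_RE = re.compile(r"^(?P<num>\d+)\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+"
                     r"(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$")
POLICY_RE = re.compile(r"^Chain \S+ \(policy (?P<policy>\S+)\)")


def normalise_cidr(addr):
    """iptables -n prints a /32 host as a bare address; restore the prefix."""
    return addr if "/" in addr else addr + "/32"


def parse_listing(text):
    """Return (chain policy, list of rule dicts) from `iptables -L -n --line-numbers` output."""
    policy, rules = None, []
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = m.group("policy")
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # column header or blank line
        dpt = re.search(r"dpt:(\d+)", m.group("extra"))
        rules.append({"num": int(m.group("num")), "target": m.group("target"),
                      "prot": m.group("prot"), "src": normalise_cidr(m.group("src")),
                      "dst": normalise_cidr(m.group("dst")),
                      "dport": int(dpt.group(1)) if dpt else None,
                      "extra": m.group("extra").strip()})
    return policy, rules


def world_open_ports(rules):
    """(proto, port) pairs accepted from any source address."""
    return sorted({(r["prot"], r["dport"]) for r in rules
                   if r["target"] == "ACCEPT" and r["src"] == "0.0.0.0/0" and r["dport"]})


def unexpected_public_ports(rules, intended=INTENDED_PUBLIC):
    """World-reachable ports that are not on the intended-public list."""
    return [p for p in world_open_ports(rules) if p not in intended]


def intent_mismatches(rules, intended=INTENDED_SOURCES):
    """Ports whose accepted sources differ from the documented intent: {port: (intended, actual)}."""
    actual = defaultdict(set)
    for r in rules:
        if r["target"] == "ACCEPT" and r["dport"]:
            actual[(r["prot"], r["dport"])].add(r["src"])
    return {p: (want, actual[p]) for p, want in intended.items() if actual[p] != want}


def unconditional_drops(rules):
    """Protocols caught by a catch-all DROP (any source, any destination, no extra match)."""
    return {r["prot"] for r in rules if r["target"] == "DROP"
            and r["src"] == "0.0.0.0/0" and r["dst"] == "0.0.0.0/0" and not r["extra"]}


def falls_through_to_policy(policy, rules):
    """True when protocols outside the catch-all DROPs (ICMP etc.) reach an ACCEPT policy."""
    return policy == "ACCEPT" and "all" not in unconditional_drops(rules)


if __name__ == "__main__":
    policy, rules = parse_listing(SAMPLE_LISTING)
    print("world-open:", world_open_ports(rules))
    print("unexpected public:", unexpected_public_ports(rules))
    for port, (want, got) in intent_mismatches(rules).items():
        print(f"mismatch {port}: table says {sorted(want)}, live rules say {sorted(got)}")
    print("catch-all DROP covers:", sorted(unconditional_drops(rules)))
    print("other protocols fall through to policy", policy, "->", falls_through_to_policy(policy, rules))
```

Run it against a live host by piping `iptables -L -n --line-numbers` into `parse_listing`; on the sample it reports 636, 8001 and 8444 as unintended public ports, flags 8001/8444 as disagreeing with the table, and confirms that only tcp and udp are dropped while the chain policy is still ACCEPT.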
Notes:

- 10.8.12.224/28: KYL Nutanix Range IP Address
- 10.66.76.0/22, 10.66.80.0/22: PSU VPN IP Address