
Firewall - iptables

Thu 03 Oct 2024  
🎉 Hi: ... 🎉

iptables rules

bash
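#!/usr/bin/env bash
# Host firewall: IPv4 INPUT chain for this Docker / monitoring host.
#
# Fixes relative to the earlier version of this page:
#   * the chain is flushed before it is rebuilt, so re-running the script no
#     longer appends a second copy of every rule;
#   * loopback is accepted explicitly. 127.0.0.1 is not in any allowed source
#     range, so local clients talking to 127.0.0.1:<port> were hitting the
#     trailing TCP DROP;
#   * the LOG rule is rate-limited so a port scan cannot fill the journal;
#   * the chain ends with an unconditional DROP. Previously only TCP and UDP
#     were dropped, and every other IP protocol fell through to the chain's
#     ACCEPT policy (visible as "policy ACCEPT" in the listing on this page).
#
# Caveats:
#   * iptables filters IPv4 only. If IPv6 is enabled on this host, load the
#     equivalent rules with ip6tables, otherwise every service is reachable
#     unfiltered over IPv6.
#   * Ports published by Docker (-p) are presumably handled in Docker's own
#     FORWARD/DOCKER chains rather than in INPUT — confirm with
#     `iptables -L FORWARD -n -v` before relying on this chain for them.
#   * Rules are not persistent across reboots; see the end of the script.
#
# Subnet helper: https://jodies.de/ipcalc?host=10.8.12.224&mask1=28&mask2=
set -euo pipefail

# Source networks (see the Notes at the end of the page).
readonly LAN='192.168.27.0/24'                 # local LAN
readonly VPN=('10.66.76.0/22' '10.66.80.0/22') # PSU VPN ranges
readonly KYL='10.8.12.224/28'                  # KYL Nutanix range
readonly MONITOR='10.8.12.230/32'              # Prometheus / Portainer host
readonly DOCKER_NET='10.0.88.0/24'             # Docker container network

#######################################
# Accept new TCP connections to one port from one or more source networks.
# Arguments: $1 - destination port; $2.. - source networks (CIDR)
#######################################
allow_tcp() {
  local port=$1
  shift
  local src
  for src in "$@"; do
    iptables -A INPUT -s "$src" -p tcp --dport "$port" -j ACCEPT
  done
}

# Rebuild INPUT from scratch so the script is idempotent. The chain policy is
# deliberately left at ACCEPT and the script ends with an explicit DROP
# instead: a failure half-way through (or a manual flush) then leaves the host
# reachable rather than locking the administrator out. The price is that the
# host is open between the flush and the final DROP, so keep this script short.
iptables -F INPUT

# Loopback: local services talk to each other over 127.0.0.1.
iptables -A INPUT -i lo -j ACCEPT

# Replies and related traffic for connections this host initiated
# (apt, the host's own DNS lookups, outbound HTTP, ...).
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot classify (bogus flag combinations, stray ACKs).
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Carried over from the live chain (rules 2-3 in the `iptables -L` listing on
# this page): drop packets addressed to the limited-broadcast address and to
# the 192.168.100.0/24 directed-broadcast address. Their purpose is not
# documented here — confirm before removing them.
iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -d 192.168.100.255 -j DROP

# SSH
allow_tcp 22 "$LAN" "${VPN[@]}" "$KYL"
# Webmin
allow_tcp 10000 "$LAN" "${VPN[@]}"

# Docker containers: every TCP port on the host, including 22 and 10000.
# This is deliberately broad, but it means a compromised container can reach
# any host service. Narrow it to the ports containers actually need if you can.
iptables -A INPUT -s "$DOCKER_NET" -p tcp -j ACCEPT

# Monitoring scrapes from the Prometheus / Portainer host.
allow_tcp 9080 "$MONITOR"   # portainer_agent
allow_tcp 9090 "$MONITOR"   # prometheus
allow_tcp 9100 "$MONITOR"   # node_exporter
allow_tcp 8080 "$MONITOR"   # cadvisor
allow_tcp 9113 "$MONITOR"   # nginx_exporter

# Application services, reachable from the KYL range only.
allow_tcp 8802 "$KYL"   # Green GDC frontend
allow_tcp 5002 "$KYL"   # Green GDC backend
allow_tcp 8810 "$KYL"   # authentik
allow_tcp 5006 "$KYL"   # websocket-backend
allow_tcp 8808 "$KYL"   # LibX frontend
allow_tcp 9000 "$KYL"   # LibX backend
allow_tcp 8800 "$KYL"   # OAuth
allow_tcp 5001 "$KYL"   # OAuth php-fpm
allow_tcp 8801 "$KYL"   # Apps clib frontend
allow_tcp 5005 "$KYL"   # Apps clib backend
allow_tcp 8881 "$KYL"   # Dev clib
allow_tcp 9089 "$KYL"   # Dev clib
allow_tcp 8803 "$KYL"   # tserve frontend
allow_tcp 5003 "$KYL"   # tserve backend
allow_tcp 5004 "$KYL"   # studyroom-api
allow_tcp 5007 "$KYL"   # vitepress
allow_tcp 3000 "$KYL"   # Hoppscotch frontend
allow_tcp 3100 "$KYL"   # Hoppscotch admin
allow_tcp 3170 "$KYL"   # Hoppscotch backend

# DNS (UDP/53) from anywhere. This is only needed if this host *serves* DNS:
# replies to the host's own lookups already match the RELATED,ESTABLISHED
# rule above. If it does serve DNS, restrict -s to the client networks above.
iptables -A INPUT -p udp --dport 53 -j ACCEPT

# ICMP echo requests (ping), rate-limited. ICMP errors that belong to existing
# connections (fragmentation-needed, port-unreachable) are already accepted by
# the RELATED rule. Add explicit rules here for any other IP protocol this
# host needs (GRE, ESP, ...) — everything else is dropped below.
iptables -A INPUT -p icmp --icmp-type echo-request \
  -m limit --limit 5/s --limit-burst 20 -j ACCEPT

# Log what is about to be dropped, rate-limited so a scan cannot flood the
# journal, then drop everything that did not match above — all protocols, not
# just TCP and UDP.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-prefix 'iptables INPUT drop: '
iptables -A INPUT -j DROP

# Not persistent across reboots. Save with, for example,
#   iptables-save > /etc/iptables/rules.v4      (netfilter-persistent)
# or the equivalent for this distribution, and do the same for ip6tables.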
| Service | Chain | Protocol | Source IP | Destination port | Rule |
|---|---|---|---|---|---|
| ssh | INPUT | tcp | 10.8.12.224/28, 192.168.27.0/24, 10.66.76.0/22, 10.66.80.0/22 | 22 | ACCEPT |
| Webmin | INPUT | tcp | 192.168.27.0/24, 10.66.76.0/22, 10.66.80.0/22 | 10000 | ACCEPT |
| Docker container | INPUT | tcp | 10.0.88.0/24 | All ports | ACCEPT |
| portainer_agent | INPUT | tcp | 10.8.12.230/32 | 9080 | ACCEPT |
| prometheus | INPUT | tcp | 10.8.12.230/32 | 9090 | ACCEPT |
| node_exporter | INPUT | tcp | 10.8.12.230/32 | 9100 | ACCEPT |
| cadvisor | INPUT | tcp | 10.8.12.230/32 | 8080 | ACCEPT |
| nginx_exporter | INPUT | tcp | 10.8.12.230/32 | 9113 | ACCEPT |
| Green GDC Frontend | INPUT | tcp | 10.8.12.224/28 | 8802 | ACCEPT |
| Green GDC Backend | INPUT | tcp | 10.8.12.224/28 | 5002 | ACCEPT |
| authentik | INPUT | tcp | 10.8.12.224/28 | 8810 | ACCEPT |
| websocket-backend | INPUT | tcp | 10.8.12.224/28 | 5006 | ACCEPT |
| LibX Frontend | INPUT | tcp | 10.8.12.224/28 | 8808 | ACCEPT |
| LibX Backend | INPUT | tcp | 10.8.12.224/28 | 9000 | ACCEPT |
| OAuth | INPUT | tcp | 10.8.12.224/28 | 8800 | ACCEPT |
| OAuth php-fpm | INPUT | tcp | 10.8.12.224/28 | 5001 | ACCEPT |
| Apps clib Frontend | INPUT | tcp | 10.8.12.224/28 | 8801 | ACCEPT |
| Apps clib Backend | INPUT | tcp | 10.8.12.224/28 | 5005 | ACCEPT |
| Dev clib | INPUT | tcp | 10.8.12.224/28 | 8881 | ACCEPT |
| Dev clib | INPUT | tcp | 10.8.12.224/28 | 9089 | ACCEPT |
| tserve Frontend | INPUT | tcp | 10.8.12.224/28 | 8803 | ACCEPT |
| tserve Backend | INPUT | tcp | 10.8.12.224/28 | 5003 | ACCEPT |
| studyroom-api | INPUT | tcp | 10.8.12.224/28 | 5004 | ACCEPT |
| vitepress | INPUT | tcp | 10.8.12.224/28 | 5007 | ACCEPT |
| Hoppscotch Frontend | INPUT | tcp | 10.8.12.224/28 | 3000 | ACCEPT |
| Hoppscotch Admin | INPUT | tcp | 10.8.12.224/28 | 3100 | ACCEPT |
| Hoppscotch Backend | INPUT | tcp | 10.8.12.224/28 | 3170 | ACCEPT |
| DNS | INPUT | udp | 0.0.0.0/0 (any) | 53 | ACCEPT |

Note that the DNS rule is the only one open to every source address; everything else is limited to the LAN, VPN, KYL, monitoring or Docker ranges.

iptables list

bash
# Dump every chain of the filter table with rule numbers; --numeric keeps
# addresses and ports as numbers instead of triggering reverse DNS lookups.
iptables --list --numeric --line-numbers

# Output captured from this host. Two things to notice:
#   * the chain policy is ACCEPT and rules 38-39 drop only tcp and udp, so any
#     other IP protocol (ICMP, GRE, ...) is accepted by the policy;
#   * rules 2-3 (DROP to the broadcast destinations) are present on the host
#     but are not created by the script above.
#
# Chain INPUT (policy ACCEPT)
# num  target     prot opt source               destination
# 1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
# 2    DROP       all  --  0.0.0.0/0            255.255.255.255
# 3    DROP       all  --  0.0.0.0/0            192.168.100.255
# 4    ACCEPT     tcp  --  192.168.27.0/24      0.0.0.0/0            tcp dpt:22
# 5    ACCEPT     tcp  --  10.66.76.0/22        0.0.0.0/0            tcp dpt:22
# 6    ACCEPT     tcp  --  10.66.80.0/22        0.0.0.0/0            tcp dpt:22
# 7    ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:22
# 8    ACCEPT     tcp  --  192.168.27.0/24      0.0.0.0/0            tcp dpt:10000
# 9    ACCEPT     tcp  --  10.66.76.0/22        0.0.0.0/0            tcp dpt:10000
# 10   ACCEPT     tcp  --  10.66.80.0/22        0.0.0.0/0            tcp dpt:10000
# 11   ACCEPT     tcp  --  10.0.88.0/24         0.0.0.0/0
# 12   ACCEPT     tcp  --  10.8.12.230          0.0.0.0/0            tcp dpt:9080
# 13   ACCEPT     tcp  --  10.8.12.230          0.0.0.0/0            tcp dpt:9090
# 14   ACCEPT     tcp  --  10.8.12.230          0.0.0.0/0            tcp dpt:9100
# 15   ACCEPT     tcp  --  10.8.12.230          0.0.0.0/0            tcp dpt:8080
# 16   ACCEPT     tcp  --  10.8.12.230          0.0.0.0/0            tcp dpt:9113
# 17   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:8802
# 18   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:5002
# 19   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:8810
# 20   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:5006
# 21   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:8808
# 22   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:9000
# 23   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:8800
# 24   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:5001
# 25   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:8801
# 26   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:5005
# 27   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:8881
# 28   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:9089
# 29   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:8803
# 30   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:5003
# 31   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:5004
# 32   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:5007
# 33   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:3000
# 34   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:3100
# 35   ACCEPT     tcp  --  10.8.12.224/28       0.0.0.0/0            tcp dpt:3170
# 36   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
# 37   LOG        all  --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
# 38   DROP       tcp  --  0.0.0.0/0            0.0.0.0/0
# 39   DROP       udp  --  0.0.0.0/0            0.0.0.0/0
#
# Add -v to also see per-rule packet/byte counters and the in/out interface
# (needed to tell an "-i lo" rule apart from an "all interfaces" one).
  • Notes:
    • 10.0.88.0/24 — Docker container network on this host
    • 10.8.12.224/28 — KYL Nutanix address range (10.8.12.230/32 within it is the Prometheus / Portainer host)
    • 10.66.76.0/22, 10.66.80.0/22 — PSU VPN address ranges
