
Firewall - iptables

Thu 03 Oct 2024  
🎉 Hi: ... 🎉

iptables rules

bash
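# https://jodies.de/ipcalc?host=10.8.12.224&mask1=28&mask2=
#
# Host firewall for the IPv4 INPUT chain. ip6tables is not touched here, so
# if IPv6 is enabled on this host the same services are reachable over IPv6
# unfiltered -- TODO confirm and mirror these rules with ip6tables.
#
# Rules are appended (-A): running this script twice duplicates every rule,
# so flush the chain first (iptables -F INPUT) or load the set through
# iptables-restore. Nothing here survives a reboot -- persist the result with
# iptables-save / the distribution's persistence package.
#
# Stop on the first rule that fails to load. Because the catch-all DROP is
# the last line, a failure leaves the host fail-open rather than locked out.
set -e

# Loopback: local services (exporters, a local resolver, docker) talk to
# 127.0.0.1; without this rule those connections reach the final DROP.
iptables -A INPUT -i lo -j ACCEPT
# Stateful accept: return traffic for connections the host opened itself
# (apt, outbound DNS lookups, ...) and follow-up packets of inbound
# connections already accepted by a rule below.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# SSH
iptables -A INPUT -s 192.168.27.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.66.76.0/22 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.66.80.0/22 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 22 -j ACCEPT
# Webmin
iptables -A INPUT -s 192.168.27.0/24 -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -s 10.66.76.0/22 -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -s 10.66.80.0/22 -p tcp --dport 10000 -j ACCEPT
# Docker container: every TCP port, matched on source address only. The rule
# is not bound to the container bridge, so a packet carrying a 10.0.88.x
# source that arrives on the LAN interface matches too; pin it with
# -i <docker bridge> (TODO confirm the bridge name on this host).
iptables -A INPUT -s 10.0.88.0/24 -p tcp -j ACCEPT
# portainer_agent
iptables -A INPUT -s 10.8.12.230/32 -p tcp --dport 9080 -j ACCEPT
# prometheus
iptables -A INPUT -s 10.8.12.230/32 -p tcp --dport 9090 -j ACCEPT
# node_exporter
iptables -A INPUT -s 10.8.12.230/32 -p tcp --dport 9100 -j ACCEPT
# cadvisor
iptables -A INPUT -s 10.8.12.230/32 -p tcp --dport 8080 -j ACCEPT
# apache_exporter
iptables -A INPUT -s 10.8.12.230/32 -p tcp --dport 9117 -j ACCEPT
###
# Web server: web.kyl.psu.ac.th
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 8809 -j ACCEPT
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 9001 -j ACCEPT
# Web server: clib.psu.ac.th
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 8804 -j ACCEPT
# Web server: archive.clib.psu.ac.th
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 8806 -j ACCEPT
# Web server: clibin.psu.ac.th
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 8805 -j ACCEPT
# Web server: download.clib.psu.ac.th
iptables -A INPUT -s 10.8.12.224/28 -p tcp --dport 8807 -j ACCEPT
# DNS: accepts queries from any source. Only needed if this host serves DNS
# to other machines -- replies to its own lookups are already covered by the
# RELATED,ESTABLISHED rule. If the clients are just containers / the LAN,
# restrict -s to those ranges (TODO confirm who queries this host).
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# ICMP: keep ping and PMTU discovery (fragmentation-needed) working now that
# the final rule drops every protocol, not only TCP/UDP.
iptables -A INPUT -p icmp -j ACCEPT
# Log what is about to be dropped, rate-limited so a scan or flood cannot
# fill the kernel log; the prefix makes the entries easy to grep.
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-INPUT-drop: "
# Drop All: protocol-agnostic, so traffic that is neither TCP nor UDP does not
# fall through to the chain policy (ACCEPT). Any other protocol the host
# needs (e.g. VRRP, IPsec) must get an explicit ACCEPT above this line.
# Equivalent alternative: iptables -P INPUT DROP.
iptables -A INPUT -j DROP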
| Service | Chain | Protocol | Source ip | Destination port | Rule |
|---|---|---|---|---|---|
| ssh | INPUT | tcp | 10.8.12.224/28 192.168.27.0/24 10.66.76.0/22 10.66.80.0/22 | 22 | ACCEPT |
| Webmin | INPUT | tcp | 192.168.27.0/24 10.66.76.0/22 10.66.80.0/22 | 10000 | ACCEPT |
| Docker container | INPUT | tcp | 10.0.88.0/24 | All ports | ACCEPT |
| portainer_agent | INPUT | tcp | 10.8.12.230/32 | 9080 | ACCEPT |
| prometheus | INPUT | tcp | 10.8.12.230/32 | 9090 | ACCEPT |
| node_exporter | INPUT | tcp | 10.8.12.230/32 | 9100 | ACCEPT |
| cadvisor | INPUT | tcp | 10.8.12.230/32 | 8080 | ACCEPT |
| apache_exporter | INPUT | tcp | 10.8.12.230/32 | 9117 | ACCEPT |
| web.kyl.psu.ac.th | INPUT | tcp | 10.8.12.224/28 | 8809 | ACCEPT |
| web.kyl.psu.ac.th (php-fpm) | INPUT | tcp | 10.8.12.224/28 | 9001 | ACCEPT |
| clib.psu.ac.th | INPUT | tcp | 10.8.12.224/28 | 8804 | ACCEPT |
| archive.clib.psu.ac.th | INPUT | tcp | 10.8.12.224/28 | 8806 | ACCEPT |
| clibin.psu.ac.th | INPUT | tcp | 10.8.12.224/28 | 8805 | ACCEPT |
| download.clib.psu.ac.th | INPUT | tcp | 10.8.12.224/28 | 8807 | ACCEPT |

iptables list

bash
# List the filter-table rules with numeric addresses/ports and rule positions
# (long-option spelling of `iptables -L -n --line-numbers`).
# Columns: num = rule position (usable with -D / -I), target = verdict,
# prot = protocol number (0 = any, 6 = tcp, 17 = udp), opt = rule options,
# source / destination = CIDR match, then the match-extension details.
iptables --list --numeric --line-numbers

# Chain INPUT (policy ACCEPT)
# num  target     prot opt source               destination
# 1    ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
# 2    ACCEPT     6    --  192.168.27.0/24      0.0.0.0/0            tcp dpt:22
# 3    ACCEPT     6    --  10.66.76.0/22        0.0.0.0/0            tcp dpt:22
# 4    ACCEPT     6    --  10.66.80.0/22        0.0.0.0/0            tcp dpt:22
# 5    ACCEPT     6    --  10.8.12.224/28       0.0.0.0/0            tcp dpt:22
# 6    ACCEPT     6    --  192.168.27.0/24      0.0.0.0/0            tcp dpt:10000
# 7    ACCEPT     6    --  10.66.76.0/22        0.0.0.0/0            tcp dpt:10000
# 8    ACCEPT     6    --  10.66.80.0/22        0.0.0.0/0            tcp dpt:10000
# 9    ACCEPT     6    --  10.0.88.0/24         0.0.0.0/0
# 10   ACCEPT     6    --  10.8.12.230          0.0.0.0/0            tcp dpt:9080
# 11   ACCEPT     6    --  10.8.12.230          0.0.0.0/0            tcp dpt:9090
# 12   ACCEPT     6    --  10.8.12.230          0.0.0.0/0            tcp dpt:9100
# 13   ACCEPT     6    --  10.8.12.230          0.0.0.0/0            tcp dpt:8080
# 14   ACCEPT     6    --  10.8.12.230          0.0.0.0/0            tcp dpt:9117
# 15   ACCEPT     6    --  10.8.12.224/28       0.0.0.0/0            tcp dpt:8809
# 16   ACCEPT     6    --  10.8.12.224/28       0.0.0.0/0            tcp dpt:9001
# 17   ACCEPT     6    --  10.8.12.224/28       0.0.0.0/0            tcp dpt:8804
# 18   ACCEPT     6    --  10.8.12.224/28       0.0.0.0/0            tcp dpt:8806
# 19   ACCEPT     6    --  10.8.12.224/28       0.0.0.0/0            tcp dpt:8805
# 20   ACCEPT     6    --  10.8.12.224/28       0.0.0.0/0            tcp dpt:8807
# 21   ACCEPT     17   --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
# 22   LOG        0    --  0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
# 23   DROP       6    --  0.0.0.0/0            0.0.0.0/0
# 24   DROP       17   --  0.0.0.0/0            0.0.0.0/0
#
# Reading the listing: the chain policy is ACCEPT and rules 23-24 match only
# tcp (6) and udp (17), so any other protocol that reaches the end of the
# chain (ICMP, for example) is accepted. Rule 22 has no rate limit, so every
# unmatched packet produces a log line.
  • Notes:
    • 10.0.88.0/24: IP range used inside the Docker containers
    • 10.8.12.224/28: KYL Nutanix IP address range
    • 10.66.76.0/22, 10.66.80.0/22: PSU VPN IP address ranges
