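=========================================================================
install iptables
-------------------------------------------------------------------------
apt install iptables iptables-persistent

=========================================================================
create /usr/local/bin/iptables and run after updating service changes
-------------------------------------------------------------------------
#!/bin/sh
# Rebuild the IPv4 netfilter ruleset from scratch and persist it with
# netfilter-persistent.
#
# Policy: INPUT and FORWARD default DROP, OUTPUT default ACCEPT. Inbound
# services are opened explicitly below. Only iptables (IPv4) is configured;
# ip6tables is not touched, so on an IPv6-enabled host the ip6tables policy
# (ACCEPT unless set elsewhere) still applies to IPv6 traffic.
#
# NOTE(review): installing this file as /usr/local/bin/iptables shadows the
# real iptables binary for any PATH that lists /usr/local/bin before
# /usr/sbin (root's default does), and the `iptables` calls below would then
# re-invoke this script. Prefer a non-colliding file name, or call the
# binary by its absolute path.
set -eu

private="enp0s3"   # trusted (LAN-facing) interface
public="enp0s8"    # internet-facing interface

# Snapshot the live ruleset and restore it if anything below fails, so a
# half-built ruleset (policy DROP with no ACCEPT rules, or a flushed
# ACCEPT-all ruleset) is never left in place.
backup=$(mktemp) || exit 1
iptables-save > "$backup"
restore_on_error() {
  status=$?
  if [ "$status" -ne 0 ]; then
    printf 'firewall script failed (exit %s); restoring previous rules\n' "$status" >&2
    iptables-restore < "$backup"
  fi
  rm -f -- "$backup"
}
trap restore_on_error EXIT

# list all rules before touching anything
iptables -L -n -v
iptables -S

# flush everything (policies back to ACCEPT so -F/-X cannot strand the session)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

# The ruleset is deliberately NOT saved/reloaded here: persisting the flushed
# ACCEPT-all state would leave the host booting without a firewall if this
# script died before the final save below. One save at the end is enough.

# base policy: fail closed for inbound and forwarded traffic
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# established/related connections first, so the session running this script
# keeps working while the remaining rules are added
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# log and drop chain; the LOG rule is rate-limited so a flood of unwanted
# packets cannot overwhelm syslog (the DROP itself is unlimited)
iptables -N log-drop
iptables -A log-drop -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix 'iptables-log-drop: ' --log-level 4
iptables -A log-drop -j DROP

# log and drop unwanted addresses (-I inserts ahead of every ACCEPT rule)
#iptables -I INPUT -s 12.34.56.78 -j log-drop
#iptables -I INPUT -s 12.34.56.0/24 -j log-drop
#iptables -I INPUT -s 12.34.0.0/16 -j log-drop
#iptables -I INPUT -s 12.0.0.0/8 -j log-drop

# OUTBOUND
# NB: the OUTPUT policy above is ACCEPT, so these rules do not restrict
# anything; every outbound connection is already allowed. They only become
# a real allow-list if the OUTPUT policy is changed to DROP (which would
# also block anything not listed here, e.g. outgoing ICMP or DHCP).
# ssh client
iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# ntp client
iptables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
# dns client
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# http client
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# https client
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# smtp client
iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

# INBOUND
# ssh server: unrestricted on the private interface only
#iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i "$private" -p tcp --dport 22 -m state --state NEW -j ACCEPT
#iptables -A INPUT -i "$public" -p tcp --dport 22 -m state --state NEW -j ACCEPT
# allow ssh from here
iptables -A INPUT -i "$public" -p tcp --dport 22 -s 99.222.111.48 -m state --state NEW -j ACCEPT
# allow ssh from here
iptables -A INPUT -i "$public" -p tcp --dport 22 -s 111.222.123.234/29 -m state --state NEW -j ACCEPT
# allow ssh from here
# NB: these are whole /8 blocks, i.e. SSH is reachable from a large part of
# the internet via the public interface; narrow them when the admin source
# ranges are known.
iptables -A INPUT -i "$public" -p tcp --dport 22 -s 70.0.0.0/8,208.0.0.0/8,184.0.0.0/8,67.0.0.0/8,216.0.0.0/8 -m state --state NEW -j ACCEPT
# dns server master
#iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
# dns server slave
#iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
# http server
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# https server
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# smtp server
#iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
# smtps server
#iptables -A INPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT
# esmtps server
#iptables -A INPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT
# pop3 server
#iptables -A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
# pop3s server
#iptables -A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT
# imap server
#iptables -A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
# imaps server
#iptables -A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT
# vnc
#iptables -A INPUT -p tcp --dport 5900 -m state --state NEW -j ACCEPT
#iptables -A OUTPUT -p tcp --dport 5900 -m state --state NEW -j ACCEPT
# icmp for ping and traceroute etc
#iptables -A INPUT -i "$private" -p icmp -j ACCEPT

# save the complete ruleset so netfilter-persistent restores it at boot
netfilter-persistent save

# list all rules
iptables -L -n -v
iptables -S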