-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathiptables.conf
151 lines (117 loc) · 4.18 KB
/
iptables.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
*filter
# Default is to DROP, we explicitly allow exceptions to this.
:INPUT DROP
:FORWARD DROP
:OUTPUT DROP
:DOCKER -
:DOCKER-ISOLATION-STAGE-1 -
:DOCKER-ISOLATION-STAGE-2 -
:DOCKER-USER -
:inputdrop -
:forwarddrop -
:outputdrop -
#
# INPUT chain.
#
# Allow packets on loopback device.
-A INPUT -i lo -j ACCEPT
# Accept SSH connections.
-A INPUT -p tcp -m tcp --dport 2285 -j ACCEPT
# Accept VNC connections.
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
# Accept HTTP and HTTPS requests.
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Allow DHCP discovery.
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
# Accept docker0 container traffic, going to shared bridge.
-A INPUT -m addrtype -p tcp -i docker0 --dst-type LOCAL -j ACCEPT
# Allow ICMP of type "Echo Reply", "Destination Unreachable", and "Echo", aka "ping".
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allow established and related connections to persist. Useful to not lock ourselves out
# by accident!
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Anything else is dropped.
-A INPUT -j inputdrop
#
# FORWARD chain.
#
# Allow DNS query results to reach docker containers.
-A FORWARD -m udp -p udp -i docker0 --dport 53 -j ACCEPT
# Allow other docker rules which it put in here to stay.
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# Allow established and related connections to persist. Useful to not lock ourselves out
# by accident!
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Anything else is dropped.
-A FORWARD -j forwarddrop
#
# DOCKER-ISOLATION-STAGE-1, DOCKER-ISOLATION-STAGE-2, DOCKER-USER chains.
#
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
#
# OUTPUT chain.
#
# Allow packets on loopback device.
-A OUTPUT -m tcp -p tcp -o lo -j ACCEPT
-A OUTPUT -m udp -p udp -o lo -j ACCEPT
# Allow docker0 traffic.
-A OUTPUT -o docker0 -j ACCEPT
# Allow SSH requests.
-A OUTPUT -p tcp -m tcp --sport 2285 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2285 -j ACCEPT
# Allow HTTP / HTTPS requests.
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Accept VNC connections.
-A OUTPUT -p tcp -m tcp --dport 5900 -j ACCEPT
# Allow DHCP lookup requests.
-A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
# Allow DNS lookups.
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# Allow NTP lookups.
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
# Allow ICMP requests of type "Echo Reply" and "Echo", aka "ping".
-A OUTPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allow SSH requests.
-A OUTPUT -p tcp --dport 22 -j ACCEPT
# Allow HKP / GPG key requests.
-A OUTPUT -p tcp --dport 11371 -j ACCEPT
# Allow established and related connections to persist. Useful to not lock ourselves out
# by accident!
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Anything else is dropped.
-A OUTPUT -j outputdrop
# Create inputdrop, forwarddrop, outputdrop chains, which LOG and then DROP.
-A inputdrop -m limit --limit 2/min -j LOG --log-prefix "[INPUT] iptables-dropped: "
-A inputdrop -j DROP
-A forwarddrop -m limit --limit 2/min -j LOG --log-prefix "[FORWARD] iptables-dropped: "
-A forwarddrop -j DROP
-A outputdrop -m limit --limit 2/min -j LOG --log-prefix "[OUTPUT] iptables-dropped: "
-A outputdrop -j DROP
COMMIT
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
:DOCKER -
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT