Use the following command to load a file containing the iptables rules:
iptables-restore < iptables_file.txt
Random Commands
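# Required. Table header and default chain policies. iptables-restore expects
# every table to begin with "*<name>" and to end with a COMMIT line.
*filter
# NOTE(review): the INPUT policy is ACCEPT and the only catch-all at the end of
# this file ("-A INPUT -i eth0 -j REJECT") is limited to eth0, so traffic that
# arrives on eth1 (private network) and matches no rule is still accepted by
# the chain policy. The eth1-specific ACCEPT rules below therefore do not
# restrict anything on their own; confirm whether the private network is
# meant to be fully open.
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Required. Allow all loopback traffic
-A INPUT -i lo -j ACCEPT
# Required. Ensure any connections already made are accepted.
# This one rule already covers the return half of every outbound connection,
# so the "--sport ... --ctstate ESTABLISHED" INPUT rules further down are
# redundant (harmless; kept so each service stays documented in one place).
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Required. Drop any invalid traffic.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Required. Allow outgoing HTTP, HTTPS and SMTP connections (apt-get, curl, wget, etc.)
-A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 443 -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 25 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow MySQL traffic on the private network (eth1).
# NOTE(review): as written this accepts *incoming* connections to local port
# 3306, i.e. it makes this host the MySQL server. If the droplet is meant to be
# the client, the outbound rule needs "--dport 3306" with NEW,ESTABLISHED
# instead of "--sport 3306" — confirm which side this host is.
-A INPUT -i eth1 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow world access to HTTP and HTTPS
-A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow outside world ssh into droplet
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Allow SSH from inside droplet to outside world.
# The inbound half is only the return path, so it matches ESTABLISHED alone.
# The previous NEW,ESTABLISHED here let any remote host open a fresh
# connection to any local TCP port simply by sending from source port 22,
# which slipped past the final eth0 REJECT below.
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Allow one specific external IP address ssh access into droplet.
# NOTE(review): iptables evaluates first match, and the "outside world ssh"
# rule above already accepts port 22 from any source, so these two rules
# neither add nor remove access. To actually restrict SSH to this address,
# delete the world-wide port 22 rules above.
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -s 217.25.35.62 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 22 -d 217.25.35.62 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Allow range of ports on private network only.
# NOTE(review): this matches on the *source* port, with no state match and no
# destination port, so anything sent from ports 9200-9400 on eth1 reaches every
# local port. If the intent is to expose services listening on 9200-9400,
# use "--dport 9200:9400 -m conntrack --ctstate NEW,ESTABLISHED" — confirm.
-A INPUT -i eth1 -p tcp -m tcp --sport 9200:9400 -j ACCEPT
# Allow internal connection to amazon s3 service for backups (HTTPS out)
-A INPUT -i eth0 -p tcp -m tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Allow git (git:// protocol, port 9418) outbound
-A INPUT -i eth0 -p tcp --sport 9418 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 9418 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Allow an arbitrary service port, 62349, inbound on the public interface
-A INPUT -i eth0 -p tcp --dport 62349 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 62349 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow DNS lookups (UDP and TCP; TCP is used for large responses and zone data)
-A INPUT -i eth0 -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# Allow outgoing mail ports (POP3, IMAP, SMTPS, submission, POP3S) on any interface
-A OUTPUT -p tcp -m multiport --dports 110,143,465,587,995 -j ACCEPT
# Allow forwarding data from internal to external.
# NOTE(review): the FORWARD policy is ACCEPT and nothing else touches that
# chain, so this rule currently changes nothing; it only takes effect once
# the FORWARD policy is set to DROP.
-A FORWARD -i eth1 -o eth0 -j ACCEPT
# Allow outgoing pings
-A OUTPUT -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
# Block all other traffic on eth0 (public network). Inbound is REJECTed so the
# peer gets an immediate error; outbound is silently DROPped.
-A INPUT -i eth0 -j REJECT
-A OUTPUT -o eth0 -j DROP
# Required. Commit the table. iptables-restore does not apply a table that
# is not closed with COMMIT.
COMMIT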