Skip to content

Instantly share code, notes, and snippets.

@javierwilson

javierwilson/iptables

Created April 22, 2016 17:59
Show Gist options
  • Save javierwilson/4d4bc320ba7b0fdf2ed423cd0465dea3 to your computer and use it in GitHub Desktop.
Save javierwilson/4d4bc320ba7b0fdf2ed423cd0465dea3 to your computer and use it in GitHub Desktop.
Download ZIP
iptables - router
Raw
iptables
#
# /etc/sysconfig/iptables
#
# em1 - public IP connected to the Internet
# em2 - private IP, local area network (LAN)
#
# Allow NAT, MASQUERADEing...
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o em1 -j MASQUERADE
COMMIT
# Input filters and forwarding...
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# ACCEPT only ssh and http from WAN
-A INPUT -i em1 -m conntrack --ctstate NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -i em1 -m conntrack --ctstate NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -i em1 -j REJECT
# ACCEPT any INPUT from LAN
-A INPUT -i em2 -j ACCEPT
# FORWARD all traffic from LAN
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i em2 -j ACCEPT
# REJECT the rest...
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment