iptables_reset.sh - whitelist must-haves, block everything else 🥳

iptables_reset.sh

#!/usr/bin/env sh
# iptables_reset.sh

# get via e.g. curl ifconfig.me
MY_LOCAL_IP=""

[ -z "$MY_LOCAL_IP" ] && {
	printf "
usage:
add your local ip inside to the script, then

sudo ./iptables_reset.sh

"
}

sleep 1

iptables -F
iptables -X
#iptables -t nat -F
#iptables -t nat -X
#iptables -t mangle -F
#iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# local network (localhost / loopback)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# nginx (& everything else inside it)
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# ssh
# iptables -A INPUT -s $MY_LOCAL_IP/24 -p tcp -m conntrack --dport 22 --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s $MY_LOCAL_IP/32 -p tcp -m conntrack --dport 22 --ctstate NEW,ESTABLISHED -j ACCEPT
# ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# umami postgres db
iptables -A INPUT -s $MY_LOCAL_IP/32 -p tcp -m tcp --dport 5555 -j ACCEPT

# misc
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED         -j ACCEPT
iptables -A INPUT  -m conntrack --ctstate INVALID             -j DROP

# everything else (INPUT-wise)
iptables -A INPUT -j REJECT