@palawer
Created August 26, 2022 15:05
#
# iptables-restore -n /etc/iptables.conf
# https://unrouted.io/2017/08/15/docker-firewall/
#
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]
-F INPUT
-F DOCKER-USER
-F FILTERS
-A INPUT -i lo -j ACCEPT
# Accept inbound ICMP messages
-A INPUT -p icmp --icmp-type any -j ACCEPT
# Send both INPUT and DOCKER-USER traffic through the shared FILTERS chain
# (Docker-published ports are evaluated in FORWARD/DOCKER-USER, never in INPUT)
-A INPUT -j FILTERS
# WARNING: set this to the host's real external network interface
-A DOCKER-USER -i eth0 -j FILTERS
# Accept packets belonging to established or related connections (any protocol)
-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
# =========================================================
# CUSTOM rules
# Frontend public ports
#-A FILTERS -p tcp -m tcp -s 0.0.0.0/0 --dport http -j ACCEPT
#-A FILTERS -p tcp -m tcp -s 0.0.0.0/0 --dport https -j ACCEPT
# Developer public ports
#-A FILTERS -p tcp -m tcp -s 0.0.0.0/0 --dport 8080:8100 -j ACCEPT
# Allow ssh from outside (2022)
#-A FILTERS -p tcp -m tcp -s 0.0.0.0/0 --dport 2022 -j ACCEPT
# Nagios (5666) from Caronte (37.59.53.77)
#-A FILTERS -p tcp -m tcp -s 37.59.53.77 --dport 5666 -j ACCEPT
# tortuga
-A FILTERS -p tcp -m tcp -s 148.251.193.24 -j ACCEPT
# pelican
-A FILTERS -p tcp -m tcp -s 135.181.131.247 -j ACCEPT
# CUSTOM rules
# =========================================================
-A FILTERS -j REJECT --reject-with icmp-host-prohibited
COMMIT
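The ruleset above depends on three structural properties: the FORWARD policy is DROP, both INPUT and DOCKER-USER (where Docker-published ports are evaluated, bypassing INPUT) jump into the same FILTERS chain, and FILTERS ends in a REJECT. The following is an added example, not part of the gist or of the linked article: it parses the iptables-restore format and checks those properties statically on a constructed, abbreviated copy of the ruleset before it is loaded with `iptables-restore -n`.

```python
# Constructed, abbreviated copy of the gist's ruleset (comments dropped, one allow-listed host kept).
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -j FILTERS
-A DOCKER-USER -i eth0 -j FILTERS
-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FILTERS -p tcp -m tcp -s 148.251.193.24 -j ACCEPT
-A FILTERS -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def parse_filter_table(text):
    # Returns (policies, chains): builtin-chain policies and per-chain lists of -A rule tokens.
    policies, chains = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(":"):                     # chain declaration, e.g. ":FORWARD DROP [0:0]"
            name, policy, _ = line.split()
            chains.setdefault(name[1:], [])
            if policy != "-":
                policies[name[1:]] = policy
        elif line.startswith("-A "):                 # appended rule
            toks = line.split()
            chains.setdefault(toks[1], []).append(toks[2:])
        # "*filter", "-F ...", "COMMIT", comments and blanks carry no structure we check
    return policies, chains

def opt(toks, flag):
    # Value following an option flag in a rule, or None if the flag is absent.
    return toks[toks.index(flag) + 1] if flag in toks else None

def check_docker_firewall(text):
    # Returns a list of problems; an empty list means the ruleset has the intended shape.
    policies, chains = parse_filter_table(text)
    problems = []
    if policies.get("FORWARD") != "DROP":
        problems.append("FORWARD policy is not DROP")
    # Docker-published ports traverse FORWARD -> DOCKER-USER and never hit INPUT,
    # so both entry chains must route into the same FILTERS chain.
    for entry in ("INPUT", "DOCKER-USER"):
        if not any(opt(r, "-j") == "FILTERS" for r in chains.get(entry, [])):
            problems.append(f"{entry} does not jump to FILTERS")
    filters = chains.get("FILTERS", [])
    if not filters or opt(filters[-1], "-j") != "REJECT":
        problems.append("FILTERS does not end with a REJECT rule")
    # Flag any stateless ACCEPT in FILTERS that is not restricted to a source address.
    for r in filters:
        if opt(r, "-j") == "ACCEPT" and "--state" not in r and opt(r, "-s") in (None, "0.0.0.0/0"):
            problems.append("world-reachable ACCEPT: " + " ".join(r))
    return problems
```

Run the check against the real file (for example `check_docker_firewall(open("/etc/iptables.conf").read())`) before reloading; uncommenting one of the `-s 0.0.0.0/0` rules in the gist is reported as a world-reachable ACCEPT so the exposure is a deliberate choice.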