Setup Iptables for RPKI with prerouting. - RIPE-NCC/rpki-validator-3 GitHub Wiki
This example assumes you are binding the RPKI validator to localhost only and running an Apache or Nginx reverse proxy in front of it, rather than listening on all IP addresses. You can change this by editing the "server.address" setting in the "application.properties" file.
## IPv4 iptables

Before running the iptables rules, make sure you don't lock yourself out of the server. You can add a whitelisted IP range (an example range is shown here) by doing:

```sh
sudo iptables -A INPUT -s 192.168.3.0/24 -j ACCEPT
```

Rules to accept only the proxy's HTTP/HTTPS ports (80 and 443) and port 323 for the RTR protocol, which PREROUTING redirects to the validator's RTR port 8323. Note that REDIRECT delivers the packet to the primary address of the incoming interface, so the RTR listener on 8323 must be bound to that address (or to all addresses), not to 127.0.0.1 only.
```sh
# Allow replies to connections this host initiated, and ICMP.
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p icmp -j ACCEPT
# Proxy ports (inserted at the top of INPUT).
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# RTR: PREROUTING rewrites port 323 to 8323 before INPUT is evaluated, so INPUT
# must accept 8323 as well. Replace eth0 with your public interface.
sudo iptables -I INPUT -p tcp -m tcp --dport 323 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 8323 -j ACCEPT
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 323 -j REDIRECT --to-port 8323
# Loopback, then reject everything else.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -j REJECT
# The shell redirection must run as root too, not only iptables-save.
sudo sh -c 'iptables-save > /etc/sysconfig/iptables'
```
To make the rules persistent across reboots, restore them from rc.local at start-up. On CentOS 7, rc.local must be executable and the rc-local service enabled first:

```sh
chmod +x /etc/rc.local
systemctl enable rc-local
systemctl start rc-local
systemctl status rc-local
```

Add at the end of /etc/rc.local:

```sh
iptables-restore < /etc/sysconfig/iptables
```
## IPv6 ip6tables

Before running the ip6tables rules, make sure you don't lock yourself out of the server. You can add a whitelisted IP range (an example range is shown here) by doing:

```sh
sudo ip6tables -A INPUT -s 2001:d00::/24 -j ACCEPT
```

Rules to accept only the proxy's HTTP/HTTPS ports (80 and 443) and port 323 for the RTR protocol, which PREROUTING redirects to the validator's RTR port 8323. The same REDIRECT caveat applies: the RTR listener must be reachable on the primary address of the incoming interface, not on ::1 only.
```sh
# Allow replies to connections this host initiated, and ICMPv6 (ip6tables needs
# -p ipv6-icmp, not -p icmp; blocking ICMPv6 breaks Neighbor Discovery).
sudo ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
# Proxy ports (inserted at the top of INPUT).
sudo ip6tables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo ip6tables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# RTR: PREROUTING rewrites port 323 to 8323 before INPUT is evaluated, so INPUT
# must accept 8323 as well. Replace eth0 with your public interface.
sudo ip6tables -I INPUT -p tcp -m tcp --dport 323 -j ACCEPT
sudo ip6tables -I INPUT -p tcp -m tcp --dport 8323 -j ACCEPT
sudo ip6tables -t nat -A PREROUTING -i eth0 -p tcp --dport 323 -j REDIRECT --to-port 8323
# Loopback, then reject everything else.
sudo ip6tables -A INPUT -i lo -j ACCEPT
sudo ip6tables -A INPUT -j REJECT
# The shell redirection must run as root too.
sudo sh -c 'ip6tables-save > /etc/sysconfig/ip6tables'
```
Add at the end of /etc/rc.local:

```sh
ip6tables-restore < /etc/sysconfig/ip6tables
```
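As an added example (not part of this wiki page or of the validator project), the following POSIX shell script generates the same policy for either address family in iptables-restore format, so the points that are easy to get wrong when typing the rules by hand are encoded once: ICMPv6 must be accepted as `ipv6-icmp`, and INPUT must accept the post-REDIRECT port 8323, not only 323. The interface name eth0 and the RTR ports 323/8323 are taken from this page; the allow-listed CIDR is an argument, and the `check_rules` dry run needs root and a host with iptables installed.

```shell
#!/bin/sh
# Emit a complete iptables-restore / ip6tables-restore ruleset for the validator host.
#   gen_rules <4|6> <public interface> <allow-listed CIDR>
# Public RTR port 323 is redirected to the validator's RTR port 8323 (as on this page).
# The interface name and allow-listed range are placeholders the caller supplies.
gen_rules() {
    family=$1; iface=$2; allow=$3
    pub_port=323; rtr_port=8323
    # ICMPv6 carries Neighbor Discovery; blocking it breaks IPv6 entirely.
    if [ "$family" = 6 ]; then icmp=ipv6-icmp; else icmp=icmp; fi
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        "-A PREROUTING -i $iface -p tcp --dport $pub_port -j REDIRECT --to-ports $rtr_port" \
        'COMMIT' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        "-A INPUT -s $allow -j ACCEPT" \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        "-A INPUT -p $icmp -j ACCEPT" \
        '-A INPUT -p tcp --dport 80 -j ACCEPT' \
        '-A INPUT -p tcp --dport 443 -j ACCEPT' \
        "-A INPUT -i $iface -p tcp --dport $rtr_port -j ACCEPT" \
        '-A INPUT -j REJECT' \
        'COMMIT'
}

# Parse-only dry run against the real restore binary (needs root); the live
# ruleset is not touched. Exit status is that of iptables-restore --test.
check_rules() {
    if [ "$1" = 6 ]; then tool=ip6tables-restore; else tool=iptables-restore; fi
    gen_rules "$@" | "$tool" --test
}

# Number of INPUT rules accepting the post-NAT RTR port; must be at least 1,
# otherwise redirected RTR connections hit the final REJECT.
rtr_accept_count() {
    gen_rules "$@" | grep -c -- "-A INPUT .*--dport 8323 -j ACCEPT"
}
```

Write the output to /etc/sysconfig/iptables (or ip6tables) and restore it from rc.local as above, running it through `check_rules` first to catch syntax errors before the rules go live.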