Iptables - slopjong/w GitHub Wiki
- Iptables Basic Guide
- Netfilter packet flow, hook/table ordering
- Netfilter in OpenWrt
- Linux Iptables: How to specify a range of IP addresses or ports
- Linux: Iptables Forward Multiple Ports
```sh
#!/bin/sh
# http://www.howtoforge.com/blocking-ip-addresses-of-any-country-with-iptables
# http://forum.spamcop.net/forums/index.php?showtopic=9285
# http://www.countryipblocks.net/country-blocks/select-formats/
iptables -F
iptables -X
##########################################
# DEFAULT POLICY: DROP
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# define a new user-defined chain (a chain, not a filter): traffic from the
# allowed sources is sent here and then matched against the port rules below
iptables -N ALLOWED_COUNTRIES
###########################################
# ALLOW GERMANY
#
# de.txt holds one network per line; comment lines and blank lines are skipped
if [ -f de.txt ]; then
    IPS=$(grep -Ev "^#" de.txt | grep -v '^[[:space:]]*$')
    for i in $IPS
    do
        iptables -A INPUT -s "$i" -j ALLOWED_COUNTRIES
    done
fi
###########################################
# ALLOW LUXEMBOURG
#
if [ -f lu.txt ]; then
    IPS=$(grep -Ev "^#" lu.txt | grep -v '^[[:space:]]*$')
    for i in $IPS
    do
        iptables -A INPUT -s "$i" -j ALLOWED_COUNTRIES
    done
fi
###########################################
# ALLOW LAN (the three RFC 1918 private ranges)
#
iptables -A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j ALLOWED_COUNTRIES
iptables -A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j ALLOWED_COUNTRIES
iptables -A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j ALLOWED_COUNTRIES
###########################################
# INPUT
#
# anything that reaches ALLOWED_COUNTRIES but matches none of these rules
# returns to INPUT and hits the DROP policy
# SSH
iptables -A ALLOWED_COUNTRIES -p tcp --dport 16789 -j ACCEPT
# WEB SERVERS
iptables -A ALLOWED_COUNTRIES -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A ALLOWED_COUNTRIES -p tcp --dport 3000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -p tcp --match multiport --dport 80,3000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -s 192.168.1.227
#iptables -A INPUT -p udp --match multiport --dport 80,3000 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
###########################################
# OUTPUT
#
# only replies to existing connections may leave; the host cannot open new
# outbound connections (DNS, package updates) with this policy
iptables -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
```
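The script above loads de.txt and lu.txt straight into `iptables -A` after the DROP policies are already set, so a single malformed line in a downloaded list aborts the run half-way and leaves the host with a DROP policy and no accept rules. The following is an added example (not part of the wiki page) that validates a list and emits the rules as a dry run first; the function names, the sample list and the `ALLOWED_COUNTRIES` default are assumptions of this example.

```sh
#!/bin/sh
# Added example: validate a country block list before it reaches iptables.
# Every entry must be an IPv4 address or IPv4/prefix; the rules are only
# printed here, so the checked output can be reviewed and then applied.
# Return 0 if $1 is an IPv4 address or IPv4/prefix, 1 otherwise.
valid_cidr() {
    case "$1" in
        */*) ip=${1%/*}; prefix=${1#*/} ;;
        *)   ip=$1;      prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -f; set -- $ip; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}
# Print one "iptables -A INPUT -s <net> -j <chain>" line per valid entry in
# file $1 (comments and blank lines skipped). Malformed entries are reported
# on stderr; the return value is their count, so 0 means "safe to apply".
emit_country_rules() {
    file=$1; chain=${2:-ALLOWED_COUNTRIES}; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g')
        [ -n "$entry" ] || continue
        if valid_cidr "$entry"; then
            printf 'iptables -A INPUT -s %s -j %s\n' "$entry" "$chain"
        else
            printf 'skipping malformed entry: %s\n' "$entry" >&2
            bad=$((bad + 1))
        fi
    done < "$file"
    return "$bad"
}
# Constructed sample list standing in for de.txt; 300.1.2.0/24 is deliberately bad.
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Germany (constructed sample, not real country data)
5.9.0.0/16
 78.46.0.0/15 
300.1.2.0/24
10.0.0.1
EOF
# Dry run: print the rules instead of applying them; refuse the list if anything was bad.
if emit_country_rules "$SAMPLE"; then echo "list OK"; else echo "list has bad entries, not applying" >&2; fi
```

Pipe the printed rules into `sh` only once the function returns 0, and keep the loopback and conntrack accept rules ahead of the country chain so a rejected list never locks out an administrative session.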
Marc says:

```sh
iptables -F
iptables -X
## the first one has to go (says Marc)
#iptables -I INPUT 1 -d 127.0.0.1 -j ACCEPT
iptables -I INPUT 2 -s 127.0.0.1 -j ACCEPT
# ....
#... OUTPUT
iptables -A OUTPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
```
Later Marc says:

- `-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`

You have to put that rule in place of the other ones that use connection tracking... then it should work.