
#1 2022-06-09 18:52:35

Registered: 2022-06-08
Posts: 1

workstation computer - iptables

Hi all,
Needs: ssh to/from with sshguard, dns querying and udp openvpn ports. (Explicit Allow)

Also, is there a way to force the ssh service to bypass the vpn entirely?

#!/usr/bin/env sh
# Flush all rules and delete user-defined chains before rebuilding
iptables -F && iptables -X

iptables -N TCP
iptables -N UDP
iptables -N sshguard

iptables -P FORWARD DROP
iptables -P INPUT DROP

# Allow Established and Related incoming connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept all traffic on loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Drop all packets with invalid headers/checksums/tcp flags/icmp msgs
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Allow incoming ICMP echo requests
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# Attach TCP and UDP chains to the INPUT chain to handle incoming traffic
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP

# Reject remaining tcp traffic with a reset and udp with icmp port unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

# Allow outgoing connections
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Block whatever SSHguard says is bad
iptables -A TCP -j sshguard
iptables -A UDP -j sshguard

# Allow SSH
iptables -A TCP -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow HTTP and HTTPS
#iptables -A TCP -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow OpenVPN/ProtonVPN Access on udp on port 1194
#iptables -A UDP -p udp -m multiport --dports 1194,4569,5060 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m multiport --sports 1194,4569,5060 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Anti-spoof
iptables -t raw -I PREROUTING -m rpfilter --invert -j DROP

# Save the ruleset and start the firewall
iptables-save -f /etc/iptables/iptables.rules
systemctl start iptables

# Check the status of the firewall
systemctl status iptables
# Done

Last edited by alohapine (2022-06-09 20:46:42)
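A complete ruleset covering the needs listed in the post (ssh in and out through the sshguard chain, DNS queries, OpenVPN over UDP), written here as an added example in iptables-restore format; it is not the original post's code. It assumes the VPN tunnel interface is tun0 and the OpenVPN server port is 1194 (both are assumptions, overridable through the VPN_IF and VPN_PORT environment variables). Unlike the posted script, it sets an explicit DROP policy on OUTPUT: the posted script never sets an OUTPUT policy, so its OUTPUT rules only restrict anything if that policy happens to be DROP.

```shell
#!/usr/bin/env sh
# Added example: a workstation ruleset in iptables-restore format.
# Assumptions (not from the original post): the VPN tunnel interface is
# $VPN_IF (default tun0) and the OpenVPN server listens on UDP $VPN_PORT
# (default 1194). Override both via the environment.
VPN_IF="${VPN_IF:-tun0}"
VPN_PORT="${VPN_PORT:-1194}"

# Print the ruleset. Packet counters are written as [0:0], the form
# iptables-restore expects.
emit_rules() {
cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Anti-spoof: drop packets that fail the reverse-path check
-A PREROUTING -m rpfilter --invert -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:TCP - [0:0]
:UDP - [0:0]
:sshguard - [0:0]
# --- inbound ---
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# sshguard fills its own chain; consult it before accepting new ssh sessions
-A TCP -j sshguard
-A TCP -p tcp --dport 22 -j ACCEPT
# --- outbound: explicit allow only ---
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
# DNS (needed to resolve the VPN server before the tunnel exists)
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# OpenVPN handshake to the server
-A OUTPUT -p udp --dport $VPN_PORT -m conntrack --ctstate NEW -j ACCEPT
# Outbound ssh sessions from this workstation
-A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Anything else may only leave through the tunnel
-A OUTPUT -o $VPN_IF -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Write the ruleset to a file and, if iptables-restore is present,
# syntax-check it without loading it (--test). Non-zero if the check fails.
write_rules() {
    dest="$1"
    emit_rules > "$dest" || return 1
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test "$dest"
    fi
}

# Usage: sh this_script.sh /etc/iptables/iptables.rules
if [ "$#" -gt 0 ]; then
    write_rules "$1"
fi
```

The file this produces is what `systemctl start iptables` loads from /etc/iptables/iptables.rules on Arch, so it replaces the flush-and-rebuild script rather than running alongside it. Note that whether ssh traffic goes around the tunnel or through it is a routing decision, not a filtering one: this ruleset only decides which packets are permitted to leave, on whichever interface the routing table picks for them.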

