Ubuntu/Bespin/Iptables
From charlesreid1
Up: Ubuntu/Bespin
Previous: Ubuntu/Bespin/PiHole
iptables script for Ubuntu/Bespin:
#!/bin/bash set -e ipt="sudo /sbin/iptables" # Set default policies $ipt -P INPUT DROP $ipt -P FORWARD DROP $ipt -P OUTPUT ACCEPT # Flush and clear everything $ipt -t nat -F $ipt -t mangle -F $ipt -F $ipt -X # Name of main wifi connection device WLAN="wlan0" # Name of PIA VPN tunnel device PIATUN="tun1" # Name of tinc tunnel device TINCTUN="master" # Name of loopback interface for PiHole DNS server PHDNS="lo:1" # Name of loopback interface for dnsmasq DNS server DDNS="lo" ########### LOOPBACK ########## $ipt -A INPUT -i lo -j ACCEPT $ipt -A INPUT -i lo:1 -j ACCEPT ########### INCOMING ########## # Allow any established connection to come in or out $ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT $ipt -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT ########### PING ############## # Allow incoming ping requests $ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT ########### SSH ############### # Allow incoming SSH sessions, new or established $ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT # Allow incoming SSH traffic, if part of established conversation $ipt -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT ########### VPN ############### # Allow incoming VPN sessions destined for 1194, new or established $ipt -A INPUT -p udp --dport 1194 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT # Allow incoming VPN traffic coming from 1194, part of established conversation $ipt -A INPUT -p udp --sport 1194 -m conntrack --ctstate ESTABLISHED -j ACCEPT ########### HTTP/HTTPS ######## # Allow incoming HTTP/HTTPS traffic, part of established conversation $ipt -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT $ipt -A INPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT # Allow incoming HTTP/HTTPS requests from tinc tunnel $ipt -A INPUT -p tcp -i ${TINCTUN} --dport 80 -j ACCEPT $ipt -A INPUT -p tcp -i ${TINCTUN} --dport 443 -j ACCEPT ########### DHCP ############## # Allow any DHCP traffic to come in or out $ipt -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT $ipt -A OUTPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT ########### DNS ############### PROTOCOLS="tcp udp" for prot in $PROTOCOLS; do # General DNS Traffic: # Allow incoming DNS traffic coming from 53, part of established conversation $ipt -A INPUT -p $prot --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT # PiHole self-accept traffic from port 53 $ipt -A INPUT -p $prot -i ${PHDNS} --dport 53 -j ACCEPT # PiHole DNS (lo:1) <-> PIA VPN Tunnel (tun0): # PiHole can always send DNS queries out through tunnel $ipt -A FORWARD -p $prot -i ${PHDNS} -o ${PIATUN} --dport 53 -j ACCEPT # Responses to PiHole can always return via tunnel $ipt -A FORWARD -p $prot -i ${PIATUN} -o ${PHDNS} --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT # dnsmasq DNS (lo) <-> PiHole DNS (lo:1) # Allow all DNS traffic from local dnsmasq DNS server to local PiHole DNS server $ipt -A FORWARD -p $prot -i ${DDNS} -o ${PHDNS} --dport 53 -j ACCEPT # Allow responses to dnsmasq to return via the PiHole DNS server $ipt -A FORWARD -p $prot -i ${PHDNS} -o ${DDNS} --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT done # Enable logging $ipt -N LOGGING $ipt -A INPUT -j LOGGING $ipt -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: " --log-level 4 $ipt -A LOGGING -j DROP # Make rules persistent sudo netfilter-persistent save # Restore docker iptables rules sudo service docker restart