Allow admin to specify exceptions to blocklist

[max/glocker.git] / iptables.rules

# This set of IPTABLES rules is adapted from:
# https://wiki.archlinux.org/index.php/Simple_stateful_firewall
# Retrieved: 2018-09-11
# Generated by iptables-save v1.8.0 on Tue Sep 11 14:41:53 2018
*mangle
:PREROUTING ACCEPT [40249:20804765]
:INPUT ACCEPT [39481:20735931]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8471:887466]
:POSTROUTING ACCEPT [8392:882867]
COMMIT
# Completed on Tue Sep 11 14:41:53 2018
# Generated by iptables-save v1.8.0 on Tue Sep 11 14:41:53 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [317:30781]
:TCP - [0:0]
:UDP - [0:0]

# First allow all related connections.  Avoids the overhead
# of checking thousands of IP addresses first
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets on the loopback interface cannot come from the outside world
-A INPUT -i lo -j ACCEPT
# Invalid packets are always dropped
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Drop all packets coming from the ban list
-A INPUT -m set --match-set glocker src -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
# Explicitly allow outgoing traffic to the following IP addresses.  This is
# for things like Google cloud addresses which are owned by but not operated
# by google.
-A OUTPUT -m set --match-set glocker-except dst -j ACCEPT
# Prevent all outgoing traffic to banned IP addresses also
-A OUTPUT -m set --match-set glocker dst -j DROP

-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

COMMIT
# Completed on Tue Sep 11 14:41:53 2018