Last active August 29, 2015 14:19
Default-Deny iptables Firewall Rules for Raspberry Pi Webserver
*filter
# Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
# Accept all established inbound & outbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow HTTP, HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow HTTP, HTTPS, DNS, NTP only for root
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p udp --dport 53 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p udp --dport 123 -m owner --uid-owner root -j ACCEPT
# Allow SSH connections
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Drop all other traffic - default deny
-A INPUT -j DROP
-A OUTPUT -j DROP
-A FORWARD -j DROP
COMMIT
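A small first-match evaluator for this gist's filter table, added here as an example and not part of the gist: it parses the rules above and returns the verdict iptables would reach for a described packet, so you can check that the default-deny tail catches what the accept rules leave out, that the 127/8 REJECT fires before the port-80 ACCEPT, and that a non-root process gets no outbound DNS or HTTP. The packet dicts, the `FIELD` name mapping and the pre-supplied conntrack state and socket owner are constructed assumptions covering only the options this ruleset uses.

```python
import ipaddress

# Constructed copy of the gist's rules (comments dropped) so the demo runs offline.
RULESET = """
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p udp --dport 53 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -p udp --dport 123 -m owner --uid-owner root -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j DROP
-A FORWARD -j DROP
"""
# Rule option -> packet field it constrains (assumed names; only the syntax this gist uses).
FIELD = {"-i": "iface", "-d": "dst", "-p": "proto", "--dport": "dport", "--sport": "sport",
         "--state": "state", "--uid-owner": "uid", "--icmp-type": "icmp_type"}

def parse(text):
    """Return {chain: [(rule_fields, target), ...]} in file order, as iptables-restore loads it."""
    chains = {}
    for t in (line.split() for line in text.splitlines()):
        if t[:1] != ["-A"]:
            continue
        opts = dict(zip(t[2::2], t[3::2]))  # every option in this ruleset takes one value
        rule = {FIELD[k]: v for k, v in opts.items() if k in FIELD}  # "-m" only loads a module
        chains.setdefault(t[1], []).append((rule, opts["-j"]))
    return chains

def hit(key, want, have):
    """Does one packet field satisfy one rule option?"""
    if key == "dst":  # -d takes a CIDR prefix
        return have is not None and ipaddress.ip_address(have) in ipaddress.ip_network(want)
    if key == "state":  # --state takes a comma-separated list
        return have in want.split(",")
    return str(have) == want

def verdict(chains, chain, pkt):
    """Walk the chain top-down, first match wins; no policy line in the gist, so no match falls to the default ACCEPT."""
    for rule, target in chains.get(chain, []):
        if all(hit(k, w, pkt.get(k)) for k, w in rule.items()):
            return target
    return "ACCEPT"
```

Because every chain ends in an unconditional DROP, the fall-through ACCEPT is never reached; the evaluator makes that visible when you append a rule after the DROP lines and see it never fire.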