Simple linux iptables configuration script

I needed to firewall some VMs after installing a cluster of the awesome CockroachDB, since I couldn’t find out how to password-protect the admin interface.

The idea is to drop all connections by default from any machine not in the cluster pool, while allowing unrestricted communication on any port between machines within the pool.

The script, found here, isn’t actually that complicated, and since I’m not an expert I might have missed something, but it does include many of the little details a non-professional sysadmin like me tends to miss:

  • IPv6 ICMP rules
  • outgoing DNS rules
  • IPv4/IPv6 pass-through rules
  • a proper “reset all” option

The configuration is deliberately simple and tuned towards making it easy to add or remove machines from the pool on each host, without maintaining dozens of lines for every input/output/protocol tuple, e.g.:

#allow input/output communication through port 80
ALLOW 80
ALLOW 443
#allow all communication from the specific host
HOST 192.0.2.23
#same but for IPv6 addresses
HOST6 2001:DB8::4860:3242
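To show how such a policy expands into real rules, here is an added example in POSIX sh. It is not the post’s script: it reads ALLOW/HOST/HOST6 lines in the format above and prints the iptables/ip6tables commands instead of running them, so the result can be reviewed before being applied as root (or piped to sh). The chain name POOLFW, the embedded sample policy, and the exact base rule set (loopback, established connections, outgoing DNS, ICMPv6) are assumptions of this example, not something the post specifies.

```shell
#!/bin/sh
# Added example, not the post's own script. Expands a tiny ALLOW/HOST/HOST6
# policy into iptables/ip6tables commands and prints them (never executes them).
# The chain name and the base rules are assumptions of this example.

CHAIN="POOLFW"   # hypothetical chain name; our rules live here, not in INPUT/OUTPUT

# Constructed sample policy in the format described in the post.
SAMPLE_POLICY='#allow input/output communication through port 80
ALLOW 80
ALLOW 443
#allow all communication from the specific host
HOST 192.0.2.23
#same but for IPv6 addresses
HOST6 2001:DB8::4860:3242'

# Reset removes only this script's chains, so other chains (e.g. Docker's) survive.
emit_reset() {
    for tool in iptables ip6tables; do
        echo "$tool -D INPUT -j ${CHAIN}-IN 2>/dev/null"
        echo "$tool -D OUTPUT -j ${CHAIN}-OUT 2>/dev/null"
        echo "$tool -F ${CHAIN}-IN 2>/dev/null"
        echo "$tool -F ${CHAIN}-OUT 2>/dev/null"
        echo "$tool -X ${CHAIN}-IN 2>/dev/null"
        echo "$tool -X ${CHAIN}-OUT 2>/dev/null"
    done
}

# Base rules every host needs: loopback, already-established flows, outgoing DNS,
# and ICMPv6 (neighbour discovery breaks without it).
emit_base() {
    for tool in iptables ip6tables; do
        echo "$tool -N ${CHAIN}-IN"
        echo "$tool -N ${CHAIN}-OUT"
        echo "$tool -A ${CHAIN}-IN -i lo -j ACCEPT"
        echo "$tool -A ${CHAIN}-OUT -o lo -j ACCEPT"
        echo "$tool -A ${CHAIN}-IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "$tool -A ${CHAIN}-OUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "$tool -A ${CHAIN}-OUT -p udp --dport 53 -j ACCEPT"
        echo "$tool -A ${CHAIN}-OUT -p tcp --dport 53 -j ACCEPT"
    done
    echo "ip6tables -A ${CHAIN}-IN -p icmpv6 -j ACCEPT"
    echo "ip6tables -A ${CHAIN}-OUT -p icmpv6 -j ACCEPT"
}

# Translate one policy line; comments and blank lines are skipped, anything
# unknown or malformed is rejected so a typo cannot silently weaken the policy.
emit_line() {
    case "$1" in ''|'#'*) return 0 ;; esac
    key=${1%% *}
    val=${1#* }
    [ "$val" = "$1" ] && val=""          # directive without a value
    case "$key" in
        ALLOW)
            case "$val" in ''|*[!0-9]*) echo "bad port: $1" >&2; return 1 ;; esac
            [ "$val" -ge 1 ] && [ "$val" -le 65535 ] || { echo "bad port: $1" >&2; return 1; }
            for tool in iptables ip6tables; do
                echo "$tool -A ${CHAIN}-IN -p tcp --dport $val -j ACCEPT"
                echo "$tool -A ${CHAIN}-OUT -p tcp --dport $val -j ACCEPT"
            done ;;
        HOST)
            [ -n "$val" ] || { echo "missing address: $1" >&2; return 1; }
            echo "iptables -A ${CHAIN}-IN -s $val -j ACCEPT"
            echo "iptables -A ${CHAIN}-OUT -d $val -j ACCEPT" ;;
        HOST6)
            [ -n "$val" ] || { echo "missing address: $1" >&2; return 1; }
            echo "ip6tables -A ${CHAIN}-IN -s $val -j ACCEPT"
            echo "ip6tables -A ${CHAIN}-OUT -d $val -j ACCEPT" ;;
        *)  echo "unknown directive: $1" >&2; return 1 ;;
    esac
}

# Whole policy: per-line rules, then a final DROP, then hook the chains in first.
emit_policy() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        emit_line "$line" || exit 1
    done || return 1
    for tool in iptables ip6tables; do
        echo "$tool -A ${CHAIN}-IN -j DROP"
        echo "$tool -A ${CHAIN}-OUT -j DROP"
        echo "$tool -I INPUT -j ${CHAIN}-IN"
        echo "$tool -I OUTPUT -j ${CHAIN}-OUT"
    done
}

# Full ruleset: reset our chains, base rules, then the policy.
generate() {
    emit_reset
    emit_base
    emit_policy "$1" || return 1
}

case "${1:-}" in
    --reset) emit_reset ;;                 # sh fw.sh --reset  | sudo sh
    --demo)  generate "$SAMPLE_POLICY" ;;  # sh fw.sh --demo
    "")      : ;;                          # no argument: only define functions
    *)       generate "$(cat "$1")" ;;     # sh fw.sh policy.conf | sudo sh
esac
```

Two design points differ from a "flush everything" reset: the rules are kept in dedicated chains that are jumped to from INPUT/OUTPUT, so the reset deletes only those chains and leaves Docker’s nat and filter chains alone (the situation the warning at the end of the post describes); and every policy line is validated, so a typo produces an error rather than a rule that is silently skipped. Keep in mind that HOST/HOST6 trust a source address alone, which is only as strong as the network between the pool members.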

Hope you find this useful! It’s already in init.d format. Please do tell if you see any improvement or suggestion to make it more robust or secure!

A word of warning: do not use this with Docker! The reset option will nuke its port forwarding rules.
