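% # run it like this: `erb ports='[]' iptables.erb | iptables-restore`
% # `ports` is a JSON array of extra port numbers to open; 22, 80 and 443 are always open.
% # NOTE: it discards docker iptable rules
*filter
-N DOCKER-USER
-N DOCKER-ISOLATION-STAGE-1

# don't restrict output at all
-A OUTPUT -j ACCEPT

# allow all loopback
-A INPUT -i lo -j ACCEPT
-A FORWARD -i lo -j ACCEPT

# allow all established
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# allow wireguard
-A INPUT -i wg0 -j ACCEPT
-A FORWARD -i wg0 -j ACCEPT
-A DOCKER-USER -i wg0 -j ACCEPT

# allow all docker
-A DOCKER-USER -i docker0 -j DOCKER-ISOLATION-STAGE-1

% require 'json'
% # `ports` comes from the erb command line and is spliced verbatim into the
% # rules below, so reject anything that is not a list of valid port numbers
% # here instead of handing malformed rule text to iptables-restore.
% extra = JSON.parse(ports)
% unless extra.is_a?(Array) && extra.all? { |p| p.is_a?(Integer) && (1..65535).cover?(p) }
%   raise ArgumentError, "ports must be a JSON array of integers in 1..65535, got #{ports.inspect}"
% end
% prts = ([22, 80, 443] + extra).uniq

# custom ports
% prts.each { |port|
% %w[tcp udp].each { |proto|
-A FORWARD -p <%= proto %> --dport <%= port %> -j ACCEPT
-A INPUT -p <%= proto %> --dport <%= port %> -j ACCEPT
% # DOCKER-USER sees forwarded traffic after docker's DNAT, so match on the
% # port the client originally connected to rather than the container port
-A DOCKER-USER -p <%= proto %> -m conntrack --ctorigdstport <%= port %> --ctdir ORIGINAL -j ACCEPT
% }
% }

# disallow all other
-A INPUT -j DROP
-A FORWARD -j DROP
-A DOCKER-USER -j DROP

COMMIT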