Iptables on sudoscience https://sudoscience.de/tags/iptables/ Recent content in Iptables on sudoscience Hugo -- 0.162.1 de-DE Vanderley Industries Mon, 30 Mar 2026 00:00:00 +0000 Iptables-Script IPv4 https://sudoscience.de/posts/iptables_ipv4/ Mon, 30 Mar 2026 00:00:00 +0000Art Vanderleyhttps://sudoscience.de/posts/iptables_ipv4/ 
#!/usr/bin/env bash

# 1. Clear current configuration
iptables -F
iptables -X
iptables -Z
iptables -Z -t nat
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X

# 2. Create chains.
iptables -N TCP
iptables -N UDP

# 3. Set default policy.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# 4. Standard rules.
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# 5. Dispatch new connections chains.
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP

# 6. Allow inbound TCP traffic.
# iptables -A TCP -p tcp --dport 22 -j ACCEPT
# iptables -A TCP -p tcp --dport 53 -j ACCEPT
# iptables -A TCP -p tcp --dport 80 -j ACCEPT
# iptables -A TCP -p tcp --dport 139 -j ACCEPT
# iptables -A TCP -p tcp --dport 443 -j ACCEPT
# iptables -A TCP -p tcp --dport 445 -j ACCEPT
# iptables -A TCP -p tcp --dport 1081 -j ACCEPT
# iptables -A TCP -p tcp --dport 3128 -j ACCEPT
# iptables -A TCP -p tcp --dport 8118 -j ACCEPT

# 7. Allow inbound UDP traffic.
# iptables -A UDP_$IF1 -p udp --dport 53 -j ACCEPT
# iptables -A UDP_$IF1 -p udp --dport 137 -j ACCEPT
# iptables -A UDP_$IF1 -p udp --dport 138 -j ACCEPT
# iptables -A UDP_$IF1 -p udp --dport 139 -j ACCEPT

# 10. Reject/Log everything else.
iptables -A INPUT -p udp -j LOG --log-prefix "[iptables_ipv4_udp]: " --log-level 7 --log-uid
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j LOG --log-prefix "[iptables_ipv4_tcp]: " --log-level 7 --log-uid
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j LOG --log-prefix "[iptables_ipv4]: " --log-level 7 --log-uid
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

# 11. Persist rules.
mkdir -p /etc/iptables
iptables-save > /etc/iptables/rules.v4

# 12. Display info in terminal.
echo ""
echo "[IPv4] packets will be FILTERED."
echo ""
]]> Iptables-Script IPv6 https://sudoscience.de/posts/iptables_ipv6/ Sun, 29 Mar 2026 00:00:00 +0000Art Vanderleyhttps://sudoscience.de/posts/iptables_ipv6/ 
#!/usr/bin/env bash

# 1. Clear current configuration.
ip6tables -F
ip6tables -F -t nat
ip6tables -X
ip6tables -Z
ip6tables -Z -t nat
ip6tables -t nat -F
ip6tables -t nat -X
ip6tables -t mangle -F
ip6tables -t mangle -X
ip6tables -t raw -F
ip6tables -t raw -X

# 2. Create chains.
ip6tables -N TCP
ip6tables -N UDP

# 3. Set default policy.
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT ACCEPT

# 4. Standard rules.
ip6tables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Rules for ICMPv6 und DHCPv6.
ip6tables -A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT

# 5. Dispatch new connections to chains.
ip6tables -A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
ip6tables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP

# 6. Allow inbound TCP traffic.
# ip6tables -A TCP -p tcp --dport 22 -j ACCEPT
# ip6tables -A TCP -p tcp --dport 80 -j ACCEPT
# ip6tables -A TCP -p tcp --dport 139 -j ACCEPT
# ip6tables -A TCP -p tcp --dport 443 -j ACCEPT
# ip6tables -A TCP -p tcp --dport 445 -j ACCEPT
# ip6tables -A TCP -p tcp --dport 1081 -j ACCEPT
# ip6tables -A TCP -p tcp --dport 3128 -j ACCEPT
# ip6tables -A TCP -p tcp --dport 8118 -j ACCEPT

# 8. Allow inbound UDP traffic.
# ip6tables -A UDP -p udp --dport 53 -j ACCEPT
# ip6tables -A UDP -p udp --dport 138 -j ACCEPT
# ip6tables -A UDP -p udp --dport 138 -j ACCEPT
# ip6tables -A UDP -p udp --dport 139 -j ACCEPT

# 8. Reject/Log everything else.
ip6tables -A INPUT -p udp -j LOG --log-prefix "[iptables_ipv6_udp]: " --log-level 7 --log-uid
ip6tables -A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
ip6tables -A INPUT -p tcp -j LOG --log-prefix "[iptables_ipv6_tcp]: " --log-level 7 --log-uid
ip6tables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -j LOG --log-prefix "[iptables_ipv6]: " --log-level 7 --log-uid
ip6tables -A INPUT -j REJECT --reject-with icmp6-adm-prohibited

# 9. Persist rules.
mkdir -p /etc/iptables
ip6tables-save > /etc/iptables/rules.v6

# 10. Display info in terminal.
echo ""
echo "[IPv6] packets will be FILTERED."
echo ""
]]>