Administration - Debian OS
      Back to home
      1. ggCircuit Help Center
      2. ggRock User Manual
      3. Administration - Debian OS

      ggRock IPTABLES firewall configuration

      This article is meant as a reference for how to configure the iptables firewall to permit ggRock functionality.

      Replace any placeholder values such as X.X.X.X/X and Y.Y.Y.Y/Y with appropriate CIDR notation values for your organization.

      # Reset Firewall
      iptables -P INPUT ACCEPT
      iptables -P OUTPUT ACCEPT
      iptables -X
      iptables -F


      # Disable Acting as a Router
      iptables -P FORWARD DROP


      # Allow Expected Traffic
      iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
      iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
      iptables -A INPUT -i lo -j ACCEPT

      # Allow DHCP
      iptables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT

      # Remote Management
      iptables -A INPUT -p tcp -s X.X.X.X/X --dport 9090 -j ACCEPT
      iptables -A INPUT -p tcp -s X.X.X.X/X --dport 443 -j ACCEPT
      iptables -A INPUT -p udp -s X.X.X.X/X --dport 443 -j ACCEPT

      # Allow All from Subnet (ggRock PCs)
      iptables -A INPUT -p icmp -s Y.Y.Y.Y/Y -j ACCEPT
      iptables -A INPUT -p tcp -s Y.Y.Y.Y/Y -j ACCEPT
      iptables -A INPUT -p udp -s Y.Y.Y.Y/Y -j ACCEPT

      # ggCircuit VPN Port Allowances
      iptables -A INPUT -p tcp -s 34.255.111.148/25 --dport 9090 -j ACCEPT
      iptables -A INPUT -p tcp -s 34.255.111.148/25 --dport 443 -j ACCEPT
      iptables -A INPUT -p udp -s 34.255.111.148/25 --dport 443 -j ACCEPT
      iptables -A INPUT -p tcp -s 54.228.150.30/25 --dport 9090 -j ACCEPT
      iptables -A INPUT -p tcp -s 54.228.150.30/25 --dport 443 -j ACCEPT
      iptables -A INPUT -p udp -s 54.228.150.30/25 --dport 443 -j ACCEPT


      # Block (and Log) Other Ingress
      # iptables -A INPUT -j LOG
      iptables -P INPUT DROP

      # Allow Expected Egress
      iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
      iptables -A OUTPUT -o lo -j ACCEPT
      iptables -A OUTPUT -p icmp -j ACCEPT

      # DHCP
      iptables -A OUTPUT -p udp --dport 67 --sport 68 -j ACCEPT

      # DNS
      iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
      iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

      # NTP
      iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
      iptables -A OUTPUT -p tcp --dport 123 -j ACCEPT

      # HTTP/S for Updates, etc.
      iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
      iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
      iptables -A OUTPUT -p udp --dport 443 -j ACCEPT

      # Allow (and Log) All Egress
      # iptables -A OUTPUT -j LOG
      iptables -P OUTPUT ACCEPT