ggRock IPTABLES firewall configuration

This article is meant as a reference for how to configure the iptables firewall to permit ggRock functionality.

Replace the placeholder values X.X.X.X/X (the remote-management source range) and Y.Y.Y.Y/Y (the ggRock PC subnet) with the appropriate CIDR-notation values for your organization before applying the rules.

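#!/usr/bin/env bash
#
# ggRock iptables firewall configuration (IPv4 `filter` table).
#
# Builds a default-deny INPUT chain that admits DHCP, remote management from
# MGMT_NET, all ICMP/TCP/UDP from the ggRock PC subnet CLIENT_NET, and the
# management ports from the ggCircuit VPN ranges. OUTPUT stays default-allow.
# Must run as root.
#
# Caveats:
#   - Only IPv4 is affected. ip6tables is not touched here, so IPv6 ingress
#     (if enabled on the host) is not filtered by this script.
#   - Only the `filter` table is reset; `nat` and `mangle` are left as-is.
#   - Rules are not persisted across reboots; save them (e.g. iptables-save or
#     your distribution's persistence package) after verifying they work.
#   - INPUT is switched to DROP at the end. Apply from a console/out-of-band
#     session, or from an address inside MGMT_NET, to avoid locking yourself out.
set -euo pipefail

# Replace these placeholders with CIDR values for your organization.
readonly MGMT_NET="X.X.X.X/X"     # hosts allowed to reach remote management (TCP 9090, TCP/UDP 443)
readonly CLIENT_NET="Y.Y.Y.Y/Y"   # ggRock PCs; all ICMP/TCP/UDP from here is accepted

# ggCircuit VPN source ranges.
# NOTE(review): a /25 spans 128 addresses (34.255.111.128-255 and
# 54.228.150.0-127), not just the listed host. Confirm this is the intended
# scope; use /32 if a single endpoint is meant.
readonly VPN_NETS=(34.255.111.148/25 54.228.150.30/25)

# --- Reset Firewall ---------------------------------------------------------
# Policies go to ACCEPT first so the flush cannot cut off the session that is
# applying this script. Flush rules (-F) before deleting user chains (-X):
# -X fails on a chain that still holds rules or is still referenced.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X

# --- Disable Acting as a Router --------------------------------------------
iptables -P FORWARD DROP

# --- Allow Expected Traffic -------------------------------------------------
# Drop packets conntrack cannot classify, then accept traffic belonging to
# connections this host already has, and everything on loopback.
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Allow DHCP (server/client ports 67-68 on both sides)
iptables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT

# Remote Management (only from MGMT_NET)
iptables -A INPUT -p tcp -s "$MGMT_NET" --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s "$MGMT_NET" --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s "$MGMT_NET" --dport 443 -j ACCEPT

# Allow All from Subnet (ggRock PCs)
iptables -A INPUT -p icmp -s "$CLIENT_NET" -j ACCEPT
iptables -A INPUT -p tcp -s "$CLIENT_NET" -j ACCEPT
iptables -A INPUT -p udp -s "$CLIENT_NET" -j ACCEPT

# ggCircuit VPN Port Allowances (same management ports as above, per range)
for net in "${VPN_NETS[@]}"; do
  iptables -A INPUT -p tcp -s "$net" --dport 9090 -j ACCEPT
  iptables -A INPUT -p tcp -s "$net" --dport 443 -j ACCEPT
  iptables -A INPUT -p udp -s "$net" --dport 443 -j ACCEPT
done

# --- Block (and Log) Other Ingress -----------------------------------------
# Uncomment to log what the DROP policy discards. The rate limit keeps a
# flood of unsolicited packets from filling the kernel log.
# iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-drop: "
iptables -P INPUT DROP

# --- Allow Expected Egress --------------------------------------------------
# With the OUTPUT policy set to ACCEPT at the end of this script, these rules
# do not restrict anything; they document the egress that is expected and
# become effective only if that policy is changed to DROP.
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# DHCP (client port 68 -> server port 67)
iptables -A OUTPUT -p udp --dport 67 --sport 68 -j ACCEPT

# DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT

# NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 123 -j ACCEPT

# HTTP/S for Updates, etc.
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 443 -j ACCEPT

# --- Allow (and Log) All Egress --------------------------------------------
# Uncomment to log outbound connections (rate-limited, as above).
# iptables -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables-out: "
iptables -P OUTPUT ACCEPT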