I spent some time thinking about two things about this iptables: most of those who look for these tutorials are beginners and secondly, many are already looking for something fairly simple and already elaborated.
This example is for a web server, but you can easily add more rules and adapt it to your needs.
When you see "x" change for your ip's
#!/bin/bash
#We clean iptables tables -F iptables -X # We clean NAT iptables -t nat -F iptables -t nat -X # mangle table for things like PPPoE, PPP, and ATM iptables -t mangle -F iptables -t mangle -X # Policies I think this is the best way for beginners and # still not bad, I'll explain output all because they are outgoing connections #, input we discard everything, and no server should forward. iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP #Intranet LAN intranet = eth0 #Extranet wan extranet = eth1 # Keep state. Everything that is already connected (established) is left like this: iptables -A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT # Loop device. iptables -A INPUT -i lo -j ACCEPT # http, https, we do not specify the interface because # we want it to be for all iptables -A INPUT -p tcp --dport 80 -j ACCEPT iptables -A INPUT -p tcp - dport 443 -j ACCEPT # ssh only internally and from this range of ip's iptables -A INPUT -p tcp -s 192.168.xx / 24 -i $ intranet --dport 7659 -j ACCEPT # monitoring for example if they have zabbix or some other snmp service iptables -A INPUT -p tcp -s 192.168.xx / 24 -i $ intranet --dport 10050 -j ACCEPT # icmp, ping well it's up to you iptables -A INPUT -p icmp -s 192.168.xx / 24 - i $ intranet -j ACCEPT #mysql with postgres is port 5432 iptables -A INPUT -p tcp -s 192.168.xx --sport 3306 -i $ intranet -j ACCEPT #sendmail bueeeh if you want to send some mail #iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT # Anti-SPOOFING 09/07/2014 # SERVER_IP = "190.xxx" # server IP - the real wan ip of your server LAN_RANGE = "192.168.xx / 21" # LAN range of your network or your vlan # Ip's that should never enter the extranet,is to use a bit of # logic if we have a purely WAN interface it should never enter # LAN type traffic through that interface SPOOF_IPS = "0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0 / 16 "# Default action - to be performed when any rule matches ACTION =" DROP "# Packets with the same ip of my server through the wan iptables -A INPUT -i $ extranet -s $ SERVER_IP -j $ ACTION # iptables -A OUTPUT -o $ extranet -s $ SERVER_IP -j $ ACTION # Packets with the LAN Range for the wan, I put it like this in case you have # any particular network, but this is redundant with the following # rule inside the loop " for "iptables -A INPUT -i $ extranet -s $ LAN_RANGE -j $ ACTION iptables -A OUTPUT -o $ extranet -s $ LAN_RANGE -j $ ACTION ## All SPOOF Networks not allowed by the wan for ip in $ SPOOF_IPS do iptables -A INPUT -i $ extranet -s $ ip -j $ ACTION iptables -A OUTPUT -o $ extranet -s $ ip -j $ ACTION done
As always I await your comments, stay tuned in this blog, Thank you