Iptables restoring
Iptables rules should only be managed through the /etc/iptables/rules.v4 file.
Default configuration
With this configuration the Docker rules keep working after a restore. For the fail2ban rules to be restored, the service must be restarted. User-managed rules belong in the FILTERS chain.
```
# Restore with "systemctl restart iptables" command
# Format explained here: https://unix.stackexchange.com/a/400203
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:FILTERS - [0:0]
:DOCKER-USER - [0:0]
# Flush chains
-F INPUT
-F DOCKER-USER
-F FILTERS
# INPUT CHAIN RULES
# Accept localhost
-A INPUT -i lo -j ACCEPT
# ICMP
-A INPUT -p icmp -j ACCEPT
-A INPUT -j FILTERS
# DOCKER-USER CHAIN RULES
-A DOCKER-USER -i enp2s0 -j FILTERS
# ===== USER RULES HERE ===== #
# FILTERS CHAIN RULES (user rules)
# Allow SSH
-A FILTERS -p tcp -m tcp --dport 22 -j ACCEPT
# Allow HTTP and HTTPS
-A FILTERS -p tcp -m tcp --dport 80 -j ACCEPT
-A FILTERS -p tcp -m tcp --dport 443 -j ACCEPT
# Fail2ban
-A FILTERS -p tcp -m multiport --dports 22 -j f2b-sshd
# ===== USER RULES END ===== #
# Allow all traffic that is part of an established connection or is related to an established connection
-A FILTERS -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
```
Adding service
Create a script that restores the rules at /opt/scripts/iptables/restore.sh.
```bash
#!/bin/bash
# Restores iptables rules from rules.v4 file
/usr/sbin/iptables-restore -n < /etc/iptables/rules.v4
```
The -n (--noflush) flag prevents iptables-restore from flushing the existing contents of the table. Without it, everything in the table is deleted before the rules are loaded.
Add a new systemd service for iptables at /etc/systemd/system/iptables.service.
```
[Unit]
Description=Restore iptables firewall rules
Before=network-pre.target
[Service]
Type=oneshot
ExecStart=/opt/scripts/iptables/restore.sh
[Install]
WantedBy=multi-user.target
```
Enable and start the iptables service with:
```bash
systemctl enable --now iptables
```