  1. PRIVATE_SUBNET="10.200.100.0/24"
  2.  
  3. # Reset/Flush iptables
  4. iptables -F
  5. iptables -X
  6. iptables -t nat -F
  7. iptables -t nat -X
  8. iptables -t mangle -F
  9. iptables -t mangle -X
  10. iptables -P INPUT ACCEPT
  11. iptables -P FORWARD ACCEPT
  12. iptables -P OUTPUT ACCEPT
  13.  
  14.  
  15. # Make sure ip forwarding is enabled
  16. sysctl -w net.ipv4.ip_forward=1
  17.  
  18. # Allow loopback
  19. iptables -A INPUT -i lo -j ACCEPT
  20. iptables -A OUTPUT -o lo -j ACCEPT
  21.  
  22. # Allow already established connections
  23. iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  24.  
  25. # Allow managment IPs this server via SSH (port 22) over ens192
  26. iptables -A INPUT -i ens192 -p tcp -s x.x.x.x.x/26 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  27. # Allow Wireguard connections in from anywhere because we don't necessarily know who our peers are in advance
  28. iptables -A INPUT -i ens192 -p udp --dport 51822 -j ACCEPT
  29.  
  30.  
  31. # Mark packets coming in from wg0. Example 1.1.1.1.1. no need to mark 10.200.100.0/24 since it will
  32. # already return through wg0. We just want to mark traffic that would otherwise go out the wrong interface
  33. # This works but I haven't gotten the ip routing rules working with it yet
  34. #iptables -t mangle -A PREROUTING -i wg0 -p tcp --dport 4444 -j LOG --log-level 4 --log-prefix "MARKING PKT WITH 4444: "
  35. #iptables -t mangle -A PREROUTING -i wg0 -p tcp --dport 4444 -j MARK --set-mark 4
  36.  
  37. # Allow traffic coming down from the VPS' into this server on port 4444. 4444 is for testing
  38. # but the production goal is to push ALL traffic from the VPS down.
  39. iptables -A INPUT -i wg0 -p tcp --dport 4444 -j LOG --log-prefix "ALLOWING INPUT 4444: " --log-level 4
  40. iptables -A INPUT -i wg0 -p tcp --dport 4444 -j ACCEPT
  41.  
  42.  
  43. # For now allow anything into wg0 and log for debugging
  44. #iptables -A INPUT -i wg0 -j LOG --log-prefix "IPTABLES-ALLOW-WG0-IN: " --log-level 4
  45. iptables -A INPUT -i wg0 -j ACCEPT
  46.  
  47. # Be explicit allowing forwarded established connections
  48. iptables -A FORWARD -i ens192 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  49. iptables -A FORWARD -i wg0 -o ens192 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  50. iptables -A FORWARD -i ens192 -o wg0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  51. iptables -A FORWARD -i wg0 -o ens192 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  52.  
  53.  
  54. # Explicitly allow everything out wg0. this isn't necessary as the default OUTPUT rule is ALLOW
  55. #iptables -A OUTPUT -o wg0 -j LOG --log-prefix "IPTABLES-wg0-OUTPUT ALLOW: " --log-level 4
  56. iptables -A OUTPUT -o wg0 -j ACCEPT
  57. iptables -A OUTPUT -o ens192 -j ACCEPT
  58.  
  59.  
  60. iptables -N LOGGING
  61. iptables -A INPUT -j LOGGING
  62. iptables -A INPUT -j DROP
  63. iptables -A OUTPUT -j LOG
  64. iptables -A OUTPUT -o wg0 -j ACCEPT
  65. iptables -A FORWARD -j LOG
  66. iptables -t nat -A PREROUTING -j LOG
  67. iptables -t nat -A POSTROUTING -j LOG
  68. iptables -A LOGGING -m limit --limit 20/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
  69. iptables -A LOGGING -j DROP