
IP Routing Rules

28 Oct, 2016

These are the IP routing rules (an `iptables-save` dump, loadable with `iptables-restore`) I used when I ran a server on Hetzner. Thought they might come in handy one day...

*nat
# The [packets:bytes] values on the chain lines are counters from the dump;
# iptables-restore ignores them unless it is run with -c.
:PREROUTING ACCEPT [6:774]
:POSTROUTING ACCEPT [43:3724]
:OUTPUT ACCEPT [42:3320]
# Masquerade the internal 192.168.100.0/24 network behind 10.157.222.82 when
# it leaves through eth0 (source NAT). Replies are un-NATed by conntrack.
-A POSTROUTING -s 192.168.100.0/24 -o eth0 -j SNAT --to-source 10.157.222.82

# Every PREROUTING rule below only rewrites the destination of packets that
# arrive on eth0 for 10.157.222.82. Whether the rewritten packet is then
# allowed through is decided by the FORWARD chain in *filter, not here.

# Bind: DNS (tcp and udp 53) published to the host at .20.
-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.100.20:53
-A PREROUTING -d 10.157.222.82/32 -i eth0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.100.20:53
# 953 (presumably the rndc control port) is deliberately not exposed.
#-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 953 -j DNAT --to-destination 192.168.100.20:953
#-A PREROUTING -d 10.157.222.82/32 -i eth0 -p udp -m udp --dport 953 -j DNAT --to-destination 192.168.100.20:953


# Gluster FS on .17 - all disabled. The last rule has no port in
# --to-destination, so the original port in 38465:38467 would be kept.
#-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 24007 -j DNAT --to-destination 192.168.100.17:24007
#-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 24008 -j DNAT --to-destination 192.168.100.17:24008
#-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 24009 -j DNAT --to-destination 192.168.100.17:24009
#-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 111 -j DNAT --to-destination 192.168.100.17:111
#-A PREROUTING -d 10.157.222.82/32 -i eth0 -p udp -m udp --dport 111 -j DNAT --to-destination 192.168.100.17:111
#-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 38465:38467 -j DNAT --to-destination 192.168.100.17

# SSH into individual internal hosts: public port 300NN maps to port 22 on
# 192.168.100.NN. Each of these is reachable from the whole internet once
# FORWARD lets it through, so the guests' sshd configuration matters as much
# as this host's.
-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 30014 -j DNAT --to-destination 192.168.100.14:22
-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 30015 -j DNAT --to-destination 192.168.100.15:22
-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 30016 -j DNAT --to-destination 192.168.100.16:22
#-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 30020 -j DNAT --to-destination 192.168.100.20:22

# 9001 -> .14:9001 (service not identifiable from this file).
-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 9001 -j DNAT --to-destination 192.168.100.14:9001
# NOTE: if re-enabled, this rule would never match - 30016 is already taken by
# the live rule for .16 above and PREROUTING is first-match.
#-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 30016 -j DNAT --to-destination 192.168.100.19:22
# HTTP is served by .12, which is why *filter does not open port 80 on INPUT.
-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.100.12:80
#-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.100.19:8000
# Public port 2025 -> port 25 on .19 (presumably its mail server - confirm).
-A PREROUTING -d 10.157.222.82/32 -i eth0 -p tcp -m tcp --dport 2025 -j DNAT --to-destination 192.168.100.19:25
COMMIT
*mangle
# No mangle rules are used; the chains appear only with their (default)
# ACCEPT policies and the counters recorded at dump time.
:PREROUTING ACCEPT [686:69307]
:INPUT ACCEPT [438:37769]
:FORWARD ACCEPT [244:30990]
:OUTPUT ACCEPT [349:42626]
:POSTROUTING ACCEPT [593:73616]
COMMIT
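*filter
:INPUT ACCEPT [438:37769]

# Loopback: accept everything that arrives on lo, then reject anything
# addressed to 127/8 that arrived on any other interface (loopback addresses
# are only legitimate on lo). The reject rule must use "! -i lo": with "-i lo"
# it would sit behind the accept-all-on-lo rule and never match anything.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Replies and related traffic (including ICMP errors) for connections this
# host opened or has already accepted
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Services reachable from anywhere: 443, and 3000 (what listens on 3000 is not
# visible in this file - confirm it is meant to be world-reachable). Port 80 is
# not opened here because *nat DNATs it to 192.168.100.12, so it never reaches
# INPUT on this host.
-A INPUT -p tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

# SSH to this host, from anywhere. --dport must match the Port in
# /etc/ssh/sshd_config or you lock yourself out; narrowing it with --source
# to the addresses you administer from is the usual next step.
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# ICMP echo request (ping). Other ICMP reaches the host only through the
# RELATED rule above.
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Port 3142 only for the internal network and loopback (loopback is already
# accepted by the first rule; it is listed here for readability). Everyone
# else gets a TCP reset rather than a silent timeout.
-A INPUT -p tcp --dport 3142 --source 127.0.0.0/8,192.168.100.0/24 -j ACCEPT
-A INPUT -p tcp --dport 3142 -j REJECT --reject-with tcp-reset

# Log what is about to be rejected, rate-limited so a scan cannot flood the log
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Default deny: reject everything not explicitly allowed above
-A INPUT -j REJECT

:FORWARD ACCEPT [244:30990]
# This host is a NAT gateway (see *nat), so FORWARD decides what reaches the
# 192.168.100.0/24 guests. Allow replies, the connections published by the
# DNAT rules (conntrack marks those with the DNAT state), and anything the
# guests initiate; log and reject the rest instead of leaving the chain open.
# Assumes 192.168.100.0/24 is the only forwarded network - adjust if other
# networks are bridged through this host.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -s 192.168.100.0/24 -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables fwd denied: " --log-level 7
-A FORWARD -j REJECT

:OUTPUT ACCEPT [349:42626]
# Allow all outbound traffic (modify to only allow certain traffic if you like)
-A OUTPUT -j ACCEPT

COMMIT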
