Can I drop :INPUT and :FORWARD?
by Jason.nix from LinuxQuestions.org on (#6J0T8)
Hello,
In Linux, I have installed Tor and am using it as a remote proxy, and at the same time I have tunneled OpenVPN on Tor. My iptables rules are as follows:
Code:
# Generated by iptables-save v1.8.9 (nf_tables) on Sun Jan 21 10:16:31 2024
*filter
:INPUT ACCEPT [862:113997]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [76190:79547849]
-A INPUT -p udp -m udp --dport 2024 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9050 -j ACCEPT
-A INPUT -s 172.21.50.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 10.10.0.0/24 -i tun2 -m state --state NEW -j ACCEPT
-A FORWARD -i enX1 -o tun2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.0.0/24 -o enX1 -j ACCEPT
COMMIT
# Completed on Sun Jan 21 10:16:31 2024
# Generated by iptables-save v1.8.9 (nf_tables) on Sun Jan 21 10:16:31 2024
*nat
:PREROUTING ACCEPT [5964:400656]
:INPUT ACCEPT [4042:236895]
:OUTPUT ACCEPT [7:1508]
:POSTROUTING ACCEPT [7:1508]
-A PREROUTING -s 10.10.0.0/24 -i tun2 -p udp -m udp --dport 53 -j DNAT --to-destination 10.10.0.1:53530
-A PREROUTING -s 10.10.0.0/24 -i tun2 -p tcp -j DNAT --to-destination 10.10.0.1:9040
-A PREROUTING -s 10.10.0.0/24 -i tun2 -p udp -j DNAT --to-destination 10.10.0.1:9040
-A POSTROUTING -s 10.10.0.0/24 -o enX1 -j MASQUERADE
COMMIT
# Completed on Sun Jan 21 10:16:31 2024

Can I drop the :INPUT and :FORWARD policies?
Thank you.
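As an added example (not the poster's code), this Python script rewrites the INPUT and FORWARD policies from ACCEPT to DROP and then checks, for each explicit DROP rule, whether a later ACCEPT rule in the same chain could still match the same packets; such a DROP rule still does real work after the policy change, while one with no later overlapping ACCEPT becomes redundant. The sample ruleset is the post's INPUT chain trimmed to the rules that matter, and the overlap test is a deliberately conservative approximation of iptables matching (plain option/value syntax only).

```python
import re
# Constructed sample: the post's INPUT chain, trimmed to the rules that matter here.
RULES = """\
:INPUT ACCEPT [862:113997]
:FORWARD ACCEPT [0:0]
-A INPUT -s 172.21.50.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 2/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s 10.10.0.0/24 -i tun2 -m state --state NEW -j ACCEPT
"""

def set_default_drop(ruleset, chains=("INPUT", "FORWARD")):
    """Rewrite ':CHAIN ACCEPT [...]' to ':CHAIN DROP [0:0]' for the given chains."""
    out = []
    for line in ruleset.splitlines():
        m = re.match(r":(\w+) ACCEPT \[", line)
        if m and m.group(1) in chains:
            line = f":{m.group(1)} DROP [0:0]"
        out.append(line)
    return "\n".join(out) + "\n"

def parse_rule(line):
    """'-A CHAIN <matches> -j TARGET' -> (chain, {option: value}, target); plain syntax only, no '!'."""
    toks = line.split()
    end = toks.index("-j")
    matches = {}
    for i in range(2, end):
        if toks[i].startswith("-") and toks[i] != "-m":  # '-m' names a module, not a match
            key = "--state" if toks[i] == "--ctstate" else toks[i]  # same conntrack state match
            matches[key] = toks[i + 1]
    return toks[1], matches, toks[end + 1]

def may_overlap(a, b):
    """Conservative: two rules can hit the same packet unless an option present on both sides differs."""
    return all(a[k] == b[k] for k in a.keys() & b.keys())

def drops_still_needed(ruleset):
    """Map each explicit DROP rule to the later ACCEPT rules in its chain that could still match
    a packet it matches; under a DROP policy an empty list means that DROP rule is redundant."""
    lines = [l for l in ruleset.splitlines() if l.startswith("-A ")]
    rules = [parse_rule(l) for l in lines]
    def later_accepts(i):
        chain, m, _ = rules[i]
        return [lines[j] for j in range(i + 1, len(rules))
                if rules[j][0] == chain and rules[j][2] == "ACCEPT" and may_overlap(m, rules[j][1])]
    return {lines[i]: later_accepts(i) for i, r in enumerate(rules) if r[2] == "DROP"}
```

On the sample, the port-22 and ping DROP rules are still needed after the policy flip (the later `tun2 NEW` and `-p icmp` ACCEPT rules could otherwise let those packets through), while the INVALID DROP becomes redundant.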