About

iptables default drop firewall (whitelist mode)

Don’t forget to save your rules (you can use the iptables-persistent package on Ubuntu); otherwise they are gone after the next reboot.

And don’t run it blindly: this is a template that you need to alter to fit your needs.

IPv4

# default policy allow so we don't block ourselves
iptables -P INPUT ACCEPT

# delete old rules
iptables -F

# whitelist essentials
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# whitelist IPs
iptables -A INPUT -s 127.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT

# whitelist ports
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# default policy drop for incoming connections
iptables -P INPUT DROP

# default policy allow for outgoing connections
iptables -P OUTPUT ACCEPT

IPv6

# default policy allow so we don't block ourselves
ip6tables -P INPUT ACCEPT

# delete old rules
ip6tables -F

# whitelist essentials
ip6tables -A INPUT -i lo -j ACCEPT
# ICMPv6 is protocol 58, not "icmp" (protocol 1, which never matches an IPv6 packet);
# dropping it breaks neighbour discovery and therefore all IPv6 connectivity
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# whitelist IPs
ip6tables -A INPUT -s ::1/128 -j ACCEPT

# whitelist ports
ip6tables -A INPUT -p tcp --dport 65535 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT

# default policy drop for incoming connections
ip6tables -P INPUT DROP

# default policy allow for outgoing connections
ip6tables -P OUTPUT ACCEPT
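Added here as an example, not part of the original template: a POSIX sh audit that takes the output of `iptables -S INPUT` (or `ip6tables -S INPUT`) and verifies the invariants this whitelist depends on (DROP policy, loopback, ESTABLISHED/RELATED, at least one open TCP port and, for IPv6, ICMPv6) before the rules are saved. The function and variable names are my own and the sample dumps are constructed, not captured from a host.

```shell
#!/bin/sh
# Audit a dump from `iptables -S INPUT` / `ip6tables -S INPUT` for the
# invariants the whitelist template depends on, before persisting it.
# Prints each missing invariant; returns 0 only when all of them hold.
check_whitelist_ruleset() {
    rules=$1 family=${2:-4} status=0
    has_rule() { printf '%s\n' "$rules" | grep -Eq "$1"; }
    # 1. Without a DROP policy the whitelist is decorative.
    has_rule '^-P INPUT DROP$' \
        || { echo 'missing: default policy DROP on INPUT'; status=1; }
    # 2. Loopback must be accepted or local services break.
    has_rule '^-A INPUT -i lo -j ACCEPT$' \
        || { echo 'missing: loopback ACCEPT'; status=1; }
    # 3. Replies to outgoing connections must be accepted; iptables-save
    #    prints the states as RELATED,ESTABLISHED whatever order was given.
    has_rule '^-A INPUT -m (state --state|conntrack --ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$' \
        || { echo 'missing: ESTABLISHED,RELATED ACCEPT'; status=1; }
    # 4. At least one TCP port must be open or the next SSH login is refused.
    has_rule '^-A INPUT -p tcp( -m tcp)? --dport [0-9]+ -j ACCEPT$' \
        || { echo 'missing: a TCP port ACCEPT (no way back in)'; status=1; }
    # 5. IPv6 needs ICMPv6 for neighbour discovery; "-p icmp" does not match it.
    if [ "$family" = 6 ]; then
        has_rule '^-A INPUT -p (ipv6-icmp|icmpv6) -j ACCEPT$' \
            || { echo 'missing: ICMPv6 ACCEPT (neighbour discovery fails)'; status=1; }
    fi
    return $status
}
# Constructed sample dumps in iptables-save syntax, not captured from a host.
SAMPLE_GOOD_V4='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
# Policy never flipped to DROP and the ESTABLISHED rule was forgotten.
SAMPLE_BAD_V4='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
# Same as the good IPv4 set, but loaded into ip6tables with IPv4 ICMP.
SAMPLE_BAD_V6='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
check_whitelist_ruleset "$SAMPLE_GOOD_V4" 4 && echo 'IPv4 sample: OK'
check_whitelist_ruleset "$SAMPLE_BAD_V4" 4 || echo 'IPv4 bad sample: rejected'
check_whitelist_ruleset "$SAMPLE_BAD_V6" 6 || echo 'IPv6 bad sample: rejected'
```

Run it against the live ruleset with `check_whitelist_ruleset "$(iptables -S INPUT)" 4` and `check_whitelist_ruleset "$(ip6tables -S INPUT)" 6` before calling the persistence tooling.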