iAmSaugata
New Member
Hi,
I am trying to block all the incoming traffic towards my Pi, which is exposed to my static public IP on ports 80 and 443, and my public IP is configured in the CloudFlare proxy. I have Docker installed, with multiple containers running on it. I am trying to set rules in iptables which will DROP all the traffic on ports 80 and 443 if it is not originated from CloudFlare and my local LAN/VPN. I have applied the rules by downloading all the IPv4 ranges from CloudFlare.
Unfortunately it is not dropping the direct external traffic on ports 443 and 80 if I am trying to access it from AWS EC2. I have also saved the iptables rules permanently, but it is the same.
I am not very comfortable with iptables, but I would like to use this. Please help me fix this.
This is the output of my Pi from sudo iptables -L
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 131.0.72.0/22 anywhere multiport dports http,https
ACCEPT tcp -- 172.64.0.0/13 anywhere multiport dports http,https
ACCEPT tcp -- 104.24.0.0/14 anywhere multiport dports http,https
ACCEPT tcp -- 104.16.0.0/13 anywhere multiport dports http,https
ACCEPT tcp -- 162.158.0.0/15 anywhere multiport dports http,https
ACCEPT tcp -- 198.41.128.0/17 anywhere multiport dports http,https
ACCEPT tcp -- 197.234.240.0/22 anywhere multiport dports http,https
ACCEPT tcp -- 188.114.96.0/20 anywhere multiport dports http,https
ACCEPT tcp -- 190.93.240.0/20 anywhere multiport dports http,https
ACCEPT tcp -- 108.162.192.0/18 anywhere multiport dports http,https
ACCEPT tcp -- 141.101.64.0/18 anywhere multiport dports http,https
ACCEPT tcp -- 103.31.4.0/22 anywhere multiport dports http,https
ACCEPT tcp -- 103.22.200.0/22 anywhere multiport dports http,https
ACCEPT tcp -- 103.21.244.0/22 anywhere multiport dports http,https
ACCEPT tcp -- 173.245.48.0/20 anywhere multiport dports http,https
ACCEPT tcp -- 10.8.0.0/24 anywhere multiport dports http,https
ACCEPT tcp -- 192.168.0.0/24 anywhere multiport dports http,https
DROP tcp -- anywhere anywhere multiport dports http,https
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere 10.8.0.0/24 ctstate RELATED,ESTABLISHED /* openvpn-forward-rule */
ACCEPT all -- 10.8.0.0/24 anywhere /* openvpn-forward-rule */
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain DOCKER (11 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.27.0.2 tcp dpt:8200
ACCEPT tcp -- anywhere 172.26.0.2 tcp dpt:5005
ACCEPT tcp -- anywhere 172.28.0.2 tcp dpt:http
ACCEPT tcp -- anywhere 172.18.0.3 tcp dpt:https
ACCEPT tcp -- anywhere 172.24.0.2 tcp dpt:3001
ACCEPT tcp -- anywhere 172.17.0.3 tcp dpt:9000
ACCEPT tcp -- anywhere 172.18.0.3 tcp dpt:81
ACCEPT tcp -- anywhere 172.18.0.3 tcp dpt:http
ACCEPT tcp -- anywhere 172.21.0.4 tcp dpt:3000
ACCEPT tcp -- anywhere 172.31.0.3 tcp dpt:http
ACCEPT tcp -- anywhere 172.17.0.4 tcp dpt:8182
ACCEPT tcp -- anywhere 172.17.0.5 tcp dpt:http
ACCEPT tcp -- anywhere 172.17.0.6 tcp dpt:http
ACCEPT tcp -- anywhere 172.17.0.6 tcp dpt:https
ACCEPT udp -- anywhere 172.17.0.6 udp dpt:bootps
ACCEPT tcp -- anywhere 172.17.0.6 tcp dpt:domain
ACCEPT udp -- anywhere 172.17.0.6 udp dpt:domain
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (10 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Regards,
Saugata D.
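A defender-side worked example, added here and not taken from the post above or any reply: the INPUT rules in the listing never see traffic to Docker-published ports, because Docker DNATs those ports in nat PREROUTING and the packets then traverse FORWARD, where Docker hands them to the DOCKER-USER chain first. The script below builds the allowlist in DOCKER-USER instead, matching the original destination port through conntrack (DNAT has already rewritten --dport by then). It assumes eth0 is the interface the port-forward arrives on (constructed), and uses three of the Cloudflare ranges from the listing as a sample; the full list should be loaded from Cloudflare's published ranges.

```shell
#!/bin/sh
# Added example (not from the original post): restrict Docker-published
# ports 80/443 to Cloudflare and local ranges via the DOCKER-USER chain.
# Assumptions (constructed): WAN_IF is the interface Internet traffic
# arrives on; CF_RANGES is a sample of Cloudflare IPv4 ranges, not the
# full list. IPT defaults to a dry run that prints the commands.
WAN_IF="${WAN_IF:-eth0}"
IPT="${IPT:-echo iptables}"   # set IPT=iptables (as root) to apply for real
CF_RANGES="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22"
LOCAL_RANGES="192.168.0.0/24 10.8.0.0/24"
PORTS="80 443"

# Emit (or apply) the DOCKER-USER rules in evaluation order.
build_docker_user_rules() {
    # Start from an empty chain so re-running does not stack duplicates.
    $IPT -F DOCKER-USER
    # Replies and already-accepted flows pass; the rest handles new flows.
    $IPT -A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
    # Allowlist: RETURN hands the packet back to Docker's own FORWARD rules.
    # --ctorigdstport matches the port the client actually connected to,
    # before Docker's DNAT changed it to the container port.
    for net in $CF_RANGES $LOCAL_RANGES; do
        for port in $PORTS; do
            $IPT -A DOCKER-USER -i "$WAN_IF" -s "$net" -p tcp \
                -m conntrack --ctorigdstport "$port" -j RETURN
        done
    done
    # Everything else that came in on the WAN interface for 80/443 is dropped.
    for port in $PORTS; do
        $IPT -A DOCKER-USER -i "$WAN_IF" -p tcp \
            -m conntrack --ctorigdstport "$port" -j DROP
    done
}

# Count the rules of a given target (RETURN/DROP) the function would install.
count_rules() {
    build_docker_user_rules | grep -c -- "-j $1"
}
```

Docker re-creates the jump to DOCKER-USER on restart but does not manage the rules inside it, so they still need to be saved (for example with iptables-persistent) to survive a reboot.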