🔥 Configuring iptables for ggRock Functionality

This guide provides a reference configuration for setting up the iptables firewall to permit proper ggRock server and client functionality.

📝 Note:
Replace any placeholder IP ranges (e.g., X.X.X.X/X, Y.Y.Y.Y/Y) with the appropriate CIDR-formatted IP addresses for your environment.


🔄 Reset Firewall to a Clean State

# Set the built-in chains to ACCEPT first so the flush cannot cut off an active session
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
# Flush all rules, then delete the (now empty) user-defined chains
iptables -F
iptables -X

🚫 Disable IP Forwarding (Routing)

iptables -P FORWARD DROP

✅ Allow Expected Inbound Traffic

# Drop malformed/invalid traffic
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow already established or related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow localhost (loopback)
iptables -A INPUT -i lo -j ACCEPT

📦 Allow Incoming DHCP (for PXE Booting)

iptables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT

🛠️ Remote Management Access (e.g., ggRock Web UI, HTTPS)

iptables -A INPUT -p tcp -s X.X.X.X/X --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s X.X.X.X/X --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s X.X.X.X/X --dport 443 -j ACCEPT

🖥️ Allow Access from ggRock Client Subnet

iptables -A INPUT -p icmp -s Y.Y.Y.Y/Y -j ACCEPT
iptables -A INPUT -p tcp -s Y.Y.Y.Y/Y -j ACCEPT
iptables -A INPUT -p udp -s Y.Y.Y.Y/Y -j ACCEPT

🔐 ggCircuit VPN IP Allowances

# Region 1
iptables -A INPUT -p tcp -s 34.255.111.148/25 --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s 34.255.111.148/25 --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s 34.255.111.148/25 --dport 443 -j ACCEPT
# Region 2
iptables -A INPUT -p tcp -s 54.228.150.30/25 --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s 54.228.150.30/25 --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s 54.228.150.30/25 --dport 443 -j ACCEPT

🚫 Block All Other Inbound Traffic

# Optional: log dropped input traffic (rate-limited so a packet flood cannot fill the logs)
# iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: "
iptables -P INPUT DROP

📤 Allow Expected Outbound Traffic

# Allow responses to connections
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow localhost
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ICMP (ping, etc.)
iptables -A OUTPUT -p icmp -j ACCEPT
# DHCP
iptables -A OUTPUT -p udp --dport 67 --sport 68 -j ACCEPT
# DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# NTP (time sync)
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 123 -j ACCEPT
# HTTP/S for updates and web access
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 443 -j ACCEPT

🌐 Allow All Other Outbound Traffic

# Optional: log outgoing traffic (rate-limited; an unlimited LOG here would record every packet)
# iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables OUTPUT: "
iptables -P OUTPUT ACCEPT

⚠️ Important:
Before running this script, replace the placeholder IP ranges (X.X.X.X/X, Y.Y.Y.Y/Y) with the actual values for your environment.

#!/bin/bash
# ggRock iptables Firewall Configuration Script
# Replace X.X.X.X/X and Y.Y.Y.Y/Y below with actual CIDR blocks before running!
set -euo pipefail

MGMT_NET="X.X.X.X/X"    # remote management range (Web UI / HTTPS)
CLIENT_NET="Y.Y.Y.Y/Y"  # ggRock client PC subnet

# Refuse to run while the placeholders are still in place, or without root
case "$MGMT_NET$CLIENT_NET" in
  *X.X.X.X*|*Y.Y.Y.Y*) echo "Set MGMT_NET and CLIENT_NET first." >&2; exit 1 ;;
esac
[ "$(id -u)" -eq 0 ] || { echo "Run this script as root (or with sudo)." >&2; exit 1; }

echo "⚙️ Applying iptables rules for ggRock..."

# === Reset existing rules ===
# Open the policies first so the flush cannot cut off the session running this script
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -X

# === Allow expected incoming traffic ===
# Drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow established and related traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow DHCP (PXE boot)
iptables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Remote management (Web UI)
iptables -A INPUT -p tcp -s "$MGMT_NET" --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s "$MGMT_NET" --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s "$MGMT_NET" --dport 443 -j ACCEPT
# Allow all traffic from ggRock PC subnet
iptables -A INPUT -p icmp -s "$CLIENT_NET" -j ACCEPT
iptables -A INPUT -p tcp -s "$CLIENT_NET" -j ACCEPT
iptables -A INPUT -p udp -s "$CLIENT_NET" -j ACCEPT
# ggCircuit VPN IPs
iptables -A INPUT -p tcp -s 34.255.111.148/25 --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s 34.255.111.148/25 --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s 34.255.111.148/25 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s 54.228.150.30/25 --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s 54.228.150.30/25 --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s 54.228.150.30/25 --dport 443 -j ACCEPT
# Drop all other incoming traffic: from now on, new inbound connections are
# accepted only from MGMT_NET, CLIENT_NET and the VPN ranges above.
# Uncomment to enable rate-limited logging of dropped packets:
# iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: "
iptables -P INPUT DROP

# === Allow expected outgoing traffic ===
# Allow related outbound traffic
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow loopback
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ICMP (ping)
iptables -A OUTPUT -p icmp -j ACCEPT
# DHCP
iptables -A OUTPUT -p udp --dport 67 --sport 68 -j ACCEPT
# DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 123 -j ACCEPT
# HTTP/S
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 443 -j ACCEPT
# Allow all other outbound traffic
# Uncomment to enable rate-limited logging of outgoing traffic:
# iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables OUTPUT: "
iptables -P OUTPUT ACCEPT

echo "✅ iptables rules applied successfully!"

🔐 To Use:

  1. Save this script as configure-iptables.sh

  2. Make it executable:

    chmod +x configure-iptables.sh

  3. Run it as root (or with sudo):

    sudo ./configure-iptables.sh

Optional:

To make your iptables rules persistent across reboots:


🧊 Step 1: Install Persistence Tools

Run this command to install the required package:

sudo apt-get update && sudo apt-get install -y iptables-persistent

During installation, it will prompt you to save current rules — say Yes when asked.


💾 Step 2: Save Current iptables Rules

After running your configure-iptables.sh script, save the active rules like this:

sudo netfilter-persistent save

This saves both IPv4 and IPv6 rules to:

  • /etc/iptables/rules.v4

  • /etc/iptables/rules.v6

If the server only uses IPv4, that's totally fine — the IPv6 file can stay empty. Keep in mind that the script above configures iptables (IPv4) only, so a server that is also reachable over IPv6 needs matching ip6tables rules, or its ports stay open on that address family.
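A check worth running on the saved file before relying on it at the next boot, as an added example that is not part of ggRock's documentation or tooling: it parses rules.v4 (the iptables-save format that netfilter-persistent writes) and reports any deviation from the reference policy, such as a default ACCEPT on INPUT, a management port reachable from any source, or a blanket ACCEPT rule. The embedded sample is constructed, with the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 standing in for X.X.X.X/X and Y.Y.Y.Y/Y; on a real server pass the contents of /etc/iptables/rules.v4 to audit() instead.

```python
import shlex
MGMT_PORTS = {"9090", "443"}  # ggRock Web UI / HTTPS ports from the reference config
# Constructed sample in iptables-save format (not a real ggRock export);
# 192.0.2.0/24 stands in for X.X.X.X/X and 198.51.100.0/24 for Y.Y.Y.Y/Y.
SAMPLE_RULES_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 9090 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -j ACCEPT
COMMIT
"""

def parse_filter(text):
    """Split the *filter table into chain policies and tokenised -A rules."""
    policies, rules, in_filter = {}, [], False
    for line in text.splitlines():
        if line.startswith("*"):
            in_filter = line.strip() == "*filter"
        elif in_filter and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A"):
            rules.append(shlex.split(line))
    return policies, rules

def opt(tokens, flag):  # value following a flag, or None when the flag is absent
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit(text):
    """Return deviations from the reference ruleset; an empty list means it matches."""
    policies, rules = parse_filter(text)
    findings = [f"{c} policy is {policies.get(c)}, expected {want}"
                for c, want in (("INPUT", "DROP"), ("FORWARD", "DROP"), ("OUTPUT", "ACCEPT"))
                if policies.get(c) != want]
    for r in rules:
        if opt(r, "-A") != "INPUT" or opt(r, "-j") != "ACCEPT":
            continue  # only ACCEPT rules in INPUT widen what the server exposes
        src, dport = opt(r, "-s"), opt(r, "--dport")
        if dport in MGMT_PORTS and src is None:
            findings.append(f"management port {dport} accepts connections from any source")
        if src is None and dport is None and opt(r, "-i") is None and "conntrack" not in r:
            findings.append("blanket ACCEPT in INPUT: " + " ".join(r))
    return findings
```

iptables-save prints the network address of each source (34.255.111.148/25 appears as 34.255.111.128/25), so compare ranges against the saved file, not against the script's literals.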


🔁 Step 3: Automatically Load on Boot

The netfilter-persistent service handles loading the rules on boot automatically. You can verify it’s enabled with:

sudo systemctl is-enabled netfilter-persistent

If it's not enabled, you can enable it:

sudo systemctl enable netfilter-persistent

🧪 Optional: Reload Without Rebooting

To apply saved rules without rebooting:

sudo netfilter-persistent reload

✅ That's it! Your custom iptables configuration will now persist across system reboots.