
🔥 Configuring iptables for ggRock Functionality

This guide provides a reference configuration for setting up the iptables firewall to permit proper ggRock server and client functionality.


πŸ“ Note:
Replace any placeholder IP ranges (e.g., X.X.X.X/X, Y.Y.Y.Y/Y) with the appropriate CIDR-formatted IP addresses for your environment.



🔄 Reset Firewall to a Clean State


iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
# Flush rules before deleting chains: -X only removes user-defined chains that are empty and unreferenced
iptables -F
iptables -X



🚫 Disable IP Forwarding (Routing)


iptables -P FORWARD DROP



✅ Allow Expected Inbound Traffic


# Drop malformed/invalid traffic
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow already established or related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow localhost (loopback)
iptables -A INPUT -i lo -j ACCEPT



📦 Allow Incoming DHCP (for PXE Booting)


iptables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT



πŸ› οΈ Remote Management Access (e.g., ggRock Web UI, HTTPS)


iptables -A INPUT -p tcp -s X.X.X.X/X --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s X.X.X.X/X --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s X.X.X.X/X --dport 443 -j ACCEPT



🖥️ Allow Access from ggRock Client Subnet


iptables -A INPUT -p icmp -s Y.Y.Y.Y/Y -j ACCEPT
iptables -A INPUT -p tcp -s Y.Y.Y.Y/Y -j ACCEPT
iptables -A INPUT -p udp -s Y.Y.Y.Y/Y -j ACCEPT



πŸ” ggCircuit VPN IP Allowances


# Region 1
iptables -A INPUT -p tcp -s 34.255.111.148/25 --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s 34.255.111.148/25 --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s 34.255.111.148/25 --dport 443 -j ACCEPT
# Region 2
iptables -A INPUT -p tcp -s 54.228.150.30/25 --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s 54.228.150.30/25 --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s 54.228.150.30/25 --dport 443 -j ACCEPT



🚫 Block All Other Inbound Traffic


# Optional: log dropped input traffic (consider adding -m limit --limit 5/min so a flood cannot fill the log)
# iptables -A INPUT -j LOG
iptables -P INPUT DROP



📤 Allow Expected Outbound Traffic


# Allow responses to connections
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow localhost
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ICMP (ping, etc.)
iptables -A OUTPUT -p icmp -j ACCEPT
# DHCP
iptables -A OUTPUT -p udp --dport 67 --sport 68 -j ACCEPT
# DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# NTP (time sync)
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 123 -j ACCEPT
# HTTP/S for updates and web access
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 443 -j ACCEPT



🌐 Allow All Other Outbound Traffic


# Optional: log outgoing traffic
# iptables -A OUTPUT -j LOG
iptables -P OUTPUT ACCEPT



⚠️ Important:
Before running this script, replace the placeholder IP ranges (X.X.X.X/X, Y.Y.Y.Y/Y) with the actual values for your environment.


#!/bin/bash
# ggRock iptables Firewall Configuration Script
# Replace X.X.X.X/X and Y.Y.Y.Y/Y with actual CIDR blocks before running!
set -e  # stop at the first failing iptables command instead of leaving a half-built ruleset
echo "⚙️ Applying iptables rules for ggRock..."
# === Reset existing rules ===
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -X
# === Allow expected incoming traffic ===
# Drop invalid packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# Allow established and related traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow DHCP (PXE boot)
iptables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Remote management (Web UI)
iptables -A INPUT -p tcp -s X.X.X.X/X --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s X.X.X.X/X --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s X.X.X.X/X --dport 443 -j ACCEPT
# Allow all traffic from ggRock PC subnet
iptables -A INPUT -p icmp -s Y.Y.Y.Y/Y -j ACCEPT
iptables -A INPUT -p tcp -s Y.Y.Y.Y/Y -j ACCEPT
iptables -A INPUT -p udp -s Y.Y.Y.Y/Y -j ACCEPT
# ggCircuit VPN IPs
iptables -A INPUT -p tcp -s 34.255.111.148/25 --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s 34.255.111.148/25 --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s 34.255.111.148/25 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s 54.228.150.30/25 --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s 54.228.150.30/25 --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s 54.228.150.30/25 --dport 443 -j ACCEPT
# Drop all other incoming traffic
# Uncomment to enable logging:
# iptables -A INPUT -j LOG
iptables -P INPUT DROP
# === Allow expected outgoing traffic ===
# Allow related outbound traffic
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow loopback
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ICMP (ping)
iptables -A OUTPUT -p icmp -j ACCEPT
# DHCP
iptables -A OUTPUT -p udp --dport 67 --sport 68 -j ACCEPT
# DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 123 -j ACCEPT
# HTTP/S
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 443 -j ACCEPT
# Allow all other outbound traffic
# Uncomment to enable logging:
# iptables -A OUTPUT -j LOG
iptables -P OUTPUT ACCEPT
echo "✅ iptables rules applied successfully!"



πŸ” To Use:


  1. Save this script as configure-iptables.sh
  2. Make it executable:


   chmod +x configure-iptables.sh
  1. Run it as root (or with sudo):


   sudo ./configure-iptables.sh
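The article warns twice that the X.X.X.X/X and Y.Y.Y.Y/Y placeholders must be replaced before the script runs; a malformed `-s` value makes iptables abort partway through, leaving the INPUT chain half-built while its policy is still being changed. The pre-flight check below is an added example, not part of the ggRock article or project; the function names `valid_cidr` and `check_placeholders` and the TEST-NET sample values are assumptions made here.

```shell
#!/bin/bash
# Added example (not ggRock's own code): validate the values substituted for the
# X.X.X.X/X (management) and Y.Y.Y.Y/Y (client subnet) placeholders before the
# iptables rules from the article are applied.

# valid_cidr CIDR -> exit 0 if CIDR is a well-formed IPv4 prefix (a.b.c.d/n)
valid_cidr() {
    local cidr="$1" ip prefix octet
    case "$cidr" in
        */*) ip="${cidr%/*}"; prefix="${cidr#*/}" ;;
        *)   return 1 ;;                  # a bare address without /n is rejected
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac   # prefix must be numeric
    [ "$prefix" -le 32 ] || return 1
    # only digits and dots, and no empty octets (leading, trailing or double dots)
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    local IFS='.'
    set -- $ip                            # split the address into octets on '.'
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_placeholders MGMT_CIDR CLIENT_CIDR -> 0 if both are real CIDRs,
# 1 (with a message on stderr) if either is still a placeholder or malformed
check_placeholders() {
    local rc=0 pair name value
    for pair in "management=$1" "client=$2"; do
        name="${pair%%=*}"; value="${pair#*=}"
        case "$value" in
            X.X.X.X/X|Y.Y.Y.Y/Y)
                echo "error: $name range is still the placeholder '$value'" >&2; rc=1 ;;
            *)
                valid_cidr "$value" ||
                    { echo "error: $name range '$value' is not a valid IPv4 CIDR" >&2; rc=1; } ;;
        esac
    done
    return "$rc"
}

# Sample values for illustration (TEST-NET ranges, constructed for this example):
# check_placeholders "203.0.113.0/24" "192.0.2.0/24" && echo "placeholders replaced"
```

Call `check_placeholders` near the top of configure-iptables.sh with the two ranges you intend to use and exit if it fails, so no rule is touched until both values are sane.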



Optional:


To make your iptables rules persistent across reboots:



🧊 Step 1: Install Persistence Tools


Run this command to install the required package:


sudo apt-get update && sudo apt-get install -y iptables-persistent


During installation, it will prompt you to save current rules; say Yes when asked.



💾 Step 2: Save Current iptables Rules


After running your configure-iptables.sh script, save the active rules like this:


sudo netfilter-persistent save


This saves both IPv4 and IPv6 rules to:


  • /etc/iptables/rules.v4
  • /etc/iptables/rules.v6


If you're only using IPv4, that's totally fine; the IPv6 file can stay empty (note that an empty rules.v6 leaves ip6tables at its default ACCEPT policy, so IPv6 traffic is not filtered by this configuration).



πŸ” Step 3: Automatically Load on Boot


The netfilter-persistent service handles loading the rules on boot automatically. You can verify it’s enabled with:


sudo systemctl is-enabled netfilter-persistent


If it's not enabled, you can enable it:


sudo systemctl enable netfilter-persistent



🧪 Optional: Reload Without Rebooting


To apply saved rules without rebooting:


sudo netfilter-persistent reload



✅ That's it! Your custom iptables configuration will now persist across system reboots.

Updated on: 10/12/2025
