文章分类: ggRock
本条还可参阅:

ggRock IPTABLES 防火墙配置

本文章用作参考,说明如何配置 iptables 防火墙以允许 ggRock 功能。


将任何占位符值(如 X.X.X.X/X 和 Y.Y.Y.Y/Y)替换为您组织的适当 CIDR 记号值。


# Reset Firewall
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -X
iptables -F
# Disable Acting as a Router
iptables -P FORWARD DROP
# Allow Expected Traffic
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Allow DHCP
iptables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Remote Management
iptables -A INPUT -p tcp -s X.X.X.X/X --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s X.X.X.X/X --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s X.X.X.X/X --dport 443 -j ACCEPT
# Allow All from Subnet (ggRock PCs)
iptables -A INPUT -p icmp -s Y.Y.Y.Y/Y -j ACCEPT
iptables -A INPUT -p tcp -s Y.Y.Y.Y/Y -j ACCEPT
iptables -A INPUT -p udp -s Y.Y.Y.Y/Y -j ACCEPT
# ggCircuit VPN Port Allowances
iptables -A INPUT -p tcp -s 34.255.111.148/25 --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s 34.255.111.148/25 --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s 34.255.111.148/25 --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -s 54.228.150.30/25 --dport 9090 -j ACCEPT
iptables -A INPUT -p tcp -s 54.228.150.30/25 --dport 443 -j ACCEPT
iptables -A INPUT -p udp -s 54.228.150.30/25 --dport 443 -j ACCEPT
# Block (and Log) Other Ingress
# iptables -A INPUT -j LOG
iptables -P INPUT DROP
# Allow Expected Egress
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
# DHCP
iptables -A OUTPUT -p udp --dport 67 --sport 68 -j ACCEPT
# DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
# NTP
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 123 -j ACCEPT
# HTTP/S for Updates, etc.
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p udp --dport 443 -j ACCEPT
# Allow (and Log) All Egress
# iptables -A OUTPUT -j LOG
iptables -P OUTPUT ACCEPT

更新于: 24/04/2026

这篇文章有帮助吗?

分享您的反馈意见

取消

谢谢!