From d57fd745e63b2d9a9dc162faa153df2218bca1d8 Mon Sep 17 00:00:00 2001
From: wvr
Date: Sun, 15 Feb 2026 17:31:35 -0600
Subject: [PATCH] fix
---
 caddy/iptables/iptables-caddy.sh | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/caddy/iptables/iptables-caddy.sh b/caddy/iptables/iptables-caddy.sh
index dd317b7..c46a39c 100755
--- a/caddy/iptables/iptables-caddy.sh
+++ b/caddy/iptables/iptables-caddy.sh
@@ -1,7 +1,4 @@
 #!/bin/sh
-#
-# mitchs iptables skeleton config
-# -------------------------------------------
 # -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
 # variables
@@ -20,14 +17,11 @@ iptables -P FORWARD DROP
 # ========================================================================
 # CADDY IPTABLES CONFIG
-#
-# permit any traffic on local lan
-iptables -A OUTPUT -j ACCEPT -d $SUBNET.0/24 -p tcp -m state --state NEW
-iptables -A OUTPUT -j ACCEPT -d $SUBNET.0/24 -p udp -m state --state NEW
-# permit 443 inbound from outside
-iptables -A INPUT -j ACCEPT -p tcp --dport 443 -m state --state NEW,ESTABLISHED
-####iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW,ESTABLISHED
+# allow any tcp traffic on local lan
+iptables -A OUTPUT -j ACCEPT -d $SUBNET.0/24 -p tcp -m state --state NEW,ESTABLISHED,RELATED
+# only allow input on 443
+iptables -A INPUT -j ACCEPT -d $SUBNET.0/24 -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED
 # ========================================================================
 # dns to pihole
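Review bot: On the new INPUT rule in the `@@ -20,14 +17,11 @@` hunk, `-d $SUBNET.0/24` matches the packet's destination, which on the INPUT chain is this host's own address, so it does not limit which clients can reach 443; any source is still accepted as long as the host's address lies inside the subnet. If dropping "from outside" from the comment was meant to restrict 443 to LAN clients, the match has to be on the source, `-s $SUBNET.0/24`; if outside clients are still expected, the comment should say so, for example `# accept 443 from any source; -d only pins the rule to the LAN-side address`. `RELATED` also adds nothing on this rule in practice, because related traffic for an HTTPS flow is ICMP and the rule is limited to `-p tcp --dport 443`. The OUTPUT policy and any generic ESTABLISHED rule sit outside the hunk, so this is based on the visible lines only.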