
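#!/bin/sh
#
# mitchs iptables pihole config
# -------------------------------------------
# Host firewall for a Pi-hole box: default-deny on INPUT, OUTPUT and FORWARD,
# then allow only
#   - DNS (53/udp, 53/tcp) from the LAN to this host,
#   - DNS from this host to the listed upstream resolvers,
#   - SSH and the Pi-hole web interface (80/tcp) from the LAN,
#   - outbound HTTP/HTTPS/FTP for updates,
#   - loopback in both directions.
# Rules are persisted at the end where a known save location exists.
#
# Usage: run as root. SUBNET (first three octets, no trailing dot) may be
# overridden from the environment, e.g.  SUBNET=10.0.0 ./iptables-pihole.sh
#
# Scope: IPv4 only. ip6tables is never touched, so IPv6 traffic on this host
# is NOT covered by these rules -- disable IPv6 or mirror them with ip6tables.
#
# Fixes relative to the earlier version of this script:
#   - "reply" rules matched --sport 53 / --sport ssh in state NEW, which let
#     any LAN host reach *every* port on this box simply by sending from
#     source port 53 or 22. Replies are now matched by conntrack state only.
#   - upstream resolvers were written as x.x.x.x/24, trusting 256 addresses
#     each; they are now /32.
#   - loopback was only allowed on OUTPUT; INPUT on lo is now accepted too.
#   - ESTABLISHED/RELATED and loopback rules are installed first, so an
#     admin's SSH session survives a reload (iptables -F does not clear the
#     conntrack table) and a failure part-way leaves the host reachable.
# -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
# variables
# -*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
# -e: stop on the first failing iptables call (see ordering note above);
# -u: fail loudly on an unset variable instead of writing "-s .0/24".
set -eu

SUBNET=${SUBNET:-192.168.100}
LAN=$SUBNET.0/24
# This host's LAN address. Informational only; no rule below references it.
PIHOLE=$SUBNET.200
# Upstream resolvers, one host each (quad9, quad9 alt, dns.watch, dns.watch alt).
# Keep this in sync with the upstreams configured in Pi-hole itself -- a
# resolver missing here is silently unreachable (OUTPUT policy is DROP).
UPSTREAMS="9.9.9.9 149.112.112.112 84.200.68.80 84.200.70.40"
# =/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=/=
if [ "$(id -u)" -ne 0 ]; then
    printf 'error: %s must be run as root\n' "${0##*/}" >&2
    exit 1
fi

# flush (filter table only; nat/mangle are not managed by this script)
iptables -F
# deny all default
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# -----------------------------------------------------------
# loopback, both directions. FTL's telnet API (4711/tcp) and any local
# resolver traffic to 127.0.0.1 are covered here; nothing on 4711 is opened
# to the LAN. Matching the interface (-i lo) rather than -s 127.0.0.0/24 is
# the reliable way to say "only from this host".
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# replies to connections already accepted, in either direction. Installed
# first so they are hit before the per-service rules and so that an existing
# SSH session keeps working while the rest of the script runs.
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# -----------------------------------------------------------
# dns from the LAN to pihole (self). Port 53 is matched only as the
# *destination* of a NEW connection; the replies are ESTABLISHED above.
iptables -A INPUT -s "$LAN" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -s "$LAN" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# -----------------------------------------------------------
# dns from pihole to the upstream resolvers. No INPUT rule is needed: the
# answer is a reply to a connection we opened, i.e. ESTABLISHED.
# shellcheck disable=SC2086  # word-splitting of UPSTREAMS is intended
for resolver in $UPSTREAMS; do
    iptables -A OUTPUT -d "$resolver/32" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    iptables -A OUTPUT -d "$resolver/32" -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
done
# -----------------------------------------------------------
# permit local ssh (inbound from the LAN only; this host cannot *initiate*
# SSH, which the earlier rules did not allow either)
iptables -A INPUT -s "$LAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# permit outgoing http,https,ftp as well for updates and things.
# NOTE: 21/tcp is only the FTP control channel. A passive-mode data channel
# lands on an arbitrary server port and is accepted only if nf_conntrack_ftp
# marks it RELATED -- TODO confirm FTP is still needed at all.
for port in 80 443 21; do
    iptables -A OUTPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
done
# allow the pihole web interface / API on 80 from the LAN
# (the earlier comment called this "ftl")
iptables -A INPUT -s "$LAN" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# -----------------------------------------------------------
# save. Only locations this script knows about are handled; on anything else
# the rules are active now but will be gone after a reboot, so say so instead
# of silently doing nothing. (Debian's iptables-persistent, for example, reads
# /etc/iptables/rules.v4 and is not handled here.)
persisted=0
if command -v systemctl >/dev/null 2>&1; then
    if [ -f /etc/sysconfig/iptables ]; then
        iptables-save -f /etc/sysconfig/iptables
        persisted=1
    elif [ -f /etc/iptables/iptables.rules ]; then
        iptables-save -f /etc/iptables/iptables.rules
        persisted=1
    fi
elif command -v rc-service >/dev/null 2>&1; then
    /etc/init.d/iptables save
    persisted=1
fi
if [ "$persisted" -eq 0 ]; then
    printf 'warning: no known rules file found; rules are loaded but NOT persisted across reboot\n' >&2
fi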