This repository was archived by the owner on Jul 15, 2021. It is now read-only.
Setup Iptables for RPKI with prerouting.
Gabriel Ajabahian edited this page May 29, 2018 · 2 revisions
This example assumes you bind RPKI to localhost only and run an Apache or Nginx proxy in front of it, rather than listening on all IP addresses. You can change this by editing the `server.address` setting in the `application.properties` file.

Before running the iptables rules, make sure you don't lock yourself out of the server. Add a whitelisted IP range first, then the remaining rules:
```sh
# Management range that is always allowed in (adjust to your own network)
sudo iptables -A INPUT -s 192.168.3.0/24 -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p icmp -j ACCEPT
# Web UI, served through the Apache/Nginx proxy
sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# RTR: expose the standard port 323 by redirecting it to the validator's port 8323.
# The nat PREROUTING chain runs before filter INPUT, so INPUT sees the packet
# with destination port 8323 and must accept that port, not 323.
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 323 -j REDIRECT --to-port 8323
sudo iptables -I INPUT -p tcp -m tcp --dport 8323 -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
# Reject everything else
sudo iptables -A INPUT -j REJECT
iptables-save > /etc/sysconfig/iptables
```
To make the rules permanent on CentOS 7, enable rc.local so it runs at boot:

```sh
chmod +x /etc/rc.local
systemctl enable rc-local
systemctl start rc-local
systemctl status rc-local
```

and add this line to /etc/rc.local so the saved rules are restored at startup:

```sh
iptables-restore < /etc/sysconfig/iptables
```
The same setup for IPv6 uses ip6tables. Again, make sure you don't lock yourself out of the server: add a whitelisted IPv6 range first, then the remaining rules:
```sh
# Management range that is always allowed in (adjust to your own network)
sudo ip6tables -A INPUT -s 2001:d00::/24 -j ACCEPT
sudo ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ICMPv6 carries neighbour discovery, so it must be allowed or IPv6 stops
# working; ip6tables needs the IPv6 protocol name (ipv6-icmp), not "icmp".
sudo ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
sudo ip6tables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo ip6tables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# As with IPv4: INPUT sees the post-REDIRECT port 8323 and must accept it
sudo ip6tables -t nat -A PREROUTING -i eth0 -p tcp --dport 323 -j REDIRECT --to-port 8323
sudo ip6tables -I INPUT -p tcp -m tcp --dport 8323 -j ACCEPT
sudo ip6tables -A INPUT -i lo -j ACCEPT
sudo ip6tables -A INPUT -j REJECT
ip6tables-save > /etc/sysconfig/ip6tables
```

and add the matching restore line to /etc/rc.local, next to the IPv4 one:

```sh
ip6tables-restore < /etc/sysconfig/ip6tables
```
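As an added check (not part of this wiki or the validator project), the script below reads iptables-save or ip6tables-save output and verifies the ordering pitfall these rules depend on: the nat PREROUTING REDIRECT rewrites the destination port before the filter INPUT chain runs, so INPUT must accept 8323, and an INPUT rule for 323 leaves the final REJECT blocking RTR clients. The sample rule text is constructed from this page's rules; the function and variable names are my own.

```sh
#!/bin/sh
# Constructed iptables-save output (not captured from a real host): a nat REDIRECT
# of 323 -> 8323 whose filter INPUT still accepts the pre-redirect port 323.
RULES_MISCONFIGURED='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 323 -j REDIRECT --to-ports 8323
COMMIT
*filter
-A INPUT -p tcp -m tcp --dport 323 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT'
# Same ruleset with INPUT accepting the port the packet actually carries after nat.
RULES_FIXED=$(printf '%s\n' "$RULES_MISCONFIGURED" |
    sed 's/--dport 323 -j ACCEPT/--dport 8323 -j ACCEPT/')

# Read iptables-save text on stdin; print the port that the PREROUTING rule
# redirects 323 to (empty if there is no such rule).
redirected_port() {
    sed -n '/^\*nat/,/^COMMIT/p' |
    sed -n 's/^-A PREROUTING .*--dport 323 -j REDIRECT --to-ports \([0-9]*\).*/\1/p' |
    head -n 1
}

# Exit 0 if filter INPUT accepts the redirected port before the catch-all
# REJECT, 1 otherwise. Argument: file holding iptables-save/ip6tables-save output.
check_rtr_rules() {
    port=$(redirected_port < "$1")
    [ -n "$port" ] || { echo "no PREROUTING redirect of port 323 found"; return 1; }
    sed -n '/^\*filter/,/^COMMIT/p' "$1" |
    awk -v p="$port" '
        seen_reject { next }                        # rules after REJECT never run
        /^-A INPUT / && /-j REJECT/ { seen_reject = 1; next }
        /^-A INPUT / && /-j ACCEPT/ && $0 ~ ("--dport " p "( |$)") { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Run the check against a ruleset held in a string and report the outcome.
report() {
    tmp=$(mktemp)
    printf '%s\n' "$2" > "$tmp"
    if check_rtr_rules "$tmp"; then echo "$1: OK"
    else echo "$1: INPUT does not accept the redirected port"; fi
    rm -f "$tmp"
}

report "misconfigured" "$RULES_MISCONFIGURED"
report "fixed" "$RULES_FIXED"
# On a live host: iptables-save > /tmp/rules && check_rtr_rules /tmp/rules
```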