The firewall rules below can be loaded by using iptables-restore. If you have the iptables-persistent package installed you can store the rules in the appropriate file:
/etc/iptables/rules.v4 for IPv4
/etc/iptables/rules.v6 for IPv6
Note that the listing below contains both rule sets one after the other: the first `*filter` table and the `*nat` table are the IPv4 rules, and the final `*filter` table (the one using `ipv6-icmp` and `-m frag`) is the IPv6 rules, which are loaded with ip6tables-restore. Store each set in its own file rather than the whole listing.

*filter
# IPv4 filter table (rules.v4).
# Built-in policies: INPUT and OUTPUT default to ACCEPT, FORWARD to DROP.
# For INPUT the ACCEPT policy is only a fallback: the last INPUT rule below
# sends every unmatched packet to ACTION_DROP. OUTPUT has no rules at all,
# so all locally generated traffic leaves unfiltered.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Verdict chains: rate-limited LOG, then DROP or REJECT.
:ACTION_DROP - [0:0]
:ACTION_REJECT - [0:0]
# DOCKER* chains: the forwarding rules dockerd installs for the docker0
# bridge. These look like a snapshot of what the daemon had loaded; dockerd
# presumably rewrites them on start, so treat this copy as informational —
# confirm on the host.
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
# INPUT sub-chains: sanity checks, then per-protocol allow lists.
:IN_INVALID - [0:0]
:IN_TCP - [0:0]
:IN_UDP - [0:0]
# INPUT: loopback and established/related first, then invalid-packet checks,
# then TCP/UDP allow lists and unrestricted ICMP; whatever is left is logged
# and dropped.
-A INPUT -i lo -m comment --comment "Allow all local loopback traffic" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Allow established/related connections" -j ACCEPT
-A INPUT -m comment --comment "Do basic checks for invalid packets" -j IN_INVALID
-A INPUT -p tcp -m comment --comment "Send all TCP traffic to IN_TCP" -j IN_TCP
-A INPUT -p udp -m comment --comment "Send all UDP traffic to IN_UDP" -j IN_UDP
# All ICMP types are accepted, with no rate limit.
-A INPUT -p icmp -m comment --comment "Permit all ICMP traffic" -j ACCEPT
# Catch-all: this rule, not the INPUT policy, is what makes the host deny by default.
-A INPUT -m comment --comment "Drop all unmatched traffic" -j ACTION_DROP
# FORWARD: Docker's container forwarding. DOCKER-USER is the hook Docker
# leaves for administrator rules and is evaluated first; here it only
# RETURNs, so nothing in this file restricts container traffic beyond the
# isolation chains. Non-Docker forwarding falls through to the DROP policy.
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
# ACTION_DROP / ACTION_REJECT: log (at most 30 entries per minute) and then
# apply the verdict. ACTION_REJECT is defined but nothing in this table
# jumps to it; all denials go through ACTION_DROP.
-A ACTION_DROP -m limit --limit 30/min -m comment --comment "Enable logging" -j LOG --log-prefix "Dropping: "
-A ACTION_DROP -m comment --comment "Drop all traffic sent to this chain" -j DROP
-A ACTION_REJECT -m limit --limit 30/min -m comment --comment "Enable logging" -j LOG --log-prefix "Rejecting: "
-A ACTION_REJECT -m comment --comment "Reject all traffic sent to this chain" -j REJECT --reject-with icmp-port-unreachable
# Docker bridge isolation (as generated by dockerd). Stage 1 only forwards
# traffic that enters docker0 and leaves via another interface; stage 2 then
# drops it if it is bound for docker0. With a single bridge, stage 2 can
# therefore never match — it only does work once more bridges exist.
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
# IN_INVALID: drop conntrack-INVALID packets, NEW TCP connections whose first
# segment is not a bare SYN, and TCP flag combinations that are never legal
# (typically scanner probes). Everything else RETURNs to INPUT.
-A IN_INVALID -m state --state INVALID -m comment --comment "Drop invalid traffic" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m comment --comment "Force incoming TCP connections to start with SYN" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m comment --comment "Stealth scan" -j ACTION_DROP
# "-f" matches second and further fragments only; the first fragment of an
# ICMP datagram is still accepted by the INPUT ICMP rule.
-A IN_INVALID -p icmp -f -m comment --comment "Drop ICMP fragments" -j ACTION_DROP
-A IN_INVALID -m comment --comment "Return for further processing" -j RETURN
# IN_TCP / IN_UDP: explicit allow lists; unmatched traffic is logged and dropped.
# None of the Docker swarm rules (TCP 2376/2377/7946, UDP 4789/7946) restricts
# the source address, so those ports are reachable from any peer; limiting
# them to the swarm members' addresses (-s ...) would reduce exposure.
# SSH (22) is likewise open to all sources.
-A IN_TCP -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "Allow incoming SSH connections" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 2376,2377,7946 -m state --state NEW -m comment --comment "Allow incoming Docker swarm connections" -j ACCEPT
-A IN_TCP -p tcp -m comment --comment "Drop unmatched TCP" -j ACTION_DROP
# UDP traceroute probes are accepted so the kernel answers with port-unreachable.
-A IN_UDP -p udp -m udp --dport 33434:33523 -m comment --comment "Allow UDP traceroute" -j ACCEPT
-A IN_UDP -p udp -m multiport --dports 4789,7946 -m comment --comment "Allow incoming Docker swarm connections" -j ACCEPT
-A IN_UDP -p udp -m comment --comment "Drop unmatched UDP" -j ACTION_DROP
COMMIT
# IPv4 nat table (rules.v4). Only Docker's hooks are present: locally
# addressed traffic is sent to the DOCKER chain, which here just RETURNs for
# packets arriving from docker0. Published container ports (DNAT rules) would
# appear in this chain; none are in this snapshot. There is also no
# POSTROUTING MASQUERADE rule here, so container egress is not NATed by this
# file — presumably dockerd adds both at runtime; confirm on the host.
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
# Loopback destinations are excluded so host-local traffic is not redirected.
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
COMMIT
# IPv6 filter table (rules.v6), loaded with ip6tables-restore.
# Same structure as the IPv4 table: INPUT/OUTPUT policy ACCEPT with a
# catch-all ACTION_DROP at the end of INPUT, FORWARD policy DROP. There are
# no Docker chains here, so all forwarded IPv6 traffic is dropped by policy,
# and OUTPUT has no rules.
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ACTION_DROP - [0:0]
:ACTION_REJECT - [0:0]
:IN_INVALID - [0:0]
:IN_TCP - [0:0]
:IN_UDP - [0:0]
-A INPUT -i lo -m comment --comment "Allow all local loopback traffic" -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Allow established/related connections" -j ACCEPT
-A INPUT -m comment --comment "Do basic checks for invalid packets" -j IN_INVALID
-A INPUT -p tcp -m comment --comment "Send all TCP traffic to IN_TCP" -j IN_TCP
-A INPUT -p udp -m comment --comment "Send all UDP traffic to IN_UDP" -j IN_UDP
# All ICMPv6 is accepted; IPv6 neighbor discovery and router advertisements
# travel over ICMPv6, so blocking it wholesale would break basic connectivity.
-A INPUT -p ipv6-icmp -m comment --comment "Permit all ICMP traffic" -j ACCEPT
# Catch-all: this rule, not the INPUT policy, provides deny-by-default.
-A INPUT -m comment --comment "Drop all unmatched traffic" -j ACTION_DROP
# Verdict chains: rate-limited LOG, then DROP/REJECT. ACTION_REJECT is unused
# in this table.
-A ACTION_DROP -m limit --limit 30/min -m comment --comment "Enable logging" -j LOG --log-prefix "Dropping: "
-A ACTION_DROP -m comment --comment "Drop all traffic sent to this chain" -j DROP
-A ACTION_REJECT -m limit --limit 30/min -m comment --comment "Enable logging" -j LOG --log-prefix "Rejecting: "
-A ACTION_REJECT -m comment --comment "Reject all traffic sent to this chain" -j REJECT --reject-with icmp6-port-unreachable
# IN_INVALID: conntrack-INVALID packets, NEW TCP connections not opened with
# a bare SYN, and illegal TCP flag combinations are dropped; the rest RETURNs.
-A IN_INVALID -m state --state INVALID -m comment --comment "Drop invalid traffic" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m comment --comment "Force incoming TCP connections to start with SYN" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m comment --comment "Stealth scan" -j ACTION_DROP
-A IN_INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m comment --comment "Stealth scan" -j ACTION_DROP
# NOTE(review): "-p icmp" names IPv4 ICMP (protocol 1), whereas the ICMPv6
# accept rule above uses "-p ipv6-icmp". In the IPv6 table this rule is
# therefore unlikely to ever match, leaving ICMPv6 fragments unfiltered —
# confirm, and consider aligning it with the "-p ipv6-icmp" rule above.
-A IN_INVALID -p icmp -m frag -m comment --comment "Drop ICMP fragments" -j ACTION_DROP
-A IN_INVALID -m comment --comment "Return for further processing" -j RETURN
# IN_TCP / IN_UDP: same allow lists as IPv4, again with no source restriction
# on SSH or on the Docker swarm ports (TCP 2376/2377/7946, UDP 4789/7946);
# limiting the swarm rules to member addresses (-s ...) would reduce exposure.
-A IN_TCP -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "Allow incoming SSH connections" -j ACCEPT
-A IN_TCP -p tcp -m multiport --dports 2376,2377,7946 -m state --state NEW -m comment --comment "Allow incoming Docker swarm connections" -j ACCEPT
-A IN_TCP -p tcp -m comment --comment "Drop unmatched TCP" -j ACTION_DROP
-A IN_UDP -p udp -m udp --dport 33434:33523 -m comment --comment "Allow UDP traceroute" -j ACCEPT
-A IN_UDP -p udp -m multiport --dports 4789,7946 -m comment --comment "Allow incoming Docker swarm connections" -j ACCEPT
-A IN_UDP -p udp -m comment --comment "Drop unmatched UDP" -j ACTION_DROP
COMMIT