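# Install ufw non-interactively: a plain `apt-get install` stops at a confirmation
# prompt and blocks an unattended run of these steps.
apt-get install -y ufw
# all incoming drop
# Inbound default policy is set before any allow rule is added, so the finished
# ruleset is deny-by-default with the explicit exceptions that follow.
ufw default deny incoming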
# ---- Allow in all ----
# Public web: accept inbound HTTP and HTTPS on TCP from any source.
for web_port in 80 443; do
  ufw allow "${web_port}/tcp"
done
# ----------------------
# MySQL: any source arriving on eth1 may reach port 3306.
# NOTE(review): this rule is interface-scoped but not source-scoped; if eth1 carries
# more than the trusted hosts, consider limiting it to the subnets used for SSH below.
ufw allow in on eth1 to any port 3306

# Elasticsearch: HTTP (9200) and transport (up to 9300) ports, only from the
# management /24.
ufw allow from 210.4.64.0/24 to any proto tcp port 9200:9300

# SSH on the non-standard port 2222: one allow rule per trusted source subnet
# (rules are added in the same order as the original one-per-line list).
for trusted_net in 210.4.64.0/24 210.4.77.0/24 103.16.72.0/24 103.16.74.0/24; do
  ufw allow from "${trusted_net}" to any proto tcp port 2222
done
# ------------------------------
#ufw does not allow specifying icmp rules via the command-line interface. It does allow you to adjust your ruleset via its rules files, which are iptables-restore style files.
#ufw does allow certain icmp traffic by default including icmp echo reply, and this is already configured by default in
# Open the before.rules file to check the ICMP output entries. The `-A ufw-before-output`
# lines that follow are an excerpt of that file's contents shown for reference; they are
# iptables-restore rules, not shell commands to run.
vi /etc/ufw/before.rules
# ok icmp codes output
-A ufw-before-output -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-output -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-output -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-output -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-output -p icmp --icmp-type echo-request -j ACCEPT
# Outbound DNS (53, tcp and udp) plus HTTP/HTTPS, for name resolution and
# remote file downloads.
for out_svc in 53 http https; do
  ufw allow out "${out_svc}"
done
# ---- Allow out all ----
# Allow all outbound traffic whose source address is in these two /22 ranges.
# NOTE(review): in an `out` rule `from` is the local source address, so if this host's
# own address falls inside either /22 this permits all outbound traffic and the
# port-specific `allow out` rules and `default deny outgoing` later in the file have no
# practical effect — confirm that is intended.
for local_net in 210.4.64.0/22 103.16.72.0/22; do
  ufw allow out from "${local_net}"
done
# ---------------
# Allow specific services.
# Outbound SSH on ports 10222 and 2222, restricted to the trusted source subnets.
# Nested loop keeps the original insertion order: all 10222 rules, then all 2222 rules.
for ssh_port in 10222 2222; do
  for trusted_net in 210.4.64.0/24 210.4.77.0/24 103.16.72.0/24 103.16.74.0/24; do
    ufw allow out from "${trusted_net}" to any proto tcp port "${ssh_port}"
  done
done
# Mail (SMTP, tcp and udp 25)
ufw allow out 25
# ossec-authd (tcp/1515). `from` here is the local source address — presumably this
# host's own IP; verify against the interface configuration.
ufw allow out from 103.16.74.245 to any proto tcp port 1515
# all outgoing drop
# Outbound default policy is set after the explicit `allow out` rules above; those
# rules remain as the only exceptions to this deny-by-default policy.
ufw default deny outgoing
# `ufw enable` may prompt before proceeding when run over an SSH session; the
# inbound port-2222 rules added earlier are what keep that session reachable
# once the firewall is active.
ufw enable
# reload is not strictly needed immediately after enable; kept from the original run.
ufw reload
ufw status verbose
# NOTE(review): the status output pasted below (222/tcp, 10.0.0.0/8, 172.16.0.0/12, ...)
# does not match the rules configured above — it appears to come from a different host
# or an earlier ruleset; confirm before relying on it.
222/tcp ALLOW Anywhere
Anywhere ALLOW 172.16.0.0/12
Anywhere ALLOW 192.168.0.0/16
Anywhere ALLOW 103.123.169.104/29
Anywhere ALLOW 172.172.172.0/24
Anywhere ALLOW 172.200.20.0/24
Anywhere ALLOW 192.172.10.0/24
Anywhere ALLOW 103.156.67.0/24
Anywhere ALLOW 103.156.67.128/25
Anywhere ALLOW 103.156.67.64/26
Anywhere ALLOW 103.156.67.0/27
Anywhere ALLOW 10.0.0.0/8
2222/tcp (v6) ALLOW Anywhere (v6)