Ok, I've borrowed heavily from chaeplin's 5 MN setup guide. You should refer to his guide for details on how to setup your user spaces ('ubuntu' and 'ubuntu2' in the iptables script below) and darkcoin.conf.
The following iptables script is useful on VULTR and currently works for 2 IPs (eth0 and the eth0:1 alias). Extending it to 3 IPs is straightforward: read a third address from eth0:2, add a third user, and duplicate the per-IP connlimit and SNAT rules for it.
NOTE: Be sure to install the connection tracking module, conntrack. Like this:
$ sudo apt-get install conntrack
Copy the code below into a file called firewall_2ips.sh. Then change permissions to be executable.
$ chmod 755 firewall_2ips.sh
Then run the script as sudo. Keep your current SSH session open and confirm from a second session that you can still log in before you disconnect — the default policies are DROP, so a failed rule can lock you out. The rules are not persisted across reboots; re-run the script at boot or save them with iptables-save:
$ sudo ./firewall_2ips.sh
Code:
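#!/bin/bash
#
# firewall_2ips.sh — IPv4 iptables policy for a VULTR host that runs two
# masternodes on two public addresses: $IIP on eth0 and $IIP2 on the eth0:1
# alias, each owned by its own Unix user ('ubuntu' and 'ubuntu2').
#
# Must be run as root (sudo). Uses the iptables conntrack, connlimit and
# owner matches and net-tools ifconfig.
#
# NOTE: only IPv4 is configured. If the host also has an IPv6 address,
#       ip6tables keeps whatever it had before (usually ACCEPT everything);
#       configure it separately or disable IPv6 on the host.
# NOTE: nothing here persists the rules; re-run after a reboot or save them
#       with iptables-save.
#
# Deliberately NOT using `set -e`: aborting half-way, after the policies
# have been set to DROP but before the SSH ACCEPT, would lock you out.
# Inputs are validated up front instead.

# Public addresses of the two masternodes, parsed from the interface config.
IIP=$(/sbin/ifconfig eth0 | sed --silent 's/.*inet addr:\(.*\) \ Bcast.*/\1/p')
IIP2=$(/sbin/ifconfig eth0:1 | sed --silent 's/.*inet addr:\(.*\) \ Bcast.*/\1/p')
IPTABLES="/sbin/iptables"

# Optional: restrict SSH to one source address or CIDR, e.g. "203.0.113.5/32".
# Leave empty to keep the original behaviour (SSH accepted from anywhere).
SSH_ALLOW_FROM=""

# Refuse to run unprivileged: every iptables call would fail and the host
# would be left with whatever ruleset it had before.
if [ "$(id -u)" -ne 0 ]; then
    echo "ERROR: this script must run as root (sudo ./firewall_2ips.sh)" >&2
    exit 1
fi

# Refuse to touch the ruleset if either address could not be parsed.
# An empty $IIP would turn "-s $IIP" into a malformed rule, so the
# anti-spoof, connlimit and SNAT rules for that IP would silently be
# skipped while the rest of the firewall still came up.
# (Newer net-tools print "inet 1.2.3.4  netmask ..." without "addr:", which
# the sed pattern above does not match — adjust it if that is your case.)
if [ -z "$IIP" ] || [ -z "$IIP2" ]; then
    echo "ERROR: could not determine the IPs of eth0 ('$IIP') and eth0:1 ('$IIP2'); no rules changed" >&2
    exit 1
fi

echo "Activating firewall for $IIP and $IIP2"

# This host is not a router.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Start from a clean slate: flush every table, remove user-defined chains,
# then default to DROP in all directions. Every ACCEPT below is explicit.
for table in filter nat mangle; do
    $IPTABLES -t "$table" -F
    $IPTABLES -t "$table" -X
done
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Source ranges that have no business appearing on the WAN interface
# (bogons, RFC1918, multicast/reserved). Trim the list if legitimate
# traffic from one of these ranges must reach eth0.
SPOOF_IPS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/3"

# Loopback is always trusted (local RPC to the daemons goes over lo).
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Drop IP fragments and bogus TCP flag combinations (XMAS: all set; NULL: none set).
$IPTABLES -A INPUT -f -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Drop packets arriving on the WAN interface that claim one of OUR addresses
# as source. Both IPs live on the same physical interface, so both need
# this (the original only covered $IIP).
for own in "$IIP" "$IIP2"; do
    $IPTABLES -A INPUT -i eth0 -s "$own" -j DROP
done

# Drop spoofed/bogon sources inbound, and never emit them ourselves.
# $SPOOF_IPS is intentionally unquoted: it is a space-separated list.
for ip in $SPOOF_IPS; do
    $IPTABLES -A INPUT -i eth0 -s "$ip" -j DROP
    $IPTABLES -A OUTPUT -o eth0 -s "$ip" -j DROP
done

# Stateful core: packets belonging to connections we already track are
# accepted; packets conntrack cannot classify are dropped.
$IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m conntrack --ctstate INVALID -j DROP

# Administrative access. Optionally pinned to a single source (see above).
if [ -n "$SSH_ALLOW_FROM" ]; then
    $IPTABLES -A INPUT -p tcp -s "$SSH_ALLOW_FROM" --dport ssh -j ACCEPT
else
    $IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT
fi

# Inbound HTTPS, kept from the original. Fetching updates only needs the
# OUTBOUND --dport 443 rule further down; unless something on this host
# actually listens on 443, this line can be commented out.
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT

# 9998/9997 are refused with a RST rather than silently dropped, so a
# remote probe fails fast instead of hanging. (Presumably the daemons'
# RPC ports — they are reachable only over loopback, accepted above.)
$IPTABLES -A INPUT -p tcp -m tcp --dport 9998 -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp -m tcp --dport 9997 -j REJECT --reject-with tcp-reset

# Per-IP connection limits on the P2P port 9999, evaluated on the SYN only:
# reject once a /24 holds more than 8 connections, or a single source more
# than 2, to that masternode's address.
for dst in "$IIP" "$IIP2"; do
    $IPTABLES -A INPUT -i eth0 -p tcp -m tcp -d "$dst" --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN \
        -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j REJECT --reject-with tcp-reset
    $IPTABLES -A INPUT -i eth0 -p tcp -m tcp -d "$dst" --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN \
        -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
done

# Everything else to the P2P port is accepted. (The original also had a
# separate "--ctstate NEW" ACCEPT for 9999 right before this unconditional
# one; the unconditional rule subsumes it.)
$IPTABLES -A INPUT -p tcp --dport 9999 -j ACCEPT

# Outbound policy: replies to tracked connections first, then the explicit
# allow-list — any UDP (DNS etc.), ICMP, replies from our SSH/HTTPS/P2P
# ports, outbound HTTPS (package updates) and outbound P2P on 9999.
# NB: outbound TCP/80 is NOT allowed, so apt mirrors must be https://
# (or add a --dport 80 rule here).
$IPTABLES -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -o eth0 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -o eth0 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --sport ssh -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --sport 9999 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 9999 -j ACCEPT

# Source-NAT per masternode user so each daemon's outbound P2P, HTTPS and
# SSH traffic leaves from "its" public address. The owner match keys on the
# UID of the process that created the socket, so both users must exist
# (iptables rejects the rule otherwise and that user's traffic keeps the
# kernel's default source address).
#
# Arguments: $1 - Unix user name, $2 - public IP to SNAT that user's traffic to
snat_for_user() {
    local user=$1 src=$2 port
    for port in 9999 443 ssh; do
        $IPTABLES -t nat -A POSTROUTING -m owner --uid-owner "$user" -p tcp --dport "$port" -j SNAT --to-source "$src"
    done
}
snat_for_user ubuntu "$IIP"
snat_for_user ubuntu2 "$IIP2"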
Note that this script accepts inbound connections on the https port (443) in addition to allowing outbound https. Only the outbound rule (the `--dport 443` line in the OUTPUT chain) is what lets you fetch updates; the inbound ACCEPT on 443 only matters if something on the host actually listens there, so unless it does you can comment out that INPUT line (and the matching `--sport 443` OUTPUT line) and those packets won't be accepted. Also note that outbound plain HTTP (port 80) is not allowed, so apt mirrors must be reachable over https.