docs: Adding an example iptables rules (EVerest#1776)

SebaLukas · Pietfried · web-flow · commit d504cb1af80d · 2026-02-09T12:24:34.000Z
* docs: Adding an example iptables rules to ensure that internal services cannot be accessed via the powerline connection

Signed-off-by: Sebastian Lukas &lt;sebastian.lukas@pionix.de&gt;

* modul -&gt; module, PowerLine -&gt; powerline

Signed-off-by: Sebastian Lukas &lt;sebastian.lukas@pionix.de&gt;

* Update docs/source/how-to-guides/security-best-practices.rst

Co-authored-by: Piet Gömpel &lt;37657534+Pietfried@users.noreply.github.com&gt;
Signed-off-by: Sebastian Lukas &lt;45936573+SebaLukas@users.noreply.github.com&gt;

---------

Signed-off-by: Sebastian Lukas &lt;sebastian.lukas@pionix.de&gt;
Signed-off-by: Sebastian Lukas &lt;45936573+SebaLukas@users.noreply.github.com&gt;
Co-authored-by: Piet Gömpel &lt;37657534+Pietfried@users.noreply.github.com&gt;
diff --git a/docs/source/how-to-guides/security-best-practices.rst b/docs/source/how-to-guides/security-best-practices.rst
@@ -91,6 +91,28 @@ The systemd service should start the manager process as root. It will
 then change the user for the child processes it forks (the modules) and
 set the capabilities as needed.
 
+- To ensure that internal services cannot be accessed via the powerline connection,
+  iptables can be used with the following rules. In this example the powerline module
+  is on device seth0.
+
+.. code-block::
+
+   ip6tables -S | grep seth0
+   -A INPUT -i seth0 -p ipv6-icmp -j ACCEPT
+   -A INPUT -i seth0 -p udp -m udp --dport 15118 -j ACCEPT
+   -A INPUT -i seth0 -p tcp -m tcp --dport 50000 -j ACCEPT
+   -A INPUT -i seth0 -p tcp -m tcp --dport 61341 -j ACCEPT
+   -A INPUT -i seth0 -p tcp -m tcp --dport 64109 -j ACCEPT
+   -A OUTPUT -o seth0 -p ipv6-icmp -j ACCEPT
+   -A OUTPUT -o seth0 -p udp -m udp --sport 15118 -j ACCEPT
+   -A OUTPUT -o seth0 -p tcp -m tcp --sport 50000 -j ACCEPT
+   -A OUTPUT -o seth0 -p tcp -m tcp --sport 61341 -j ACCEPT
+   -A OUTPUT -o seth0 -p tcp -m tcp --sport 64109 -j ACCEPT
+
+According to the standard, port 15118 is used for SDP messages.
+:doc:`EvseV2G </reference/modules/EvseV2G>`  uses the following ports: TCP (61341), TLS (64109).
+:doc:`Evse15118D20 </reference/modules/Evse15118D20>` integrates libiso15118 which uses port 50000 for TCP and TLS1.2/1.3.
+
 General (non-EVerest-related) security aspects
 ====================================================================
 
