Firewall

Revision as of 12:40, 18 February 2025

Different ways to handle iptables and nftables.

Using iptables-persistent on Debian

Note: In use on vrijdagmiddagborrel.

It's basically a set of iptables plugins for netfilter-persistent, which itself is a loader for different netfilter configurations. Once installed, it takes care of restoring the rules at boot time, and through a small helper it can be used to reload/update/save rules on the fly.

Installation and config

  • Installation:
apt install iptables-persistent netfilter-persistent
  • Add/change iptables rules located at /etc/iptables/rules.v4 and /etc/iptables/rules.v6

Usage

  • Apply the new rules after editing the rules.v* files, then check the result
netfilter-persistent reload
iptables -L


iptables oneliners

  • list all rules from all chains
iptables -L
  • block an IP
iptables -I INPUT -s 192.168.111.111 -j DROP
iptables -I OUTPUT -d 192.168.111.111 -j DROP


nftables

nftables is the hip new thing in the kernel. It has nicer, easier to read config syntax and has a bunch of performance improvements. Current Debian (12) comes with it installed (but turned off).

  • enable the firewall
systemctl enable nftables
  • a basic firewall config you can drop into /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table firewall {
  chain incoming {
    type filter hook input priority 0; policy drop;

    # established/related connections
    ct state established,related accept

    # loopback interface
    iifname lo accept

    # icmp
    icmp type echo-request accept

    # open tcp ports: sshd (22), httpd (80), https (443), 999
    tcp dport { ssh, http, https, 999 } accept

    # tinc
    udp dport { 60000-61000 } accept
  }
}

table ip6 firewall {
  chain incoming {
    type filter hook input priority 0; policy drop;

    # established/related connections
    ct state established,related accept

    # invalid connections
    ct state invalid drop

    # loopback interface
    iifname lo accept

    # icmp
    # routers may also want: mld-listener-query, nd-router-solicit
    icmpv6 type { echo-request, nd-neighbor-solicit } accept

    # open tcp ports: sshd (22), httpd (80), https (443), 999
    tcp dport { ssh, http, https, 999 } accept

    # tinc
    udp dport { 60000-61000 } accept
  }
}


  • start the firewall
systemctl start nftables
  • see how it looks (assuming you have not just accidentally locked yourself out of the server)
nft list ruleset
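A lockout-safe way to load a ruleset such as the one above, added here as an example and not part of the original page: it syntax-checks the file with `nft -c -f`, saves the running ruleset, loads the new one, and restores the saved ruleset after a timeout unless you confirm from a fresh login. The function names, the NFT/STATE_DIR variables and the /run/nft-safe path are my own choices; it assumes nft is in PATH and that you run it as root.

```shell
#!/bin/sh
# Lockout-safe nftables apply (added example). Source this file, then run
#   apply_nft_safely /etc/nftables.conf 60
# and, from a NEW ssh session opened while the new rules are live,
#   confirm_nft_apply
# If no confirmation arrives within the timeout the old ruleset is restored.

NFT="${NFT:-nft}"                     # nft binary (overridable for testing)
STATE_DIR="${STATE_DIR:-/run/nft-safe}"  # backup and confirmation marker live here

# Syntax-check a ruleset file without loading it; returns nft's exit status.
check_ruleset() {
    "$NFT" -c -f "$1"
}

# Check, back up the running ruleset, load the new file and arm a rollback
# timer. Returns 1 (and changes nothing) if the file does not parse.
apply_nft_safely() {
    conf="$1"; timeout="${2:-60}"
    check_ruleset "$conf" || { echo "syntax error in $conf, nothing applied" >&2; return 1; }
    mkdir -p "$STATE_DIR"
    "$NFT" list ruleset > "$STATE_DIR/backup.nft" || return 1
    "$NFT" -f "$conf" || return 1         # nft -f is atomic: on failure the old rules stay
    rm -f "$STATE_DIR/confirmed"
    (
        sleep "$timeout"
        if [ ! -e "$STATE_DIR/confirmed" ]; then
            # 'flush ruleset' first so tables that exist only in the new file do not linger
            { echo "flush ruleset"; cat "$STATE_DIR/backup.nft"; } | "$NFT" -f -
            echo "nft-safe: not confirmed within ${timeout}s, previous ruleset restored" >&2
        fi
    ) &
    echo "applied $conf; run confirm_nft_apply within ${timeout}s from a new session"
}

# Run from the fresh login to cancel the pending rollback.
confirm_nft_apply() {
    : > "$STATE_DIR/confirmed"
}
```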

get rich off your NFT!