Firewall: Difference between revisions
Jump to navigation
Jump to search
Using
No edit summary |
(added l4proto and ipv6-icmp) |
||
| (8 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
Different ways to handle <code>iptables</code>. | Different ways to handle <code>iptables</code> and <code>nftables</code>. | ||
== Using <code>iptables-persistent</code> on Debian == | == Using <code>iptables-persistent</code> on Debian == | ||
| Line 19: | Line 19: | ||
== <code>iptables</code> oneliners == | == <code>iptables</code> oneliners == | ||
note - for newer setups see nftables below. iptables commands still work but directly using nftables is preferred. | |||
* list all rules from all chains | * list all rules from all chains | ||
iptables -L | iptables -L | ||
* block an IP | |||
iptables -I INPUT -s 192.168.111.111 -j DROP | |||
iptables -I OUTPUT -d 192.168.111.111 -j DROP | |||
== nftables == | |||
''nftables'' is the hip new thing in the kernel. It has nicer, easier to read config syntax and has a bunch of performance improvements. Current Debian (12) comes with it installed (but turned off). | |||
* enable the firewall | |||
systemctl enable nftables | |||
* a basic firewall config you can drop into /etc/nftables.conf | |||
<pre> | |||
#!/usr/sbin/nft -f | |||
flush ruleset | |||
table firewall { | |||
chain incoming { | |||
type filter hook input priority 0; policy drop; | |||
# established/related connections | |||
ct state established,related accept | |||
# loopback interface | |||
iifname lo accept | |||
# open vpn traffic | |||
iifname lurknet accept | |||
# icmp | |||
icmp type echo-request accept | |||
# open tcp ports: sshd (22), httpd (80) | |||
tcp dport { ssh, http, https, 655, 999 } accept | |||
# tinc | |||
udp dport { 655, 60000-61000 } accept | |||
} | |||
} | |||
table ip6 firewall { | |||
chain incoming { | |||
type filter hook input priority 0; policy drop; | |||
# established/related connections | |||
ct state established,related accept | |||
# invalid connections | |||
ct state invalid drop | |||
# loopback interface | |||
iifname lo accept | |||
# vpn interface | |||
iifname lurknet accept | |||
# icmp | |||
# routers may also want: mld-listener-query, nd-router-solicit | |||
icmpv6 type { echo-request, nd-neighbor-solicit } accept | |||
meta l4proto ipv6-icmp accept | |||
# open tcp ports: sshd (22), httpd (80) | |||
tcp dport { ssh, http, https, 655, 999 } accept | |||
# tinc | |||
udp dport { 655, 60000-61000 } accept | |||
} | |||
} | |||
</pre> | |||
* start the firewall | |||
systemctl start nftables | |||
* see how it looks (assuming you have not just accidentally locked yourself out of the server) | |||
nft list ruleset | |||
get rich off your NFT! | |||
[[Category:System]] | [[Category:System]] | ||
Latest revision as of 10:48, 21 February 2025
Different ways to handle iptables and nftables.
Using iptables-persistent on Debian
Note: In use on vrijdagmiddagborrel.
It's basically a set of iptables plugins for netfilter-persistent, which itself is a loader for different netfilter configuration. Once installed, it will take care of restoring rules at boot time, and through a small helper, can be used to reload/update/save rules on the fly.
Installation and config
- Installation:
apt install iptables-persistent netfilter-persistent
- Add/change iptables rules located at
/etc/iptables/rules.v4and/etc/iptables/rules.v6
Usage
- Apply new rules after changes made to
rules.v*files and check result
netfilter-persistent reload iptables -L
iptables oneliners
note - for newer setups see nftables below. iptables commands still work but directly using nftables is preferred.
- list all rules from all chains
iptables -L
- block an IP
iptables -I INPUT -s 192.168.111.111 -j DROP iptables -I OUTPUT -d 192.168.111.111 -j DROP
nftables
nftables is the hip new thing in the kernel. It has nicer, easier to read config syntax and has a bunch of performance improvements. Current Debian (12) comes with it installed (but turned off).
- enable the firewall
systemctl enable nftables
- a basic firewall config you can drop into /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table firewall {
chain incoming {
type filter hook input priority 0; policy drop;
# established/related connections
ct state established,related accept
# loopback interface
iifname lo accept
# open vpn traffic
iifname lurknet accept
# icmp
icmp type echo-request accept
# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 655, 999 } accept
# tinc
udp dport { 655, 60000-61000 } accept
}
}
table ip6 firewall {
chain incoming {
type filter hook input priority 0; policy drop;
# established/related connections
ct state established,related accept
# invalid connections
ct state invalid drop
# loopback interface
iifname lo accept
# vpn interface
iifname lurknet accept
# icmp
# routers may also want: mld-listener-query, nd-router-solicit
icmpv6 type { echo-request, nd-neighbor-solicit } accept
meta l4proto ipv6-icmp accept
# open tcp ports: sshd (22), httpd (80)
tcp dport { ssh, http, https, 655, 999 } accept
# tinc
udp dport { 655, 60000-61000 } accept
}
}
- start the firewall
systemctl start nftables
- see how it looks (assuming you have not just accidentally locked yourself out of the server)
nft list ruleset
get rich off your NFT!