Firewall: Difference between revisions
Latest revision as of 10:48, 21 February 2025
Different ways to handle iptables and nftables.
Using iptables-persistent on Debian
Note: In use on vrijdagmiddagborrel.
It's basically a set of iptables plugins for netfilter-persistent, which itself is a loader for different netfilter configurations. Once installed, it takes care of restoring the rules at boot time and, through a small helper, can be used to reload, update or save rules on the fly.
Installation and config
- Installation:
  apt install iptables-persistent netfilter-persistent
- Add/change iptables rules located at /etc/iptables/rules.v4 and /etc/iptables/rules.v6
Usage
- Apply new rules after changes made to the rules.v* files, then check the result:
  netfilter-persistent reload
  iptables -L
iptables oneliners
Note: for newer setups see nftables below. iptables commands still work, but using nftables directly is preferred.
- list all rules from all chains
  iptables -L
- block an IP (inbound and outbound)
  iptables -I INPUT -s 192.168.111.111 -j DROP
  iptables -I OUTPUT -d 192.168.111.111 -j DROP
nftables
nftables is the hip new thing in the kernel. It has a nicer, easier-to-read config syntax and a bunch of performance improvements. Current Debian (12) ships with it installed (but turned off).
- enable the firewall
systemctl enable nftables
- a basic firewall config you can drop into /etc/nftables.conf (input chains default to drop; only what is listed below gets in):

#!/usr/sbin/nft -f

flush ruleset

# 'table firewall' without a family means the ip (IPv4) family
table firewall {
    chain incoming {
        type filter hook input priority 0; policy drop;

        # established/related connections
        ct state established,related accept

        # loopback interface
        iifname lo accept

        # open vpn traffic
        iifname lurknet accept

        # icmp
        icmp type echo-request accept

        # open tcp ports: sshd (22), httpd (80, 443), tinc (655), 999
        tcp dport { ssh, http, https, 655, 999 } accept

        # open udp ports: tinc (655) and the 60000-61000 range
        udp dport { 655, 60000-61000 } accept
    }
}

table ip6 firewall {
    chain incoming {
        type filter hook input priority 0; policy drop;

        # established/related connections
        ct state established,related accept

        # invalid connections
        ct state invalid drop

        # loopback interface
        iifname lo accept

        # vpn interface
        iifname lurknet accept

        # icmp
        # routers may also want: mld-listener-query, nd-router-solicit
        icmpv6 type { echo-request, nd-neighbor-solicit } accept
        # note: this line accepts every ICMPv6 type, so the selective rule above is redundant
        meta l4proto ipv6-icmp accept

        # open tcp ports: sshd (22), httpd (80, 443), tinc (655), 999
        tcp dport { ssh, http, https, 655, 999 } accept

        # open udp ports: tinc (655) and the 60000-61000 range
        udp dport { 655, 60000-61000 } accept
    }
}
- start the firewall
systemctl start nftables
- see how it looks (assuming you have not just accidentally locked yourself out of the server)
nft list ruleset
get rich off your NFT!
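Before starting the firewall it helps to see what a 'policy drop' chain still lets in, so you do not lock yourself out. The following is an added example, not part of this wiki page: a small Python lint for configs in the shape above that lists the accepted tcp/udp ports (so you can confirm ssh is open) and flags the ip6 case where a selective icmpv6 rule is followed by a catch-all ipv6-icmp accept. SAMPLE is constructed inline from the ip6 chain; the regex and service table are assumptions sized for this config, not a full nft parser.

```python
# Added example (not from the wiki page): lint a small nftables config before
# `nft -f` loads it. SAMPLE is constructed from the ip6 chain shown above.
import re

SAMPLE = """
table ip6 firewall {
    chain incoming {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname lo accept
        # icmp
        icmpv6 type { echo-request, nd-neighbor-solicit } accept
        meta l4proto ipv6-icmp accept
        tcp dport { ssh, http, https, 655, 999 } accept
        udp dport { 655, 60000-61000 } accept
    }
}
"""
SERVICES = {"ssh": 22, "http": 80, "https": 443}  # names nft resolves via /etc/services
PORT_RE = re.compile(r"^(tcp|udp) dport \{?\s*([^}]+?)\s*\}? accept$")

def rules(conf):
    """Rule lines only: comments, blanks and the table/chain braces dropped."""
    lines = (l.split("#", 1)[0].strip() for l in conf.splitlines())
    return [l for l in lines if l and not l.endswith("{") and l != "}"]

def _port(token):
    tok = token.strip()
    return int(tok) if tok.isdigit() else SERVICES.get(tok, tok)  # ranges stay text

def open_ports(conf):
    """Return {'tcp': [...], 'udp': [...]} of accepted destination ports."""
    ports = {"tcp": [], "udp": []}
    for line in rules(conf):
        m = PORT_RE.match(line)
        if m:
            ports[m.group(1)] += [_port(t) for t in m.group(2).split(",")]
    return ports

def shadowed_icmpv6(conf):
    """True when a selective icmpv6 rule is followed by a catch-all accept."""
    selective = False
    for line in rules(conf):
        selective |= line.startswith("icmpv6 type") and line.endswith("accept")
        if selective and line == "meta l4proto ipv6-icmp accept":
            return True
    return False

def lint(conf):
    """Summarise what this 'policy drop' input chain lets in."""
    ports = open_ports(conf)
    return {"ports": ports, "ssh_open": 22 in ports["tcp"],
            "icmpv6_rule_shadowed": shadowed_icmpv6(conf)}
```

Run lint() on the text of /etc/nftables.conf before `systemctl start nftables`; `nft -c -f /etc/nftables.conf` remains the authoritative syntax check.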