Firewall: Difference between revisions
Revision as of 12:35, 18 February 2025
Different ways to handle iptables and nftables.
Using iptables-persistent on Debian
Note: in use on vrijdagmiddagborrel.
iptables-persistent is a set of iptables plugins for netfilter-persistent, which is itself a generic loader for netfilter configuration. Once installed, it restores the saved rules at boot time and, through a small helper, can reload, update or save rules on the fly.
Installation and config
- Installation:
apt install iptables-persistent netfilter-persistent
- Add or change rules in /etc/iptables/rules.v4 (IPv4) and /etc/iptables/rules.v6 (IPv6). Both files are in iptables-save format. The v6 file needs its own rules: an IPv4-only ruleset does nothing for IPv6 traffic.
Usage
- Apply new rules after changes made to the rules.v* files (reload loads both of them) and check the result; the same check for IPv6 goes through ip6tables
netfilter-persistent reload
iptables -L
iptables oneliners
- list all rules from all chains (add -n to skip reverse DNS lookups and -v for counters and interfaces; -L shows only the filter table, use -t nat and friends for the others)
iptables -L
- block an IP in both directions; -I inserts at the top of the chain so these win over any earlier accept. They are live immediately but not written to rules.v4 until you save them with netfilter-persistent
iptables -I INPUT -s 192.168.111.111 -j DROP
iptables -I OUTPUT -d 192.168.111.111 -j DROP
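As an added example (not from this wiki page or the iptables-persistent project), the script below generates a rules.v4 in the iptables-restore format that netfilter-persistent loads, parse-checks it before it is reloaded, and shows the reload/save cycle. The path, the open ports and the blocked address 192.0.2.10 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the wiki page's own file or iptables-persistent's: generate an
# /etc/iptables/rules.v4 in the iptables-restore format that netfilter-persistent
# loads, parse-check it, and show the reload/save cycle. The path, the open ports
# and the blocked address 192.0.2.10 are assumptions for illustration only.

write_rules_v4() {
    # $1: output path (normally /etc/iptables/rules.v4); $2: address to block
    cat > "$1" <<EOF
# rules.v4 written by the example script; iptables-restore format, '#' lines are comments
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# the blocked host first, so it wins over the accepts below (both directions)
-A INPUT -s $2 -j DROP
-A OUTPUT -d $2 -j DROP
# loopback, replies to our own connections, and junk
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP (ping, path MTU discovery)
-A INPUT -p icmp -j ACCEPT
# services we expose: SSH, HTTP and HTTPS
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

check_rules_v4() {
    # iptables-restore --test parses and builds the ruleset without committing it,
    # so a typo is caught before reload. Skipped where iptables is not installed.
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1"
    else
        echo "iptables-restore not installed; skipping parse check" >&2
    fi
}

count_rules() {
    # number of rule lines (-A ...) in the file, a cheap sanity check on the output
    grep -c '^-A ' "$1"
}

# Usage (as root): sh rules.sh /etc/iptables/rules.v4 192.0.2.10
# then: netfilter-persistent reload   (loads rules.v4 and rules.v6)
# ad-hoc changes made with iptables -I/-A are live but not in the file until
#       netfilter-persistent save     (writes the live ruleset back into rules.v4/rules.v6)
if [ $# -eq 2 ]; then
    write_rules_v4 "$1" "$2"
    check_rules_v4 "$1"
    echo "wrote $(count_rules "$1") rules to $1"
fi
```

Run it as root with the target path and the address to block, then netfilter-persistent reload. Rules added on the fly with iptables -I (like the block-an-IP one-liners above) live only in the kernel; netfilter-persistent save writes the live ruleset back into rules.v4 and rules.v6, otherwise they are gone on the next reload or reboot.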
nftables
nftables is the newer netfilter frontend in the kernel. It has a nicer, easier to read config syntax and a bunch of performance improvements. Current Debian (12) ships it installed but turned off. Note that on Debian 12 the iptables command is iptables-nft, so it already talks to nftables underneath; pick one of the two setups per box, because an iptables-persistent ruleset and an /etc/nftables.conf loaded side by side end up as two separate tables that are both evaluated and hard to reason about.
- enable the firewall (so /etc/nftables.conf is loaded at boot; this alone loads nothing right now)
systemctl enable nftables
- a basic firewall config you can drop into /etc/nftables.conf
- start the firewall
systemctl start nftables
- see how it looks (assuming you have not just accidentally locked yourself out of the server; if you are working over SSH, check the config before starting and keep a second session open)
nft list ruleset
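As an added example (not the wiki page's own config block and not Debian's default file), the script below writes a basic /etc/nftables.conf of the same shape, syntax-checks it with nft -c before anything reaches the kernel, and loads it with a timed rollback, the usual trick against the lock-yourself-out problem mentioned above. The exposed ports, the admin address 192.0.2.10, the rollback delay and the path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the wiki page's own /etc/nftables.conf: write a basic ruleset,
# syntax-check it with nft -c before anything reaches the kernel, and load it with a
# timed rollback so a mistake cannot lock you out of SSH for good. The exposed ports,
# the admin address 192.0.2.10 and the rollback delay are assumptions for illustration.

write_nftables_conf() {
    # $1: output path (normally /etc/nftables.conf); $2: host allowed to SSH in
    cat > "$1" <<EOF
#!/usr/sbin/nft -f
# written by the example script; 'flush ruleset' makes a reload replace the rules
# instead of appending a second copy of every one of them
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept comment "loopback"
        ct state established,related accept comment "replies to our own traffic"
        ct state invalid drop

        # ICMP and ICMPv6 are needed for ping, path MTU and neighbour discovery
        meta l4proto { icmp, ipv6-icmp } accept

        # SSH only from the admin host, web from anywhere
        ip saddr $2 tcp dport 22 accept comment "ssh from admin host"
        tcp dport { 80, 443 } accept comment "web"

        # log (rate limited) what the drop policy throws away, to spot mistakes
        limit rate 5/minute log prefix "nft drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

check_nftables_conf() {
    # nft -c (--check) parses and validates the file without applying it.
    # Skipped where nft is not installed (e.g. when generating the file elsewhere).
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

apply_with_rollback() {
    # $1: config file, $2: seconds until the ruleset is flushed again (no firewall!).
    # Load, then if you can still open a new SSH session, kill the sleeper; if you
    # cannot, wait it out and the flush lets you back in to fix the file.
    nft -f "$1"
    ( sleep "$2" && nft flush ruleset ) &
    echo "ruleset loaded; flush in $2 s unless you run: kill $!"
}

count_accept_rules() {
    # accept rules in the file, ignoring the chain policy lines; cheap sanity check
    grep ' accept' "$1" | grep -vc 'policy'
}

# Usage (as root): sh nft.sh /etc/nftables.conf 192.0.2.10 120
# then, once it checks out and you can still log in: kill the sleeper and
# systemctl start nftables as described above
if [ $# -eq 3 ]; then
    write_nftables_conf "$1" "$2"
    check_nftables_conf "$1"
    apply_with_rollback "$1" "$3"
fi
```

Debian's nftables.service just runs nft -f /etc/nftables.conf at boot, so once the file passes nft -c and a fresh SSH session still works after the test load, kill the sleeper and systemctl start nftables as above. nft flush ruleset leaves the machine with no firewall at all, so if the rollback does fire, fix the file and try again rather than leaving it that way.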
get rich off your NFT!