Firewall

From Run Your Own
Revision as of 12:30, 18 February 2025 by Brendan (talk | contribs) (add docs for nftables firewall)

Different ways to handle iptables and nftables.

Using iptables-persistent on Debian

Note: In use on vrijdagmiddagborrel.

It's basically a set of iptables plugins for netfilter-persistent, which itself is a loader for different netfilter configurations. Once installed, it takes care of restoring the rules at boot time, and through a small helper it can be used to reload/update/save rules on the fly.

Installation and config

  • Installation:
apt install iptables-persistent netfilter-persistent
  • Add/change iptables rules located at /etc/iptables/rules.v4 and /etc/iptables/rules.v6

Usage

  • Apply new rules after changing the rules.v* files and check the result
netfilter-persistent reload
iptables -L


iptables oneliners

  • list all rules from all chains
iptables -L
  • block an IP
iptables -I INPUT -s 192.168.111.111 -j DROP
iptables -I OUTPUT -d 192.168.111.111 -j DROP
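The page says to edit /etc/iptables/rules.v4 but does not show what goes in it. The script below is an added example, not part of this wiki page or of the iptables-persistent package: it renders a rules.v4 in the iptables-save format that iptables-persistent reads (mirroring the nftables ruleset further down: drop by default, allow loopback, established/related, ping and a few TCP ports), checks it with `iptables-restore --test` before installing it, and wraps the block-an-IP one-liners so the change is also written back with `netfilter-persistent save`, since `iptables -I` alone only changes the running ruleset. The function names, the default port list and everything except the /etc/iptables/rules.v4 path are my assumptions; run it as root.

```shell
#!/bin/sh
# Added example (not from the wiki page): render an iptables-save style
# /etc/iptables/rules.v4, test it before installing, and persist ad-hoc blocks.
# Assumes Debian with iptables-persistent + netfilter-persistent installed.

# Emit a rules.v4 in the format iptables-restore/iptables-persistent read.
# $1 = comma-separated TCP ports to open (default: sshd 22, httpd 80/443).
render_rules_v4() {
  ports=${1:-22,80,443}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -m multiport --dports $ports -j ACCEPT
COMMIT
EOF
}

# Write the rendered rules to $1 (default /etc/iptables/rules.v4) only if
# iptables-restore can parse them, then have netfilter-persistent load them.
# $2 = optional port list passed through to render_rules_v4.
install_rules_v4() {
  target=${1:-/etc/iptables/rules.v4}
  tmp=$(mktemp)
  render_rules_v4 "$2" > "$tmp"
  if ! iptables-restore --test < "$tmp"; then
    echo "rules did not parse, leaving $target untouched" >&2
    rm -f "$tmp"
    return 1
  fi
  install -m 0600 "$tmp" "$target" && rm -f "$tmp"
  netfilter-persistent reload
  iptables -L INPUT -n -v   # -n: no reverse DNS, so the listing does not hang
}

# The page's "block an IP" one-liners only change the running ruleset;
# 'netfilter-persistent save' writes the live rules back to rules.v4/rules.v6
# so the block survives a reboot.
block_ip() {
  iptables -I INPUT  -s "$1" -j DROP
  iptables -I OUTPUT -d "$1" -j DROP
  netfilter-persistent save
}

# usage: sh fw.sh render [ports] | install [target] [ports] | block <ip>
case "${1:-}" in
  render)  render_rules_v4 "$2" ;;
  install) install_rules_v4 "$2" "$3" ;;
  block)   block_ip "$2" ;;
esac
```

`sh fw.sh render > /tmp/rules.v4` lets you diff against the current file first; `install` refuses to overwrite rules.v4 if the rendered file fails to parse, so a typo cannot leave the box without rules at next boot.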


nftables

nftables is the hip new thing in the kernel. It has nicer, easier to read config syntax and has a bunch of performance improvements. Current Debian (12) comes with it installed (but turned off).

  • enable the firewall
systemctl enable nftables
  • a basic firewall config you can drop into /etc/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table firewall {

 chain incoming {
   type filter hook input priority 0; policy drop;
   # established/related connections
   ct state established,related accept
   # loopback interface
   iifname lo accept
   # icmp
   icmp type echo-request accept
   # open tcp ports: sshd (22), httpd (80, 443), 999
   tcp dport { ssh, http, https, 999 } accept
   # tinc
   udp dport { 60000-61000 } accept
 }

}

table ip6 firewall {

 chain incoming {
   type filter hook input priority 0; policy drop;
   # established/related connections
   ct state established,related accept
   # invalid connections
   ct state invalid drop
   # loopback interface
   iifname lo accept
   # icmp
   # routers may also want: mld-listener-query, nd-router-solicit
   icmpv6 type { echo-request, nd-neighbor-solicit } accept
   # open tcp ports: sshd (22), httpd (80, 443), 999
   tcp dport { ssh, http, https, 999 } accept
   # tinc
   udp dport { 60000-61000 } accept
 }

}

  • start the firewall

systemctl start nftables

  • see how it looks (assuming you have not just accidentally locked yourself out of the server)

nft list ruleset
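An added example, not from this page or from the nftables project: the two tables above are merged into one inet-family table (one rule set that handles IPv4 and IPv6, which is the usual reason to prefer inet), keeping the invalid-state drop from the ip6 table, adding a rate-limited log line so dropped traffic shows up in the kernel log, and explicitly accepting the neighbour-discovery types a host needs, because conntrack leaves those untracked so `ct state established,related` never matches them. The second function addresses the lock-out worry above: it syntax-checks the file with `nft -c -f`, saves the running ruleset, applies the new file and restores the old ruleset automatically after a grace period unless you confirm from a fresh login. Function names, the grace period, the pidfile path and the port defaults are my assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): one inet table for v4+v6, plus a
# lock-out-safe apply with automatic rollback. Run as root on Debian 12.

# Emit an nftables ruleset file. $1 = TCP ports/services to open (nft set syntax).
nft_render_inet_ruleset() {
  tcp_ports=${1:-ssh, http, https}
  cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet firewall {
  chain incoming {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname "lo" accept
    icmp type echo-request accept
    # ND/RA are untracked by conntrack, so a host must accept them explicitly
    icmpv6 type { echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
    tcp dport { $tcp_ports } accept
    # tinc
    udp dport 60000-61000 accept
    # log (rate-limited) what the policy is about to drop
    limit rate 5/minute log prefix "nft-drop: "
  }
}
EOF
}

# Apply $1 but schedule a restore of the previous ruleset after $2 seconds
# (default 120). Run nft_confirm from a new login to cancel the rollback.
nft_apply_with_rollback() {
  conf=$1
  grace=${2:-120}
  pidfile=${NFT_ROLLBACK_PID:-/run/nft-rollback.pid}
  nft -c -f "$conf" || { echo "syntax check failed, nothing applied" >&2; return 1; }
  backup=$(mktemp /tmp/nft-backup.XXXXXX)
  # 'nft list ruleset' does not emit 'flush ruleset'; without it a restore would merge
  { echo "flush ruleset"; nft list ruleset; } > "$backup"
  # nohup so the timer survives the SSH session being cut off
  nohup sh -c "sleep $grace; nft -f '$backup'" >/dev/null 2>&1 &
  echo $! > "$pidfile"
  nft -f "$conf"
  echo "applied $conf; old ruleset returns in ${grace}s unless confirmed"
}

nft_confirm() {
  pidfile=${NFT_ROLLBACK_PID:-/run/nft-rollback.pid}
  kill "$(cat "$pidfile")" 2>/dev/null && rm -f "$pidfile" && echo "rollback cancelled"
}

# usage: sh nftfw.sh render [ports] > /etc/nftables.conf
#        sh nftfw.sh apply /etc/nftables.conf [seconds]   then, from a new ssh login:
#        sh nftfw.sh confirm
case "${1:-}" in
  render)  nft_render_inet_ruleset "$2" ;;
  apply)   nft_apply_with_rollback "$2" "$3" ;;
  confirm) nft_confirm ;;
esac
```

Dropped packets then appear in `journalctl -k` with the `nft-drop:` prefix, which is the quickest way to see why a service is unreachable after a change; the rate limit keeps a port scan from filling the log.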

get rich off your NFT!