Simple firewall


Simple firewall

Postby av88p » 2016-12-21 19:07

Obviously, the simplest firewall. This firewall drops all TCP connections, except those which are the computer's communication with itself (lo interface). Two versions. First - client only. Second - for a server with port 46850. Comments are welcome.

First:

iptables -F                                                  # flush existing rules in the filter table
iptables -A INPUT -i lo -j ACCEPT                            # let the host talk to itself
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -j DROP  # drop new inbound TCP connection attempts (SYN only)

Second:

iptables -F                                                  # flush existing rules in the filter table
iptables -A INPUT -i lo -j ACCEPT                            # let the host talk to itself
iptables -A INPUT -p tcp -m tcp --dport 46850 -j ACCEPT      # allow the server port
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -j DROP  # drop all other new inbound TCP connection attempts

Re: Simple firewall

Postby Bulkley » 2016-12-21 21:35

You are missing three important ones. Try this:

Code:
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


Without the two drops you are wide open.

As always, I suggest you check your router's firewall and, if possible, choose the most secure option.
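An offline check for the three things the reply above says are missing, written for this thread as an added example (not code from either poster): it reads an `iptables -S` dump and reports whether INPUT and FORWARD default to DROP, whether loopback is accepted, and whether an ESTABLISHED,RELATED accept exists. The two dumps are constructed to match the rulesets posted above as `-S` would print them (`--tcp-flags ALL SYN` comes back with the flag list spelled out); the function and sample names are my own.

```python
"""Audit an `iptables -S` dump for DROP policies on INPUT/FORWARD, a loopback
ACCEPT and an ESTABLISHED,RELATED ACCEPT. Runs offline on the samples below;
feed it `iptables -S` output from a real host the same way."""

# Constructed sample shaped like `iptables -S` output for the first poster's
# client-only ruleset (`--tcp-flags ALL SYN` is rendered with the flag list
# spelled out). Not captured from a real host.
CLIENT_ONLY = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG SYN -j DROP
"""

# Constructed sample for the ruleset in the reply (same caveat).
WITH_POLICIES = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"""


def parse_dump(dump):
    """Split a `-S` dump into {chain: policy} and [(chain, args)] rule tuples."""
    policies, rules = {}, []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif len(parts) >= 2 and parts[0] == "-A":
            rules.append((parts[1], parts[2:]))
    return policies, rules


def _value_after(args, flag):
    return args[args.index(flag) + 1] if flag in args else None


def accepts_loopback(args):
    return _value_after(args, "-i") == "lo" and _value_after(args, "-j") == "ACCEPT"


def accepts_conntrack(args):
    """True for `-m state --state` or `-m conntrack --ctstate` rules that
    ACCEPT both ESTABLISHED and RELATED, in either order."""
    if _value_after(args, "-j") != "ACCEPT":
        return False
    states = _value_after(args, "--state") or _value_after(args, "--ctstate")
    return states is not None and {"ESTABLISHED", "RELATED"} <= set(states.split(","))


def audit(dump):
    """Return a list of findings; an empty list means all three are present."""
    policies, rules = parse_dump(dump)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        policy = policies.get(chain, "unset")
        if policy != "DROP":
            findings.append(f"{chain} policy is {policy}, not DROP: anything no rule matches is let through")
    inbound = [args for chain, args in rules if chain == "INPUT"]
    if not any(accepts_loopback(a) for a in inbound):
        findings.append("INPUT has no ACCEPT for -i lo")
    if not any(accepts_conntrack(a) for a in inbound):
        findings.append("INPUT has no ESTABLISHED,RELATED ACCEPT: with a DROP policy, replies to outbound connections would be dropped")
    return findings


if __name__ == "__main__":
    for label, dump in (("client-only", CLIENT_ONLY), ("with policies", WITH_POLICIES)):
        print(f"{label}: {audit(dump) or ['ok']}")
```

Run against the first ruleset it reports three findings (both policies and the missing state rule; loopback is already there), and nothing against the second. On a real host pipe `iptables -S` into `audit()`; `ip6tables -S` is a separate table and needs the same treatment.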

Re: Simple firewall

Postby Head_on_a_Stick » 2016-12-21 22:57

I use this:
Code:
TheLab: ~ # cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # activate the following line to accept common local services
                #tcp dport { 22, 80, 443 } ct state new accept

                # accept neighbour discovery otherwise IPv6 connectivity breaks.
                ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

                # count and drop any other traffic
                counter drop
        }
}

https://packages.debian.org/jessie-backports/nftables

I find the syntax easier to understand :)
"Are you quite sure that all those bells and whistles, all those wonderful facilities of your so called powerful programming languages, belong to the solution set rather than the problem set?" — Edsger W. Dijkstra

Re: Simple firewall

Postby cryptoa » 2017-07-14 19:14

Code:
#!/usr/sbin/nft -f

flush ruleset

table inet filter {

    chain input {
        type filter hook input priority 0; policy drop;

        ### loopback iface
        iif lo accept

        ### established connections (removed: related)
        ### count and drop invalid; accept incoming if established
        ct state invalid counter drop
        ct state established accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ### loopback
        oif lo accept

        tcp sport { http, https, imaps, imap2, ftp } return
        ct state new,established accept
    }

    ## this chain still needs to be set up; I have added this postrouting as a placeholder
    ## currently does nothing
    chain final-out {
        type filter hook postrouting priority 0; policy accept;
    }
}


This is what I use. However, it is too strict for some sites. You could change the output to policy accept; I just don't like that. And yeah, I got nftables down in about a day, still need to look up keywords. I used firehol when it was iptables; never did like the gufw interface.
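The same kind of offline check for the two nftables configs in this thread, again an added example and not either poster's code. It lints an nftables.conf for the points raised above: the input chain ends in a drop (either `policy drop` or a final `counter drop`), loopback is accepted, a default-deny input chain accepts the ICMPv6 neighbour discovery types (the caveat in the first nft post), and `return` is not used in a base chain whose policy is drop. That last one matters for the second config: nft's `return` in a base chain applies the chain policy, so `tcp sport { http, ... } return` in an output chain with `policy drop` drops those packets, which is why the poster calls it strict. The two configs below are constructed abridged copies of the ones above (comments, `flush ruleset` and the unused forward/postrouting chains left out); the regexes and function names are my own and only handle the simple one-rule-per-line layout used here.

```python
"""Lint a simple nftables.conf for default-deny input, loopback accepts,
ICMPv6 neighbour discovery, and `return` inside a policy-drop base chain."""
import re

# Constructed abridged copy of the first nftables.conf above. Not from a host.
INPUT_ONLY_CONF = """\
table inet filter {
    chain input {
        type filter hook input priority 0;
        iif lo accept
        ct state established,related accept
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        counter drop
    }
}
"""

# Constructed abridged copy of the second config (forward and postrouting chains omitted).
STRICT_OUTPUT_CONF = """\
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid counter drop
        ct state established accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        tcp sport { http, https, imaps, imap2, ftp } return
        ct state new,established accept
    }
}
"""

# A chain body runs from `chain NAME {` to the first `}` that sits alone on a
# line; inline sets like `{ http, https }` close on the same line so they are skipped.
CHAIN_RE = re.compile(r"chain\s+(\S+)\s*\{(.*?)\n\s*\}", re.S)
BASE_RE = re.compile(r"type\s+filter\s+hook\s+(\w+)\s+priority\s+-?\d+\s*;(?:\s*policy\s+(\w+)\s*;)?")


def parse_chains(conf):
    """Return {name: {"hook": str|None, "policy": str|None, "rules": [str]}}."""
    chains = {}
    for m in CHAIN_RE.finditer(conf):
        name, body = m.group(1), m.group(2)
        hook = policy = None
        rules = []
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            base = BASE_RE.match(line)
            if base:
                # A base chain with no explicit policy defaults to accept.
                hook, policy = base.group(1), base.group(2) or "accept"
            else:
                rules.append(line)
        chains[name] = {"hook": hook, "policy": policy, "rules": rules}
    return chains


def lint(conf):
    """Return a list of findings; an empty list means no check fired."""
    findings = []
    for name, chain in parse_chains(conf).items():
        hook, policy, rules = chain["hook"], chain["policy"], chain["rules"]
        if hook is None:
            continue  # regular chain, only reached via jump/goto
        default_deny = policy == "drop" or bool(rules and rules[-1].split()[-1] == "drop")
        if hook == "input":
            if not default_deny:
                findings.append(f"{name}: input chain is not default-deny")
            if not any(r.startswith("iif lo ") for r in rules):
                findings.append(f"{name}: no `iif lo accept`")
            if default_deny and not any("icmpv6" in r for r in rules):
                findings.append(f"{name}: default-deny input with no ICMPv6 neighbour discovery accept; IPv6 will break")
        if hook == "output" and not any(r.startswith("oif lo ") for r in rules):
            findings.append(f"{name}: no `oif lo accept`")
        if policy == "drop":
            for r in rules:
                if r.split()[-1] == "return":
                    findings.append(f"{name}: `{r}` returns from a base chain with policy drop, so those packets are dropped")
    return findings


if __name__ == "__main__":
    for label, conf in (("input-only", INPUT_ONLY_CONF), ("strict-output", STRICT_OUTPUT_CONF)):
        print(f"{label}: {lint(conf) or ['ok']}")
```

The first config comes back clean; the second gets two findings, the missing ICMPv6 rule in its input chain and the `return` in its output chain. Before applying either file for real, `nft -c -f /etc/nftables.conf` is the syntax check that catches the things a regex lint cannot.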