Simple firewall


Simple firewall

Postby av88p » 2016-12-21 19:07

Obviously, the simplest firewall. This firewall drops all TCP connections except those that are the computer's communication with itself (lo interface). Two versions. First: client only. Second: for a server with port 46850. Comments are welcome.

First:

iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -j DROP

Second:

iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 46850 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -j DROP
av88p
 
Posts: 5
Joined: 2016-11-24 17:02

Re: Simple firewall

Postby Bulkley » 2016-12-21 21:35

You are missing three important ones. Try this:

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


Without the two drops you are wide open.

As always, I suggest you check your router's firewall and, if possible, choose the most secure option.
Bulkley
 
Posts: 5240
Joined: 2006-02-11 18:35
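To make the difference between the two rule sets above concrete, here is an added example (not code from the thread) that models the INPUT chain of av88p's first version and of Bulkley's version and evaluates both against a few constructed packets. It models only the matches those rules use (-i, -p, --tcp-flags, -m state); the conntrack state of each packet is supplied as an input rather than tracked, and the policy for av88p's version is assumed to be the fresh-install default ACCEPT, since `iptables -F` clears rules but does not change policies.

```python
"""Toy model of the two INPUT rule sets posted above, evaluated against
constructed packets.  Added example; not code from the thread.  It models
only the matches those rules use (-i, -p, --tcp-flags, -m state) and takes
the conntrack classification of each packet as a given input."""

# iptables' ALL keyword covers these six flags (ECE/CWR are not examined).
ALL_FLAGS = frozenset({"SYN", "ACK", "FIN", "RST", "URG", "PSH"})


def rule_matches(rule, pkt):
    """Return True when every match listed in `rule` holds for `pkt`."""
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "tcp_flags" in rule:
        # --tcp-flags MASK COMP: of the flags in MASK, exactly COMP must be set.
        if pkt["proto"] != "tcp":
            return False
        mask, comp = rule["tcp_flags"]
        if (pkt["flags"] & mask) != comp:
            return False
    if "states" in rule and pkt["ct_state"] not in rule["states"]:
        return False
    return True


def evaluate(chain, pkt):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain["rules"]:
        if rule_matches(rule, pkt):
            return rule["target"]
    return chain["policy"]


# av88p's first version.  `iptables -F` clears rules but leaves the policy,
# which on a fresh install is ACCEPT, so that is the policy assumed here.
AV88P_CLIENT = {
    "policy": "ACCEPT",
    "rules": [
        {"iface": "lo", "target": "ACCEPT"},
        {"proto": "tcp", "tcp_flags": (ALL_FLAGS, frozenset({"SYN"})), "target": "DROP"},
    ],
}

# Bulkley's version: default DROP plus the conntrack rule.
BULKLEY = {
    "policy": "DROP",
    "rules": [
        {"iface": "lo", "target": "ACCEPT"},
        {"states": {"ESTABLISHED", "RELATED"}, "target": "ACCEPT"},
    ],
}

# Constructed packets, each with the state conntrack would assign to it.
PACKETS = {
    "udp_new":      {"iface": "eth0", "proto": "udp", "flags": frozenset(), "ct_state": "NEW"},
    "tcp_syn":      {"iface": "eth0", "proto": "tcp", "flags": frozenset({"SYN"}), "ct_state": "NEW"},
    "tcp_ack_only": {"iface": "eth0", "proto": "tcp", "flags": frozenset({"ACK"}), "ct_state": "INVALID"},
    "tcp_reply":    {"iface": "eth0", "proto": "tcp", "flags": frozenset({"SYN", "ACK"}), "ct_state": "ESTABLISHED"},
    "loopback":     {"iface": "lo", "proto": "tcp", "flags": frozenset({"SYN"}), "ct_state": "NEW"},
}


def compare(name):
    """Verdict of both rule sets for the named constructed packet."""
    pkt = PACKETS[name]
    return {"av88p": evaluate(AV88P_CLIENT, pkt), "bulkley": evaluate(BULKLEY, pkt)}


if __name__ == "__main__":
    for name in PACKETS:
        print(f"{name:13} {compare(name)}")
```

The run shows what "wide open" means in practice: with the SYN-only drop and no DROP policy, any UDP datagram and any TCP segment that is not a bare SYN is accepted, whereas Bulkley's version accepts only loopback traffic and replies to connections the host itself opened.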

Re: Simple firewall

Postby Head_on_a_Stick » 2016-12-21 22:57

I use this:
TheLab: ~ # cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # activate the following line to accept common local services
                #tcp dport { 22, 80, 443 } ct state new accept

                # accept neighbour discovery otherwise IPv6 connectivity breaks.
                ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

                # count and drop any other traffic
                counter drop
        }
}

https://packages.debian.org/jessie-backports/nftables

I find the syntax easier to understand :)
"Controlling complexity is the essence of computer programming." (Brian Kernighan)

Please read before posting How to report a problem
Head_on_a_Stick
 
Posts: 6491
Joined: 2014-06-01 17:46
Location: /dev/chair
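The comment about neighbour discovery is the easy thing to lose when trimming a default-drop input chain. The following added example (not from the post or the nftables project) reads an nftables.conf, extracts the `chain input` block with comments stripped, and reports whether the chain is default-drop and whether it still carries the loopback accept, the `ct state established,related accept`, and accepts for the three ICMPv6 neighbour-discovery types. The first sample is the config above; the second is a constructed variant with `related` and the ICMPv6 line left out.

```python
"""Audit the input chain of an nftables.conf for the pieces a default-drop
chain needs.  Added example; not code from the thread or from nftables.
Parsing is line-based and covers the statement forms used in the thread."""

import re

ND_TYPES = ("nd-neighbor-solicit", "nd-neighbor-advert", "nd-router-advert")


def input_chain_statements(config):
    """Statements of `chain input { ... }`, comments stripped, ';' and newlines split."""
    stripped = "\n".join(line.split("#", 1)[0] for line in config.splitlines())
    m = re.search(r"chain\s+input\s*\{(.*?)^[ \t]*\}", stripped, re.S | re.M)
    if not m:
        return []
    return [s.strip() for s in re.split(r"[;\n]", m.group(1)) if s.strip()]


def audit_input_chain(config):
    """Return a list of findings; an empty list means all four pieces are present."""
    stmts = input_chain_statements(config)
    if not stmts:
        return ["no input chain found"]
    findings = []
    rules = [s for s in stmts if not s.startswith(("type ", "policy "))]
    # Default-drop either via `policy drop` or via an unconditional final drop.
    default_drop = "policy drop" in stmts or (bool(rules) and rules[-1].endswith("drop"))
    if not default_drop:
        findings.append("input chain is not default-drop (no 'policy drop' and no final drop rule)")
    if not any(re.match(r'iif(name)?\s+"?lo"?\s+accept$', r) for r in rules):
        findings.append("no loopback accept")
    if not any(re.match(r"ct\s+state\s+\{?\s*established\s*,\s*related\s*\}?\s+accept$", r) for r in rules):
        findings.append("no 'ct state established,related accept'")
    nd_rules = [r for r in rules if "icmpv6 type" in r and r.endswith("accept")]
    missing = [t for t in ND_TYPES if not any(t in r for r in nd_rules)]
    if missing:
        findings.append("IPv6 neighbour discovery not accepted: " + ", ".join(missing))
    return findings


# Sample input: the config from the post above.
SAMPLE_CONF = """#!/usr/sbin/nft -f
flush ruleset
table inet filter {
        chain input {
                type filter hook input priority 0;
                iif lo accept
                ct state established,related accept
                #tcp dport { 22, 80, 443 } ct state new accept
                ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
                counter drop
        }
}
"""

# Constructed variant: default-drop via policy, but `related` and the
# ICMPv6 neighbour-discovery accepts have been left out.
WEAK_CONF = """table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                iif lo accept
                ct state established accept
        }
}
"""

if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("weak", WEAK_CONF)):
        print(label, audit_input_chain(conf) or "ok")
```

Commented-out rules are ignored, so the disabled `tcp dport { 22, 80, 443 }` line does not count as an accept; a chain that closes with `counter drop` is treated the same as one declared with `policy drop`.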

Re: Simple firewall

Postby cryptoa » 2017-07-14 19:14

#!/usr/sbin/nft -f

flush ruleset

table inet filter {

        chain input {
                type filter hook input priority 0; policy drop;

                ### loopback iface
                iif lo accept

                ### established connections (related removed)
                ### count and drop invalid; accept incoming only if established
                ct state invalid counter drop
                ct state established accept
        }

        chain forward {
                type filter hook forward priority 0; policy drop;
        }

        chain output {
                type filter hook output priority 0; policy drop;
                ### loopback
                oif lo accept

                tcp sport { http, https, imaps, imap2, ftp } return
                ct state new, established accept
        }

        ## this chain still needs to be set up; I have added this postrouting chain as a placeholder
        ## currently does nothing
        chain final-out {
                type filter hook postrouting priority 0; policy accept;
        }

}


This is what I use. However, it is too strict for some sites. You could change the output to policy accept; I just don't like that. And yeah, I got nftables down in about a day, though I still need to look up keywords. I used firehol when it was iptables. Never did like the gufw interface.
cryptoa
 
Posts: 34
Joined: 2014-01-03 21:35

