Debian User Forums

[av88p]

Obviously, simpliest firewall. This firewall drops all TCP connections, except those, which are computer's communication with computer itself (lo interface). Two versions. First - client only. Second - for server with port 46850. Comments are welcome.

First:

iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -j DROP

Second:

iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 46850 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -j DROP

[Bulkley]

You are missing three important ones. Try this:

Code: Select all

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Without the two drops you are wide open.

As always, I suggest you check your router's firewall and, if possible, choose the most secure option.

[Head_on_a_Stick]

I use this:

Code: Select all

TheLab: ~ # cat /etc/nftables.conf                                                       
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # activate the following line to accept common local services
                #tcp dport { 22, 80, 443 } ct state new accept

                # accept neighbour discovery otherwise IPv6 connectivity breaks.
                ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert } accept

                # count and drop any other traffic
                counter drop
        }
}

https://packages.debian.org/jessie-backports/nftables

I find the syntax easier to understand

[cryptoa]

Code: Select all

#!/usr/sbin/nft -f

flush ruleset

table inet filter {

   chain input {
      type filter hook input priority 0; policy drop;

      ### loopback iface
      iif lo                                                              accept

   ### established/related connections #removed , related     
        ###count invalid accept incoming if established
   ct state invalid counter                                        drop
   ct state established                                             accept

               }

chain forward {
      type filter hook forward priority 0; policy drop;
         }


chain output {
      type filter hook output priority 0; policy drop;
      ### looopback
      oif lo                                                                         accept

   tcp sport  { http, https, imaps, imap2, ftp }                   return
   ct state new, established                                                accept
             }

## this chain still needs to be set up i have added this postrouting as a placeholder
## currently dose nothing

chain final-out { type filter hook postrouting priority 0; policy accept;
      }

}


this is what i use.. .... however it is too strict for some sites .. you could change the output to policy accept ... i just don't like that .. and ya i got nftables down in about a day ... still need to look up keywords .... i used firehol when it was iptables.. never did like gufw interface...