Obviously, simpliest firewall. This firewall drops all TCP connections, except those, which are computer's communication with computer itself (lo interface). Two versions. First - client only. Second - for server with port 46850. Comments are welcome.
First:
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -j DROP
Second:
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 46850 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -j DROP
Simple firewall
4 posts
• Page 1 of 1
Re: Simple firewall
by Bulkley » 2016-12-21 21:35
You are missing three important ones. Try this:
Without the two drops you are wide open.
As always, I suggest you check your router's firewall and, if possible, choose the most secure option.
- Code: Select all
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Without the two drops you are wide open.
As always, I suggest you check your router's firewall and, if possible, choose the most secure option.
- Bulkley
- Posts: 5236
- Joined: 2006-02-11 18:35
Re: Simple firewall
by Head_on_a_Stick » 2016-12-21 22:57
I use this:
https://packages.debian.org/jessie-backports/nftables
I find the syntax easier to understand
- Code: Select all
TheLab: ~ # cat /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
# accept any localhost traffic
iif lo accept
# accept traffic originated from us
ct state established,related accept
# activate the following line to accept common local services
#tcp dport { 22, 80, 443 } ct state new accept
# accept neighbour discovery otherwise IPv6 connectivity breaks.
ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
# count and drop any other traffic
counter drop
}
}
https://packages.debian.org/jessie-backports/nftables
I find the syntax easier to understand
“Controlling complexity is the essence of computer programming." — Brian Kernighan
Please read before posting ∙ How to report a problem
Please read before posting ∙ How to report a problem
-
Head_on_a_Stick - Posts: 6491
- Joined: 2014-06-01 17:46
- Location: /dev/chair
Re: Simple firewall
by cryptoa » 2017-07-14 19:14
- Code: Select all
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
### loopback iface
iif lo accept
### established/related connections #removed , related
###count invalid accept incoming if established
ct state invalid counter drop
ct state established accept
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy drop;
### looopback
oif lo accept
tcp sport { http, https, imaps, imap2, ftp } return
ct state new, established accept
}
## this chain still needs to be set up i have added this postrouting as a placeholder
## currently dose nothing
chain final-out { type filter hook postrouting priority 0; policy accept;
}
}
this is what i use.. .... however it is too strict for some sites .. you could change the output to policy accept ... i just don't like that .. and ya i got nftables down in about a day ... still need to look up keywords .... i used firehol when it was iptables.. never did like gufw interface...
- cryptoa
- Posts: 34
- Joined: 2014-01-03 21:35
4 posts
• Page 1 of 1
Return to Docs, Howtos, Tips & Tricks
Who is online
Users browsing this forum: No registered users and 2 guests