Debian User Forums

[av88p]

Obviously, simpliest firewall. This firewall drops all TCP connections, except those, which are computer's communication with computer itself (lo interface). Two versions. First - client only. Second - for server with port 46850. Comments are welcome.

First:

iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -j DROP

Second:

iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 46850 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -j DROP

[Bulkley]

You are missing three important ones. Try this:

Code: Select all

iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Without the two drops you are wide open.

As always, I suggest you check your router's firewall and, if possible, choose the most secure option.

[Head_on_a_Stick]

I use this:

Code: Select all

TheLab: ~ # cat /etc/nftables.conf                                                       
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # activate the following line to accept common local services
                #tcp dport { 22, 80, 443 } ct state new accept

                # accept neighbour discovery otherwise IPv6 connectivity breaks.
                ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert } accept

                # count and drop any other traffic
                counter drop
        }
}

https://packages.debian.org/jessie-backports/nftables

I find the syntax easier to understand