Simple firewall

av88p
Posts: 5
Joined: 2016-11-24 17:02

Simple firewall

#1 Post by av88p »

Obviously, the simplest firewall. This firewall drops all TCP connections, except those which are the computer's communication with itself (lo interface). Two versions. First - client only. Second - for a server with port 46850. Comments are welcome.

First:

iptables -F                                                   # flush all existing rules
iptables -A INPUT -i lo -j ACCEPT                             # allow loopback traffic
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -j DROP   # drop new TCP connection attempts (bare SYN)

Second:

iptables -F                                                   # flush all existing rules
iptables -A INPUT -i lo -j ACCEPT                             # allow loopback traffic
iptables -A INPUT -p tcp -m tcp --dport 46850 -j ACCEPT       # allow incoming connections to the server port
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -j DROP   # drop all other new TCP connection attempts (bare SYN)

Bulkley
Posts: 6383
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: Simple firewall

#2 Post by Bulkley »

You are missing three important ones. Try this:

Code: Select all

iptables -F                                                         # flush existing rules
iptables -P INPUT DROP                                              # default policy: drop incoming packets
iptables -P FORWARD DROP                                            # default policy: drop forwarded packets
iptables -P OUTPUT ACCEPT                                           # default policy: allow outgoing packets
iptables -A INPUT -i lo -j ACCEPT                                   # allow loopback traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # allow replies to connections we started

Without the two drops you are wide open.

As always, I suggest you check your router's firewall and, if possible, choose the most secure option.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Simple firewall

#3 Post by Head_on_a_Stick »

I use this:

Code: Select all

TheLab: ~ # cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # activate the following line to accept common local services
                #tcp dport { 22, 80, 443 } ct state new accept

                # accept neighbour discovery otherwise IPv6 connectivity breaks.
                ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

                # count and drop any other traffic
                counter drop
        }
}

https://packages.debian.org/jessie-backports/nftables

I find the syntax easier to understand :)
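As an added example (not code from any post in this thread), a small shell lint that checks an nftables config for the default-deny shape the replies converge on: it accepts either `policy drop` on the input chain or a chain that ends in an unconditional drop like the `counter drop` above. The function name `check_input_chain` and the two sample configs it runs on are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an nftables config for an input
# chain with loopback accept, established accept and a default deny (either
# "policy drop" or a final unconditional drop). Assumes one "chain input" block
# per file with "{" / "}" at line ends.
check_input_chain() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }                    # skip comments and blanks
    /chain[ \t]+input[ \t]*[{]/ { inchain = 1; depth = 1; next }
    inchain {
        if ($0 ~ /hook[ \t]+input/)                    hook = 1
        if ($0 ~ /policy[ \t]+drop/)                   policy = 1
        if ($0 ~ /iif[ \t]+lo[ \t]+accept/)            lo = 1
        if ($0 ~ /ct[ \t]+state.*established.*accept/) est = 1
        if ($0 ~ /[{]/) depth++
        if ($0 ~ /[}]/) { depth--; if (depth == 0) { inchain = 0; next } }
        last = $0                   # last statement before the closing brace
        next
    }
    END {
        sub(/^[ \t]+/, "", last); sub(/[ \t]+$/, "", last)
        deny = policy || (last ~ /^(counter[ \t]+)?drop;?$/)
        if (!hook) msg = msg " no-input-hook";     if (!deny) msg = msg " no-default-drop"
        if (!lo)   msg = msg " no-loopback-accept"; if (!est) msg = msg " no-established-accept"
        print (msg == "" ? "ok" : ("missing:" msg))
    }' "$1"
}

# Constructed sample configs, written to temp files because the lint takes a path.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp); trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
table inet filter {
	chain input {
		type filter hook input priority 0;
		iif lo accept
		ct state established,related accept
		counter drop
	}
}
EOF
# Constructed sample mirroring the first post's server variant: no default deny, no state tracking.
cat > "$BAD_CONF" <<'EOF'
table inet filter {
	chain input {
		type filter hook input priority 0;
		iif lo accept
		tcp dport 46850 accept
	}
}
EOF
check_input_chain "$GOOD_CONF"    # ok
check_input_chain "$BAD_CONF"     # missing: no-default-drop no-established-accept
```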

cryptoa
Posts: 44
Joined: 2014-01-03 21:35

Re: Simple firewall

#4 Post by cryptoa »

Code: Select all

#!/usr/sbin/nft -f

flush ruleset

table inet filter {

	chain input {
		type filter hook input priority 0; policy drop;

		### loopback iface
		iif lo accept

		### established/related connections #removed , related
		### count invalid; accept incoming if established
		ct state invalid counter drop
		ct state established accept
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
	}

	chain output {
		type filter hook output priority 0; policy drop;

		### loopback
		oif lo accept

		tcp sport { http, https, imaps, imap2, ftp } return
		ct state new,established accept
	}

	## this chain still needs to be set up; I have added this postrouting as a placeholder
	## currently does nothing
	chain final-out {
		type filter hook postrouting priority 0; policy accept;
	}
}

This is what I use. However, it is too strict for some sites. You could change the output to policy accept; I just don't like that. And yeah, I got nftables down in about a day, still need to look up keywords. I used firehol when it was iptables; never did like the gufw interface.
