This is a basic firewall setup for desktop computers, aimed at beginners.
What will it result in?
* An extra layer of security.
* Your services will be unreachable. You choose when you want to expose them to the Internet.
* All outgoing traffic is open. (This is OK for most users, but if you want top notch firewall security, you should restrict outgoing traffic as well.)
Let's do this
Remove all traces of iptables and flush all its rules:
# iptables -F && apt remove iptables iptables-persistent
nftables should be installed by default, but just in case:
# apt install nftables
We can check that there are no rules loaded by running:
# nft list ruleset
We will now copy the nftables configuration file to the correct location:
# cp /usr/share/doc/nftables/examples/workstation.nft /etc/nftables.conf
Now we will edit the file:
# nano /etc/nftables.conf
It will look like this:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # activate the following line to accept common local services
        #tcp dport { 22, 80, 443 } ct state new accept
        # accept neighbour discovery otherwise IPv6 connectivity breaks.
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        # count and drop any other traffic
        counter drop
    }
}
The default configuration file allows all traffic on the loopback interface, allows the replies to connections your desktop itself initiated (the established,related rule), keeps IPv6 neighbour discovery working, and drops everything else. This means that even pings from your own network will not get a response. (Yes, I have tested this.)
It is not necessary to open port 22 unless you want to SSH into this machine, and 80 and 443 do not need to be opened to browse the web: outgoing connections and their replies are already allowed, so browsing works just fine with those ports closed.
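As an added example (not the workstation.nft shipped with the Debian package), here is the same file extended in the two directions the post hints at: an output chain with a drop default, so outgoing traffic is restricted as well, and pings from your own network answered. The LAN prefix 192.168.1.0/24 is an assumption; adjust it to your network.

```nft
#!/usr/sbin/nft -f
# Added example: stock workstation rules plus a restrictive output chain.
# 192.168.1.0/24 is an assumed LAN prefix; change it to match your network.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # answer pings from the local network only (the stock file answers none)
        ip saddr 192.168.1.0/24 icmp type echo-request limit rate 10/second accept

        # IPv6 neighbour discovery, as in the stock file
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

        # uncomment to expose SSH to the local network only, not the Internet
        #ip saddr 192.168.1.0/24 tcp dport 22 ct state new accept

        counter drop
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif lo accept
        ct state established,related accept

        # DNS, DHCP client, NTP, web and outgoing SSH cover a typical desktop;
        # without udp 67 the machine cannot renew its DHCP lease
        udp dport { 53, 67, 123 } ct state new accept
        tcp dport { 22, 53, 80, 443 } ct state new accept

        # let the host ping out and send ICMP errors, and keep IPv6 ND working
        icmp type { echo-request, destination-unreachable } accept
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-solicit, nd-neighbor-advert, echo-request } accept

        # log what gets blocked so an application that needs a new rule is noticed
        counter log prefix "nft-out-drop: " drop
    }
}
```

Blocked outgoing attempts show up in the kernel log (journalctl -k) under the nft-out-drop: prefix, which is where to look when a program stops working after loading this file.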
Edit the file if needed, then press Control+X and answer y to save and exit.
Enabling and starting the firewall
Enable it to start on boot:
# systemctl enable nftables.service
Start nftables now:
# systemctl start nftables.service
Check that everything is OK:
# nft list ruleset
It should look like this (the packet and byte counters will differ on your machine):
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept
        ct state established,related accept
        ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        counter packets 410 bytes 31247 drop
    }
}