Debian User Forums

[Hallvor]

Who is this for?
This is a basic firewall for desktop computers and aimed at beginners.

What will it result in?
* An extra layer of security.
* Your services will be unreachable. You choose when you want to expose them to the Internet.
* All outgoing traffic is open. (This is OK for most users, but if you want top notch firewall security, you should restrict outgoing traffic as well.)

Let's do this

Remove all traces of Iptables and flush all iptables rules:

Code: Select all

# iptables -F && apt remove iptables iptables-persistent

Nftables should be installed by default, but just in case...

Code: Select all

# apt install nftables

We can see that there are no rules by pressing

Code: Select all

# nft list ruleset

We will now copy the nftables configuration file to the correct location:

Code: Select all

# cp /usr/share/doc/nftables/examples/workstation.nft /etc/nftables.conf

Now we will edit the file:

Code: Select all

# nano /etc/nftables.conf

It will look like this:

Code: Select all

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # activate the following line to accept common local services
                #tcp dport { 22, 80, 443 } ct state new accept

                # accept neighbour discovery otherwise IPv6 connectivity breaks.
                ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert } accept

                # count and drop any other traffic
                counter drop
        }
}

The default configuration file will allow all traffic to the loopback interface, allow all traffic originating from your desktop and drop everything else. This means that even pings from your own network will not get a response. (Yes, I have tested.)

It is not necessary to open port 22 unless you want to SSH into it, and 80 and 443 do not need to be opened to browse the web. It will work just fine with those ports closed.

Edit the file if needed, and save it by pressing Control + x and then y to exit.

Enabling and starting the firewall

Enable start on boot

Code: Select all

# systemctl enable nftables.service

Start nftables now

Code: Select all

# systemctl start nftables.service

Check that everything is OK

Code: Select all

# nft list ruleset

It should look like this:

Code: Select all

table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif "lo" accept
                ct state established,related accept
                ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
                counter packets 410 bytes 31247 drop
        }
}

[None1975]

Thank you for sharing it. Works as they should.

[duhok1]

You can also try pinging your computer, and there should be a 100% packet loss. Replace with your internal address, for instance:

Code: Select all

ping -c3 192.168.1.x
PING 192.168.1.x (192.168.1.x) 56(84) bytes of data.

--- 192.168.1.x ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 50ms

It works.

I am getting 100% received pinging my local IP (192.168.0.xx). Appreciate your input.

[Hallvor]

What is the output of the following?

Code: Select all

# nft list ruleset

Code: Select all

# systemctl status nftables.service

[duhok1]

What is the output of the following?

Code: Select all

# nft list ruleset

Code: Select all

# systemctl status nftables.service

Code: Select all

table inet filter {
   chain input {
      type filter hook input priority filter; policy accept;
      iif "lo" accept
      ct state established,related accept
      ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
      counter packets 2 bytes 112 drop
   }
}


Code: Select all

● nftables.service - Netfilter Tables
     Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
     Active: active (exited) since Thu 2020-03-12 09:38:25 EDT; 6min ago
       Docs: man:nft(8)
    Process: 807 ExecStart=/usr/bin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
   Main PID: 807 (code=exited, status=0/SUCCESS)

Mar 12 09:38:25 cheebo systemd[1]: Starting Netfilter Tables...
Mar 12 09:38:25 cheebo systemd[1]: Finished Netfilter Tables.

[Hallvor]

It is both running and dropping traffic. Unless you have altered the default settings, it should work.

[gijsg]

My local IP adress is 192.168.0.161, the ping test failes for this IP adress but not for 192.168.1.161. Any idea why?

My nftables.conf is an exact copy of the tutorial.

Here are the commands I've used:

https://i.imgur.com/OVDWDR7.png

~~~~

Mod Note: image changed to URL, please post actual text (using code tags) rather than pictures of text — HoaS

[Head_on_a_Stick]

My local IP adress is 192.168.0.161, the ping test failes for this IP adress but not for 192.168.1.161. Any idea why?

Your (redacted) image shows the exact opposite.

The workstation ruleset does not block ICMP echo requests (because they shouldn't be blocked[0]) so your result is as expected.

And please note that Raspbian is not supported here.