Obviously, the simplest firewall. This firewall drops all TCP connections, except those which are the computer's communication with itself (lo interface). Two versions. First - client only. Second - for a server with port 46850. Comments are welcome.
First:
# flush all rules in the filter table (chain policies are left as they were)
iptables -F
# accept everything arriving on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
# drop TCP packets that have only the SYN flag set, i.e. new inbound connection attempts
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -j DROP
Second:
# flush all rules in the filter table (chain policies are left as they were)
iptables -F
# accept everything arriving on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
# accept inbound TCP to the service port 46850
iptables -A INPUT -p tcp -m tcp --dport 46850 -j ACCEPT
# drop any other TCP packet that has only the SYN flag set (new connection attempts)
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL SYN -j DROP
Simple firewall
Re: Simple firewall
You are missing three important ones. Try this:
Without the two drops you are wide open.
As always, I suggest you check your router's firewall and, if possible, choose the most secure option.
Code:
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- Head_on_a_Stick
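The difference between the original poster's SYN-only rule and the reply's default-policy-DROP rule set is easiest to see by evaluating both on a few packets. The following is an added example, not code from the thread: a tiny model of an iptables INPUT chain (first matching rule wins, otherwise the chain policy applies) with five constructed sample packets. It assumes the stock INPUT policy of ACCEPT for the original version, since iptables -F flushes rules but does not change the policy, and it supplies the conntrack state of each packet by hand rather than tracking connections.

```python
# Added example (not from the thread): a simplified model of an iptables INPUT
# chain, used to compare the two rule sets discussed above on sample packets.
# First matching rule decides; with no match the chain policy applies.
# Conntrack states are supplied per packet instead of being tracked.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str                                # interface the packet arrived on
    proto: str                                # "tcp", "udp" or "icmp"
    dport: int = 0                            # destination port (0 = not applicable)
    tcp_flags: FrozenSet[str] = frozenset()   # TCP flags that are set, e.g. {"SYN"}
    ct_state: str = "NEW"                     # NEW, ESTABLISHED, RELATED or INVALID


@dataclass(frozen=True)
class Rule:
    target: str                               # "ACCEPT" or "DROP"
    iface: Optional[str] = None               # -i <iface>
    proto: Optional[str] = None               # -p <proto>
    dport: Optional[int] = None               # --dport <port>
    only_syn: bool = False                    # --tcp-flags ALL SYN: SYN set, all others clear
    ct_states: Optional[FrozenSet[str]] = None  # -m state --state a,b

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and pkt.iface != self.iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.only_syn and not (pkt.proto == "tcp" and pkt.tcp_flags == {"SYN"}):
            return False
        if self.ct_states is not None and pkt.ct_state not in self.ct_states:
            return False
        return True


def verdict(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """Walk the chain: the first matching rule decides, else the policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# The original poster's client-only version. "iptables -F" leaves the chain
# policy untouched, so the stock INPUT policy ACCEPT is assumed here.
OP_CLIENT: Tuple[List[Rule], str] = (
    [Rule("ACCEPT", iface="lo"),
     Rule("DROP", proto="tcp", only_syn=True)],
    "ACCEPT",
)

# The reply's version: policy DROP plus loopback and ESTABLISHED,RELATED accepts.
POLICY_DROP: Tuple[List[Rule], str] = (
    [Rule("ACCEPT", iface="lo"),
     Rule("ACCEPT", ct_states=frozenset({"ESTABLISHED", "RELATED"}))],
    "DROP",
)

# Constructed sample packets (not captured traffic), most arriving on eth0.
SAMPLES = {
    "new tcp syn to port 22": Packet("eth0", "tcp", 22, frozenset({"SYN"})),
    "tcp ack with no session": Packet("eth0", "tcp", 22, frozenset({"ACK"})),
    "new udp to port 53": Packet("eth0", "udp", 53),
    "syn-ack reply to our own connection":
        Packet("eth0", "tcp", 40000, frozenset({"SYN", "ACK"}), "ESTABLISHED"),
    "loopback tcp": Packet("lo", "tcp", 8080, frozenset({"SYN"})),
}


def compare(samples=SAMPLES):
    """Return {description: (verdict under OP_CLIENT, verdict under POLICY_DROP)}."""
    return {
        name: (verdict(*OP_CLIENT, pkt), verdict(*POLICY_DROP, pkt))
        for name, pkt in samples.items()
    }


if __name__ == "__main__":
    for name, (original, hardened) in compare().items():
        print(f"{name:38} SYN-only: {original:7} policy-drop: {hardened}")
```

Running it shows that the SYN-only rule set passes new UDP datagrams and TCP segments without a lone SYN flag straight through to the ACCEPT policy, while the policy-DROP rule set lets through only loopback traffic and packets that conntrack attributes to a connection this host started.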
Re: Simple firewall
I use this:
https://packages.debian.org/jessie-backports/nftables
I find the syntax easier to understand
Code:
TheLab: ~ # cat /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # activate the following line to accept common local services
        #tcp dport { 22, 80, 443 } ct state new accept
        # accept neighbour discovery otherwise IPv6 connectivity breaks.
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        # count and drop any other traffic
        counter drop
    }
}
deadbang
Re: Simple firewall
Code:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ### loopback iface
        iif lo accept
        ### established/related connections #removed , related
        ### count invalid, accept incoming if established
        ct state invalid counter drop
        ct state established accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ### loopback
        oif lo accept
        tcp sport { http, https, imaps, imap2, ftp } return
        ct state new,established accept
    }
    ## this chain still needs to be set up; I have added this postrouting as a placeholder
    ## currently does nothing
    chain final-out {
        type filter hook postrouting priority 0; policy accept;
    }
}