This is a basic firewall for desktop computers and aimed at beginners.
What will it result in?
* An extra layer of security.
* Your services will be unreachable. You choose when you want to expose them to the Internet.
* All outgoing traffic is open. (This is OK for most users, but if you want top notch firewall security, you should restrict outgoing traffic as well.)
Let's do this
Remove all traces of Iptables and flush all iptables rules:
Code: Select all
# iptables -F && apt remove iptables iptables-persistent
Install nftables:
Code: Select all
# apt install nftables
See which rules are currently loaded:
Code: Select all
# nft list ruleset
Use the workstation example shipped with the package as the starting point for your config:
Code: Select all
# cp /usr/share/doc/nftables/examples/workstation.nft /etc/nftables.conf
Open the config in an editor:
Code: Select all
# nano /etc/nftables.conf
Code: Select all
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # activate the following line to accept common local services
        #tcp dport { 22, 80, 443 } ct state new accept
        # accept neighbour discovery otherwise IPv6 connectivity breaks.
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        # count and drop any other traffic
        counter drop
    }
}
Opening ports
You may need to open ports in your firewall to make everything work. Fortunately, there are several tools to make this easy.
Code: Select all
# netstat -tulpn
Here is example output from my computer.
Code: Select all
root@debian-thinkpad:~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::1740                 :::*                    LISTEN      1620/kdeconnectd
tcp6       0      0 :::1741                 :::*                    LISTEN      1620/kdeconnectd
tcp6       0      0 :::1716                 :::*                    LISTEN      1620/kdeconnectd
udp        0      0 0.0.0.0:41203           0.0.0.0:*                           854/avahi-daemon: r
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           854/avahi-daemon: r
udp6       0      0 :::40776                :::*                                854/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                854/avahi-daemon: r
udp6       0      0 :::1716                 :::*                                1620/kdeconnectd
I see here that Kdeconnect is listening for connections on ports 1740, 1741 and 1716. That will not work properly if it can't be reached, so I need to open ports in the firewall.
Avahi-daemon is a framework that helps discover services available on the local network, for instance networked scanners, without any manual configuration.
An alternative is lsof (run as root or with sudo):
Code: Select all
# lsof -nP -iTCP -sTCP:LISTEN
Code: Select all
root@debian-thinkpad:~# lsof -nP -iTCP -sTCP:LISTEN
COMMAND    PID    USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
kdeconnec 1620 hallvor  13u  IPv6 2895898      0t0  TCP *:1716 (LISTEN)
kdeconnec 1620 hallvor  26u  IPv6 2451199      0t0  TCP *:1740 (LISTEN)
kdeconnec 1620 hallvor  28u  IPv6 2453134      0t0  TCP *:1741 (LISTEN)
Many tutorials show that one should open ports 22, 80 and 443. However, port 22 only needs to be open if you want to SSH into this machine, and 80 and 443 do not need to be opened to browse the web: browsing is outgoing traffic, and the replies are let in by the established,related rule. Browsing works just fine with those ports closed.
As the netstat output shows, KDE Connect uses other ports, so look up the port range it needs. The KDE UserBase page says KDE Connect uses 1714-1764 for both UDP and TCP:
https://userbase.kde.org/KDEConnect/en
To open the firewall for KDE Connect, uncomment this line
Code: Select all
#tcp dport { 22, 80, 443 } ct state new accept
and change it to
Code: Select all
tcp dport 1714-1764 ct state new accept
This rule only covers TCP. The documentation gives the same range for UDP, and the netstat output above shows kdeconnectd listening on UDP 1716 as well, so add a second line of the same form with udp in place of tcp.
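As an added example (my own code, not part of the post or of nftables), here is a small Python check that reads the output of netstat -tulpn and of nft list ruleset and reports which listeners the final counter drop would still block for new inbound connections. The sample inputs below are constructed from the outputs shown above.

```python
import re
# Constructed sample inputs modelled on the netstat and nft output shown in the post.
NETSTAT_SAMPLE = """\
tcp6 0 0 :::1740 :::* LISTEN 1620/kdeconnectd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 854/avahi-daemon: r
udp6 0 0 :::1716 :::* 1620/kdeconnectd
"""
RULESET_SAMPLE = """\
table inet filter {
  chain input {
    ct state established,related accept
    tcp dport 1714-1764 ct state new accept
    counter drop
  }
}
"""

# Matches '<proto> dport <port | lo-hi | { a, b }> ... accept' in an nft ruleset.
PORT_RULE = re.compile(r"^(tcp|udp) dport (\{[^}]*\}|\d+-\d+|\d+) .*\baccept\b")

def listening_sockets(netstat_text):
    """Map (proto, port) -> PID/program for every listener in netstat -tulpn output."""
    sockets = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith(("tcp", "udp")):
            continue
        proto = f[0][:3]  # tcp6 -> tcp, udp6 -> udp: an inet table covers both
        port = int(f[3].rsplit(":", 1)[1])
        sockets[(proto, port)] = next((x for x in f[5:] if re.match(r"\d+/", x)), "-")
    return sockets

def accepted_ports(ruleset_text):
    """Set of (proto, port) that uncommented '<proto> dport ... accept' rules let in."""
    allowed = set()
    for line in ruleset_text.splitlines():
        m = PORT_RULE.match(line.strip())
        if m is None:
            continue  # comments, the lo/ct/icmpv6 rules and the final drop
        proto, spec = m.group(1), m.group(2).strip("{} ")
        for item in (s.strip() for s in spec.split(",")):
            lo, _, hi = item.partition("-")
            allowed.update((proto, p) for p in range(int(lo), int(hi or lo) + 1))
    return allowed

def unreachable_listeners(netstat_text, ruleset_text):
    """Listeners the trailing 'counter drop' blocks for new inbound connections."""
    allowed = accepted_ports(ruleset_text)
    return sorted((proto, port, prog) for (proto, port), prog
                  in listening_sockets(netstat_text).items() if (proto, port) not in allowed)
```

On a live system, feed it the real outputs of the two commands; on the sample it flags that the TCP-only KDE Connect rule leaves UDP 1716 and Avahi's mDNS port 5353 blocked.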
Enabling and starting the firewall
Enable the service so it starts on boot:
Code: Select all
# systemctl enable nftables.service
Start it now:
Code: Select all
# systemctl start nftables.service
Check that the ruleset is active:
Code: Select all
# nft list ruleset
Code: Select all
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept
        ct state established,related accept
        ip6 nexthdr ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        counter packets 410 bytes 31247 drop
    }
}