Netfilter
A firewall filters network traffic, which is transmitted in packets.
The network packet filter is configured with rules.
The basics of these filter rules are explained here.
Contents
iptables
Load iptables rules on boot
On Debian, iptables-restore
is called on boot by installing the following package:
apt install iptables-persistent
IPv4 rules
We set the default policy of the INPUT
chain to DROP
and
specify some rules, which are applied from top to bottom:
- Incoming packets on the loopback interface
lo
are accepted. ESTABLISHED
connections orRELATED
packets are accepted.- ICMP traffic (e.g. incoming
ping
requests) is allowed. - The number of SSH connection attempts from each source IP address is limited
to 8 in 60 seconds. This slows down brute-force password attacks significantly. - A web server needs incoming packets on port 80 (http) and port 443 (https)
to be accepted.
/etc/iptables/rules.v4
-
*filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP -A INPUT -p tcp --dport 22 -j ACCEPT -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT COMMIT
Load the IPv4 rules from file:
iptables-restore < /etc/iptables/rules.v4
Verify the loaded IPv4 rules:
iptables -L
Network Address Translation (NAT)
The PREROUTING
chain is used for port forwarding.
The rule in the POSTROUTING
chain translates the source address of outgoing packets.
The reply will be forwarded by translating the destination address of incoming packets.
This is what ordinary IPv4 routers do.
Rules for the nat
table are part of the iptables rules:
/etc/iptables/rules.v4
-
*filter #... COMMIT *nat :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.100:80 -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o ppp0 -j MASQUERADE COMMIT
Forwarding of IPv4 packets needs to be enabled in the kernel.
An interface for modifying kernel parameters is the proc file system.
echo 1 > /proc/sys/net/ipv4/ip_forward
A simplified command line tool for the proc file system is sysctl
.
To make the change persistent over reboots, edit the following file:
/etc/sysctl.conf
-
#... # Uncomment the next line to enable packet forwarding for IPv4 net.ipv4.ip_forward=1 #...
IPv6 rules
For IPv6, the following rules need to be added:
- ICMPv6 is required for IPv6 to work correctly.
- DHCPv6 needs incoming UDP packets on port 546 to be accepted.
/etc/iptables/rules.v6
-
*filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT -A INPUT -p udp -s fe80::/10 --dport 546 -j ACCEPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP -A INPUT -p tcp --dport 22 -j ACCEPT -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT COMMIT
Load the IPv6 rules from file:
ip6tables-restore < /etc/iptables/rules.v6
Verify the loaded IPv6 rules:
ip6tables -L
nftables
nftables is the successor of {ip,ip6,arp,eb}tables.
There is only one ruleset needed to cover IPv4 and IPv6.
The table ip
contains chains with rules for IPv4.
The contained chain input
filters incoming packets.
All accepted IPv4 packets are marked with 0x34414343
("4ACC"):
- All ICMP packets are accepted.
- For new SSH connections, rules are created that limit the rate
to 12 connections per minute for each source IP address.
This slows down brute-force password attacks significantly.
The table ip6
contains chains with rules for IPv6.
The contained chain input
filters incoming packets.
All accepted IPv6 packets are marked with 0x36414343
("6ACC"):
- All ICMPv6 packets are accepted. This is mandatory for IPv6.
- All DHCPv6 packets are accepted from link-local IPv6 addresses.
This is mandatory for IPv6. - For new SSH connections, rules are created that limit the rate
to 12 connections per minute for each source IP address.
This slows down brute-force password attacks significantly.
The table inet
contains chains with rules for IPv4 and IPv6.
The contained chain input
accepts the following incoming packets:
- All packets on the loopback interface (lo) are accepted.
- Packets from established connections or related packets are accepted.
- Packets marked with
0x34414343
(from tableip
) are accepted. - Packets marked with
0x36414343
(from tableip6
) are accepted. - For a web server, packets on port 80 (http) are accepted.
- Packets on port 443 (https) are accepted.
/etc/nftables.conf
-
#!/usr/sbin/nft -f flush ruleset table ip filter { set ipv4_ssh_meter { type ipv4_addr flags dynamic,timeout timeout 10m } chain input { type filter hook input priority -10; meta l4proto icmp counter meta mark set 0x34414343 accept tcp dport 22 ct state new update @ipv4_ssh_meter { ip saddr limit rate 12/minute } counter meta mark set 0x34414343 accept } } table ip6 filter { set ipv6_ssh_meter { type ipv6_addr flags dynamic,timeout timeout 10m } chain input { type filter hook input priority -10; meta l4proto ipv6-icmp counter meta mark set 0x36414343 accept ip6 saddr fe80::/10 udp dport 546 counter meta mark set 0x36414343 accept tcp dport 22 ct state new update @ipv6_ssh_meter { ip6 saddr limit rate 12/minute } counter meta mark set 0x36414343 accept } } table inet filter { chain input { type filter hook input priority 0; policy drop; iifname "lo" counter accept ct state established,related counter accept meta mark 0x34414343 counter accept meta mark 0x36414343 counter accept tcp dport 80 counter accept tcp dport 443 counter accept } }
Load the ruleset from file:
nft -f /etc/nftables.conf
Verify the loaded ruleset:
nft list ruleset
Load nftables ruleset on boot
systemctl enable nftables.service
External Links
- https://www.netfilter.org/
- https://ipset.netfilter.org/iptables.man.html
- https://www.netfilter.org/projects/nftables/manpage.html
- https://tldp.org/HOWTO/Linux+IPv6-HOWTO/ch18s05.html
- https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
- https://wiki.nftables.org/wiki-nftables/index.php/Meters
CONTENT.html | source | 2023-04-25 | 9.6 KB |
clear_iptables_rules.sh | source | 2022-05-01 | 1.8 KB |
clear_iptables_rules.sh 2022-05-01 by Gernot Walzl |
|||
nftables.conf | 2023-04-23 | 1.2 KB | |
no_internet.sh | source | 2023-04-22 | 1.1 KB |
no_internet.sh 2023-04-09 by Gernot Walzl This script blocks an application to access the internet. |
|||
rules.v4 | 2020-05-03 | 496 B | |
rules.v6 | 2021-02-23 | 550 B |