knowledge-base/KB/Linux/Desktop/Firewall.md

---
creation date: 2023-04-10
tags: [note,firewall,iptables,linux]
---

Change `icmp` to `icmp -j REJECT` to not allow `ping` command.

# iptables

## IPv4

Put into `/etc/iptables/iptables.rules`. Pay attention to blank line at the end.

```shell
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

COMMIT

```

Enable `iptables.service`. Verify result with `sudo iptables -S`.

Add `4713` (pulseaudio) rule if necessary.

```shell
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4713 -j ACCEPT
```

## IPv6

Put into `/etc/iptables/ip6tables.rules`. Pay attention to blank line at the end.

```shell
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT
-A INPUT -p udp --sport 547 --dport 546 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT

COMMIT

```

Enable `ip6tables.service`. Verify result with `sudo ip6tables -S`.

Add `4713` (pulseaudio) rule if necessary.

```shell
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4713 -j ACCEPT
```

# nftables

See https://wiki.archlinux.org/title/Nftables

Install `iptables-nft`  which includes nftables as a dependency, will automatically uninstall iptables (an indirect dependency of the base meta package) and prevent conflicts between iptables and nftables when used together.

`/etc/nftables.conf`

```shell
flush ruleset

table inet my_table {
	set LANv4 {
		type ipv4_addr
		flags interval

		elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
	}
	set LANv6 {
		type ipv6_addr
		flags interval

		elements = { fd00::/8, fe80::/10 }
	}

	chain my_input_lan {
		udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"

		udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies"

	}

	chain my_input {
		type filter hook input priority filter; policy drop;

		iif lo accept comment "Accept any localhost traffic"
		ct state invalid drop comment "Drop invalid connections"
		ct state established,related accept comment "Accept traffic originated from us"

		meta l4proto ipv6-icmp accept comment "Accept ICMPv6"
		meta l4proto icmp accept comment "Accept ICMP"
		ip protocol igmp accept comment "Accept IGMP"

		udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"
		udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"

		ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges"
		ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges"

		counter comment "Count any other traffic"
	}

	chain my_forward {
		type filter hook forward priority filter; policy drop;
		# Drop everything forwarded to us. We do not forward. That is routers job.
	}

	chain my_output {
		type filter hook output priority filter; policy accept;
		# Accept every outbound connection
	}
}
```
Manual backup: 2023-04-10 10:30:46 2023-04-10 08:30:46 +00:00			`---`
			`creation date: 2023-04-10`
			`tags: [note,firewall,iptables,linux]`
			`---`

			Change `icmp` to `icmp -j REJECT` to not allow `ping` command.

Manual backup: 2023-04-11 12:04:36 2023-04-11 10:04:36 +00:00			`# iptables`

Manual backup: 2023-04-10 10:30:46 2023-04-10 08:30:46 +00:00			`## IPv4`

			Put into `/etc/iptables/iptables.rules`. Pay attention to blank line at the end.

			```shell
			`*filter`
			`:INPUT DROP [0:0]`
			`:FORWARD DROP [0:0]`
			`:OUTPUT ACCEPT [0:0]`
			`:TCP - [0:0]`
			`:UDP - [0:0]`

			`-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`
			`-A INPUT -i lo -j ACCEPT`
			`-A INPUT -m conntrack --ctstate INVALID -j DROP`
			`-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT`
			`-A INPUT -p udp -m conntrack --ctstate NEW -j UDP`
			`-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP`
			`-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable`
			`-A INPUT -p tcp -j REJECT --reject-with tcp-reset`
			`-A INPUT -j REJECT --reject-with icmp-proto-unreachable`

			`COMMIT`

			```

			Enable `iptables.service`. Verify result with `sudo iptables -S`.

			Add `4713` (pulseaudio) rule if necessary.

			```shell
			`-A INPUT -m state --state NEW -m tcp -p tcp --dport 4713 -j ACCEPT`
			```

			`## IPv6`

			Put into `/etc/iptables/ip6tables.rules`. Pay attention to blank line at the end.

			```shell
			`*filter`
			`:INPUT DROP [0:0]`
			`:FORWARD DROP [0:0]`
			`:OUTPUT ACCEPT [0:0]`
			`:TCP - [0:0]`
			`:UDP - [0:0]`

			`-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT`
			`-A INPUT -i lo -j ACCEPT`
			`-A INPUT -m conntrack --ctstate INVALID -j DROP`
			`-A INPUT -s fe80::/10 -p ipv6-icmp -j ACCEPT`
			`-A INPUT -p udp --sport 547 --dport 546 -j ACCEPT`
			`-A INPUT -p udp -m conntrack --ctstate NEW -j UDP`
			`-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP`
			`-A INPUT -p udp -j REJECT --reject-with icmp6-adm-prohibited`
			`-A INPUT -p tcp -j REJECT --reject-with tcp-reset`
			`-A INPUT -j REJECT --reject-with icmp6-adm-prohibited`
			`-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m conntrack --ctstate NEW -j ACCEPT`

			`COMMIT`

			```

			Enable `ip6tables.service`. Verify result with `sudo ip6tables -S`.

			Add `4713` (pulseaudio) rule if necessary.

			```shell
			`-A INPUT -m state --state NEW -m tcp -p tcp --dport 4713 -j ACCEPT`
			```
Manual backup: 2023-04-11 12:04:36 2023-04-11 10:04:36 +00:00
			`# nftables`

			`See https://wiki.archlinux.org/title/Nftables`

			Install `iptables-nft` which includes nftables as a dependency, will automatically uninstall iptables (an indirect dependency of the base meta package) and prevent conflicts between iptables and nftables when used together.

			`/etc/nftables.conf`

			```shell
			`flush ruleset`

			`table inet my_table {`
			`set LANv4 {`
			`type ipv4_addr`
			`flags interval`

			`elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }`
			`}`
			`set LANv6 {`
			`type ipv6_addr`
			`flags interval`

			`elements = { fd00::/8, fe80::/10 }`
			`}`

			`chain my_input_lan {`
			`udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"`

			`udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies"`

			`}`

			`chain my_input {`
			`type filter hook input priority filter; policy drop;`

			`iif lo accept comment "Accept any localhost traffic"`
			`ct state invalid drop comment "Drop invalid connections"`
			`ct state established,related accept comment "Accept traffic originated from us"`

			`meta l4proto ipv6-icmp accept comment "Accept ICMPv6"`
			`meta l4proto icmp accept comment "Accept ICMP"`
			`ip protocol igmp accept comment "Accept IGMP"`

			`udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"`
			`udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"`

			`ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges"`
			`ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges"`

			`counter comment "Count any other traffic"`
			`}`

			`chain my_forward {`
			`type filter hook forward priority filter; policy drop;`
			`# Drop everything forwarded to us. We do not forward. That is routers job.`
			`}`

			`chain my_output {`
			`type filter hook output priority filter; policy accept;`
			`# Accept every outbound connection`
			`}`
			`}`
			```