Manual backup: 2023-04-11 12:04:36

2023-04-11 12:04:36 +02:00 · 2023-04-11 12:04:36 +02:00 · 32ed7d70d1
commit 32ed7d70d1
parent dc9eb77276
2 changed files with 71 additions and 5 deletions
--- a/.obsidian/workspace.json
+++ b/.obsidian/workspace.json
@ -4,11 +4,11 @@
    "type": "split",
    "children": [
      {
-        "id": "f7331c4ec62394bd",
+        "id": "b461b618901c3a19",
        "type": "tabs",
        "children": [
          {
-            "id": "08d8ac249a3aeba9",
+            "id": "396bb06b78652441",
            "type": "leaf",
            "state": {
              "type": "empty",
@ -120,13 +120,14 @@
      "templater-obsidian:Templater": false
    }
  },
-  "active": "08d8ac249a3aeba9",
+  "active": "396bb06b78652441",
  "lastOpenFiles": [
+    "KB/Linux/Desktop/Firewall.md",
+    "KB/Linux/Desktop/Archinstall.md",
    "KB/Linux/Server/SSH Guard.md",
    "KB/Linux/Server/Bootstrap.md",
    "KB/Linux/Server/DNS.md",
    "KB/Linux/Server/Docker Volume Migration.md",
-    "KB/Linux/Desktop/Firewall.md",
    "KB/Linux/Server/Hetzner/Storagebox.md",
    "KB/Linux/Server/Hetzner/Upgrades.md",
    "KB/Linux/Pacman.md",
@ -140,7 +141,6 @@
    "KB/Linux/Desktop/Audio/aptx and pulseaudio.md",
    "KB/Linux/Desktop/KDE/KDE Tiling.md",
    "KB/Linux/Desktop/KDE/KDE.md",
-    "KB/Linux/Desktop/Archinstall.md",
    "KB/Linux/Desktop/Fonts.md",
    "KB/Linux/Desktop/GPG - PGP.md",
    "KB/Linux/Desktop/i3.md",
--- a/KB/Linux/Desktop/Firewall.md
+++ b/KB/Linux/Desktop/Firewall.md
@ -5,6 +5,8 @@ tags: [note,firewall,iptables,linux]

 Change `icmp` to `icmp -j REJECT` to not allow `ping` command.

+# iptables
+
 ## IPv4

 Put into `/etc/iptables/iptables.rules`. Pay attention to blank line at the end.
@ -74,3 +76,67 @@ Add `4713` (pulseaudio) rule if necessary.
 ```shell
 -A INPUT -m state --state NEW -m tcp -p tcp --dport 4713 -j ACCEPT
 ```
+
+# nftables
+
+See https://wiki.archlinux.org/title/Nftables
+
+Install `iptables-nft`  which includes nftables as a dependency, will automatically uninstall iptables (an indirect dependency of the base meta package) and prevent conflicts between iptables and nftables when used together.
+
+`/etc/nftables.conf`
+
+```shell
+flush ruleset
+
+table inet my_table {
+	set LANv4 {
+		type ipv4_addr
+		flags interval
+
+		elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
+	}
+	set LANv6 {
+		type ipv6_addr
+		flags interval
+
+		elements = { fd00::/8, fe80::/10 }
+	}
+
+	chain my_input_lan {
+		udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"
+
+		udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies"
+
+	}
+
+	chain my_input {
+		type filter hook input priority filter; policy drop;
+
+		iif lo accept comment "Accept any localhost traffic"
+		ct state invalid drop comment "Drop invalid connections"
+		ct state established,related accept comment "Accept traffic originated from us"
+
+		meta l4proto ipv6-icmp accept comment "Accept ICMPv6"
+		meta l4proto icmp accept comment "Accept ICMP"
+		ip protocol igmp accept comment "Accept IGMP"
+
+		udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"
+		udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"
+
+		ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges"
+		ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges"
+
+		counter comment "Count any other traffic"
+	}
+
+	chain my_forward {
+		type filter hook forward priority filter; policy drop;
+		# Drop everything forwarded to us. We do not forward. That is routers job.
+	}
+
+	chain my_output {
+		type filter hook output priority filter; policy accept;
+		# Accept every outbound connection
+	}
+}
+```