diff --git a/.obsidian/workspace.json b/.obsidian/workspace.json index feb274a..a85a78d 100644 --- a/.obsidian/workspace.json +++ b/.obsidian/workspace.json @@ -4,11 +4,11 @@ "type": "split", "children": [ { - "id": "f7331c4ec62394bd", + "id": "b461b618901c3a19", "type": "tabs", "children": [ { - "id": "08d8ac249a3aeba9", + "id": "396bb06b78652441", "type": "leaf", "state": { "type": "empty", @@ -120,13 +120,14 @@ "templater-obsidian:Templater": false } }, - "active": "08d8ac249a3aeba9", + "active": "396bb06b78652441", "lastOpenFiles": [ + "KB/Linux/Desktop/Firewall.md", + "KB/Linux/Desktop/Archinstall.md", "KB/Linux/Server/SSH Guard.md", "KB/Linux/Server/Bootstrap.md", "KB/Linux/Server/DNS.md", "KB/Linux/Server/Docker Volume Migration.md", - "KB/Linux/Desktop/Firewall.md", "KB/Linux/Server/Hetzner/Storagebox.md", "KB/Linux/Server/Hetzner/Upgrades.md", "KB/Linux/Pacman.md", @@ -140,7 +141,6 @@ "KB/Linux/Desktop/Audio/aptx and pulseaudio.md", "KB/Linux/Desktop/KDE/KDE Tiling.md", "KB/Linux/Desktop/KDE/KDE.md", - "KB/Linux/Desktop/Archinstall.md", "KB/Linux/Desktop/Fonts.md", "KB/Linux/Desktop/GPG - PGP.md", "KB/Linux/Desktop/i3.md", diff --git a/KB/Linux/Desktop/Firewall.md b/KB/Linux/Desktop/Firewall.md index 0ff665e..0ba21bd 100644 --- a/KB/Linux/Desktop/Firewall.md +++ b/KB/Linux/Desktop/Firewall.md @@ -5,6 +5,8 @@ tags: [note,firewall,iptables,linux] Change `icmp` to `icmp -j REJECT` to not allow `ping` command. +# iptables + ## IPv4 Put into `/etc/iptables/iptables.rules`. Pay attention to blank line at the end. 
@@ -74,3 +76,67 @@ Add `4713` (pulseaudio) rule if necessary. ```shell -A INPUT -m state --state NEW -m tcp -p tcp --dport 4713 -j ACCEPT ```
+
+# nftables
+
+See https://wiki.archlinux.org/title/Nftables
+
+Install `iptables-nft` which includes nftables as a dependency, will automatically uninstall iptables (an indirect dependency of the base meta package) and prevent conflicts between iptables and nftables when used together.
+
+`/etc/nftables.conf`
+
+```shell
+flush ruleset
+
+table inet my_table {
+ set LANv4 {
+ type ipv4_addr
+ flags interval
+
+ elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
+ }
+ set LANv6 {
+ type ipv6_addr
+ flags interval
+
+ elements = { fd00::/8, fe80::/10 }
+ }
+
+ chain my_input_lan {
+ udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"
+
+ udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies"
+
+ }
+
+ chain my_input {
+ type filter hook input priority filter; policy drop;
+
+ iif lo accept comment "Accept any localhost traffic"
+ ct state invalid drop comment "Drop invalid connections"
+ ct state established,related accept comment "Accept traffic originated from us"
+
+ meta l4proto ipv6-icmp accept comment "Accept ICMPv6"
+ meta l4proto icmp accept comment "Accept ICMP"
+ ip protocol igmp accept comment "Accept IGMP"
+
+ udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"
+ udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"
+
+ ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges"
+ ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges"
+
+ counter comment "Count any other traffic"
+ }
+
+ chain my_forward {
+ type filter hook forward priority filter; policy drop;
+ # Drop everything forwarded to us. We do not forward. That is routers job.
+ }
+
+ chain my_output {
+ type filter hook output priority filter; policy accept;
+ # Accept every outbound connection
+ }
+}
+```
\ No newline at end of file