
Manual backup: 2023-04-11 12:04:36

This commit is contained in:
Alexander Schäferdiek 2023-04-11 12:04:36 +02:00
parent dc9eb77276
commit 32ed7d70d1
2 changed files with 71 additions and 5 deletions


@ -4,11 +4,11 @@
"type": "split", "type": "split",
"children": [ "children": [
{ {
"id": "f7331c4ec62394bd", "id": "b461b618901c3a19",
"type": "tabs", "type": "tabs",
"children": [ "children": [
{ {
"id": "08d8ac249a3aeba9", "id": "396bb06b78652441",
"type": "leaf", "type": "leaf",
"state": { "state": {
"type": "empty", "type": "empty",
@ -120,13 +120,14 @@
"templater-obsidian:Templater": false "templater-obsidian:Templater": false
} }
}, },
"active": "08d8ac249a3aeba9", "active": "396bb06b78652441",
"lastOpenFiles": [ "lastOpenFiles": [
"KB/Linux/Desktop/Firewall.md",
"KB/Linux/Desktop/Archinstall.md",
"KB/Linux/Server/SSH Guard.md", "KB/Linux/Server/SSH Guard.md",
"KB/Linux/Server/Bootstrap.md", "KB/Linux/Server/Bootstrap.md",
"KB/Linux/Server/DNS.md", "KB/Linux/Server/DNS.md",
"KB/Linux/Server/Docker Volume Migration.md", "KB/Linux/Server/Docker Volume Migration.md",
"KB/Linux/Desktop/Firewall.md",
"KB/Linux/Server/Hetzner/Storagebox.md", "KB/Linux/Server/Hetzner/Storagebox.md",
"KB/Linux/Server/Hetzner/Upgrades.md", "KB/Linux/Server/Hetzner/Upgrades.md",
"KB/Linux/Pacman.md", "KB/Linux/Pacman.md",
@ -140,7 +141,6 @@
"KB/Linux/Desktop/Audio/aptx and pulseaudio.md", "KB/Linux/Desktop/Audio/aptx and pulseaudio.md",
"KB/Linux/Desktop/KDE/KDE Tiling.md", "KB/Linux/Desktop/KDE/KDE Tiling.md",
"KB/Linux/Desktop/KDE/KDE.md", "KB/Linux/Desktop/KDE/KDE.md",
"KB/Linux/Desktop/Archinstall.md",
"KB/Linux/Desktop/Fonts.md", "KB/Linux/Desktop/Fonts.md",
"KB/Linux/Desktop/GPG - PGP.md", "KB/Linux/Desktop/GPG - PGP.md",
"KB/Linux/Desktop/i3.md", "KB/Linux/Desktop/i3.md",


@ -5,6 +5,8 @@ tags: [note,firewall,iptables,linux]
Change `icmp` to `icmp -j REJECT` to not allow `ping` command. Change `icmp` to `icmp -j REJECT` to not allow `ping` command.
# iptables
## IPv4 ## IPv4
Put into `/etc/iptables/iptables.rules`. Pay attention to blank line at the end. Put into `/etc/iptables/iptables.rules`. Pay attention to blank line at the end.
@ -74,3 +76,67 @@ Add `4713` (pulseaudio) rule if necessary.
```shell ```shell
-A INPUT -m state --state NEW -m tcp -p tcp --dport 4713 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 4713 -j ACCEPT
``` ```
# nftables
See https://wiki.archlinux.org/title/Nftables
Install `iptables-nft` which includes nftables as a dependency, will automatically uninstall iptables (an indirect dependency of the base meta package) and prevent conflicts between iptables and nftables when used together.
`/etc/nftables.conf`
```shell
flush ruleset
table inet my_table {
set LANv4 {
type ipv4_addr
flags interval
elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
}
set LANv6 {
type ipv6_addr
flags interval
elements = { fd00::/8, fe80::/10 }
}
chain my_input_lan {
udp sport 1900 udp dport >= 1024 meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"
udp sport netbios-ns udp dport >= 1024 meta pkttype unicast accept comment "Accept Samba Workgroup browsing replies"
}
chain my_input {
type filter hook input priority filter; policy drop;
iif lo accept comment "Accept any localhost traffic"
ct state invalid drop comment "Drop invalid connections"
ct state established,related accept comment "Accept traffic originated from us"
meta l4proto ipv6-icmp accept comment "Accept ICMPv6"
meta l4proto icmp accept comment "Accept ICMP"
ip protocol igmp accept comment "Accept IGMP"
udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"
udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"
ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges"
ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges"
counter comment "Count any other traffic"
}
chain my_forward {
type filter hook forward priority filter; policy drop;
# Drop everything forwarded to us. We do not forward. That is routers job.
}
chain my_output {
type filter hook output priority filter; policy accept;
# Accept every outbound connection
}
}
```
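Review bot: The new `my_input` chain in the nftables listing has `policy drop` and ends with a bare `counter`, so none of the service rules from the iptables section above is carried over — the `4713` pulseaudio rule the hunk header refers to, and presumably whatever SSH access the iptables rules allow — and a reader who switches to this ruleset loses that access without the page saying so. Add a sentence below the `/etc/nftables.conf` line naming which accept rules must be re-added, for example `tcp dport 4713 accept comment "Accept pulseaudio"` in `my_input` (or in `my_input_lan` to keep it LAN-only), and state how the file is loaded and persisted (`nftables.service`), which the section leaves out. Separately, `meta l4proto icmp accept` admits all IPv4 ICMP unconditionally, while the top of the file says to reject ICMP to block `ping`; if that intent still holds, narrow it to `icmp type echo-request limit rate 4/second accept` or remove the line, and document the choice either way. The `my_forward` comment `That is routers job.` should read `That is the router's job.`.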