Gentoo Forums
How to deny all incoming connections with iptables/nftables?
hjkl
Apprentice

Joined: 22 Apr 2021
Posts: 198
Location: Somewhere in Europe

PostPosted: Thu Jul 08, 2021 10:21 am    Post subject: How to deny all incoming connections with iptables/nftables?

Hi,

I wanted to use an iptables frontend but I'm having issues with them (some errors, no idea).

My issue with iptables is: the syntax is complicated, same with nftables.

How would I make all incoming connections be denied for IPv6 & IPv4?

Thanks!
_________________
Having problems compiling since 2021 :(
pietinger
Moderator

Joined: 17 Oct 2006
Posts: 3998
Location: Bavaria

PostPosted: Thu Jul 08, 2021 10:35 am

First of all you must know: With iptables you can filter only IPv4. For IPv6 you would need ip6tables. Do you really use both?

If yes, I recommend nftables. With nftables you can do filtering for both.
If not, I recommend iptables because it is older and more stable (I am watching the kernel patches).

If you want to allow all outgoing (= no filtering here) and disallow all incoming packets it is very easy:


# clear all existing rules (only in the default "filter" table;
# nat/mangle/raw are untouched and need "-t <table> -F" separately)
iptables -F
iptables -X

# set default actions
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# you must allow internal communications
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# this line is needed to allow all packets which are answers to existing sessions
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# if you also want to log not allowed incoming packets enable this line
# (consider adding "-m limit --limit 5/min" so a scan cannot flood the log)
# iptables -A INPUT -j LOG --log-prefix "DROPPED: "
hjkl
Apprentice

Joined: 22 Apr 2021
Posts: 198
Location: Somewhere in Europe

PostPosted: Thu Jul 08, 2021 10:40 am

pietinger wrote:
First of all you must know: With iptables you can filter only IPv4. For IPv6 you would need ip6tables. Do you really use both?

If yes, I recommend nftables. With nftables you can do filtering for both.
If not, I recommend iptables because it is older and more stable. [...]


Well, I do use IPv6 so I guess nftables would be my case, although this is helpful.

Should I use the above commands even if IPv6 is being used since iptables is IPv4 only?
_________________
Having problems compiling since 2021 :(
pietinger
Moderator


Joined: 17 Oct 2006
Posts: 3998
Location: Bavaria

PostPosted: Thu Jul 08, 2021 10:48 am

fullbyte wrote:
Should I use the above commands even if IPv6 is being used since iptables is IPv4 only?

No. If you really use both you should take nftables. There is a nice command: "iptables-translate" to translate iptables-commands into nftables-commands. See also: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

But you don't need it, if you take a look into this page:
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
At the very end of this page there is a simple IP/IPv6 Firewall.
hjkl
Apprentice


Joined: 22 Apr 2021
Posts: 198
Location: Somewhere in Europe

PostPosted: Thu Jul 08, 2021 10:53 am

pietinger wrote:
No. If you really use both you should take nftables. [...]
At the very end of this page there is a simple IP/IPv6 Firewall.


Thanks, I'll try it out.

Still is pretty complicated for me to understand though.
_________________
Having problems compiling since 2021 :(
Hu
Moderator


Joined: 06 Mar 2007
Posts: 21490

PostPosted: Thu Jul 08, 2021 7:16 pm

If you want to stay with iptables, then use the commands that pietinger gave. That will restrict IPv4. Then take those commands, replace iptables with ip6tables in every command, and run the result to restrict IPv6. Porting IPv4 to IPv6 isn't always this easy, but since none of the commands actually inspect source/destination address, this one is easy.
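The nftables version of the ruleset pietinger posted, as an added example (it is not code from the thread or from the nftables wiki): a single inet table covers IPv4 and IPv6, so there is no second ip6tables copy to keep in sync. It assumes the nft userspace tool and a kernel with nf_tables and conntrack; the table and chain names, the optional inbound port list and the set of ICMPv6 types (the minimum RFC 4890 recommends for a host) are this example's own choices. The ICMPv6 rule is the part a plain iptables to ip6tables copy lacks: neighbour solicitation/advertisement and router advertisements are not conntrack-tracked, so with only the ESTABLISHED,RELATED rule they fall through to the drop policy and IPv6 address resolution on the link stops working.

```shell
#!/bin/sh
# Added example, not from the thread: nftables ruleset for IPv4 + IPv6 in one
# inet table, equivalent to the iptables rules above. Assumes the nft tool and
# a kernel with nf_tables + conntrack. Names, port handling and the ICMPv6
# type list are this example's choices.

# Print the ruleset. Optional argument: TCP ports to allow inbound, e.g. "22 443".
# With no argument nothing unsolicited gets in (the thread's "deny all").
gen_ruleset() {
    ports="$1"
    cat <<'EOF'
flush ruleset

table inet filter {
    chain input {
        # everything not accepted below is dropped
        type filter hook input priority 0; policy drop;

        # loopback (127.0.0.0/8 and ::1)
        iif "lo" accept

        # replies to connections this host opened, and related packets
        # (ICMP errors, FTP data, ...); packets conntrack cannot classify
        # are dropped explicitly
        ct state established,related accept
        ct state invalid drop

        # keep the host pingable (optional)
        icmp type echo-request accept

        # IPv6 does not work without ICMPv6: neighbour solicitation/
        # advertisement and router advertisements are not tracked by
        # conntrack and need an explicit accept; the error types are
        # needed for path MTU discovery. "icmpv6 type" matches on the
        # L4 protocol and so also works behind extension headers,
        # unlike "ip6 nexthdr icmpv6".
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded,
            parameter-problem, echo-request,
            nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert
        } accept
EOF
    if [ -n "$ports" ]; then
        printf '\n        # inbound services explicitly allowed\n'
        printf '        tcp dport { %s } accept\n' "$(echo "$ports" | tr ' ' ',')"
    fi
    cat <<'EOF'
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Syntax-check the ruleset without loading it (nft -c), then load it in one
# atomic transaction, so a typo never leaves the host half-filtered. Needs root.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    gen_ruleset "$1" > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# sh fw.sh            -> print the ruleset (e.g. to save as /etc/nftables.conf)
# sh fw.sh --apply 22 -> load it, additionally allowing inbound SSH
case "$1" in
    --apply) shift; apply_ruleset "$*" ;;
    *)       gen_ruleset "$*" ;;
esac
```

Because the whole file is loaded with one `nft -f`, the old rules are replaced in a single transaction; there is no window with an empty table as there is between `iptables -F` and the later `-A` lines.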
hjkl
Apprentice


Joined: 22 Apr 2021
Posts: 198
Location: Somewhere in Europe

PostPosted: Thu Jul 08, 2021 8:37 pm

Hu wrote:
If you want to stay with iptables, then use the commands that pietinger gave. That will restrict IPv4. Then take those commands, replace iptables with ip6tables in every command, and run the result to restrict IPv6. Porting IPv4 to IPv6 isn't always this easy, but since none of the commands actually inspect source/destination address, this one is easy.


Cheers! I didn't know that.
_________________
Having problems compiling since 2021 :(
mike155
Advocate


Joined: 17 Sep 2010
Posts: 4438
Location: Frankfurt, Germany

PostPosted: Thu Jul 08, 2021 11:22 pm

fullbyte wrote:
How would I make all incoming connections be denied for IPv6 & IPv4?

Do you really want to disable all incoming traffic? That's highly unusual! If you really want that, it might be better to just shut down the interface.

Or do you want to disable incoming TCP connections, but allow outgoing TCP connections? If that's the case, disabling the INPUT chain is probably the wrong answer. The right answer would be to disable incoming packets with the SYN flag set.
pietinger
Moderator


Joined: 17 Oct 2006
Posts: 3998
Location: Bavaria

PostPosted: Fri Jul 09, 2021 8:16 am

mike155 wrote:
If that's the case, disabling the INPUT chain is probably the wrong answer. [...]

This is wrong. Allowing only related packets and dropping the rest (via default action) is more usual than dropping some packets (with SYN) and allowing the rest!

mike155 wrote:
[...] The right answer would be to disable incoming packets with the SYN flag set.

No, this is not as secure as the usual solution.
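The two designs from the last exchange side by side, as an added example that is not from the thread: mike155's drop-SYN rule and pietinger's default-deny rule as iptables/ip6tables command lists (printed, not applied), plus a small function encoding exactly what `--syn` matches, so it is visible which probe types a SYN-only filter never touches. It assumes the conntrack match is available, as in pietinger's rules; the ICMPv6 type numbers added to the ip6tables variant are this example's addition.

```shell
#!/bin/sh
# Added example, not from the thread: the two designs discussed above as
# iptables/ip6tables commands, printed rather than applied, plus a check of
# what "--syn" actually matches. Assumes the conntrack match (xt_conntrack)
# is available, as in pietinger's rules.

# "--syn" is shorthand for "--tcp-flags SYN,RST,ACK,FIN SYN": look only at
# these four bits and match when SYN alone is set. Return 0 when a segment
# carrying the comma-separated flags given in $1 (e.g. "SYN,ACK") matches.
syn_match() {
    flags=",$1,"
    case "$flags" in
        *,SYN,*) ;;
        *) return 1 ;;
    esac
    case "$flags" in
        *,RST,*|*,ACK,*|*,FIN,*) return 1 ;;
    esac
    return 0
}

# mike155's design: default ACCEPT, drop only TCP connection requests.
# Everything that is not a lone SYN still reaches the host: every UDP
# datagram, every ICMP/ICMPv6 type, other IP protocols (GRE, ESP, ...),
# and TCP probes without SYN (nmap -sA, -sF, -sN, -sX); closed ports
# answer those with RST, so a scanner can still map the port state.
weak_rules() {
    IPT="$1"
    cat <<EOF
$IPT -P INPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p tcp --syn -j DROP
EOF
}

# pietinger's design: default DROP, accept only loopback and the replies to
# traffic the host initiated. Anything else, whatever protocol or flag
# combination, hits the policy. For ip6tables the neighbour-discovery ICMPv6
# types must be accepted explicitly: conntrack marks them untracked, so the
# ESTABLISHED,RELATED rule never matches and address resolution would break.
strict_rules() {
    IPT="$1"
    cat <<EOF
$IPT -P INPUT DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    if [ "$IPT" = ip6tables ]; then
        # 134 router advertisement, 135/136 neighbour solicitation/advertisement
        for t in 134 135 136; do
            echo "$IPT -A INPUT -p icmpv6 --icmpv6-type $t -j ACCEPT"
        done
    fi
}

# Print both designs for both address families.
for bin in iptables ip6tables; do
    echo "# weak ($bin)";   weak_rules "$bin"
    echo "# strict ($bin)"; strict_rules "$bin"
done
```

Run with `sh compare.sh` to see the four command lists; `syn_match FIN,PSH,URG` (an Xmas probe) returning 1 is the concrete reason the SYN-only design is weaker: that segment is never dropped by it, while under the strict design it has no conntrack entry and hits the DROP policy.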