hjkl Apprentice
Joined: 22 Apr 2021 Posts: 198 Location: Somewhere in Europe
Posted: Thu Jul 08, 2021 10:21 am Post subject: How to deny all incoming connections with iptables/nftables?
Hi,
I wanted to use an iptables frontend but I'm having issues with them (some errors, no idea).
My issue with iptables is: the syntax is complicated, same with nftables.
How would I make all incoming connections be denied for IPv6 & IPv4?
Thanks!
_________________
Having problems compiling since 2021
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4148 Location: Bavaria
Posted: Thu Jul 08, 2021 10:35 am Post subject:
First of all you must know: With iptables you can filter only IPv4. For IPv6 you would need ip6tables. Do you really use both?
If yes, I recommend nftables. With nftables you can do filtering for both.
If not, I recommend iptables because it is older and more stable (I am watching the kernel patches).
If you want to allow all outgoing (= no filtering here) and disallow all incoming packets, it is very easy:
```sh
# clear all existing rules (without -t these act on the "filter" table only;
# the nat, mangle and raw tables are left as they are)
iptables -F
iptables -X
# set default actions (chain policies): whatever no rule accepts is dropped
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# you must allow internal (loopback) communications
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# this line is needed to allow all packets which are answers to existing sessions
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# if you also want to log not-allowed incoming packets, enable this line;
# appended last, it only sees packets the rules above did not accept,
# and the INPUT policy then drops them
# iptables -A INPUT -j LOG --log-prefix "DROPPED: "
```
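pietinger recommends nftables for a host that uses both address families. The script below is an added example (my code, not from the thread) that carries his default-drop policy into a single nftables `inet` table, which filters IPv4 and IPv6 with one set of rules and avoids keeping an iptables and an ip6tables copy in sync. Two lines have no counterpart in the iptables rules above and are my addition: the ICMPv6 neighbour-discovery accept (neighbour discovery is not connection-tracked, so a default-drop input chain without it leaves the host unable to resolve its IPv6 neighbours) and `ct state invalid drop`. The table and chain names, the rate limit on the log rule and the `show|check|apply` interface are my choices.

```shell
#!/bin/sh
# Added example, not from the thread: one nftables ruleset that filters
# IPv4 and IPv6 together (the "inet" family). Usage: show | check | apply
set -eu

# Prints the ruleset; keeping it in a function lets "check" validate it
# with nft before "apply" loads it.
ruleset() {
cat <<'EOF'
# Removes every existing table, including ones other tools may have created.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # local (loopback) traffic
        iif lo accept

        # IPv6 neighbour discovery (RFC 4861) is not connection-tracked, so it
        # must be accepted explicitly or the host loses its IPv6 link.
        # Legitimate ND packets always carry hop limit 255; router redirects
        # are not needed on an ordinary host and stay under the drop policy.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 accept

        # replies to sessions this host opened; packets conntrack cannot
        # place in any flow (stray ACK/FIN probes) are dropped outright
        ct state established,related accept
        ct state invalid drop

        # rate-limited log of what the policy is about to drop
        limit rate 5/minute log prefix "DROPPED: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

check() { ruleset | nft -c -f - ; }   # parse and validate without loading
apply() { ruleset | nft -f - ; }      # load into the kernel (needs root)

case "${1:-}" in
    show)  ruleset ;;
    check) check ;;
    apply) apply ;;
    *)     echo "usage: $0 show|check|apply" >&2 ;;
esac
```

After `sudo sh nft-fw.sh apply`, `nft list ruleset` shows what the kernel actually holds; `nft list ruleset` before the first apply tells you which tables `flush ruleset` is about to remove.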
hjkl Apprentice
Joined: 22 Apr 2021 Posts: 198 Location: Somewhere in Europe
Posted: Thu Jul 08, 2021 10:40 am Post subject:
pietinger wrote:
> First of all you must know: With iptables you can filter only IPv4. For IPv6 you would need ip6tables. Do you really use both?
> If yes, I recommend nftables. With nftables you can do filtering for both.
> If not, I recommend iptables because it is older and more stable (I am watching the kernel patches).
> If you want to allow all outgoing (= no filtering here) and disallow all incoming packets, it is very easy:
> # clear all existing rules
> iptables -F
> iptables -X
> # set default actions
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP
> # you must allow internal communications
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> # this line is needed to allow all packets which are answers to existing sessions
> iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
> # if you also want to log not-allowed incoming packets, enable this line
> # iptables -A INPUT -j LOG --log-prefix "DROPPED: "
Well, I do use IPv6 so I guess nftables would be my case, although this is helpful.
Should I use the above commands even if IPv6 is being used, since iptables is IPv4 only?
_________________
Having problems compiling since 2021
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4148 Location: Bavaria
hjkl Apprentice
Joined: 22 Apr 2021 Posts: 198 Location: Somewhere in Europe
Posted: Thu Jul 08, 2021 10:53 am Post subject:
Thanks, I'll try it out.
It's still pretty complicated for me to understand, though.
_________________
Having problems compiling since 2021
Hu Moderator
Joined: 06 Mar 2007 Posts: 21624
Posted: Thu Jul 08, 2021 7:16 pm Post subject:
If you want to stay with iptables, then use the commands that pietinger gave. That will restrict IPv4. Then take those commands, replace iptables with ip6tables in every command, and run the result to restrict IPv6. Porting IPv4 to IPv6 isn't always this easy, but since none of the commands actually inspect source/destination address, this one is easy.
hjkl Apprentice
Joined: 22 Apr 2021 Posts: 198 Location: Somewhere in Europe
Posted: Thu Jul 08, 2021 8:37 pm Post subject:
Hu wrote:
> If you want to stay with iptables, then use the commands that pietinger gave. That will restrict IPv4. Then take those commands, replace iptables with ip6tables in every command, and run the result to restrict IPv6. Porting IPv4 to IPv6 isn't always this easy, but since none of the commands actually inspect source/destination address, this one is easy.
Cheers! I didn't know that.
_________________
Having problems compiling since 2021
mike155 Advocate
Joined: 17 Sep 2010 Posts: 4438 Location: Frankfurt, Germany
Posted: Thu Jul 08, 2021 11:22 pm Post subject:
fullbyte wrote:
> How would I make all incoming connections be denied for IPv6 & IPv4?
Do you really want to disable all incoming traffic? That's highly unusual! If you really want that, it might be better to just shut down the interface.
Or do you want to disable incoming TCP connections, but allow outgoing TCP connections? If that's the case, disabling the INPUT chain is probably the wrong answer. The right answer would be to disable incoming packets with the SYN flag set.
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4148 Location: Bavaria
Posted: Fri Jul 09, 2021 8:16 am Post subject:
mike155 wrote:
> If that's the case, disabling the INPUT chain is probably the wrong answer. [...]
This is wrong. Allowing only related packets and dropping the rest (via default action) is more usual than dropping some packets (with SYN) and allowing the rest!
mike155 wrote:
> [...] The right answer would be to disable incoming packets with the SYN flag set.
No, this is not as secure as the usual solution.
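Hu's port of the rules to ip6tables and the later exchange about SYN-only filtering, as one added example (my code, not from the thread). `stateful_rules` is pietinger's ruleset parameterised on the tool name, so the same function is run once for `iptables` and once for `ip6tables`. The ICMPv6 neighbour-discovery rules it adds in the ip6tables case are my addition: conntrack does not track neighbour discovery, so a literal port of the IPv4 rules would drop neighbour solicitations and the host would lose its IPv6 link. `syn_only_rules` is the approach mike155 describes, included for contrast, because `--syn` matches only TCP segments that open a connection: UDP, ICMP and TCP segments without SYN (the ACK and FIN probes port scanners send) are not affected by it, which is the difference pietinger's objection rests on. `DRY_RUN=1` prints each command instead of executing it; the function names, the `-m limit` on the LOG rule and the `show|apply` interface are my choices.

```shell
#!/bin/sh
# Added example, not from the thread: the same default-drop policy applied to
# IPv4 (iptables) and IPv6 (ip6tables), plus a SYN-only variant for contrast.
# DRY_RUN=1 prints the commands instead of running them.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# pietinger's ruleset, parameterised on the tool: iptables or ip6tables.
stateful_rules() {
    ipt=$1
    run "$ipt" -F
    run "$ipt" -X
    run "$ipt" -P INPUT DROP
    run "$ipt" -P FORWARD DROP
    run "$ipt" -P OUTPUT ACCEPT
    run "$ipt" -A INPUT -i lo -j ACCEPT
    run "$ipt" -A OUTPUT -o lo -j ACCEPT
    run "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # IPv6 only: Neighbour Discovery (RFC 4861) is not connection-tracked, so
    # the rule above never accepts it and the policy would drop it. Legitimate
    # ND packets always carry hop limit 255, which -m hl checks.
    if [ "$ipt" = ip6tables ]; then
        for t in router-solicitation router-advertisement \
                 neighbour-solicitation neighbour-advertisement; do
            run "$ipt" -A INPUT -p icmpv6 --icmpv6-type "$t" -m hl --hl-eq 255 -j ACCEPT
        done
    fi
    # Log what the policy is about to drop, rate-limited so a scan cannot flood syslog.
    run "$ipt" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DROPPED: "
}

# mike155's alternative: INPUT stays open and only TCP connection attempts are
# dropped. --syn matches segments with SYN set and ACK, RST, FIN clear, so UDP,
# ICMP and non-SYN TCP segments all still reach the host and its listening sockets.
syn_only_rules() {
    ipt=$1
    run "$ipt" -F
    run "$ipt" -X
    run "$ipt" -P INPUT ACCEPT
    run "$ipt" -P FORWARD DROP
    run "$ipt" -P OUTPUT ACCEPT
    run "$ipt" -A INPUT -p tcp --syn -j DROP
}

apply_dual_stack() {
    stateful_rules iptables
    stateful_rules ip6tables
}

case "${1:-}" in
    apply) apply_dual_stack ;;
    show)  DRY_RUN=1 apply_dual_stack ;;
    *)     echo "usage: $0 show|apply" >&2 ;;
esac
```

`sh fw.sh show` prints the full command list for both families; `sudo sh fw.sh apply` loads it, after which `iptables -S` and `ip6tables -S` show what each kernel table holds. The rules are not persistent across a reboot; how they are saved and restored depends on the distribution.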