Firewall Guide

From Void Linux Wiki
Jump to: navigation, search

Icon delete.svgThis section (or entire page if this is at the beginning of it) has been marked for removal.

Reason: This page should be either removed or merged with Firewall Configuration (Discuss in Talk:Firewall Guide#)

iptables

First off, install the iptables package:

# xbps-install iptables

Now let's set up our firewall configuration:

 # Set default chain policies
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT

 # Accept on localhost
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT

 # Allow established sessions to receive traffic
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

 # Allow SSH remote
 # iptables -I INPUT -p tcp --dport 22 -j ACCEPT
 iptables-save > /etc/firewall.conf

/etc/firewall.conf

# Generated by iptables-save v1.4.21 on Mon Oct 27 16:52:51 2014
*filter
:INPUT DROP [1:52]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [518:49547]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Oct 27 16:52:51 2014

/etc/sv/iptables/run

#!/bin/sh
iptables-restore < /etc/firewall.conf
chmod +x /etc/sv/iptables/run
ln -s /etc/sv/iptables /var/service/

Reboot and test

$ sudo iptables -L -n
 Chain INPUT (policy DROP)
 target     prot opt source               destination         
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

 Chain FORWARD (policy DROP)
 target     prot opt source               destination         

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination         
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0