Warning: THE VOID WIKI IS DEPRECATED. It is no longer being maintained, contains outdated and incorrect information, and will eventually be shut down. Please refer to the Void Handbook, https://docs.voidlinux.org/, for the official documentation. If you can't find the information you're seeking, please raise an issue at https://github.com/void-linux/void-docs/issues

Firewall Guide

From Void Linux Wiki
Revision as of 22:07, 16 August 2017 by GreattoBeGrateful (talk | contribs) (Added 'iptables' heading. Added 'ufw - Uncomplicated Firewall' section)
Jump to navigation Jump to search

Icon delete.svgThis section (or entire page if this is at the beginning of it) has been marked for removal.

Reason: This page should be either removed or merged with Firewall Configuration (Discuss in Talk:Firewall Guide#)

iptables

First off, install the iptables package:

# xbps-install iptables

Now let's set up our firewall configuration:

 # Set default chain policies
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT

 # Accept on localhost
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT

 # Allow established sessions to receive traffic
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

 # Allow SSH remote
 # iptables -I INPUT -p tcp --dport 22 -j ACCEPT
 iptables-save > /etc/firewall.conf

/etc/firewall.conf

# Generated by iptables-save v1.4.21 on Mon Oct 27 16:52:51 2014
*filter
:INPUT DROP [1:52]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [518:49547]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Oct 27 16:52:51 2014

/etc/sv/iptables/run

#!/bin/sh
iptables-restore < /etc/firewall.conf
chmod +x /etc/sv/iptables/run
ln -s /etc/sv/iptables /var/service/

Reboot and test

$ sudo iptables -L -n
 Chain INPUT (policy DROP)
 target     prot opt source               destination         
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

 Chain FORWARD (policy DROP)
 target     prot opt source               destination         

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination         
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

ufw - Uncomplicated Firewall

Alternatively, basic firewall rules (deny incoming, allow outgoing) can be established by default by installing and enabling ufw:

 $ sudo xbps-install ufw
 $ sudo xbps-reconfigure ufw
 $ sudo ufw enable

To check whether the ufw firewall is active during the session:

 $ sudo ufw status

To list rules:

 $ sudo ufw status verbose

For the service to persist on reboot:

 $ sudo ln -s /etc/sv/ufw /var/service

ufw pulls iptables as a dependency. Rules can be modified using iptables, by following ufw's man page, or through gufw, a graphical interface for ufw:

 $ sudo xbps-install gufw   
 $ sudo gufw