Firewall Guide

From Void Linux Wiki
Revision as of 17:15, 23 August 2017 by GreattoBeGrateful (talk | contribs) (Added - ufw service down during single user session)

This section (or entire page if this is at the beginning of it) has been marked for removal.

Reason: This page should be either removed or merged with Firewall Configuration (Discuss in Talk:Firewall Guide#)

iptables

First off, install the iptables package:

# xbps-install iptables

Now let's set up our firewall configuration:

 # Set default chain policies
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT

 # Accept on localhost
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT

 # Allow established sessions to receive traffic
 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

 # Allow remote SSH (uncomment if you need it)
 # iptables -I INPUT -p tcp --dport 22 -j ACCEPT

Save the running rules so they can be restored at boot:

 iptables-save > /etc/firewall.conf

The saved file, /etc/firewall.conf, now contains:

 # Generated by iptables-save v1.4.21 on Mon Oct 27 16:52:51 2014
 *filter
 :INPUT DROP [1:52]
 :FORWARD DROP [0:0]
 :OUTPUT ACCEPT [518:49547]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A OUTPUT -o lo -j ACCEPT
 COMMIT
 # Completed on Mon Oct 27 16:52:51 2014

Create a runit service that restores the rules at boot. Put the following in /etc/sv/iptables/run:

 #!/bin/sh
 iptables-restore < /etc/firewall.conf

Then make the script executable and enable the service:

 # chmod +x /etc/sv/iptables/run
 # ln -s /etc/sv/iptables /var/service/

Reboot and check that the rules were restored:

$ sudo iptables -L -n
 Chain INPUT (policy DROP)
 target     prot opt source               destination         
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

 Chain FORWARD (policy DROP)
 target     prot opt source               destination         

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination         
 ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
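The steps above build the rules live and then dump them with iptables-save. As an added example (not from the Void wiki, and not a Void package), the following POSIX sh functions produce the equivalent ruleset directly in iptables-restore format, with optional allowed TCP ports appended after the conntrack rule, run structural checks on it, and only then hand it to iptables-restore. It assumes iptables-restore supports --test (parse the ruleset without committing it); the IPv6 caveat in the comments is mine, not the page's.

```shell
#!/bin/sh
# Added example for the Void Linux firewall guide: generate and sanity-check a
# filter-table ruleset in iptables-restore format, equivalent to the
# /etc/firewall.conf shown above, without first loading rules via iptables.
# Assumption: iptables-restore supports --test (parse only, do not commit).

# gen_firewall_conf [TCP_PORT ...]
# Prints the base policy (INPUT/FORWARD DROP, OUTPUT ACCEPT, loopback and
# conntrack accepts) plus one ACCEPT rule per listed TCP port. Returns 1 on
# an invalid port and prints nothing further.
gen_firewall_conf() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # Port rules are appended after the conntrack rule (the page's SSH line
    # uses -I, which inserts at the top; both orders admit the same traffic,
    # but appending means only a connection's first packet is checked here).
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "gen_firewall_conf: invalid port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_firewall_conf: port out of range: $port" >&2
            return 1
        fi
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT' 'COMMIT'
}

# check_firewall_conf < FILE
# Structural checks before loading: the ruleset is a single filter table,
# INPUT defaults to DROP, exactly one COMMIT closes it, and every other line
# is a comment, a chain policy line, or an append rule.
check_firewall_conf() {
    conf=$(cat)
    printf '%s\n' "$conf" | head -n 1 | grep -qx '\*filter' \
        || { echo "check: first line must be *filter" >&2; return 1; }
    printf '%s\n' "$conf" | grep -qx ':INPUT DROP \[[0-9]*:[0-9]*\]' \
        || { echo "check: INPUT policy is not DROP" >&2; return 1; }
    [ "$(printf '%s\n' "$conf" | grep -cx 'COMMIT')" -eq 1 ] \
        || { echo "check: expected exactly one COMMIT" >&2; return 1; }
    printf '%s\n' "$conf" | tail -n 1 | grep -qx 'COMMIT' \
        || { echo "check: COMMIT must be the last line" >&2; return 1; }
    # Anything left after filtering out the known line shapes is an error.
    printf '%s\n' "$conf" | grep -vx '#.*' | grep -vx '\*filter' | grep -vx 'COMMIT' \
        | grep -vx ':[^ ]* [A-Z-]* \[[0-9]*:[0-9]*\]' | grep -vx -- '-A .*' | grep -q . \
        && { echo "check: unexpected line in ruleset" >&2; return 1; }
    return 0
}

# apply_firewall_conf FILE
# Run the structural checks, let iptables-restore parse the file without
# committing (--test), and only then load it. Must run as root.
# Note: this covers IPv4 only; IPv6 needs its own ip6tables ruleset.
apply_firewall_conf() {
    file=$1
    check_firewall_conf < "$file" || return 1
    iptables-restore --test < "$file" \
        || { echo "apply: iptables-restore rejected $file" >&2; return 1; }
    iptables-restore < "$file"
}

# Usage: gen_firewall_conf 22 > /etc/firewall.conf && apply_firewall_conf /etc/firewall.conf
```

Generating the file rather than dumping live state means the intended policy can be reviewed (and diffed against the running `iptables-save` output) before anything is loaded; the runit service from the page then restores the checked file unchanged at boot.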

ufw - Uncomplicated Firewall

Alternatively, basic firewall rules (deny incoming, allow outgoing) can be established by default by installing and enabling ufw:

 $ sudo xbps-install ufw
 $ sudo xbps-reconfigure ufw
 $ sudo ufw enable

To check whether the ufw firewall is active during the session:

 $ sudo ufw status

To list rules:

 $ sudo ufw status verbose

For the service to persist on reboot:

 $ sudo ln -s /etc/sv/ufw /var/service

ufw pulls iptables as a dependency. Rules can be modified using iptables, by following ufw's man page, or through gufw, a graphical interface for ufw:

 $ sudo xbps-install gufw
 $ sudo gufw

Note: The ufw service will not start, and therefore ufw will be inactive, if your session is launched in single user mode.

Other services, including the network service, will not start either by default during that session, except for the sulogin service used for single user mode. Single user mode can be entered from the GRUB menu at startup: select 'Advanced options' followed by 'recovery mode'.

Services modified during that session are not persistent.