Firewall Configuration

From Void Linux Wiki

This page describes three possible firewall configurations (nftables, iptables and ufw), among others.

Firewall with nftables

This section details enabling a basic firewall using the new nftables tool. According to the netfilter project, nftables replaces the old iptables. For a guide about iptables, see below.

# xbps-install -S nftables

After installation is done, look at the runit run script in /etc/sv/nftables/run, which has the following content:

#!/bin/sh
[ ! -r /etc/nftables.conf ] && exit 0
nft -f /etc/nftables.conf
exec chpst -b nftables pause

As we can see, the script exits without loading anything if /etc/nftables.conf is missing, so we either need to create that batch file or change the script. Let's create the file:

# touch /etc/nftables.conf

Now we can add nftables to runit:

# ln -s /etc/sv/nftables /var/service/

In the next step we define some basic rules.

IPv4 and IPv6 together

Since kernel 3.18 there is no need for separate IPv4 and IPv6 rules: the inet address family covers both protocols. For this we create a table in the inet family and define its chains and rules. Edit /etc/nftables.conf with the following content:

# optional, since the /etc/sv/finish script already does this after service shutdown
flush ruleset
# create a table named filter in the inet family (IPv4 and IPv6)
add table inet filter
# create the input chain, attached to the input hook with priority 0
add chain inet filter input { type filter hook input priority 0; }
# accept all loopback traffic
add rule inet filter input iif lo accept
# accept packets belonging to connections this host initiated, and related ones
add rule inet filter input ct state established,related accept
# ICMPv6 needed for IPv6 neighbor discovery, plus echo-request (ping)
add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
# count and drop all other packets
add rule inet filter input counter drop

Enabling and testing the service

Now we can run nftables:

# sv start nftables

We can check the configuration:

# nft list table inet filter

For more information about nftables, see the nftables wiki.

Firewall with iptables

This section details enabling a basic firewall using the iptables tool. Begin by installing the package:

# xbps-install -S iptables

IPv4

After installation is done, use the following script to define a basic firewall that denies all incoming connections, allows established connections to pass through, and (optionally) opens the standard SSH port:

#!/bin/sh
# Allow all loopback (lo) traffic and reject any traffic addressed to
# 127.0.0.0/8 that does not arrive on lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable

# Allow established sessions to receive traffic
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow ICMP echo requests (ping); uncomment to enable
#iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow remote SSH on port 22; uncomment to enable
#iptables -I INPUT -p tcp --dport 22 -j ACCEPT

# Reject all other inbound connections
iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
iptables -A FORWARD -j REJECT --reject-with icmp-port-unreachable

Then save the configuration to the file the iptables service loads on start:

# iptables-save > /etc/iptables/iptables.rules

Enable and test service

# ln -s /etc/sv/iptables /var/service/
# sv stop iptables
# iptables -nL # should return an empty rule set
# sv start iptables
# iptables -nL # should return the rule set as defined above

IPv6

Define a simple firewall that denies all incoming traffic but allows outgoing traffic and save it:

# ip6tables -A INPUT -j REJECT
# ip6tables -A FORWARD -j REJECT
# ip6tables-save > /etc/iptables/ip6tables.rules

Enable and test service

# ln -s /etc/sv/ip6tables /var/service/
# sv stop ip6tables
# ip6tables -nL # should return an empty rule set
# sv start ip6tables
# ip6tables -nL # should return the rule set as defined above
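After loading a saved rule set, it is worth verifying that it really has the default-deny shape intended above. The following script is an added example and is not part of this wiki page or of Void Linux: it reads an iptables-save or ip6tables-save dump on standard input and checks that loopback traffic is accepted, that ESTABLISHED,RELATED traffic is accepted, and that the INPUT chain ends in a terminating REJECT or DROP (or has a DROP policy). The two embedded dumps are constructed samples: the first mirrors what the IPv4 script above saves and passes, the second mirrors the minimal IPv6 rule set, which has no loopback or established/related accept and so fails those two checks.

```sh
#!/bin/sh
# Audit an iptables-save / ip6tables-save dump (read on stdin): loopback accepted,
# replies to our own connections (ESTABLISHED,RELATED) accepted, and a terminating
# REJECT/DROP rule or DROP policy. Prints one line per check; returns the failure count.
audit_input_chain() {
    dump=$(cat); fails=0
    input_rules=$(printf '%s\n' "$dump" | grep -- '^-A INPUT ' || true)
    if printf '%s\n' "$input_rules" | grep -q -- ' -i lo -j ACCEPT'; then
        echo "ok   loopback accepted"
    else
        echo "FAIL loopback not accepted: clients of 127.0.0.1/::1 services are blocked"
        fails=$((fails + 1))
    fi
    # iptables-save may reorder the state list, so accept both spellings.
    if printf '%s\n' "$input_rules" |
        grep -Eq -- '--(state|ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT'; then
        echo "ok   established/related accepted"
    else
        echo "FAIL established/related not accepted: replies to outbound connections are blocked"
        fails=$((fails + 1))
    fi
    last_rule=$(printf '%s\n' "$input_rules" | tail -n 1)
    policy=$(printf '%s\n' "$dump" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p')
    if printf '%s\n' "$last_rule" | grep -Eq -- '^-A INPUT -j (REJECT|DROP)( |$)' ||
        [ "$policy" = DROP ]; then
        echo "ok   default deny in place"
    else
        echo "FAIL no terminating REJECT/DROP and INPUT policy is ${policy:-unset}"
        fails=$((fails + 1))
    fi
    return "$fails"
}
# Constructed sample dumps (not captured from a real host), trimmed to the INPUT
# chain: what the IPv4 script above saves, and the minimal IPv6 rule set.
sample_ipv4_dump() { cat <<'EOF'
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}
sample_ipv6_dump() { cat <<'EOF'
:INPUT ACCEPT [0:0]
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
EOF
}
echo "== IPv4 =="; sample_ipv4_dump | audit_input_chain || echo "$? check(s) failed"
echo "== IPv6 =="; sample_ipv6_dump | audit_input_chain || echo "$? check(s) failed"
```

To audit the live rules instead, source the file in a root shell and run iptables-save | audit_input_chain (or the ip6tables-save equivalent).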

ufw - Uncomplicated Firewall

ufw applies a basic default rule set (deny incoming, allow outgoing) as soon as it is installed and enabled:

$ sudo xbps-install ufw
$ sudo xbps-reconfigure ufw
$ sudo ufw enable

To check whether ufw is active in the current session:

$ sudo ufw status

To list rules:

$ sudo ufw status verbose

For the service to persist on reboot:

$ sudo ln -s /etc/sv/ufw /var/service

ufw pulls in iptables as a dependency. Rules can be modified directly with iptables, with the ufw commands described in its man page, or through gufw, a graphical interface for ufw:

$ sudo xbps-install gufw
$ sudo gufw

Note: The ufw service will not start, and the firewall will therefore be inactive, if the system is booted in single user mode.

Other services, including the network service, will not start by default in that session either; only the sulogin service, used for single user mode, runs. Single user mode can be entered from the GRUB menu at startup: select 'Advanced options' followed by 'recovery mode'.

Changes made to services during that session are not persistent.