-Configure Debian iptables firewall.
+Configure Debian nftables firewall.
Allow everything out, limit in, disable forward.
+++ /dev/null
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides: iptables.sh
-# Required-Start: $remote_fs $network
-# Required-Stop: $remote_fs
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: iptables firewall
-### END INIT INFO
-
-# Setup ip firewall
-
-. /etc/network/functions.phd
-
-case "$1" in
- start)
- /etc/init.d/fail2ban stop
-
- # Start afresh
- $IPTABLES -F
- $IPTABLES -F -t nat
- $IPTABLES -F -t mangle
-
- # Default policies
- $IPTABLES -P INPUT DROP
- $IPTABLES -P OUTPUT ACCEPT
- $IPTABLES -P FORWARD DROP
-
- start_firewall
- /etc/init.d/rc.masq
- /etc/init.d/fail2ban start
- ;;
-
- stop)
- /etc/init.d/fail2ban stop
-
- $IPTABLES -F
- $IPTABLES -F -t nat
- $IPTABLES -F -t mangle
- $IPTABLES -P INPUT DROP
- $IPTABLES -P OUTPUT DROP
- $IPTABLES -P FORWARD DROP
- ;;
-
- clear)
- /etc/init.d/fail2ban stop
-
- # Flush (delete) all rules
- $IPTABLES -F
- $IPTABLES -F -t nat
- $IPTABLES -F -t mangle
- $IPTABLES -P INPUT ACCEPT
- $IPTABLES -P OUTPUT ACCEPT
- $IPTABLES -P FORWARD ACCEPT
- ;;
-
- *)
- echo "Usage: firewall {start|stop|clear}"
- exit 1
-esac
-
-exit 0
--- /dev/null
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: nftables.sh
+# Required-Start: $remote_fs $network
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: nftables firewall
+### END INIT INFO
+
+# Setup ip firewall
+
+. /etc/network/functions.phd
+
+case "$1" in
+ start)
+ /etc/init.d/fail2ban stop
+
+ # Start afresh
+ nft flush ruleset
+
+ # Default policies
+ nft add table ip filter
+ nft add table ip nat
+ nft add chain ip nat prerouting \{ type nat hook prerouting priority dstnat\; policy accept\; \}
+ nft add chain ip nat postrouting \{ type nat hook postrouting priority srcnat\; policy accept\; \}
+ nft add chain ip filter input \{ type filter hook input priority filter\; policy drop\; \}
+ nft add chain ip filter output \{ type filter hook output priority filter\; policy accept\; \}
+ nft add chain ip filter forward \{ type filter hook forward priority filter\; policy drop\; \}
+
+ start_firewall
+ /etc/init.d/rc.masq
+ /etc/init.d/fail2ban start
+ ;;
+
+ stop)
+ /etc/init.d/fail2ban stop
+
+ nft flush ruleset
+ nft add chain ip filter input \{ type filter hook input priority filter\; policy drop\; \}
+ nft add chain ip filter output \{ type filter hook output priority filter\; policy drop\; \}
+ nft add chain ip filter forward \{ type filter hook forward priority filter\; policy drop\; \}
+ ;;
+
+ clear)
+ /etc/init.d/fail2ban stop
+
+ # Flush (delete) all rules
+ nft flush ruleset
+ nft add chain ip filter input \{ type filter hook input priority filter\; policy accept\; \}
+ nft add chain ip filter output \{ type filter hook output priority filter\; policy accept\; \}
+ nft add chain ip filter forward \{ type filter hook forward priority filter\; policy accept\; \}
+ ;;
+
+ *)
+ echo "Usage: firewall {start|stop|clear}"
+ exit 1
+esac
+
+exit 0
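Review bot: The `stop` branch is fail-open rather than fail-closed: `nft flush ruleset` removes the `ip filter` table along with its chains, so the three `nft add chain ip filter ...` lines that follow fail with "No such file or directory" and the host is left with an empty ruleset, which nftables treats as accept-everything — the opposite of the `policy drop` the branch is trying to set. Add `nft add table ip filter` after `nft flush ruleset` in `stop` (and in `clear`, where the same failure happens but coincidentally matches the intended accept-all result). The `start` branch is correct because it creates the tables on lines 90-91 before adding chains. Because the script has no `set -e` and does not check `nft` return codes, none of this is reported when the init script runs; at minimum `nft add chain ... || exit 1` on the `stop` lines would make the failure visible.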
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
-IPTABLES=/sbin/iptables
-
-
# DHCP: For people who receive their external IP address from either DHCP or BOOTP
# such as ADSL or Cablemodem users, it is necessary to use the following
# before the deny command. The "bootp_client_net_if_name" should be replaced
-IPTABLES=/sbin/iptables
PATH=/sbin:/bin:/usr/sbin:/usr/bin
my_ip() {
MYIP=$1
# Allow everything from this host
- $IPTABLES -A INPUT -s $MYIP -j ACCEPT
+ nft add rule ip filter input ip saddr $MYIP accept
# Allow ICMP
- $IPTABLES -A INPUT -d $MYIP -p icmp -j ACCEPT
+ nft add rule ip filter input ip daddr $MYIP accept
# Allow ports >1024
- $IPTABLES -A INPUT -d $MYIP -p tcp --dport 1024: ! --syn -j ACCEPT
- $IPTABLES -A INPUT -d $MYIP -p udp --dport 1024: -j ACCEPT
+ nft add rule ip filter input ip daddr $MYIP tcp dport 1024-65535 tcp flags \& syn != syn accept
+ nft add rule ip filter input ip daddr $MYIP udp dport 1024-65535 accept
}
start_firewall() {
# Allow everything from localhost
- $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
+ nft add rule ip filter input ip saddr 127.0.0.1 accept
# Specifically block access to NFS and XWindows. Neccessary because these are ports >1024
- $IPTABLES -A INPUT -p tcp --dport 2049 -j DROP
- $IPTABLES -A INPUT -p udp --dport 2049 -j DROP
- $IPTABLES -A INPUT -p tcp --dport 6000:6063 -j DROP
- $IPTABLES -A INPUT -p udp --dport 6000:6063 -j DROP
+ nft add rule ip filter input tcp dport 2049 drop
+ nft add rule ip filter input udp dport 2049 drop
+ nft add rule ip filter input tcp dport 6000-6063 drop
+ nft add rule ip filter input udp dport 6000-6063 drop
# Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
- $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
- $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
- $IPTABLES -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 123 -j ACCEPT
- $IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 137:139 -j ACCEPT
- $IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT
- $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT
+ nft add rule ip filter input tcp dport 22 accept
+ nft add rule ip filter input tcp dport 25 accept
+ nft add rule ip filter input tcp dport 53 accept
+ nft add rule ip filter input udp dport 53 accept
+ nft add rule ip filter input udp sport 53 udp dport 1024-65535 accept
+ nft add rule ip filter input tcp dport 80 accept
+ nft add rule ip filter input tcp dport 113 accept
+ nft add rule ip filter input tcp dport 123 accept
+ nft add rule ip filter input udp dport 123 accept
+ nft add rule ip filter input tcp dport 137-139 accept
+ nft add rule ip filter input udp dport 137-139 accept
+ nft add rule ip filter input tcp dport 443 accept
+ nft add rule ip filter input tcp dport 445 accept
+ nft add rule ip filter input udp dport 1194 accept
+ nft add rule ip filter input tcp dport 9418 accept
# FTP
- $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
+ nft add rule ip filter input tcp dport 20 accept
+ nft add rule ip filter input tcp dport 21 accept
# Allow ftp-data for active connections
- #$IPTABLES -A INPUT -p tcp --sport 20 --dport 1024: -j ACCEPT
+ #nft add rule ip filter input tcp sport 20 tcp dport 1024-65535 accept
# Track FTP connections to allow active and passive mode FTP
- $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ nft add rule ip filter input tcp sport 20 ct state established,related accept
+ nft add rule ip filter input tcp dport 20 ct state established,related accept
+ nft add rule ip filter input tcp sport 21 ct state new,established accept
+ nft add rule ip filter input tcp dport 21 ct state established,related accept
+ nft add rule ip filter input tcp sport 1024-65535 ct state established,related accept
+ nft add rule ip filter input tcp dport 1024-65535 ct state established,related accept
MY_IP=$(ip --oneline -4 address show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
for ip in $MY_IP; do my_ip "$ip"; done
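Review bot: The "Allow ICMP" rule in `my_ip` lost its protocol match in the translation: the iptables line was `-d $MYIP -p icmp -j ACCEPT`, but the new line is `nft add rule ip filter input ip daddr $MYIP accept`, which accepts every inbound packet addressed to a local IP regardless of protocol or port. Since `my_ip` runs last in `start_firewall`, the only things still blocked are the four NFS/X11 drop rules that precede it; every other port on the host is exposed and the `policy drop` on the input chain is effectively bypassed. Change the line to `nft add rule ip filter input ip daddr "$MYIP" ip protocol icmp accept` (or `meta l4proto icmp`). Quoting `"$MYIP"` is also worth doing in the other three rules, since the value comes from parsed `ip address` output.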
#!/bin/sh
-exec /etc/init.d/iptables.sh start
+exec /etc/init.d/nftables.sh start
#!/bin/sh
-exec /etc/init.d/iptables.sh start
+exec /etc/init.d/nftables.sh start
- name: Restart firewall
become: true
service:
- name: iptables.sh
+ name: nftables.sh
state: started
-- name: Install iptables and fail2ban
+- name: Install fail2ban and nftables
become: true
apt:
cache_valid_time: 3600
install_recommends: no
- name: ['iptables', 'fail2ban']
+ name: ['fail2ban', 'nftables']
state: latest
update_cache: yes
notify: Restart firewall
+- name: "Change /etc/fail2ban/jail.conf (iptables -> nftables)"
+ become: true
+ lineinfile:
+ path: /etc/fail2ban/jail.conf
+ regexp: '^banaction = iptables-multiport$'
+ line: 'banaction = nftables-multiport'
+ notify: Restart firewall
+- become: true
+ lineinfile:
+ path: /etc/fail2ban/jail.conf
+ regexp: '^banaction = iptables-multiport-log$'
+ line: 'banaction = nftables-multiport'
+ notify: Restart firewall
+- become: true
+ lineinfile:
+ path: /etc/fail2ban/jail.conf
+ regexp: '^banaction_allports = iptables-allports$'
+ line: 'banaction_allports = nftables-allports'
+ notify: Restart firewall
+
- name: Configure Debian firewall
become: true
copy:
path: /etc/network/functions.phd
mode: '0640'
notify: Restart firewall
+
+- name: Remove iptables leftovers
+ become: true
+ file:
+ path: /etc/init.d/iptables.sh
+ state: absent
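Review bot: The three `lineinfile` tasks edit `/etc/fail2ban/jail.conf`, and the second one (`^banaction = iptables-multiport-log$`) will almost certainly not match anything once the first task has already rewritten the `banaction` line; with no `insertafter`, a non-matching `lineinfile` appends `banaction = nftables-multiport` at the end of the file, inside whatever jail section happens to be last. fail2ban also documents `jail.conf` as a file not to be edited because package upgrades replace it, so these overrides belong in a drop-in under `/etc/fail2ban/jail.d/`. The two unnamed tasks should get a `name:` as well. A single `copy` task replaces all three and survives upgrades:

```yaml
- name: Point fail2ban at nftables (drop-in; jail.conf is overwritten on upgrade)
  become: true
  copy:
    dest: /etc/fail2ban/jail.d/nftables.local
    mode: '0644'
    content: |
      [DEFAULT]
      banaction = nftables-multiport
      banaction_allports = nftables-allports
  notify: Restart firewall
```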
-Configure iptables firewall.
+Configure nftables firewall.
Allow everything out, limit in, disable forward.
-IPTABLES=/sbin/iptables
PATH=/sbin:/bin:/usr/sbin:/usr/bin
my_ip() {
MYIP=$1
# Allow everything from this host
- $IPTABLES -A INPUT -s $MYIP -j ACCEPT
+ nft add rule ip filter input saddr $MYIP counter accept
# Allow ICMP
- $IPTABLES -A INPUT -d $MYIP -p icmp -j ACCEPT
+ nft add rule ip filter input daddr $MYIP proto icmp counter accept
# Allow ports >1024
- $IPTABLES -A INPUT -d $MYIP -p tcp --dport 1024: ! --syn -j ACCEPT
- $IPTABLES -A INPUT -d $MYIP -p udp --dport 1024: -j ACCEPT
+ nft add rule ip filter input daddr $MYIP dport 1024- proto tcp tcp flags & syn != syn counter accept
+ nft add rule ip filter input daddr $MYIP dport 1024- proto udp counter accept
}
start_firewall() {
# Allow everything from localhost
- $IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
+ nft add rule ip filter input saddr 127.0.0.1 counter accept
# Specifically block access to NFS and XWindows. Neccessary because these are ports >1024
- $IPTABLES -A INPUT -p tcp --dport 2049 -j DROP
- $IPTABLES -A INPUT -p udp --dport 2049 -j DROP
- $IPTABLES -A INPUT -p tcp --dport 6000:6063 -j DROP
- $IPTABLES -A INPUT -p udp --dport 6000:6063 -j DROP
+ nft add rule ip filter input dport 2049 proto tcp counter drop
+ nft add rule ip filter input dport 2049 proto udp counter drop
+ nft add rule ip filter input dport 6000-6063 proto tcp counter drop
+ nft add rule ip filter input dport 6000-6063 proto udp counter drop
# Allow incoming ssh, smtp, dns, dhcp, www, ident, ntp, smb, OpenVPN, git-daemon
- $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT
- $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
- $IPTABLES -A INPUT -p udp --sport 53 --dport 1024: -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 123 -j ACCEPT
- $IPTABLES -A INPUT -p udp --dport 123 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 137:139 -j ACCEPT
- $IPTABLES -A INPUT -p udp --dport 137:139 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 445 -j ACCEPT
- $IPTABLES -A INPUT -p udp --dport 1194 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 9418 -j ACCEPT
+ nft add rule ip filter input dport 22 proto tcp counter accept
+ nft add rule ip filter input dport 25 proto tcp counter accept
+ nft add rule ip filter input dport 53 proto tcp counter accept
+ nft add rule ip filter input dport 53 proto udp counter accept
+ nft add rule ip filter input sport 53 dport 1024- proto udp counter accept
+ nft add rule ip filter input dport 80 proto tcp counter accept
+ nft add rule ip filter input dport 113 proto tcp counter accept
+ nft add rule ip filter input dport 123 proto tcp counter accept
+ nft add rule ip filter input dport 123 proto udp counter accept
+ nft add rule ip filter input dport 137-139 proto tcp counter accept
+ nft add rule ip filter input dport 137-139 proto udp counter accept
+ nft add rule ip filter input dport 443 proto tcp counter accept
+ nft add rule ip filter input dport 445 proto tcp counter accept
+ nft add rule ip filter input dport 1194 proto udp counter accept
+ nft add rule ip filter input dport 9418 proto tcp counter accept
# FTP
- $IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
+ nft add rule ip filter input dport 20 proto tcp counter accept
+ nft add rule ip filter input dport 21 proto tcp counter accept
# Allow ftp-data for active connections
- #$IPTABLES -A INPUT -p tcp --sport 20 --dport 1024: -j ACCEPT
+ #nft add rule ip filter input sport 20 dport 1024- proto tcp counter accept
# Track FTP connections to allow active and passive mode FTP
- $IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --sport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
- $IPTABLES -A INPUT -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
+ nft add rule ip filter input sport 20 proto tcp ct mstate state state state established,related counter accept
+ nft add rule ip filter input dport 20 proto tcp ct mstate state state state established,related counter accept
+ nft add rule ip filter input sport 21 proto tcp ct mstate state state state new,established counter accept
+ nft add rule ip filter input dport 21 proto tcp ct mstate state state state established,related counter accept
+ nft add rule ip filter input sport 1024-65535 proto tcp ct mstate state state state established,related counter accept
+ nft add rule ip filter input dport 1024-65535 proto tcp ct mstate state state state established,related counter accept
MY_IP=$(ip --oneline -4 address show up | awk '{split($4,a,/\//); if (a[1] != "127.0.0.1") print a[1]}')
for ip in $MY_IP; do my_ip "$ip"; done
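Review bot: None of the `nft add rule` lines in this variant of functions.phd is valid nft syntax, so every one of them fails and the input chain (if it exists) is left with no accept rules under `policy drop`, which locks out ssh: `saddr`/`daddr`/`dport` need the `ip`/`tcp`/`udp` prefix, `proto tcp` is not how nft selects a protocol, `1024-` is not a valid range, `ct mstate state state state` is not a match, and the unescaped `&` in the syn rule makes the shell background the command and then try to run a program called `syn`. The Debian variant of this same file in this change already uses the correct forms (`ip saddr`, `tcp dport 1024-65535`, `tcp flags \& syn != syn`, `ct state established,related`) and should be copied here, keeping the `counter` expressions if they are wanted. Since the script has no `set -e` and ignores `nft` exit codes, none of these failures is reported. Rewritten `my_ip` and one representative conntrack rule:

```sh
my_ip() {
MYIP=$1
# Allow everything from this host
nft add rule ip filter input ip saddr "$MYIP" counter accept
# Allow ICMP
nft add rule ip filter input ip daddr "$MYIP" ip protocol icmp counter accept
# Allow ports >1024 ('&' must be escaped or the shell backgrounds the command)
nft add rule ip filter input ip daddr "$MYIP" tcp dport 1024-65535 tcp flags \& syn != syn counter accept
nft add rule ip filter input ip daddr "$MYIP" udp dport 1024-65535 counter accept
}
# … unchanged: start_firewall port list, written as 'tcp dport N counter accept' / 'udp dport N counter accept' …
nft add rule ip filter input tcp sport 20 ct state established,related counter accept
# … unchanged: remaining ct state rules in the same form …
```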
#!/bin/sh
-exec /etc/rc.d/init.d/iptables.sh start
+exec /etc/rc.d/init.d/nftables.sh start
#!/bin/sh
-exec /etc/rc.d/init.d/iptables.sh start
+exec /etc/rc.d/init.d/nftables.sh start
+++ /dev/null
-#!/bin/sh
-### BEGIN INIT INFO
-# Provides: iptables.sh
-# Required-Start: $remote_fs $network
-# Required-Stop: $remote_fs
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: iptables firewall
-### END INIT INFO
-
-# Setup ip firewall
-
-. /etc/network/functions.phd
-
-case "$1" in
- start)
- systemctl stop fail2ban.service
-
- # Start afresh
- $IPTABLES -F
- $IPTABLES -F -t nat
- $IPTABLES -F -t mangle
-
- # Default policies
- $IPTABLES -P INPUT DROP
- $IPTABLES -P OUTPUT ACCEPT
- $IPTABLES -P FORWARD DROP
-
- start_firewall
- /etc/rc.d/init.d/rc.masq
- systemctl start fail2ban.service
- ;;
-
- stop)
- systemctl stop fail2ban.service
-
- $IPTABLES -F
- $IPTABLES -F -t nat
- $IPTABLES -F -t mangle
- $IPTABLES -P INPUT DROP
- $IPTABLES -P OUTPUT DROP
- $IPTABLES -P FORWARD DROP
- ;;
-
- clear)
- systemctl stop fail2ban.service
-
- # Flush (delete) all rules
- $IPTABLES -F
- $IPTABLES -F -t nat
- $IPTABLES -F -t mangle
- $IPTABLES -P INPUT ACCEPT
- $IPTABLES -P OUTPUT ACCEPT
- $IPTABLES -P FORWARD ACCEPT
- ;;
-
- *)
- echo "Usage: firewall {start|stop|clear}"
- exit 1
-esac
-
-exit 0
--- /dev/null
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: nftables.sh
+# Required-Start: $remote_fs $network
+# Required-Stop: $remote_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: nftables firewall
+### END INIT INFO
+
+# Setup ip firewall
+
+. /etc/network/functions.phd
+
+case "$1" in
+ start)
+ systemctl stop fail2ban.service
+
+ # Start afresh
+ nft flush
+
+ # Default policies
+ nft create table ip filter
+ nft create table ip nat
+ nft create chain ip nat prerouting { type nat hook preroutung priority 0; policy accept; }
+ nft create chain ip nat postrouting { type nat hook postroutung priority 0; policy accept; }
+ nft create chain ip filter input { type filter hook input priority 0; policy drop; }
+ nft create chain ip filter output { type filter hook output priority 0; policy accept; }
+ nft create chain ip filter forward { type filter hook forward priority 0; policy drop; }
+
+ start_firewall
+ /etc/rc.d/init.d/rc.masq
+ systemctl start fail2ban.service
+ ;;
+
+ stop)
+ systemctl stop fail2ban.service
+
+ nft flush
+ nft create chain ip filter input { type filter hook input priority 0; policy drop; }
+ nft create chain ip filter output { type filter hook output priority 0; policy drop; }
+ nft create chain ip filter forward { type filter hook forward priority 0; policy drop; }
+ ;;
+
+ clear)
+ systemctl stop fail2ban.service
+
+ # Flush (delete) all rules
+ nft flush
+ nft create chain ip filter input { type filter hook input priority 0; policy accept; }
+ nft create chain ip filter output { type filter hook output priority 0; policy accept; }
+ nft create chain ip filter forward { type filter hook forward priority 0; policy accept; }
+ ;;
+
+ *)
+ echo "Usage: firewall {start|stop|clear}"
+ exit 1
+esac
+
+exit 0
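Review bot: The chain definitions in `start`, `stop` and `clear` are passed to the shell unquoted, so the `;` inside `{ type filter hook input priority 0; policy drop; }` ends the shell command: `nft` receives a truncated spec and fails, `policy drop` is then run as a command of its own, and `}` is a shell syntax error — no chain is ever created, and with `nft flush` (which needs an object, i.e. `nft flush ruleset`) also failing, the host ends up with whatever ruleset was there before or none at all, meaning accept-everything. The `prerouting`/`postrouting` hook names are also misspelled (`preroutung`, `postroutung`) on lines 453-454, and `stop`/`clear` add chains to a table that no longer exists after the flush, so they need `nft add table ip filter` first. The Debian variant of this script in the same change escapes the braces and semicolons and creates the tables; the simplest fix here is to single-quote the chain spec, as below, and apply the same quoting in `stop` and `clear`.

```sh
# Start afresh
nft flush ruleset

# Default policies (quote the spec: an unquoted ';' ends the shell command)
nft add table ip filter
nft add table ip nat
nft add chain ip nat prerouting '{ type nat hook prerouting priority dstnat; policy accept; }'
nft add chain ip nat postrouting '{ type nat hook postrouting priority srcnat; policy accept; }'
nft add chain ip filter input '{ type filter hook input priority 0; policy drop; }'
nft add chain ip filter output '{ type filter hook output priority 0; policy accept; }'
nft add chain ip filter forward '{ type filter hook forward priority 0; policy drop; }'
# … unchanged: start_firewall, rc.masq, fail2ban start …
```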
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
-IPTABLES=/sbin/iptables
-
-
# DHCP: For people who receive their external IP address from either DHCP or BOOTP
# such as ADSL or Cablemodem users, it is necessary to use the following
# before the deny command. The "bootp_client_net_if_name" should be replaced
- name: Restart firewall
become: true
- command: /etc/rc.d/init.d/iptables.sh start
+ command: /etc/rc.d/init.d/nftables.sh start
-- name: Install fail2ban and iptables-services
+- name: Install fail2ban and nftables
become: true
dnf:
- name: ['fail2ban', 'iptables-services']
+ name: ['fail2ban', 'nftables-services', 'nftables']
state: latest
update_cache: yes
notify: Restart firewall
state: started
enabled: yes
-- name: Enable iptables-service
+- name: Enable nftables-service
become: true
service:
- name: iptables
+ name: nftables
state: started
enabled: yes