s83/privacy-guides
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

reorder nftables rules for remote access preservation

Browse source
This commit is contained in:
cadupuy 2024-01-30 21:52:30 +01:00
parent 5e1c3d6ea1
commit 0b9a0382f8
2 changed files with 8 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

6
how-to-configure-hardened-debian-server/README.md
View file

@ -205,17 +205,19 @@ systemctl start nftables
```shell ```shell
nft flush ruleset nft flush ruleset
nft add table ip firewall nft add table ip firewall
nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; } nft add chain ip firewall input { type filter hook input priority 0 \; }
nft add rule ip firewall input iif lo accept nft add rule ip firewall input iif lo accept
nft add rule ip firewall input iif != lo ip daddr 127.0.0.0/8 drop nft add rule ip firewall input iif != lo ip daddr 127.0.0.0/8 drop
nft add rule ip firewall input tcp dport ssh accept nft add rule ip firewall input tcp dport ssh accept
nft add rule ip firewall input ct state established,related accept nft add rule ip firewall input ct state established,related accept
nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; }
nft add chain ip firewall forward { type filter hook forward priority 0 \; policy drop \; } nft add chain ip firewall forward { type filter hook forward priority 0 \; policy drop \; }
nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; } nft add chain ip firewall output { type filter hook output priority 0 \; }
nft add rule ip firewall output oif lo accept nft add rule ip firewall output oif lo accept
nft add rule ip firewall output tcp dport { http, https } accept nft add rule ip firewall output tcp dport { http, https } accept
nft add rule ip firewall output udp dport { domain, ntp } accept nft add rule ip firewall output udp dport { domain, ntp } accept
nft add rule ip firewall output ct state established,related accept nft add rule ip firewall output ct state established,related accept
nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; }
``` ```
If network is IPv4-only, run: If network is IPv4-only, run:

6
how-to-configure-hardened-raspberry-pi/README.md
View file

@ -302,17 +302,19 @@ systemctl start nftables
```shell ```shell
nft flush ruleset nft flush ruleset
nft add table ip firewall nft add table ip firewall
nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; } nft add chain ip firewall input { type filter hook input priority 0 \; }
nft add rule ip firewall input iif lo accept nft add rule ip firewall input iif lo accept
nft add rule ip firewall input iif != lo ip daddr 127.0.0.0/8 drop nft add rule ip firewall input iif != lo ip daddr 127.0.0.0/8 drop
nft add rule ip firewall input tcp dport ssh accept nft add rule ip firewall input tcp dport ssh accept
nft add rule ip firewall input ct state established,related accept nft add rule ip firewall input ct state established,related accept
nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; }
nft add chain ip firewall forward { type filter hook forward priority 0 \; policy drop \; } nft add chain ip firewall forward { type filter hook forward priority 0 \; policy drop \; }
nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; } nft add chain ip firewall output { type filter hook output priority 0 \; }
nft add rule ip firewall output oif lo accept nft add rule ip firewall output oif lo accept
nft add rule ip firewall output tcp dport { http, https } accept nft add rule ip firewall output tcp dport { http, https } accept
nft add rule ip firewall output udp dport { domain, ntp } accept nft add rule ip firewall output udp dport { domain, ntp } accept
nft add rule ip firewall output ct state established,related accept nft add rule ip firewall output ct state established,related accept
nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; }
``` ```
If network is IPv4-only, run: If network is IPv4-only, run: