Charles-Antoine Dupuy 2024-05-27 15:49:37 +00:00 committed by GitHub
commit db89b8c889
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 8 additions and 4 deletions

@ -205,17 +205,19 @@ systemctl start nftables
```shell ```shell
nft flush ruleset nft flush ruleset
nft add table ip firewall nft add table ip firewall
nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; } nft add chain ip firewall input { type filter hook input priority 0 \; }
nft add rule ip firewall input iif lo accept nft add rule ip firewall input iif lo accept
nft add rule ip firewall input iif != lo ip daddr 127.0.0.0/8 drop nft add rule ip firewall input iif != lo ip daddr 127.0.0.0/8 drop
nft add rule ip firewall input tcp dport ssh accept nft add rule ip firewall input tcp dport ssh accept
nft add rule ip firewall input ct state established,related accept nft add rule ip firewall input ct state established,related accept
nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; }
nft add chain ip firewall forward { type filter hook forward priority 0 \; policy drop \; } nft add chain ip firewall forward { type filter hook forward priority 0 \; policy drop \; }
nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; } nft add chain ip firewall output { type filter hook output priority 0 \; }
nft add rule ip firewall output oif lo accept nft add rule ip firewall output oif lo accept
nft add rule ip firewall output tcp dport { http, https } accept nft add rule ip firewall output tcp dport { http, https } accept
nft add rule ip firewall output udp dport { domain, ntp } accept nft add rule ip firewall output udp dport { domain, ntp } accept
nft add rule ip firewall output ct state established,related accept nft add rule ip firewall output ct state established,related accept
nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; }
``` ```
If network is IPv4-only, run: If network is IPv4-only, run:
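Review bot: the second `nft add chain ip firewall input { ... policy drop \; }` placed after the input rules (and the matching one for `output` after the output rules) reads like an accidental duplicate of the first `add chain` unless the reader already knows that `add chain` on an existing base chain only updates its policy; add a one-line comment above each saying the chain is created with the default accept policy, the accept rules are loaded, and only then is the policy switched to drop, so an existing SSH session never sits inside a drop-everything window. Note that the reordering also changes the failure mode: if the script aborts after `nft flush ruleset` but before the final `add chain ... policy drop`, the host is left with accept-all input and output chains instead of the previous drop-all ones, i.e. it now fails open rather than closed. If that matters, the more robust fix is to put the whole ruleset (table, chains declared with `policy drop`, and rules) in a file and load it with `nft -f`, which applies everything as one atomic transaction, leaving neither a lockout window nor an accept-all window.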

@ -302,17 +302,19 @@ systemctl start nftables
```shell ```shell
nft flush ruleset nft flush ruleset
nft add table ip firewall nft add table ip firewall
nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; } nft add chain ip firewall input { type filter hook input priority 0 \; }
nft add rule ip firewall input iif lo accept nft add rule ip firewall input iif lo accept
nft add rule ip firewall input iif != lo ip daddr 127.0.0.0/8 drop nft add rule ip firewall input iif != lo ip daddr 127.0.0.0/8 drop
nft add rule ip firewall input tcp dport ssh accept nft add rule ip firewall input tcp dport ssh accept
nft add rule ip firewall input ct state established,related accept nft add rule ip firewall input ct state established,related accept
nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; }
nft add chain ip firewall forward { type filter hook forward priority 0 \; policy drop \; } nft add chain ip firewall forward { type filter hook forward priority 0 \; policy drop \; }
nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; } nft add chain ip firewall output { type filter hook output priority 0 \; }
nft add rule ip firewall output oif lo accept nft add rule ip firewall output oif lo accept
nft add rule ip firewall output tcp dport { http, https } accept nft add rule ip firewall output tcp dport { http, https } accept
nft add rule ip firewall output udp dport { domain, ntp } accept nft add rule ip firewall output udp dport { domain, ntp } accept
nft add rule ip firewall output ct state established,related accept nft add rule ip firewall output ct state established,related accept
nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; }
``` ```
If network is IPv4-only, run: If network is IPv4-only, run:
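Review bot: this hunk is the same reordering as the one at `@ -205,17 +205,19 @@` in the other file, so the same two points apply: explain in a comment why `nft add chain ip firewall input` and `nft add chain ip firewall output` each appear twice (the second call only flips the policy of the already-populated chain to drop), and consider loading the ruleset from a file with `nft -f` so the `policy drop` and the accept rules land in one atomic transaction instead of leaving an accept-all gap between `nft flush ruleset` and the final `add chain ... policy drop`. Since both files carry identical blocks, anything changed in one has to be mirrored in the other by hand, as this commit does; a shared snippet would remove that drift risk.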