s83/privacy-guides
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge 0b9a0382f8 into 0d3aa55231

Browse source
This commit is contained in:
Charles-Antoine Dupuy 2024-05-27 15:49:37 +00:00 committed by GitHub
commit db89b8c889
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 8 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

6
how-to-configure-hardened-debian-server/README.md
View file

@ -205,17 +205,19 @@ systemctl start nftables
```shell
nft flush ruleset
nft add table ip firewall
nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; }
nft add chain ip firewall input { type filter hook input priority 0 \; }
nft add rule ip firewall input iif lo accept
nft add rule ip firewall input iif != lo ip daddr 127.0.0.0/8 drop
nft add rule ip firewall input tcp dport ssh accept
nft add rule ip firewall input ct state established,related accept
nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; }
nft add chain ip firewall forward { type filter hook forward priority 0 \; policy drop \; }
nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; }
nft add chain ip firewall output { type filter hook output priority 0 \; }
nft add rule ip firewall output oif lo accept
nft add rule ip firewall output tcp dport { http, https } accept
nft add rule ip firewall output udp dport { domain, ntp } accept
nft add rule ip firewall output ct state established,related accept
nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; }
```
If network is IPv4-only, run:

6
how-to-configure-hardened-raspberry-pi/README.md
View file

@ -302,17 +302,19 @@ systemctl start nftables
```shell
nft flush ruleset
nft add table ip firewall
nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; }
nft add chain ip firewall input { type filter hook input priority 0 \; }
nft add rule ip firewall input iif lo accept
nft add rule ip firewall input iif != lo ip daddr 127.0.0.0/8 drop
nft add rule ip firewall input tcp dport ssh accept
nft add rule ip firewall input ct state established,related accept
nft add chain ip firewall input { type filter hook input priority 0 \; policy drop \; }
nft add chain ip firewall forward { type filter hook forward priority 0 \; policy drop \; }
nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; }
nft add chain ip firewall output { type filter hook output priority 0 \; }
nft add rule ip firewall output oif lo accept
nft add rule ip firewall output tcp dport { http, https } accept
nft add rule ip firewall output udp dport { domain, ntp } accept
nft add rule ip firewall output ct state established,related accept
nft add chain ip firewall output { type filter hook output priority 0 \; policy drop \; }
```
If network is IPv4-only, run: