Hi Steve,
Steve Litt writes:
> Hi all,
>
> I'm now at the stage where I need a firewall on my Devuan VM guest, and
> I don't know how to do it. I have the iptables package installed, and
> /usr/sbin/iptables is a command, but I have no idea where to go from
> there. Is there a file that iptables uses to define which ports are
> blocked?
>
> I'm used to iptables being a daemon, and that seems not to be the case
> in Devuan.
No, iptables is not a daemon. It's just a utility to (re)configure the
rules used by the kernel. It has been for as long as I know and that
goes over a decade back in time.
I have been hooking my iptables configuration into ifupdown. Below is
the /etc/network/interfaces for my laptop. I use it in combination with
netplug. Do not uncomment the #allow-hotplug eth0 line. Doing so leads
to a delay when booting.
# interfaces(5) -- file used by ifup(8) and ifdown(8)

# Only bring up the loopback interface automatically during boot.
# Any other interfaces are handled by other software in a later stage
# of the boot process or in reaction to interface (dis)connect events.
auto lo

# Loopback interface
# This interface should be brought up first so that it can be used to
# set up the system's packet filtering policy *before* any interfaces
# become available. To achieve this the `pre-up` phase is used.
# The configuration below aims to implement a deny-all policy for all
# but *solicited* replies and `localhost` traffic first.
iface lo inet loopback
    ## Configure IPv4 packet filter policy
    pre-up /sbin/iptables -P INPUT DROP
    pre-up /sbin/iptables -A INPUT \
        --match state --state ESTABLISHED,RELATED \
        --jump ACCEPT
    pre-up /sbin/iptables -A INPUT \
        --source 127.0.0.1/8 --destination 127.0.0.1/8 \
        --jump ACCEPT
    down /sbin/iptables -F INPUT

iface lo inet6 loopback
    ## Configure IPv6 packet filter policy
    pre-up /sbin/ip6tables -P INPUT DROP
    pre-up /sbin/ip6tables -A INPUT \
        --match state --state ESTABLISHED,RELATED \
        --jump ACCEPT
    pre-up /sbin/ip6tables -A INPUT \
        --source ::1/128 --destination ::1/128 \
        --jump ACCEPT
    down /sbin/ip6tables -F INPUT

# Primary wired interface
#allow-hotplug eth0
iface eth0 inet dhcp
I nuked the wireless interface bit for brevity as it doesn't relate to
setting up iptables. For additional rules, see the iptables manual page
and the iptables-extensions manual page.
Other people may prefer using iptables-save/iptables-restore. You could
hook those into /etc/network/interfaces instead.
Hope this helps,
--
Olaf Meeuwissen, LPIC-2 FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join
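Olaf's closing paragraph mentions iptables-save/iptables-restore as the alternative to spelling out every rule in /etc/network/interfaces. The script below is an added example, not Olaf's code and not part of the mail: it renders the same "drop everything except solicited replies and localhost" policy as rule files in iptables-restore(8) format, emits the matching lo stanza that loads them, and runs a root-free sanity check on the files. The /etc/iptables/rules.v4 and rules.v6 locations, the DRY_RUN_PARSE switch and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original mail): the ifupdown policy above,
# expressed as iptables-restore(8) rule files plus the hook that loads them.
# RULES_DIR is an assumed location; Devuan does not mandate it.
set -eu

RULES_DIR="${RULES_DIR:-/etc/iptables}"

# IPv4 rule set in iptables-save(8) format: a "*table" header, one
# ":CHAIN POLICY [packets:bytes]" line per built-in chain, the rules, and
# a final COMMIT. Only INPUT is closed by default; FORWARD and OUTPUT stay
# ACCEPT, exactly as in the pre-up version in the mail.
render_rules_v4() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
COMMIT
EOF
}

# Same policy for IPv6; loopback is ::1/128 there.
render_rules_v6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ::1/128 -d ::1/128 -j ACCEPT
COMMIT
EOF
}

# The lo stanza for /etc/network/interfaces that restores the files in one
# go. ifupdown hands each pre-up/down command to /bin/sh, so the input
# redirection works as written.
render_lo_stanza() {
    cat <<EOF
iface lo inet loopback
    pre-up /sbin/iptables-restore < $RULES_DIR/rules.v4
    down   /sbin/iptables -F INPUT

iface lo inet6 loopback
    pre-up /sbin/ip6tables-restore < $RULES_DIR/rules.v6
    down   /sbin/ip6tables -F INPUT
EOF
}

# Static check on a rule set read from stdin, usable without root: it must
# open with *filter, end with COMMIT and set the INPUT policy to DROP.
# Returns 0 when all three hold, 1 otherwise.
check_ruleset() {
    rules="$(cat)"
    printf '%s\n' "$rules" | head -n 1 | grep -qx '\*filter' || return 1
    printf '%s\n' "$rules" | tail -n 1 | grep -qx 'COMMIT' || return 1
    printf '%s\n' "$rules" | grep -qx ':INPUT DROP \[0:0\]' || return 1
    return 0
}

# Number of -A rules on stdin; compare with `iptables -S INPUT | grep -c '^-A'`
# after boot to confirm everything loaded.
count_rules() {
    grep -c '^-A ' || true
}

# Stage both files under $1 (default: a scratch directory) with mode 0600.
# With DRY_RUN_PARSE=1 and root, iptables-restore --test parses them
# without committing anything to the kernel. Prints the staging directory.
install_rules() {
    dest="${1:-$(mktemp -d)}"
    mkdir -p "$dest$RULES_DIR"
    render_rules_v4 > "$dest$RULES_DIR/rules.v4"
    render_rules_v6 > "$dest$RULES_DIR/rules.v6"
    chmod 0600 "$dest$RULES_DIR"/rules.v?
    if [ "${DRY_RUN_PARSE:-}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
        iptables-restore --test < "$dest$RULES_DIR/rules.v4"
        ip6tables-restore --test < "$dest$RULES_DIR/rules.v6"
    fi
    echo "$dest$RULES_DIR"
}

render_rules_v4 | check_ruleset
render_rules_v6 | check_ruleset
echo "staged rule files in: $(install_rules)"
render_lo_stanza
```

Run it as is to stage the files in a scratch directory and print the stanza; `install_rules /` as root writes them to /etc/iptables for real. After editing a rule file, `iptables-restore --test < rules.v4` catches syntax errors before the next boot depends on it.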