:: Re: [DNG] How to firewall on Devuan…
Page principale
Supprimer ce message
Répondre à ce message
Auteur: Olaf Meeuwissen
Date:  
À: Steve Litt
CC: dng
Sujet: Re: [DNG] How to firewall on Devuan?
Hi Steve,

Steve Litt writes:

> Hi all,
>
> I'm now at the stage where I need a firewall on my Devuan VM guest, and
> I don't know how to do it. I have the iptables package installed, and
> /usr/sbin/iptables is a command, but I have no idea where to go from
> there. Is there a file that iptables uses to define which ports are
> blocked?
>
> I'm used to iptables being a daemon, and that seems not to be the case
> in Devuan.


No, iptables is not a daemon. It's just a utility to (re)configure the
rules used by the kernel. It has been for as long as I know and that
goes over a decade back in time.

I have been hooking my iptables configuration into ifupdown. Below is
the /etc/network/interfaces for my laptop. I use it in combination with
netplug. Do not uncomment the #allow-hotplug eth0 line. Doing so leads
to a delay when booting.

# interfaces(5) -- file used by ifup(8) and ifdown(8)

# Only bring up the loopback interface automatically during boot.
# Any other interfaces are handled by other software in a later stage
# of the boot process or in reaction to interface (dis)connect events.

auto lo

# Loopback interface
# This interface should be brought up first so that it can be used to
# set up the system's packet filtering policy *before* any interfaces
# become available. To achieve this the `pre-up` phase is used.
# The configuration below aims to implement a deny-all policy for all
# but *sollicited* replies and `localhost` traffic first.

  iface lo inet loopback
      ##  Configure IPv4 packet filter policy
      pre-up    /sbin/iptables -P INPUT DROP
      pre-up    /sbin/iptables -A INPUT \
              --match state --state ESTABLISHED,RELATED \
              --jump ACCEPT
      pre-up    /sbin/iptables -A INPUT \
              --source 127.0.0.1/8 --destination 127.0.0.1/8 \
              --jump ACCEPT
      down    /sbin/iptables -F INPUT


  iface lo inet6 loopback
      ##  Configure IPv6 packet filter policy
      pre-up    /sbin/ip6tables -P INPUT DROP
      pre-up    /sbin/ip6tables -A INPUT \
              --match state --state ESTABLISHED,RELATED \
              --jump ACCEPT
      pre-up    /sbin/ip6tables -A INPUT \
              --source ::1/128 --destination ::1/128 \
              --jump ACCEPT
      down    /sbin/ip6tables -F INPUT


# Primary wired interface

#allow-hotplug eth0
iface eth0 inet dhcp

I nuked the wireless interface bit for brevity as it doesn't relate to
setting up iptables. For additional rules, see the iptables manual page
and the iptables-extensions manual page.

Other people may prefer using iptables-save/iptables-restore. You could
hook those into /etc/network/interfaces instead.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join