From d43c7a9f7b127eeff95735c316719f03f18eecff Mon Sep 17 00:00:00 2001
From: Christian Heller
Date: Thu, 16 Jan 2020 01:14:23 +0100
Subject: [PATCH] Add basic server firewalling.

---
 buster/apt-mark/server | 2 ++
 buster/etc_files/server/etc/nftables.conf | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100755 buster/etc_files/server/etc/nftables.conf

diff --git a/buster/apt-mark/server b/buster/apt-mark/server
index 81be2dd..8183c9c 100644
--- a/buster/apt-mark/server
+++ b/buster/apt-mark/server
@@ -1,2 +1,4 @@
 # so we can login at all …
 openssh-server
+# firewalling
+nftables
diff --git a/buster/etc_files/server/etc/nftables.conf b/buster/etc_files/server/etc/nftables.conf
new file mode 100755
index 0000000..efbc182
--- /dev/null
+++ b/buster/etc_files/server/etc/nftables.conf
@@ -0,0 +1,20 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ iif lo accept comment "accept localhost traffic"
+ ct state invalid drop comment "drop invalid connections"
+ ct state established, related accept comment "accept traffic originated from us"
+ tcp dport 22 accept comment "accept SSH on default port"
+ ip protocol icmp icmp type echo-request accept comment "accept ICMP for pinging"
+ }
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ }
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+}
--
2.30.2
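Review bot: The `inet` table's input chain silently drops all ICMPv6, because the only ICMP rule, `ip protocol icmp icmp type echo-request accept`, matches IPv4 only and `policy drop` then discards neighbour solicitation/advertisement and router advertisements, so a host that has IPv6 addressing loses IPv6 reachability (and cannot be pinged over IPv6 either). If IPv6 is in use on these servers, add a sibling rule next to the IPv4 one, e.g. `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept comment "accept ICMPv6 needed for IPv6 operation"`. The IPv4 rule can be shortened to `icmp type echo-request accept` for symmetry, since the `icmp type` match already implies the protocol. A short comment at the top of the chain, such as `# default-deny on input: only loopback, return traffic, SSH and ping are admitted`, would record the intent for the next maintainer; the apt-mark hunk only adds the package and needs nothing.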