• Basic netfilter config for Arch Linux

    From m054lw@gmail.com@21:1/5 to All on Sun Nov 4 17:24:00 2018
    Dear security experts,

    In order to resurrect my 2GB RAM netbook, I'm changing from SUSE Linux to Arch Linux.

    Also, Arch Linux is great; for example, I'm enthusiastic about how much RAM is still free after the system boots.

    I also chose Arch Linux because it supports the Raspberry Pi too, which should be a sign of good philosophy and efficient use of the hardware.

    I'm setting up a netfilter firewall for my system; below you find my /etc/nftables.conf.

    Since I don't speak this netfilter language, I'm not able to check whether my system (I didn't set up any server; I'm directly connected to the DSL router of my internet provider) is reasonably protected.

    I would be very grateful for your comments or suggestions.


    - /etc/nftables.conf:

    #!/usr/bin/nft -f

    ### ip filter, ip6 filter: verbatim from https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_workstation on 2018-10-31

    # fw.basic (native)
    table ip filter {
      chain input {
        type filter hook input priority 0;

        # accept traffic originated from us
        ct state established,related accept

        # accept any localhost traffic
        iif lo accept

        # count and drop any other traffic
        counter drop
      }
    }

    # fw6.basic
    table ip6 filter {
      chain input {
        type filter hook input priority 0;

        # accept any localhost traffic
        iif lo accept

        # accept traffic originated from us
        ct state established,related accept

        # accept neighbour discovery otherwise connectivity breaks
        icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept

        # count and drop any other traffic
        counter drop
      }
    }

    ### inet filter is the /etc/nftables.conf of Arch Linux 2018, BUT I changed (only) the 2 lines marked with '!', where I just added 'counter':

    # ipv4/ipv6 Simple & Safe Firewall
    # you can find examples in /usr/share/nftables/

    table inet filter {
      chain input {
        type filter hook input priority 0;

        # allow established/related connections
        ct state {established, related} accept

        # early drop of invalid connections
        ct state invalid drop

        # allow from loopback
        iifname lo accept

        # allow icmp
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # allow ssh
        tcp dport ssh accept

        # everything else
        counter reject with icmpx type port-unreachable # !
      }
      chain forward {
        type filter hook forward priority 0;
        counter drop # !
      }
      chain output {
        type filter hook output priority 0;
      }
    }

    # vim:set ts=2 sw=2 et:

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
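Added illustration, not part of the post above or of the nftables project: all three tables in that config attach a base chain to the input hook at priority 0, and netfilter runs every one of them, so a packet only gets through when none of the chains drops or rejects it. The Python model below simulates the three posted input chains (the Packet class, the chain functions and the test packets are constructed for the model, not nft APIs) and shows, for instance, that a new SSH connection is dropped by "ip filter" before the "tcp dport ssh accept" rule in "inet filter" is ever reached.

```python
from dataclasses import dataclass

@dataclass
class Packet:                 # constructed test packet, not a real nft object
    family: str               # "ip" (IPv4) or "ip6" (IPv6)
    iif: str = "eth0"
    ct_state: str = "new"     # new / established / related / invalid
    proto: str = "tcp"        # tcp / udp / icmp / icmpv6
    dport: int = 0
    icmp_type: str = ""       # e.g. "echo-request", "nd-neighbor-solicit"

# icmpv6 types the "ip6 filter" input chain accepts
ND_TYPES = {"nd-neighbor-solicit", "echo-request", "nd-router-advert", "nd-neighbor-advert"}

def ip_filter_input(p):       # table ip filter: IPv6 never traverses it
    if p.family != "ip":
        return None
    if p.ct_state in ("established", "related") or p.iif == "lo":
        return "accept"
    return "drop"             # counter drop

def ip6_filter_input(p):      # table ip6 filter: IPv4 never traverses it
    if p.family != "ip6":
        return None
    if p.iif == "lo" or p.ct_state in ("established", "related"):
        return "accept"
    if p.proto == "icmpv6" and p.icmp_type in ND_TYPES:
        return "accept"
    return "drop"             # counter drop

def inet_filter_input(p):     # table inet filter: both families traverse it
    if p.ct_state in ("established", "related"):
        return "accept"
    if p.ct_state == "invalid":
        return "drop"
    if p.iif == "lo" or p.proto in ("icmp", "icmpv6"):
        return "accept"
    if p.proto == "tcp" and p.dport == 22:   # tcp dport ssh accept
        return "accept"
    return "reject"           # counter reject with icmpx type port-unreachable

# All three base chains hook input at priority 0, so the kernel runs each of
# them (here in registration order). 'accept' only passes the packet on to
# the next chain; the first drop or reject is final, so the strictest wins.
CHAINS = [("ip filter", ip_filter_input), ("ip6 filter", ip6_filter_input),
          ("inet filter", inet_filter_input)]

def verdict(p):
    """Return (final verdict, name of the chain that decided it)."""
    for name, chain in CHAINS:
        v = chain(p)
        if v in ("drop", "reject"):
            return v, name
    return "accept", "all chains"
```

Because the ip/ip6 tables drop everything that is not established, related or from lo, the inet table's ICMP and SSH allowances never take effect for new inbound traffic; whether that is intended is the question to settle before trusting the counters.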