Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi there, i just noticed about NFtables, but can't find a complete hardening configuration online. I would like do block everything but my connection. Is this possible? if yes, how?
Hi there, i just noticed about NFtables, but can't find a complete hardening configuration online. I would like do block everything but my connection. Is this possible? if yes, how?
There's no one size fits all solution for packet filtering. Furthermore, for a firewalled system to work, it has to allow connections and it will be through those connections that the compromises will occur.
You can build a filter if you want, but for it to be less of an exercise in futility, it has to be custom designed for your specific situation and your particular threat model:
What are you trying to protect, against whom, and why?
What's your pain point for diagnosing network failures and adjusting the blocking and unblocking?
Are you dealing with a server or a desktop/notebook?
With a production or development environment?
What kind of networking and/or VPN is involved?
Knowing those will allow pointers to where to start.
There's no one size fits all solution for packet filtering. Furthermore, for a firewalled system to work, it has to allow connections and it will be through those connections that the compromises will occur.
You can build a filter if you want, but for it to be less of an exercise in futility, it has to be custom designed for your specific situation and your particular threat model:
What are you trying to protect, against whom, and why?
What's your pain point for diagnosing network failures and adjusting the blocking and unblocking?
Are you dealing with a server or a desktop/notebook?
With a production or development environment?
What kind of networking and/or VPN is involved?
Knowing those will allow pointers to where to start.
I want just to secure as much possible my desktop PC for things i do and obv i wont tell in a pubblic forum. No running servers neither ssh or something else. Sometimes i use VPN, but just when i browse for fun. For obvious reasons the VPN cannot be used for certain accesses.
Those questions don't have too be answered publicly, just to yourself, but they are what you will use to guide your decisions about the NFTables rules.
If you don't have SSH or any other external services then that simplifies the input rules, and the forwarding rules as well. The decisions become then about the granularity of control you want to have for the output rules. Those require a fair amount of debugging if you really lock them down, which might not be worth the effort.
The VPN will complicate matters but without one, my guess is that you could begin with the following:
Code:
#!/usr/sbin/nft -f
# Clear all prior state
flush ruleset
# Basic IPv4/IPv6
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# Accept any localhost traffic
iifname lo accept
# Accept traffic originated from us
ct state { established, related } accept
# Drop invalid connections
ct state invalid drop
# ICMPv4
# Accept ICMP
ip protocol icmp icmp type {
echo-reply, # type 0
destination-unreachable, # type 3
echo-request, # type 8
time-exceeded, # type 11
parameter-problem, # type 12
} accept
# ICMPv6
# Accept basic IPv6 functionality
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable, # type 1
packet-too-big, # type 2
time-exceeded, # type 3
parameter-problem, # type 4
echo-request, # type 128
echo-reply, # type 129
} accept
# Allow IPv6 SLAAC
ip6 nexthdr icmpv6 icmpv6 type {
nd-router-solicit, # type 133
nd-router-advert, # type 134
nd-neighbor-solicit, # type 135
nd-neighbor-advert, # type 136
} ip6 hoplimit 255 accept
# Allow IPv6 multicast listener discovery on link-local
ip6 nexthdr icmpv6 icmpv6 type {
mld-listener-query, # type 130
mld-listener-report, # type 131
mld-listener-reduction, # type 132
mld2-listener-report, # type 143
} ip6 saddr fe80::/10 accept
# Accept DHCPv6 replies from IPv6 link-local addresses
ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
include "/etc/nftables.d/*.nft"
That'd be for a basic notebook or desktop which you are sitting at physically.
As you see it does not do much and locking down the output chain would take a lot of detailed knowledge about your outgoing connections.
You might get a much higher return on effort by writing (or rewriting) the AppArmor rules for your various client tools, such as the web browsers. Each web browser, for example, does not need access to much of anywhere in your system except for the Downloads directory. It does not need your Documents or your SSH keys or your VPN certificates, to name a few. Similar for any other networked software you run from day to day.
Last edited by Turbocapitalist; 12-20-2023 at 04:19 PM.
Reason: typo
Those questions don't have too be answered publicly, just to yourself, but they are what you will use to guide your decisions about the NFTables rules.
If you don't have SSH or any other external services then that simplifies the input rules, and the forwarding rules as well. The decisions become then about the granularity of control you want to have for the output rules. Those require a fair amount of debugging if you really lock them down, which might not be worth the effort.
The VPN will complicate matters but without one, my guess is that you could begin with the following:
Code:
#!/usr/sbin/nft -f
# Clear all prior state
flush ruleset
# Basic IPv4/IPv6
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# Accept any localhost traffic
iifname lo accept
# Accept traffic originated from us
ct state { established, related } accept
# Drop invalid connections
ct state invalid drop
# ICMPv4
# Accept ICMP
ip protocol icmp icmp type {
echo-reply, # type 0
destination-unreachable, # type 3
echo-request, # type 8
time-exceeded, # type 11
parameter-problem, # type 12
} accept
# ICMPv6
# Accept basic IPv6 functionality
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable, # type 1
packet-too-big, # type 2
time-exceeded, # type 3
parameter-problem, # type 4
echo-request, # type 128
echo-reply, # type 129
} accept
# Allow IPv6 SLAAC
ip6 nexthdr icmpv6 icmpv6 type {
nd-router-solicit, # type 133
nd-router-advert, # type 134
nd-neighbor-solicit, # type 135
nd-neighbor-advert, # type 136
} ip6 hoplimit 255 accept
# Allow IPv6 multicast listener discovery on link-local
ip6 nexthdr icmpv6 icmpv6 type {
mld-listener-query, # type 130
mld-listener-report, # type 131
mld-listener-reduction, # type 132
mld2-listener-report, # type 143
} ip6 saddr fe80::/10 accept
# Accept DHCPv6 replies from IPv6 link-local addresses
ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
include "/etc/nftables.d/*.nft"
That'd be for a basic notebook or desktop which you are sitting at physically.
As you see it does not do much and locking down the output chain would take a lot of detailed knowledge about your outgoing connections.
You might get a much higher return on effort by writing (or rewriting) the AppArmor rules for your various client tools, such as the web browsers. Each web browser, for example, does not need access to much of anywhere in your system except for the Downloads directory. It does not need your Documents or your SSH keys or your VPN certificates, to name a few. Similar for any other networked software you run from day to day.
Thanks, i will remove the IPV6 part as it disbled. I had become familiar with Iptables and I think I had a decent setup, but when i when I read that it had some flaws and that it was no longer supported, I decided to try this firewall which seems to be quite similar, but in my opinion a little more difficult to set up.And yes, Im using Firejail and Apparmor.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
