On 2024-08-05, George at Clug wrote:

> Down below is the output of the translation commands for my Iptables
> commands.  Interesting but again, I will need to learn what this means,
> it does not look self explanatory. But hopefully, like everything
> computer related, it is usually not that complex, just you need to
> understand the new syntax and how to use it.
>
> I am also a bit concerned about the statement "table ip nat", I do not
> want [e.g. need] any Network Address Translation occurring.

Simply remove table ip nat and table ip mangle as they are empty and you
don't use them.

> table ip filter {
>       chain INPUT {
>               type filter hook input priority filter; policy drop;
>               iifname "lo" counter packets 0 bytes 0 accept
>               iifname "enp1s0" ct state established,related counter packets 243 bytes 27964 accept
>               iifname "enp1s0" ct state new tcp dport 22 counter packets 0 bytes 0 accept
>               iifname "enp1s0" ct state new tcp dport 25565 counter packets 0 bytes 0 accept
>               iifname "enp1s0" ct state new tcp dport 8123 counter packets 0 bytes 0 accept
>       }

Remove "packets nnn bytes nnn"; the syntax is:
  iifname lo counter accept
The action "counter" will count packets matching the rule. If you run the
shell command:
  nft list ruleset
the line will be listed with the packets and bytes counters.
Also you don't need to test iifname "enp1s0" if you don't have multiple
interfaces or don't want to differentiate them.
Only loopback (lo) needs to be tested.

>       chain OUTPUT {
>               type filter hook output priority filter; policy drop;
>               oifname "lo" counter packets 0 bytes 0 accept
>               oifname "enp1s0" ct state established,related counter packets 189 bytes 33916 accept
>               oifname "enp1s0" ct state new udp dport 53 counter packets 16 bytes 984 accept
>               oifname "enp1s0" ct state new tcp dport { 22, 53, 80, 123, 443 } counter packets 9 bytes 540 accept
>       }

Same as for input: don't test oifname "enp1s0" if not needed.

So you drop packets that are not accepted. Here, for a workstation, I add
a last rule like this one:
log level warn prefix "[FW accept output] " counter accept
This will log a warning but still accept the packet out.
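Putting the suggestions above together, here is a complete ruleset file in the form nft -f expects. This is an added example, not the poster's file or the output of iptables-translate: it keeps the ports from the translated ruleset, drops the empty nat and mangle tables, drops the "packets nnn bytes nnn" counter values, keeps only the loopback interface test (assuming the host has a single interface), and ends the output chain with the log-and-accept rule. The path /etc/nftables.conf and the header comment are assumptions.

```nft
#!/usr/sbin/nft -f
# Example /etc/nftables.conf assembled from the reply above.
# Added example, not the original poster's configuration.
# Assumption: one network interface, so nothing but "lo" is matched by name.

flush ruleset

table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;

		# loopback is the only interface worth matching by name
		iifname "lo" counter accept

		# packets belonging to connections this host already accepted or opened
		ct state established,related counter accept

		# services reachable from outside (ports taken from the translated ruleset)
		ct state new tcp dport { 22, 25565, 8123 } counter accept
	}

	chain OUTPUT {
		type filter hook output priority filter; policy drop;

		oifname "lo" counter accept
		ct state established,related counter accept

		# outbound services the host is allowed to open
		ct state new udp dport 53 counter accept
		ct state new tcp dport { 22, 53, 80, 123, 443 } counter accept

		# last rule: anything not matched above is logged, but still let out
		log level warn prefix "[FW accept output] " counter accept
	}
}
```

Check the file before loading it with `nft -c -f /etc/nftables.conf` (the -c option parses and validates without changing the kernel), then load it with `nft -f /etc/nftables.conf` and read the live counters back with `nft list ruleset`. Two caveats worth knowing: a `table ip` only sees IPv4, so IPv6 traffic passes through untouched by these rules; writing `table inet filter` with the same chains would apply them to both families. And NTP uses UDP port 123, so the `tcp dport 123` entry carried over from the original ruleset does not cover an ntp client; add `udp dport 123` to the output chain if the host syncs time.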
