Simple ruleset for a workstation
Revision as of 16:32, 15 December 2016 by Arturo (talk | contribs) (→fw.inet.basic: drop misleading comment)
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
fw.basic
table ip filter {
chain input {
type filter hook input priority 0;
# accept traffic originated from us
ct state established,related accept
# accept any localhost traffic
iif lo accept
# count and drop any other traffic
counter drop
}
}
fw6.basic
table ip6 filter {
chain input {
type filter hook input priority 0;
# accept any localhost traffic
iif lo accept
# accept traffic originated from us
ct state established,related accept
# accept neighbour discovery otherwise connectivity breaks
icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
# count and drop any other traffic
counter drop
}
}
fw.inet.basic
The inet table is available from Linux kernel 3.14 and allow to make an IPv4 and IPv6 table. There is mostly a single change compared to previous ruleset which is the inet keyword.
table inet filter {
chain input {
type filter hook input priority 0;
# accept any localhost traffic
iif lo accept
# accept traffic originated from us
ct state established,related accept
# accept neighbour discovery otherwise connectivity breaks
ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
# count and drop any other traffic
counter drop
}
}