
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

12 votes
5 answers
29313 views
Firewall rules based on Domain name instead of IP address
I am running a Guacamole remote desktop gateway test setup to manage access to cloud VM instances. As I got one strange POC request from one client to restrict Guacamole RDG access to one specific domain which doesn't have a static IP, I am out of options. The client might be using services like dynamic DNS to have their domain resolve back to whatever dynamic IP they get. So basically I have to set inbound firewall rules on my Guacamole RDG server based on one domain name instead of an IP address. Apart from basic networking logic, is there any way to achieve this requirement? I tried the command below to set an iptables rule based on the domain name, but upon execution it actually resolves the domain name and applies the rule to iptables with the resolved IP address.
iptables -A INPUT -p tcp --src domain.com --dport 3128 -j ACCEPT
JineshJK (121 rep)
Dec 15, 2019, 06:48 PM • Last activity: Jul 30, 2025, 09:47 AM
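The usual way to get a name-based rule out of iptables, as an added example that is not part of the original question or its answers: resolve the name on a schedule and keep the resulting addresses in an ipset that one static rule matches on. The client name, the set name and the port below are assumptions, and the script only touches the kernel when run with the argument `run`.

```shell
#!/bin/sh
# Added example (not from the original post): keep an ipset in sync with the
# current A records of a client's dynamic-DNS name, and let one static
# iptables rule reference the set. Run it from cron every few minutes.
#
# Assumptions (hypothetical values, not from the post):
#   CLIENT_NAME  the name the client controls, e.g. client.dyndns.example
#   SET_NAME     ipset of type hash:ip that the INPUT rule matches on
#   GUAC_PORT    the port the gateway listens on
#
# One-time setup (run as root):
#   ipset create "$SET_NAME" hash:ip
#   iptables -I INPUT -p tcp --dport "$GUAC_PORT" -m set --match-set "$SET_NAME" src -j ACCEPT
#
# Caveat: DNS answers are unauthenticated unless you validate DNSSEC, the
# client owns the name, and the set lags behind a record change by up to one
# refresh interval plus the record's TTL. Treat this as a coarse filter in
# front of the gateway's own authentication, not as a substitute for it.

CLIENT_NAME="${CLIENT_NAME:-client.dyndns.example}"
SET_NAME="${SET_NAME:-guac_clients}"
GUAC_PORT="${GUAC_PORT:-3128}"

# Resolve the name to IPv4 addresses, one per line, sorted and deduplicated.
resolve_v4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Current members of the set, one per line (everything after "Members:").
current_members() {
    ipset list "$1" | sed -n '/^Members:/,$p' | tail -n +2
}

# Pure function: given the set name, the current members and the desired
# addresses (both newline-separated), print the ipset commands that turn the
# current set into the desired one. Adds are emitted before deletes, so the
# client is never locked out while the set is being updated.
sync_commands() {
    set_name=$1; current=$2; desired=$3
    printf '%s\n' "$desired" | while read -r ip; do
        [ -n "$ip" ] || continue
        printf '%s\n' "$current" | grep -qxF "$ip" || echo "add $set_name $ip"
    done
    printf '%s\n' "$current" | while read -r ip; do
        [ -n "$ip" ] || continue
        printf '%s\n' "$desired" | grep -qxF "$ip" || echo "del $set_name $ip"
    done
}

main() {
    desired=$(resolve_v4 "$CLIENT_NAME")
    if [ -z "$desired" ]; then
        # A failed lookup keeps the last known-good addresses instead of
        # emptying the set and locking the client out.
        echo "resolution of $CLIENT_NAME failed; leaving $SET_NAME unchanged" >&2
        exit 1
    fi
    current=$(current_members "$SET_NAME")
    # "ipset restore -!" applies add/del lines and ignores already-present entries.
    sync_commands "$SET_NAME" "$current" "$desired" | ipset restore -!
}

# Only touch the kernel when explicitly asked, so the file can be sourced
# or read without side effects.
if [ "${1:-}" = "run" ]; then
    main
fi
```

`sync_commands` is kept separate from the resolver and from ipset so the add/delete logic can be checked without root and without network access; in production the cron entry is simply `*/5 * * * * /usr/local/sbin/refresh-client-set.sh run`.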
1 vote
2 answers
78 views
Does Linux have a generic way to dynamically open ports? (Desktop)
By generic, I mean mostly standard, i.e. not dependent on `ufw` or `firewalld`. What I am asking is if there is something akin to what you have on Windows, where if some game wishes to "Open to LAN" and the current firewall doesn't allow it, you are prompted to allow those changes. In other words, is there some standard way a developer could make a GUI application for Linux which requests a port to be opened for the remainder of the lifespan of the application? I am sure this is a problem that has been thought of before, but I can't find a solution that satisfies these requirements:
- User is prompted for the firewall change
- Granted privilege is clearly scoped to said modification
- Required trust in the application requesting privileges is minimized
- Resetting said modifications doesn't request privileges once again / reset managed by the system

Even for a permanent change, I don't know of anything other than for the application to request full root privileges and then use iptables behind the scenes.
Mathias Sven (273 rep)
Jul 28, 2025, 09:50 PM • Last activity: Jul 29, 2025, 09:07 AM
0 votes
1 answer
2148 views
Firewalld: Error: Invalid_Zone
I got an error I cannot solve while setting up a default zone in firewalld. I added the interface with `firewall-cmd --zone=public --change-interface=ens3` and then I saw the default public zone active. So then I ran `firewall-cmd --reload`:
Error: COMMAND_FAILED: 'usr/sbin/ip6tables-restore -w -n' failed: ip6tables-restore v1.8.2 (nf_tables): line 4: RULE_REPLACE failed (No such file or directory): rule in chain INPUT
So ip6tables-restore is trying to do something upon restart of firewalld. Yet when I run `iptables -L` I get `bash: iptables: command not found`. And `firewall-cmd --list-all` gives:
Error: INVALID_ZONE
But the zone showed moments ago...
mister mcdoogle (505 rep)
Sep 5, 2021, 01:44 AM • Last activity: Jul 25, 2025, 03:01 PM
1 vote
1 answer
2460 views
IPTables Firewall/Router/Gateway needing to block outbound traffic from users
I have multiple ethX interfaces.
- eth0 is connected to the internet.
- eth1 is connected to a trusted network.
- eth2 is connected to a network I need to impose usage rules on.
What I'd like to do is separate eth1 and eth2 into their own chains (trusted/untrusted) simply to maintain "easy on the eyes" rules.
:INPUT DROP
-A INPUT ! -i eth0 -j ACCEPT    # allows INPUT on traffic not internet based
... # More rules for eth0 allowing PING and shunting most everything else
-A INPUT -i eth1 -j trusted
-A INPUT -i eth2 -j untrusted
OUTPUT and FORWARD are currently set to ACCEPT due to the problems. For the time being, eth1 is just jumping to chain masquerade which is perfectly fine for the moment, but the confusion lies as to how to manipulate eth2 as it hasn't panned out too well with my attempts. My guess was to list all of the ALLOWED ports/protocols, but so far it's not working as devices connected through eth2 cannot reach anything, not even the firewall server's DNS/DHCP.
:untrusted
-A untrusted -i eth2 -p tcp -m tcp --dport 80 -j ACCEPT
What I need is basically a set of rules which "say" the following:
1. If outgoing internet traffic on eth0 is not PING, DROP
2. If eth1 goes out to the internet (eth0), accept it
3. If eth2 goes out to the internet on TCP port 80, accept it, drop everything else.
4. To go out to the internet, use masquerade through eth0

Any thoughts/suggestions would be truly appreciated!
T.J. (21 rep)
Feb 27, 2015, 07:42 AM • Last activity: Jul 24, 2025, 10:08 AM
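An added example, not the poster's rules and not taken from any answer: a complete iptables-restore ruleset for the layout above. The interface names are the post's; everything else is assumed. The per-interface chains hang off FORWARD rather than INPUT, because traffic crossing the box between eth2 and eth0 never traverses INPUT; INPUT only has to admit what the LAN hosts need from the gateway itself (DHCP and DNS).

```shell
#!/bin/sh
# Added example (not the poster's rules): a full ruleset for a three-interface
# gateway. Interface names follow the question; addresses are not needed
# because every decision is made on interface and port.
#   eth0  internet (masqueraded egress)
#   eth1  trusted LAN: may go anywhere
#   eth2  restricted LAN: only TCP/80 to the internet, plus DHCP/DNS from
#         the gateway itself

WAN=eth0
TRUSTED=eth1
RESTRICTED=eth2

# Print the ruleset in iptables-restore format. Order inside a chain matters:
# conntrack short-circuits first, then the interface classification.
ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 4. everything leaving via $WAN is masqueraded
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:trusted - [0:0]
:untrusted - [0:0]
# replies to anything the gateway or the LANs started
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# 1. from the internet, only ping reaches the gateway
-A INPUT -i $WAN -p icmp --icmp-type echo-request -j ACCEPT
# the trusted LAN may talk to the gateway freely
-A INPUT -i $TRUSTED -j ACCEPT
# the restricted LAN only gets DHCP and DNS from the gateway
-A INPUT -i $RESTRICTED -p udp --dport 67 -j ACCEPT
-A INPUT -i $RESTRICTED -p udp --dport 53 -j ACCEPT
-A INPUT -i $RESTRICTED -p tcp --dport 53 -j ACCEPT
# forwarded traffic: classify by ingress interface
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $TRUSTED -j trusted
-A FORWARD -i $RESTRICTED -j untrusted
# 2. the trusted LAN may go anywhere via $WAN
-A trusted -o $WAN -j ACCEPT
-A trusted -j DROP
# 3. the restricted LAN may only reach TCP/80 on the internet
-A untrusted -o $WAN -p tcp --dport 80 -j ACCEPT
-A untrusted -j DROP
COMMIT
EOF
}

# Syntax-check the generated ruleset without loading it, when the tool exists.
check() {
    if command -v iptables-restore >/dev/null 2>&1; then
        ruleset | iptables-restore --test
    fi
}

# Number of rules the generated ruleset installs in a chain (sanity check).
rules_in_chain() {
    ruleset | grep -c "^-A $1 "
}

apply() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    ruleset | iptables-restore
}

case "${1:-}" in
    apply) apply ;;
    check) check ;;
    *) ruleset ;;
esac
```

Run it with no argument to review the ruleset, `check` to have iptables-restore parse it without loading, and `apply` as root to load it atomically; iptables-restore replaces the whole table in one step, which avoids the window a sequence of `iptables -A` commands leaves open.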
0 votes
2 answers
2462 views
ufw not logging all connections as expected
I am trying to set up logging on Ubuntu Server 20.04.4 using ufw, but I'll take non-ufw advice as well. I am running a test HTTPS server on port 20000 and want to log all connections to it. Here's what I did.
ufw allow log-all 20000/tcp
Here's my ufw status:
To          Action          From          
--          ---------       -----
20000/tcp   ALLOW IN        Anywhere         (log-all)
Now the only records I see in my log file (/var/log/ufw.log) are the "blocks" being generated from other rules. I am able to connect to the server from outside, and my test server runs fine (*delivers the content I need*). But I just don't see any records pertaining to this rule in ufw logs. What might I be missing? Edit 1: Since I cannot comment yet, I am reacting to @mashuptwice's advice here. My ufw logging is on (low). If I did
ufw logging medium
wouldn't that apply to all rules? I only need extra logging for this specific rule.
Dr Phil (139 rep)
Feb 28, 2022, 03:39 PM • Last activity: Jul 19, 2025, 01:04 PM
3 votes
1 answer
4405 views
Set up nftables to only allow connections through a vpn and block all ipv6 traffic
I am trying to set up an nftables firewall on my Arch Linux distribution that only allows traffic through a VPN (and blocks all IPv6 traffic in order to prevent any IPv6 leaks). I have been playing around with it for a while now and ended up with a configuration that lets me browse the web, even though, as far as I understand nftables so far, it should not let me do that. The ruleset is pretty short and looks like this:
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        jump base_checks
        ip saddr VPN_IP_ADRESS udp sport openvpn accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ip daddr VPN_IP_ADRESS udp dport openvpn accept
        oifname "tun0" accept
    }
    chain base_checks {
        ct state { related, established } accept
        ct state invalid drop
    }
}
I tried to find my way through with trial and error and had many other rules in there, but with just this, I am able to connect to the VPN server first and then browse the web. Once I remove the last rule from the output chain though, it won't let me browse the web anymore. I am completely new to this and pretty much overall clueless, trying to learn. Unfortunately, the documentation on nftables is not that extensive, so I am kind of stuck at the moment. From what I understand so far, this setup should allow making a connection to the VPN but it should not allow any other incoming traffic, yet I can browse the web without problems. Does anyone know why it works and how I should proceed with the setup of nftables to get a more complete setup?
user246093 (41 rep)
Aug 11, 2017, 02:18 PM • Last activity: Jun 17, 2025, 09:06 PM
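As an added example (not the poster's ruleset and not from an answer), a fuller VPN-only policy of the kind the question is working towards. The endpoint address and port, the tunnel interface and the physical interface are assumptions; the script prints the ruleset by default and only loads it with `apply`.

```shell
#!/bin/sh
# Added example (not the poster's ruleset): an nftables "VPN only" policy.
# Assumptions (hypothetical, replace with your own): VPN_SERVER is the VPN
# endpoint's IPv4 address, VPN_PORT its UDP port, VPN_IF the tunnel interface
# and LAN_IF the physical interface used to reach the endpoint.
#
# Design points the short ruleset in the question does not cover:
#  - IPv6 is dropped in the input and output hooks so nothing can leak around
#    the tunnel.
#  - Loopback is allowed (local resolvers, IPC over 127.0.0.1).
#  - DHCP on the physical interface is allowed, otherwise the host loses its
#    address and can never reach the endpoint.
#  - On the physical interface only the endpoint's address/port is allowed
#    out; all other egress must leave through the tunnel interface.
#  - Input only admits return traffic (ct state) plus the endpoint; nothing
#    new from either interface is accepted.
# "flush ruleset" wipes every table, including ones other tools created.

VPN_SERVER="${VPN_SERVER:-203.0.113.10}"
VPN_PORT="${VPN_PORT:-1194}"
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-wlan0}"

ruleset() {
    cat <<EOF
flush ruleset
table inet vpn_only {
    chain input {
        type filter hook input priority 0; policy drop;
        meta nfproto ipv6 drop
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept
        # DHCP offers/acks arrive as new UDP flows from the server
        iifname "$LAN_IF" udp sport 67 udp dport 68 accept
        ip saddr $VPN_SERVER udp sport $VPN_PORT iifname "$LAN_IF" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
        meta nfproto ipv6 drop
        oif "lo" accept
        ct state invalid drop
        ct state established,related accept
        oifname "$LAN_IF" udp sport 68 udp dport 67 accept
        oifname "$LAN_IF" ip daddr $VPN_SERVER udp dport $VPN_PORT accept
        oifname "$VPN_IF" accept
    }
}
EOF
}

# nft -c parses and validates the ruleset without loading it.
check() {
    if command -v nft >/dev/null 2>&1; then
        ruleset | nft -c -f -
    fi
}

apply() {
    ruleset | nft -f -
}

# Number of rules in a chain of the generated ruleset (for sanity checks).
rules_in_chain() {
    ruleset | awk -v chain="$1" '
        $1 == "chain" && $2 == chain { in_chain = 1; next }
        in_chain && $1 == "}" { in_chain = 0 }
        in_chain && NF > 0 && $1 !~ /^(type|#|policy)/ { n++ }
        END { print n + 0 }'
}

case "${1:-}" in
    apply) apply ;;
    check) check ;;
    *) ruleset ;;
esac
```

With this policy the "web works without a matching rule" puzzle in the question cannot arise: the only way a new flow can leave is via the tunnel interface, and `ct state established,related` in output never matches a flow that was not first accepted as new.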
4 votes
1 answer
3490 views
How to add multiple user.rules in ufw?
I know you can add rules one by one. But is there a way to add rules in one go? For instance, this is how you add rules in ufw in Debian:
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
$ sudo ufw allow 22/udp
Now instead of doing it one by one, is there a way to do it all at once? I did try
$ sudo ufw allow 80/tcp 443/tcp 22/udp
but that didn't work. Any ideas?
shirish (12954 rep)
Jan 22, 2017, 11:23 AM • Last activity: Jun 17, 2025, 10:01 AM
1 vote
2 answers
6467 views
How to block all incoming and outgoing traffic except outgoing of 80 port and 443 in ufw?
I need to unblock only outgoing ports 443 and 80, only for browsing the internet. Actually I'm using the rules:
ufw default deny incoming
ufw default deny outgoing
ufw allow out from any to any port 443 proto tcp
ufw allow out from any to any port 80 proto tcp
ufw enable
But unfortunately ufw blocks all internet, and the pages do not load. Do you have any solution to my problem or another alternative? Note: with CSF (ConfigServer Firewall), incoming traffic on ports 443 and 80 is not necessary to connect to the internet, only outgoing 443 and 80, but in ufw how can I do it?
xixuhuw (11 rep)
Aug 11, 2019, 08:07 PM • Last activity: Jun 10, 2025, 09:10 PM
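An added example (not from either of the two ufw questions above, nor from their answers) that serves both: a small applier that reads ufw rule lines from a file and applies them in one go, and a sample egress-only rule list. The file path and the admin address are assumptions. The list includes outbound port 53: a browser resolves the name before it ever opens port 80 or 443, and a `default deny outgoing` policy blocks that lookup as well.

```shell
#!/bin/sh
# Added example (not from either post): apply a whole list of ufw rules from a
# file, plus a constructed egress-only profile. One ufw argument list per
# line; "#" starts a comment.

RULES_FILE="${RULES_FILE:-/etc/ufw/egress-only.rules}"   # assumed location

# Constructed sample rule list for a browse-only host.
sample_rules() {
    cat <<'EOF'
# egress-only profile: nothing in, browsing out
default deny incoming
default deny outgoing
allow out to any port 53 proto udp
allow out to any port 53 proto tcp
allow out to any port 80 proto tcp
allow out to any port 443 proto tcp
# keep management access from one admin host (assumed address)
allow in from 198.51.100.7 to any port 22 proto tcp
EOF
}

# Strip comments, trailing whitespace and blank lines; print the rule lines.
parse_rules() {
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d'
}

# Number of rules a file would apply.
count_rules() {
    parse_rules < "$1" | wc -l | tr -d ' '
}

# Apply each rule line as "ufw <line>". Re-adding an existing rule makes ufw
# print "Skipping adding existing rule" and is not an error, so the file can
# be re-applied safely.
apply_rules() {
    parse_rules < "$1" | while read -r line; do
        # shellcheck disable=SC2086  # word-splitting the line is intended
        ufw $line
    done
    ufw --force enable
}

case "${1:-}" in
    apply)
        [ -r "$RULES_FILE" ] || { echo "no rules file at $RULES_FILE" >&2; exit 1; }
        apply_rules "$RULES_FILE"
        ;;
    show)
        sample_rules
        ;;
    *)
        echo "usage: $0 apply | show" >&2
        ;;
esac
```

`show > /etc/ufw/egress-only.rules` followed by `apply` as root loads the whole profile in one go; `ufw status verbose` afterwards should list the four outbound allows and the single inbound one.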
8 votes
1 answer
2657 views
OpenVPN and routing problem on OpenWRT
My home topology:
- router1 (192.168.1.1): D-Link DSL-2540U with a static IP reachable from the Internet (ADSL via PPPoE). 4 LAN ports.
- router2 (192.168.1.2): D-Link DIR-300 with OpenWRT. Plays the role of WiFi access point. 4 LAN ports + WAN port.

                             Home PC (connects to router1 via DHCP)
                            |
internet ------ router1-----
                            |
                             router2 (OpenVPN server on OpenWRT)

On router1 I set up NAT Virtual Servers and can connect to my router via SSH or OpenVPN (TCP on port 443).
(screenshot: DSL-2540u NAT Virtual Servers)
The OpenVPN server works fine and all traffic goes via the tun interface after connection. OpenVPN server config (if it matters):
--script-security 2
mode		server
dev               tun
port              443
proto             tcp

server            10.0.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1" # Change this to your router's LAN IP Address
push "route 192.168.1.0 255.255.255.0" # Change this to your network

client-config-dir ccd
client-to-client
tls-server
dh                /etc/openvpn/dh2048.pem
ca                /etc/openvpn/CA_cert.pem
cert              /etc/openvpn/certs/server.pem
key               /etc/openvpn/keys/server.pem
crl-verify        /etc/openvpn/crl/crl.pem
tls-auth          /etc/openvpn/ta.key 0
#comp-lzo
keepalive         10 120
tun-mtu           1500
mssfix            1450
persist-key
persist-tun
verb              3
log /var/log/openvpn.log
My goal is an OpenVPN tunnel with Internet access through my home router1. At the moment I can connect to the OpenVPN server but all traffic that goes via the tunnel does not reach the Internet. Firewall rules on router2 (OpenWRT):
iptables -t nat -A prerouting_wan -p tcp --dport 443 -j ACCEPT
iptables -A input_wan -p tcp --dport 443 -j ACCEPT

iptables -t nat -A prerouting_lan -p tcp --dport 443 -j ACCEPT
iptables -A input_lan -p tcp --dport 443 -j ACCEPT


iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
It's definitely a problem with routing but I don't have enough knowledge to solve it.
Alex (81 rep)
Oct 28, 2014, 01:57 PM • Last activity: Jun 7, 2025, 09:02 AM
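An added diagnostic, not from the post or its answer, for the OpenVPN host. It uses the post's tunnel subnet (10.0.0.0/24) and LAN (192.168.1.0/24 with router1 as upstream); the LAN-side interface name on router2 is an assumption. It checks kernel forwarding, the FORWARD rules for tun+, and whether the tunnel subnet is masqueraded on its way towards the LAN, and prints the commands for whatever is missing. The rule checks take an iptables-save dump as text, so they work on a dump copied off the router as well as on the live one.

```shell
#!/bin/sh
# Added example (not from the post): check what a "VPN clients get no
# Internet" setup needs on the OpenVPN host and print the missing commands.
#
# Why NAT: router1 knows nothing about 10.0.0.0/24, so its replies to a packet
# with a 10.0.0.x source go to its own default gateway instead of router2.
# Either add a route for 10.0.0.0/24 via 192.168.1.2 on router1, or (what
# this script checks for) masquerade the tunnel subnet behind router2's LAN
# address on the way out.

TUN_NET="${TUN_NET:-10.0.0.0/24}"
LAN_IF="${LAN_IF:-br-lan}"     # assumed: OpenWrt's LAN bridge

# 1. Kernel forwarding must be on, otherwise tun->LAN packets are dropped.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# 2. Masquerade rule for the tunnel subnet. $1 = dump, $2 = subnet, $3 = out iface
has_masquerade() {
    printf '%s\n' "$1" | grep -Eq -- "^-A POSTROUTING -s $2 -o $3 -j MASQUERADE"
}

# 3. FORWARD must accept traffic entering and leaving the tunnel. $1 = dump
has_tun_forward() {
    printf '%s\n' "$1" | grep -Eq -- '^-A FORWARD -i tun\+ .*-j ACCEPT' &&
    printf '%s\n' "$1" | grep -Eq -- '^-A FORWARD -o tun\+ .*-j ACCEPT'
}

# Print the commands that are missing; return 0 only if nothing is missing.
missing_commands() {   # $1 = iptables-save output
    missing=0
    if ! has_masquerade "$1" "$TUN_NET" "$LAN_IF"; then
        echo "iptables -t nat -A POSTROUTING -s $TUN_NET -o $LAN_IF -j MASQUERADE"
        missing=1
    fi
    if ! has_tun_forward "$1"; then
        echo "iptables -I FORWARD -i tun+ -j ACCEPT"
        echo "iptables -I FORWARD -o tun+ -j ACCEPT"
        missing=1
    fi
    return $missing
}

main() {
    dump=$(iptables-save)
    if ! forwarding_enabled; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    fi
    if missing_commands "$dump"; then
        echo "# nothing missing; check the route back from router1 and the client's pushed routes" >&2
    else
        echo "# apply the commands above, then make them persistent (/etc/firewall.user on OpenWrt)" >&2
    fi
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

Against the rules shown in the question, the FORWARD check passes and the only line printed is the POSTROUTING masquerade, which is the piece that lets router1 return traffic for the 10.0.0.0/24 clients.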
1 vote
1 answer
2190 views
iptables - why the stun, turn ports are not working to allow end points to access the server?
I have this iptables configuration where everything is working except TCP/UDP ports 3478 and 5349.
$ cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Thu Nov 21 10:21:41 2013
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 3478 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5349 -j ACCEPT
-A INPUT -p udp -m udp --dport 5349 -j ACCEPT
-A INPUT -p udp -m udp --dport 3478 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
-A INPUT -p udp -m udp -m string --dport 5080 -j DROP --string "friendly-scanner" --algo bm --to 65535
-A INPUT -p udp -m udp -m string --dport 5060 -j DROP --string "friendly-scanner" --algo bm --to 65535
-A INPUT -p tcp -m tcp --dport 5081 -j ACCEPT
-A INPUT -p udp -m udp --dport 5081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5080 -j ACCEPT
-A INPUT -p udp -m udp --dport 5080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5061 -j ACCEPT
-A INPUT -p udp -m udp --dport 5061 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m udp --dport 16000:42000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7007 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state -m tcp --dport 22 --state NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 178.162.205.224/32 -j DROP
-A INPUT -s 65.55.44.100/32 -j DROP
-A INPUT -s 178.162.205.224/32 -j DROP
-A INPUT -s 91.218.247.162/32 -j DROP
-A INPUT -s 85.25.78.58/32 -j DROP
-A INPUT -s 91.218.247.162/32 -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j ACCEPT
COMMIT
# Completed on Thu Nov 21 10:21:41 2013
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
user11085
Nov 25, 2013, 08:59 PM • Last activity: May 28, 2025, 09:03 PM
1 vote
1 answer
2200 views
nftables rules not blocking traffic
I am testing nftables and am attempting to set up a basic routing firewall on a Linux machine with 2 interfaces, ens37 and ens38. Here is the ifconfig output for these 2 interfaces.
ens37: flags=4163  mtu 1500
        inet 192.168.0.3  netmask 255.255.255.0  broadcast 192.168.0.255
        ether 00:0c:29:74:33:e7  txqueuelen 1000  (Ethernet)
        RX packets 20  bytes 2524 (2.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 156  bytes 9952 (9.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens38: flags=4163  mtu 1500
        inet 192.168.0.4  netmask 255.255.255.0  broadcast 192.168.0.255
        ether 00:0c:29:74:33:f1  txqueuelen 1000  (Ethernet)
        RX packets 147  bytes 9340 (9.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18  bytes 1672 (1.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
I am wanting to emulate ens38 being a WAN port, and block all non-LAN-initiated traffic that is inbound, but allow LAN traffic outbound. I have these rules set up in /etc/nftables.conf:
#!/usr/sbin/nft -f
flush ruleset
table ip filter {
    # allow all packets sent by the firewall machine itself
    chain output {
        type filter hook output priority 100; policy accept;
    }
    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "ens37" accept
        iifname "ens38" drop
    }
    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "ens37" oifname "ens38" accept
        iifname "ens38" oifname "ens37" ct state related,established accept
    }
}
To test if the rules are successful, I am setting up a listener with netcat:
nc -lp 80 -s 192.168.0.3
Then I connect from the other interface using netcat:
nc 192.168.0.3 80 -s 192.168.0.4
My issue is that these nftables rules are not blocking traffic from the emulated WAN port. The netcat connections work perfectly fine bidirectionally, which is not what I am looking for.
If I run `nft list table filter`, I get the rules I am expecting to see as output. I am new to nftables; how can I get these rules to run against these two interfaces correctly? What is wrong with my current approach?
another_stack_user999 (43 rep)
Oct 30, 2019, 03:24 PM • Last activity: May 17, 2025, 04:04 PM
2 votes
2 answers
3269 views
Redirect web server from port 5000 to port 80 on localhost (Fedora, firewall-cmd)
On Fedora 24, a web server (Node.js) is running (standalone, no apache/nginx) on port 5000. http://localhost:5000 works. How to make it accessible on port 80? Tried this:
systemctl restart firewalld
firewall-cmd --add-service=http --permanent
firewall-cmd --add-masquerade --permanent
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=5000
firewall-cmd --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp3s0
  sources:
  services: mdns ssh dhcpv6-client samba-client https http
  ports: 1025-65535/tcp 1025-65535/udp
  protocols:
  masquerade: yes
  forward-ports: port=80:proto=tcp:toport=5000:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
**Additional info**
Tried all the above with --zone=external too. Running node as root on port 80 works. Note, there's no IPv4:
netstat -tpln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 0.0.0.0:4433            0.0.0.0:*               LISTEN      3977/deluge-gtk
tcp        0      0 0.0.0.0:51157           0.0.0.0:*               LISTEN      3977/deluge-gtk
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      900/postgres
tcp        0      0 0.0.0.0:17500           0.0.0.0:*               LISTEN      3203/dropbox
tcp        0      0 127.0.0.1:17600         0.0.0.0:*               LISTEN      3203/dropbox
tcp        0      0 127.0.0.1:17603         0.0.0.0:*               LISTEN      3203/dropbox
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp6       0      0 :::4433                 :::*                    LISTEN      3977/deluge-gtk
tcp6       0      0 :::51157                :::*                    LISTEN      3977/deluge-gtk
tcp6       0      0 :::5432                 :::*                    LISTEN      900/postgres
tcp6       0      0 :::17500                :::*                    LISTEN      3203/dropbox
tcp6       0      0 :::34017                :::*                    LISTEN      10532/code
tcp6       0      0 :::5858                 :::*                    LISTEN      30394/node
tcp6       0      0 :::5000                 :::*                    LISTEN      30394/node
Marius (133 rep)
May 11, 2017, 06:06 AM • Last activity: May 13, 2025, 05:03 PM
1 vote
1 answer
5109 views
Ports not really open after firewalld command
OS: CentOS 7
This is a question that is bordering on two issues. I have a docker machine running where I recently installed the PLEX container from linuxserver/plex. The current problem is that I cannot access the site to configure PLEX: https://localhost:32400/web. In my attempts to determine why this is occurring, I noticed that port 32400 appeared to be closed even though it should've been opened when the container was created; I am using the host network. I attempted to see if I could access the site using curl:
curl -i http://localhost:32400
curl -i http://10.0.1.200:32400
I then verified open ports with NMAP:
# nmap 10.0.1.200
Starting Nmap 6.40 ( http://nmap.org ) at 2019-01-18 12:52 CST
Nmap scan report for 10.0.1.200
Host is up (0.00049s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
So clearly port 32400 is not open, so I went to firewall-cmd:
# sudo firewall-cmd --get-active-zones
public
  interfaces: eno1
# sudo firewall-cmd --zone=public --add-port=32400/tcp --permanent
success
# sudo firewall-cmd --reload
success
I also checked to see if it was open:
# sudo firewall-cmd --zone=public --list-ports
32400/tcp
However, NMAP still shows it's closed. Any idea why firewalld would show an open port on the docker host machine but it is actually closed? I'm not even sure this will get the site working for Plex.
----------
Verification of what Kramer had suggested, that it was possible my interface was not set up:
# ip addr
3: eno1: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 10.0.1.200/24 brd 10.0.1.255 scope global noprefixroute dynamic eno1
# firewall-cmd --zone=public --list-interfaces
eno1
JMeterX (111 rep)
Jan 18, 2019, 06:58 PM • Last activity: May 10, 2025, 02:06 PM
0 votes
1 answer
2348 views
ufw won't allow connections to postgres port 5432
With `ufw disable` on the remote postgres system I'm able to connect from my local system. However, the connection does not work when I `ufw enable`, as shown below:
C:\Users\HOME>telnet 80.240.24.195 5432
Connecting To 80.240.24.195...Could not open connection to the host, on port 5432: Connect failed
Below is my postgres configuration at the time of restart.
cat /etc/postgresql/12/main/postgresql.conf
# - Connection Settings -
listen_addresses = '*'                  # what IP address(es) to listen on;
                                        # comma-separated list of addresses;
                                        # defaults to 'localhost'; use '*' for all
                                        # (change requires restart)
port = 5432                             # (change requires restart)
max_connections = 100                   # (change requires restart)
#superuser_reserved_connections = 3     # (change requires restart)
unix_socket_directories = '/var/run/postgresql'  # comma-separated list of directories
cat /etc/postgresql/12/main/pg_hba.conf
# Database administrative login by Unix domain socket
local   all             postgres                                peer
# TYPE  DATABASE        USER            ADDRESS                 METHOD
# "local" is for Unix domain socket connections only
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
host    all             all             0.0.0.0/0               md5
# IPv6 local connections:
host    all             all             ::1/128                 md5
telnet works when tried from the postgres host itself, but when I try to make the connection from my local laptop it fails.
root@DKERP:/# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         ALLOW IN    Anywhere
[ 2] 8069                       ALLOW IN    Anywhere
[ 3] 443/tcp                    DENY IN     Anywhere
[ 4] 443                        DENY IN     Anywhere
[ 5] 80/tcp                     DENY IN     Anywhere
[ 6] 80,443,5432/tcp            DENY IN     Anywhere
[ 7] 80                         DENY IN     Anywhere
[ 8] 4433/tcp                   DENY IN     Anywhere
[ 9] 5432/tcp                   ALLOW IN    Anywhere
     22 (v6)                    ALLOW IN    Anywhere (v6)
     8069 (v6)                  ALLOW IN    Anywhere (v6)
     443/tcp (v6)               DENY IN     Anywhere (v6)
     443 (v6)                   DENY IN     Anywhere (v6)
     80/tcp (v6)                DENY IN     Anywhere (v6)
     80,443,5432/tcp (v6)       DENY IN     Anywhere (v6)
     80 (v6)                    DENY IN     Anywhere (v6)
     4433/tcp (v6)              DENY IN     Anywhere (v6)
     5432/tcp (v6)              ALLOW IN    Anywhere (v6)
Can you please suggest what needs to be further done to get the postgres connection to work from my local laptop?
Ashar (527 rep)
Jan 9, 2022, 02:43 PM • Last activity: May 5, 2025, 02:00 PM
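An added example, not from the Plex/firewalld question or the PostgreSQL/ufw question above nor from their answers, that separates the two things "port closed" can mean: nothing is listening on the port (a firewall opening cannot help), or a rule is matched before the allow. The listener check parses `ss -ltn` output and also shows whether the bind is loopback-only; the ufw check walks `ufw status numbered` top to bottom, as ufw itself evaluates rules, and prints the first rule whose port list covers the port. The sample outputs in the test are constructed.

```shell
#!/bin/sh
# Added example (not from either post): is anything listening, and which
# ufw rule is hit first? Usage: sh port-triage.sh 5432 tcp
# Functions read tool output on stdin so they can be run on saved output.

# Print the local addresses that have a LISTEN socket on the port.
# Input: "ss -ltn" output (State Recv-Q Send-Q Local:Port Peer:Port).
listener_addrs() {   # $1 = port
    awk -v port="$1" '$1 == "LISTEN" && $4 ~ (":" port "$") { print $4 }'
}

# Print "[n] <to> <action>" for the first IPv4 rule in "ufw status numbered"
# whose To column covers the port (single port, comma list or a:b range),
# honouring a /tcp or /udp suffix when present. Empty output means no rule
# matched and the default policy applies.
first_ufw_rule() {   # $1 = port, $2 = tcp|udp
    awk -v port="$1" -v proto="$2" '
    function port_in(spec, pt,   a) {
        if (split(spec, a, ":") == 2) return (pt + 0 >= a[1] + 0 && pt + 0 <= a[2] + 0)
        return (spec + 0 == pt + 0)
    }
    match($0, /^\[ *[0-9]+\]/) {
        num = substr($0, 2, RLENGTH - 2) + 0
        split(substr($0, RLENGTH + 1), f, " ")
        to = f[1]; action = f[2]
        if (f[2] == "(v6)") next                       # IPv4 trace only
        nspec = split(to, parts, "/")
        if (nspec == 2 && parts[2] != proto) next
        np = split(parts[1], ports, ",")
        for (k = 1; k <= np; k++)
            if (port_in(ports[k], port)) { print "[" num "] " to " " action; exit }
    }'
}

main() {   # $1 = port, $2 = proto
    addrs=$(ss -ltn | listener_addrs "$1")
    if [ -z "$addrs" ]; then
        echo "no listener on $2/$1: the firewall is not what is refusing the connection"
    elif ! printf '%s\n' "$addrs" | grep -qvE '^(127\.0\.0\.1|\[::1\]):'; then
        echo "listening on loopback only: $(printf '%s' "$addrs" | tr '\n' ' ')"
    else
        echo "listening on: $(printf '%s' "$addrs" | tr '\n' ' ')"
    fi
    if command -v ufw >/dev/null 2>&1; then
        rule=$(ufw status numbered | first_ufw_rule "$1" "$2")
        echo "first ufw rule matching $2/$1: ${rule:-none (default policy applies)}"
    fi
}

if [ $# -eq 2 ]; then
    main "$1" "$2"
fi
```

On the listing in the PostgreSQL question the first rule covering 5432/tcp is the multi-port DENY at position 6, which is printed before the ALLOW at position 9 ever gets a chance; `ufw delete 6` or `ufw insert 1 allow 5432/tcp` changes what is hit first. For the Plex case, `ss -ltnp` adds the owning process, which is what tells a missing listener apart from a firewall problem.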
2 votes
2 answers
2527 views
keepalived no route to host, firewall issue?
I have a simple two server config of keepalived. The master/backup selection is working fine but I can't connect to the VIP from the backup server. When I try connecting, on the master I can see ARP requests from the backup server and responses from the master; on the backup server I only see the requests (i.e., I don't see the ARP responses from the master). Master keepalived.conf:
vrrp_script haproxy-check {
    script "/usr/bin/pgrep python"
    interval 5
}
 
vrrp_instance haproxy-vip {
    state MASTER
    priority 101
    interface eth0
    virtual_router_id 47
    advert_int 3
 
    unicast_src_ip 192.168.122.4
    unicast_peer {
        192.168.122.9
    }
 
    virtual_ipaddress {
        192.168.122.250
    }
 
    track_script {
        haproxy-check weight 20
    }
}
Backup keepalived.conf:
vrrp_script haproxy-check {
    script "/usr/bin/pgrep python"
    interval 5
}

vrrp_instance haproxy-vip {
    state BACKUP
    priority 99
    interface eth0
    virtual_router_id 47
    advert_int 3

    unicast_src_ip 192.168.122.9
    unicast_peer {
        192.168.122.4
    }

    virtual_ipaddress {
        192.168.122.250
    }

    track_script {
        haproxy-check weight 20
    }
}
ip addr on master:
2: eth0:  mtu 1458 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:9e:e8:18 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.4/24 brd 192.168.122.255 scope global noprefixroute dynamic eth0
       valid_lft 55567sec preferred_lft 55567sec
    inet 192.168.122.250/32 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::571a:df5f:930c:2b57/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
And on backup:
2: eth0:  mtu 1458 qdisc pfifo_fast state UP group default qlen 1000
    link/ether fa:16:3e:2e:59:3d brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.9/24 brd 192.168.122.255 scope global noprefixroute dynamic eth0
       valid_lft 79982sec preferred_lft 79982sec
    inet6 fe80::f816:3eff:fe2e:593d/64 scope link 
       valid_lft forever preferred_lft forever
tcpdump from master:
# tcpdump -nni eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:44:06.299398 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:06.299435 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
11:44:07.298939 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:07.298985 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
11:44:08.300920 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:08.300954 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
11:44:09.303039 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:09.303062 ARP, Reply 192.168.122.250 is-at fa:16:3e:9e:e8:18, length 28
And from the backup:
# tcpdump -nni eth0 arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:44:39.430367 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:40.431810 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:41.433847 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:42.435979 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
11:44:43.437814 ARP, Request who-has 192.168.122.250 tell 192.168.122.9, length 28
I don't believe it's a firewall issue (`iptables -L | grep -i arp` doesn't show anything); is there a kernel setting that could be causing an issue? Any suggestions for debugging? OS is CentOS 7, keepalived is 2.1.5.
user693861 (131 rep)
Jul 28, 2020, 03:51 PM • Last activity: Apr 27, 2025, 11:02 PM
0 votes
1 answer
40 views
Iptables does not apply drop policy for other ports
I'm running a server where iptables is configured with a default DROP policy and I've only explicitly allowed certain ports (e.g., HTTP, HTTPS, SSH on port 22, etc.). Despite never adding a rule for port 1111, which I configured to also listen for SSH, I can still successfully SSH into port 1111 from an external IP (my phone's hotspot). I've confirmed the firewall script sets a DROP policy for all incoming connections except the ports I allow, and yet 1111 remains open. I've ruled out loopback traffic, and I'm not reusing an established connection. The big mystery is why port 1111 is accessible even though iptables seems to show it should be dropped.
case "$1" in
    start)
        echo "[Firewall] Démarrage des règles complètes..."

        # Reset
        $IPT -t filter -F
        $IPT -t filter -X
        # Politique par défaut : tout bloquer
        $IPT -P INPUT DROP
        $IPT -P FORWARD DROP
        $IPT -P OUTPUT DROP
        # Reset
        #$IPT -t filter -F
        #$IPT -t filter -X
        # Connexions déjà établies
        $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        #$IPT -A INPUT -j ACCEPT
        #$IPT -A OUTPUT -j ACCEPT
        #SSH
        $IPT -I INPUT 1 -p tcp --dport 22 ! -s $ENTREPRISE_IP -j DROP
        #Loopback
        $IPT -I INPUT 1 -i lo -j ACCEPT
        $IPT -I OUTPUT 1 -o lo -j ACCEPT

        # HTTP/HTTPS
        $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
        $IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
        $IPT -A INPUT -p tcp --dport 443 -j ACCEPT
        $IPT -A INPUT -p tcp --dport 8443 -j ACCEPT
        $IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
        # Limited ICMP
        $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
        $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

        # Anti-scan / suspicious packets
        $IPT -A INPUT -m state --state INVALID -j DROP
        $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

        # SYN flood protection
        $IPT -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
        $IPT -A INPUT -p tcp --syn -j DROP

        # SSH only from a specific IP
        $IPT -A INPUT -p tcp --dport 22 -s 77.159.220.158 -j ACCEPT
        $IPT -A INPUT -p tcp --dport 22 -j DROP
        #$IPT -A OUTPUT -p tcp --dport 22 -j ACCEPT , to revisit if the server connects elsewhere via ssh

        # DNS (resolution only)
        $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
        $IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
        $IPT -A INPUT -p tcp --dport 53 -j ACCEPT
        $IPT -A INPUT -p tcp --dport 53 -j ACCEPT

        # FTP (custom SFTP? on port 2222)
        $IPT -A INPUT -p tcp --dport 2222 -m state --state NEW -j ACCEPT
        $IPT -A OUTPUT -p tcp --dport 2222 -s 149.202.189.40 -j ACCEPT

        # Mail (port 587)
        $IPT -A INPUT -p tcp --dport 587 -j ACCEPT
        $IPT -A OUTPUT -p tcp --dport 587 -j ACCEPT # to revisit

        # MySQL (access restricted to the company IP)
        $IPT -A INPUT -p tcp --dport 3306 -s $ENTREPRISE_IP -j ACCEPT

        # Nagios
        $IPT -A INPUT -p tcp --dport 5666 -s 149.202.189.40 -j ACCEPT
        $IPT -A OUTPUT -p tcp --dport 5666 -j ACCEPT

        # NTP
        $IPT -A OUTPUT -p udp --dport 123 -j ACCEPT

        # YAZ (port 210) to be discussed
        $IPT -A INPUT -p tcp --dport 210 -j ACCEPT
        $IPT -A OUTPUT -p tcp --dport 210 -j ACCEPT


        echo "[Firewall] Règles complètes appliquées."
        exit 0
    ;;

    stop)
        # Reset and allow everything
        echo "[Firewall] Mode minimal (SSH uniquement)..."
        $IPT -F
        $IPT -X
        $IPT -P INPUT DROP
        $IPT -P FORWARD DROP
        $IPT -P OUTPUT DROP

        #$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        #$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
        #$IPT -A INPUT -i lo -j ACCEPT
        #$IPT -A OUTPUT -o lo -j ACCEPT
        #$IPT -A INPUT -p tcp --dport 22 -s $ENTREPRISE_IP -j ACCEPT

        exit 0
    ;;

    restart)
        $0 stop
        sleep 1
        $0 start
        exit 0
    ;;

    *)
        echo "Usage: /etc/init.d/firewall {start|stop|restart}"
        exit 1
    ;;
esac
root@betalimbgallery:/home/ubuntu# iptables -L -v
Chain INPUT (policy DROP 5 packets, 220 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8669 3126K ACCEPT     all  --  lo     any     anywhere             anywhere
   15   900 DROP       tcp  --  any    any    !158.220.159.77.rev.sfr.net  anywhere             tcp dpt:ssh
 6565 2460K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    4   208 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
   31  1920 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:8443
  211  6966 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
  257 10304 DROP       all  --  any    any     anywhere             anywhere             state INVALID
 1833  224K DROP       tcp  --  any    any     anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
   74  3880 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 3
    1    52 DROP       tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
    0     0 ACCEPT     tcp  --  any    any     158.220.159.77.rev.sfr.net  anywhere             tcp dpt:ssh
    0     0 DROP       tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:domain
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:domain
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:2222 state NEW
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:submission
    0     0 ACCEPT     tcp  --  any    any     158.220.159.77.rev.sfr.net  anywhere             tcp dpt:mysql
    0     0 ACCEPT     tcp  --  any    any     149.202.189.40       anywhere             tcp dpt:nrpe
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:z3950

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 2 packets, 80 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8669 3126K ACCEPT     all  --  any    lo      anywhere             anywhere
 8572 8164K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-reply
   26  2045 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:domain
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:domain
    0     0 ACCEPT     tcp  --  any    any     149.202.189.40       anywhere             tcp dpt:2222
  259 15520 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:submission
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:nrpe
    5   380 ACCEPT     udp  --  any    any     anywhere             anywhere             udp dpt:ntp
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:z3950
root@betalimbgallery:/home/ubuntu#
Achraf Maakoul (1 rep)
Mar 31, 2025, 12:38 PM • Last activity: Apr 27, 2025, 06:13 PM
0 votes
2 answers
233 views
Firewall to allow only web browsing and no other network access
I am working on Debian Stable and it is working very well. I see apf-firewall to simplify iptables. I want my firewall to only allow web browsing (including forms) and block all other network access. How is this possible with apf-firewall? Or could I do it with FireHol software? It seems to have simple configuration commands:

    version 6
    interface4 eth0 home
        server dns accept
        server ftp accept
        server samba accept
        server squid accept
        server dhcp accept
        server http accept
        server ssh accept
        server icmp accept
    interface4 ppp+ internet
        server smtp accept
        server http accept
        server ftp accept

Which lines should I keep if I want only web browsing to be permitted?

Edit: Will the following 2 rules using nftables be sufficient for my needs?

    nft add rule ip filter input tcp dport 80 ct state new,established accept
    nft add rule ip filter input tcp dport 443 ct state new,established accept
rnso (323 rep)
Sep 30, 2024, 01:27 PM • Last activity: Apr 26, 2025, 10:30 PM
1 votes
1 answers
2253 views
GUFW or Firestarter in Fedora
Physician using Fedora 21 - I have very limited knowledge of Linux. I cannot make sense of iptables in Fedora. I used Debian before but moved away from Debian in great disgust after I realized their default firewall accepted all incoming. Now I use Fedora 21 and would like to install GUFW or Firestarter. Can someone help?
debianomore (11 rep)
Jan 31, 2015, 10:42 PM • Last activity: Apr 26, 2025, 10:08 AM
4 votes
2 answers
3668 views
Second OpenWRT network isn't getting an IP address
# Goal

I'd like to have two LANs: lan0 and lan1. lan0 is unencrypted traffic; lan1 will be an always-active VPN. I haven't configured the VPN, so it's currently just a second unencrypted network. I'm hoping to configure it as such: [network diagram]

# Symptoms

Unfortunately, lan1 (named LAN1_INTERFACE in the configuration files) isn't working.

- can't join WiFi network [screenshot]
- lan1 interface (LAN1_INTERFACE) doesn't have an IP address [screenshot]

I suspect that the firewall isn't properly configured. What am I missing? Do I have any other issues that need to be addressed?

# Configuration files

/etc/config/network:

    config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

    config globals 'globals'
        option ula_prefix 'fd22:91e8:0e0f::/48'

    config interface 'wan'
        option ifname 'eth1.201'
        option proto 'pppoe'
        option username 'user_name'
        option password 'password'
        option ipv6 '0'
        option _orig_ifname 'eth1'
        option _orig_bridge 'false'
        option mtu '1492'

    config interface 'lan'
        option ifname 'eth0'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option _orig_ifname 'eth0 wlan0'
        option _orig_bridge 'true'

    config interface 'lan1_interface'
        option ifname 'eth2'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option _orig_ifname 'eth2 wlan1'
        option _orig_bridge 'true'

    config interface 'vpn_interface'
        option ifname 'tun0'
        option proto 'none'

    config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

    config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 5'
        option vid '1'

    config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6'
        option vid '2'

/etc/config/wireless:

    config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'platform/soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'VHT80'
        option disabled '0'
        option txpower '23'
        option country 'US'

    config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option disabled '0'
        option encryption 'psk2+tkip+aes'
        option key 'password'
        option network 'lan'
        option ssid 'Router'

    config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option country 'US'
        option hwmode '11g'
        option path 'platform/soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode 'HT20'
        option disabled '0'
        option txpower '19'

    config wifi-iface
        option device 'radio1'
        option mode 'ap'
        option disabled '0'
        option encryption 'psk2+tkip+aes'
        option key 'password'
        option network 'lan1_interface'
        option ssid 'Router [VPN]'

/etc/config/dhcp:

    config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'
        option nonwildcard '0'
        option domain 'lan'
        option port '5353'
        option dhcpscript '/etc/resolver/dhcp_host_domain_ng.py'

    config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        list dhcp_option '6,192.168.1.1'

    config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

    config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

    config dhcp 'lan1_interface'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'lan1_interface'
        list dhcp_option '6,192.168.2.1'

/etc/config/firewall:

    config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

    #
    # includes
    #
    config include
        option path '/etc/firewall.user'

    config include
        option path '/usr/share/firewall/turris'
        option reload '1'

    config include
        option path '/etc/firewall.d/with_reload/firewall.include.sh'
        option reload '1'

    config include
        option path '/etc/firewall.d/without_reload/firewall.include.sh'
        option reload '0'

    config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

    #
    # zones
    #
    config zone
        option name 'wan'
        option network 'wan wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

    config zone
        option name 'vpn_zone'
        option network 'vpn_interface'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'

    config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

    config zone
        option name 'lan1_zone'
        option network 'lan1_interface'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option forward 'ACCEPT'

    #
    # forwarding
    #
    config forwarding
        option dest 'wan'
        option src 'lan'

    config forwarding
        option dest 'vpn_zone'
        option src 'lan1_zone'

    config forwarding
        option dest 'wan'
        option src 'lan1_zone'

    #
    # IPv4 rules
    #
    config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

    config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

    config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

    #
    # IPv6 rules
    #
    config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fe80::/10'
        option src_port '547'
        option dest_ip 'fe80::/10'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

    config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

    config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

    config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

    #
    # rules
    #
    config rule
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

    config rule
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

    config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '5353'
        option name 'Allow Guest DNS Access'
        option src 'lan1_zone'

    config rule
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option name 'Allow Guest DHCP Access'
        option src 'lan1_zone'

Edit: Router: [Turris Omnia](https://omnia.turris.cz/en/)

Should the second LAN's dhcp_option really be '6,192.168.2.1' or '6,192.168.1.1'? I don't understand what the 6 does, either.
craig (203 rep)
Oct 29, 2017, 04:44 PM • Last activity: Apr 17, 2025, 07:09 PM
1 votes
1 answers
3221 views
Adding iptables rules after implementing fail2ban
I recently implemented fail2ban on a fresh Debian server, which automatically left me with some default iptables configuration:

    root@plutarchy:/etc/apache2# iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N fail2ban-ssh
    -A INPUT -p tcp -m multiport --dports 2222 -j fail2ban-ssh
    -A fail2ban-ssh -j RETURN

Now, when I add some old iptables rules that I don't want to run through fail2ban, I end up with the following:

    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N fail2ban-ssh
    -A INPUT -p tcp -m multiport --dports 2222 -j fail2ban-ssh
    -A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 2222 -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -j DROP
    -A fail2ban-ssh -j RETURN

Note that I need to add the line **-A INPUT -p tcp --dport 2222 -j ACCEPT** or I cannot ssh into the box. Will fail2ban still protect ssh (port 2222) when I have this line inserted? If not, how can I make sure ssh still goes through fail2ban while I have port 80 opened for normal operation?
Mike Dank (151 rep)
Dec 7, 2016, 10:10 PM • Last activity: Apr 16, 2025, 02:09 AM