iptables INPUT Chain default policy
- Posts: 13
- Joined: 2023/03/04 01:45:04
Dear all forum members, I had set the INPUT chain policy to DROP, but my IntelliJ IDE automation testing is not able to make connections to the outside world.
I want to make all three chains' default policy DROP and only allow outbound connections while blocking all incoming connections.
I'm using CentOS Stream 9.
Please help. Thanks in advance.
Re: iptables INPUT Chain default policy
First, there is no iptables. The kernel now has nftables.
Second, the firewall rules are by default managed by FirewallD, and
firewalld's default is to:
1. Allow outgoing traffic
2. Reject routed traffic
3. Put all incoming traffic in zone 'public'
The zone public has rules:
1. Allow incoming new connections for: cockpit, dhcpv6-client, ssh
2. Reject everything else
If you would rather drop everything new that comes in, then switch the interfaces to zone 'drop'.
Re: iptables INPUT Chain default policy
jlehtone wrote (2023/03/04 22:03:51):
First, there is no iptables. The kernel now has nftables.
Second, the firewall rules are by default managed by FirewallD, and
firewalld's default is to:
1. Allow outgoing traffic
2. Reject routed traffic
3. Put all incoming traffic in zone 'public'
The zone public has rules:
1. Allow incoming new connections for: cockpit, dhcpv6-client, ssh
2. Reject everything else
If you would rather drop everything new that comes in, then switch the interfaces to zone 'drop'.
I had set the firewall default zone to drop, but I still worry that my firewall is not as secure as an OPNsense firewall.
Questions:
How do I block private IP and bogon networks?
Re: iptables INPUT Chain default policy
First, you can look at what firewalld does for you with: nft list ruleset
If you are not happy with that and can't find a way to tell firewalld to do what you desire, then disable the firewalld.service, enable the nftables.service, and write a ruleset that you think is better.
However, do remember that firewall rules are tricky unless you really know what you are doing,
and ask yourself whether Red Hat would set up a "weak wall" by default in their enterprise product (RHEL).
Re: iptables INPUT Chain default policy
jlehtone wrote (2023/03/05 10:51:50):
First, you can look at what firewalld does for you with: nft list ruleset
If you are not happy with that and can't find a way to tell firewalld to do what you desire, then disable the firewalld.service, enable the nftables.service, and write a ruleset that you think is better.
However, do remember that firewall rules are tricky unless you really know what you are doing,
and ask yourself whether Red Hat would set up a "weak wall" by default in their enterprise product (RHEL).
I tried to look into the nft list ruleset output, but I don't understand it. Any resources that I can refer to?
Re: iptables INPUT Chain default policy
There are two semi-related things in what you see.
One is the nftables syntax. It differs from iptables syntax.
One can read the description of the syntax: https://wiki.nftables.org/wiki-nftables ... 10_minutes
Or look at examples: https://linux-audit.com/nftables-beginn ... filtering/ https://wiki.gentoo.org/wiki/Nftables/Examples
The more distracting thing is that FirewallD generates a deep tree of chains where most branches do nothing. They are there for FirewallD to be able to add (optional) rules in the correct order. A lot of fluff that is OK for an algorithm, but a pain for a human to filter.
Extra fun is that you now have a ruleset that uses zone 'public'. If you tell FirewallD to use zone 'drop', you do get a different ruleset. Asking "What did change?" by looking at the two rulesets is not quite for humans.
Re: iptables INPUT Chain default policy
jlehtone wrote (2023/03/09 11:22:48):
There are two semi-related things in what you see.
One is the nftables syntax. It differs from iptables syntax.
One can read the description of the syntax: https://wiki.nftables.org/wiki-nftables ... 10_minutes
Or look at examples: https://linux-audit.com/nftables-beginn ... filtering/ https://wiki.gentoo.org/wiki/Nftables/Examples
The more distracting thing is that FirewallD generates a deep tree of chains where most branches do nothing. They are there for FirewallD to be able to add (optional) rules in the correct order. A lot of fluff that is OK for an algorithm, but a pain for a human to filter.
Extra fun is that you now have a ruleset that uses zone 'public'. If you tell FirewallD to use zone 'drop', you do get a different ruleset. Asking "What did change?" by looking at the two rulesets is not quite for humans.
Thanks for your prompt reply. A billion thanks for your help.
Questions:
1. In firewall-cmd, we can make runtime-to-permanent; is there any such feature in nftables? I want to test the firewall rules first before making them permanent. If yes, what command?
2. My docker cannot pull any image from the internet, and I can see from the sudo nft list ruleset output that it has something to do with it.
This is my current ruleset, set by firewalld, in the attachment. You will see something related to docker.
3. Please review these two sets of rules. Which one is better (First or Second)? Second is better, right?
First Firewall Rules
Second Firewall Rules
# Defines (LinuxHintNet is declared but not used by any rule below)
define LinuxHintNet = 192.168.0.0/16
define AllowPorts = {80,443}
# The table is created in the inet family, so every chain and rule must
# address it as "inet Restrictive"; the original "ip Restrictive" named a
# table that was never created, so nft -f rejected the file.
add table inet Restrictive
add chain inet Restrictive Incoming { type filter hook input priority 0; policy drop; }
add chain inet Restrictive Redirect { type filter hook forward priority 0; policy drop; }
add chain inet Restrictive Outgoing { type filter hook output priority 0; policy drop; }
# Loopback: iifname applies in the input hook, oifname in the output hook
# (oifname is always empty in the input hook, so the original rule never matched
# and the Outgoing policy of drop cut loopback traffic).
add rule inet Restrictive Incoming iifname lo counter accept
add rule inet Restrictive Outgoing oifname lo counter accept
# Inbound packets are accepted by source port alone; any sender can choose
# sport 80 or 443, which is why matching ct state is the usual approach.
add rule inet Restrictive Incoming tcp sport $AllowPorts counter accept
add rule inet Restrictive Outgoing tcp dport $AllowPorts counter accept
add rule inet Restrictive Incoming udp sport $AllowPorts counter accept
add rule inet Restrictive Outgoing udp dport $AllowPorts counter accept
sudo nft -f firewall.nft
sudo nft list ruleset
https://wiki.gentoo.org/wiki/Nftables/E ... nd_IPv6.29
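As an added example (not code from the thread or from any of the pages linked in it), here is a shell function that writes a stateful default-drop ruleset of the kind asked for at the start of the thread: new inbound connections are dropped, replies to the host's own connections are accepted by conntrack state rather than by source port, and outbound traffic stays open. The private and reserved source ranges asked about in an earlier post are included as an optional drop set. The uplink interface name eth0, the function name and the assumption that bogon filtering is only switched on for a host with a public address are mine, not the thread's:

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a stateful default-drop
# nftables ruleset into a file: all new inbound connections are dropped,
# replies to this host's own outbound connections are accepted by conntrack
# state, and outbound traffic stays open (which is what keeps IDE test runs
# and `docker pull` working). Optionally drops inbound packets whose source is
# a private or otherwise reserved ("bogon") IPv4 range.
#
# Assumptions (not from the thread): the uplink interface is "eth0"; the host
# does not need to accept packets from RFC 1918 neighbours (or an RFC 1918
# DHCP server) when bogon filtering is switched on.

write_hardened_ruleset() {
    out=$1                # file to write, e.g. /etc/nftables/restrictive.nft
    ext_if=${2:-eth0}     # uplink interface (assumption)
    block_bogons=${3:-0}  # 1 = drop inbound packets from reserved source ranges

    bogon_rule="# bogon filtering disabled (pass 1 as the third argument to enable)"
    if [ "$block_bogons" = 1 ]; then
        bogon_rule="iifname \"$ext_if\" ip saddr @bogons_v4 counter drop"
    fi

    cat >"$out" <<EOF
#!/usr/sbin/nft -f
# Generated by write_hardened_ruleset; load with: nft -f $out
flush ruleset

table inet restrictive {
    # RFC 1918 and other reserved IPv4 ranges that should never arrive as a
    # source address from the public internet (RFC 6890 special-purpose
    # blocks; multicast and class E summarised as 224.0.0.0/3).
    set bogons_v4 {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8,
                     169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24,
                     192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15,
                     198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/3 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid counter drop
        $bogon_rule
        # Replies to connections this host opened: the state match, not the
        # source port, is what makes this safe (anyone can send from sport 443).
        ct state established,related accept
        # Replies from the DHCP server, which conntrack does not see as established.
        iifname "$ext_if" udp sport 67 udp dport 68 accept
        # Keep path MTU discovery, ping and IPv6 neighbour discovery working.
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        # Add "tcp dport 22 accept" here if this host is administered over SSH,
        # otherwise the remote session is locked out the moment this loads.
        counter drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Containers: Docker keeps its own chains in table ip filter, but their
        # packets must pass this chain too, e.g. iifname "docker0" accept.
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # Left open on purpose: a policy of drop here with only tcp/80 and
        # tcp/443 allowed is what breaks DNS, NTP, package updates and docker.
    }
}
EOF
}
```

Generate the file with `write_hardened_ruleset /etc/nftables/restrictive.nft eth0`, check it with `nft -c -f` and load it with `nft -f`; because the file starts with `flush ruleset`, loading it replaces whatever firewalld left in the kernel in one atomic transaction. On a host inside a home or office LAN the bogon set would drop the neighbours and the DHCP server, so leave the third argument at 0 there.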
Re: iptables INPUT Chain default policy
nicholaswkc wrote (2023/03/11 09:39:13):
1. In firewall-cmd, we can make runtime-to-permanent; is there any such feature in nftables? I want to test the firewall rules first before making them permanent. If yes, what command?
Firewalld has its config stored in files. The service reads the config from files into memory (runtime) on boot (and on some firewall-cmd commands).
The ruleset in the kernel is generated from the runtime config.
With firewall-cmd you can modify either the config in files (which is used after reboot) or the runtime config, which updates the ruleset in the kernel immediately.
Similarly, the nftables.service has its config stored in files and reads them on boot to generate the ruleset into the kernel.
You edit the files, the "permanent" config, however you like to edit files.
You can modify individual rules in the kernel with the command 'nft', or you can create more rules in a file and load it. As long as the nftables.service does not know about your use of that file, you can reboot back to the "stored config".
Your 'Restrictive' drops a lot more than the RHEL default ruleset. What if docker (and more crucial system applications) actually send out other packets than to tcp/80 and tcp/443?
Re: iptables INPUT Chain default policy
jlehtone wrote (2023/03/11 20:37:54):
nicholaswkc wrote (2023/03/11 09:39:13):
1. In firewall-cmd, we can make runtime-to-permanent; is there any such feature in nftables? I want to test the firewall rules first before making them permanent. If yes, what command?
Firewalld has its config stored in files. The service reads the config from files into memory (runtime) on boot (and on some firewall-cmd commands).
The ruleset in the kernel is generated from the runtime config.
With firewall-cmd you can modify either the config in files (which is used after reboot) or the runtime config, which updates the ruleset in the kernel immediately.
Similarly, the nftables.service has its config stored in files and reads them on boot to generate the ruleset into the kernel.
You edit the files, the "permanent" config, however you like to edit files.
You can modify individual rules in the kernel with the command 'nft', or you can create more rules in a file and load it. As long as the nftables.service does not know about your use of that file, you can reboot back to the "stored config".
Your 'Restrictive' drops a lot more than the RHEL default ruleset. What if docker (and more crucial system applications) actually send out other packets than to tcp/80 and tcp/443?
Backup the current ruleset and flush the current ruleset?
Can you tell me how to load an nft ruleset into the kernel temporarily and how to load the nft config file permanently?
I'm using the firewall rules at the link below.
https://wiki.gentoo.org/wiki/Nftables/E ... nd_IPv6.29
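The runtime-versus-permanent workflow that the reply quoted above describes, as an added shell example that is not from the thread: back up the live ruleset, load a candidate file into the kernel only (runtime), with a timer that restores the backup unless you cancel it, and make the file part of the boot-time config only once it has been confirmed. It assumes, as on CentOS Stream 9, that nftables.service loads /etc/sysconfig/nftables.conf and that files under /etc/nftables/ can be included from it; check with `systemctl cat nftables` before relying on that. The function names and the rollback-timer idea are mine:

```shell
#!/bin/sh
# Added example, not from the thread. Runtime vs permanent for plain nftables:
# load a ruleset file into the kernel with an automatic rollback timer, cancel
# the timer once you know you are not locked out, then make the file part of
# the boot-time config and hand the firewall over from firewalld to nftables.
#
# Assumptions (verify with `systemctl cat nftables`): nftables.service loads
# /etc/sysconfig/nftables.conf, which may include files under /etc/nftables/.
# All nft and systemctl calls need root.

NFT=${NFT:-nft}
NFT_CONF=${NFT_CONF:-/etc/sysconfig/nftables.conf}

# Save the live ruleset as a file that restores it atomically when loaded
# (this is the "backup the current ruleset" step; the flush is in the file).
backup_ruleset() {
    out=$1
    { echo "flush ruleset"; "$NFT" list ruleset; } >"$out"
}

# Load $1 into the kernel (runtime only) after a syntax check (nft -c), and
# start a timer that reloads the backup $2 after $3 seconds unless cancelled.
load_with_rollback() {
    rules=$1; backup=$2; seconds=${3:-120}
    [ -r "$rules" ]  || { echo "ruleset file not readable: $rules" >&2; return 1; }
    [ -r "$backup" ] || { echo "backup file not readable: $backup" >&2; return 1; }
    "$NFT" -c -f "$rules" || return 1
    ( sleep "$seconds" && "$NFT" -f "$backup" ) &
    echo $! >"$rules.rollback.pid"
    "$NFT" -f "$rules"
    echo "loaded $rules; run: cancel_rollback $rules  (within ${seconds}s)"
}

# Kill the rollback timer once the new ruleset is confirmed to work.
cancel_rollback() {
    pidfile="$1.rollback.pid"
    [ -r "$pidfile" ] || return 1
    kill "$(cat "$pidfile")" 2>/dev/null
    rm -f "$pidfile"
}

# Append a line to a file only if it is not already there (idempotent), so
# re-running make_permanent does not duplicate the include.
ensure_line() {
    line=$1; file=$2
    grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >>"$file"
}

# Make the ruleset permanent: copy it under /etc/nftables, reference it from the
# service's config file, then switch from firewalld.service to nftables.service
# (the hand-over described earlier in the thread).
make_permanent() {
    rules=$1
    target=/etc/nftables/$(basename "$rules")
    install -m 0600 "$rules" "$target"
    ensure_line "include \"$target\"" "$NFT_CONF"
    systemctl disable --now firewalld
    systemctl enable --now nftables
}
```

Typical sequence on the console: `backup_ruleset /root/before.nft`, then `load_with_rollback /root/restrictive.nft /root/before.nft 120`, test that outbound traffic and any remote session still work, then `cancel_rollback /root/restrictive.nft` and finally `make_permanent /root/restrictive.nft`. If the test locks you out, the timer puts the saved ruleset back after 120 seconds; and because nftables.service only reads the files it is told to include, a reboot before make_permanent also returns to the stored config, exactly as the reply above says.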