Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
It looks like you leave the loopback interface open for spoofing. It should only accept input and output to and from its own address range.
Why are you rate limiting HTTPS and not HTTP?
You also risk locking yourself out with SSH if you fat finger the IP address range or need to log in from another. That should be open but the authentication limited to only either keys or certificates with password authentication off.
Port 80 (HTTP) is necessary with HTTPS if you are setting up Let's Encrypt certificates for your TLS. The CertBot, or other method, will need to occasionally publish something for verification.
Since you default a generic output policy of Allow, then the extra lines explicitly allowing HTTP and HTTPS are not needed. If you turn the output policy to Drop, then you will need to also open up outgoing DNS and presumably SMTP or other operational services.
A loose set of rules which could be converted:
Code:
#!/usr/sbin/nft -f
# Clear all prior state
flush ruleset
# Basic IPv4/IPv6 stateful firewall
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# accept local host traffic
iifname "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 \
counter accept
iifname "lo" ip6 saddr ::1 ip6 daddr ::1 \
counter accept
# Accept traffic originated from us
ct state { established, related } accept
# Drop invalid connections
ct state invalid drop
# Reject AUTH to make it fail fast
tcp dport 113 reject with icmpx type port-unreachable
tcp dport 22 ct state new limit rate 4/minute counter accept
tcp dport 80 ct state new accept
tcp dport 443 ct state new accept
# ICMPv4
# Accept ICMP
ip protocol icmp icmp type {
echo-reply, # type 0
destination-unreachable, # type 3
echo-request, # type 8
time-exceeded, # type 11
parameter-problem, # type 12
} accept
# ICMPv6
# Accept basic IPv6 functionality
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable, # type 1
packet-too-big, # type 2
time-exceeded, # type 3
parameter-problem, # type 4
echo-request, # type 128
echo-reply, # type 129
} accept
# Allow IPv6 SLAAC
ip6 nexthdr icmpv6 icmpv6 type {
nd-router-solicit, # type 133
nd-router-advert, # type 134
nd-neighbor-solicit, # type 135
nd-neighbor-advert, # type 136
} ip6 hoplimit 255 accept
# Allow IPv6 multicast listener discovery on link-local
ip6 nexthdr icmpv6 icmpv6 type {
mld-listener-query, # type 130
mld-listener-report, # type 131
mld-listener-reduction, # type 132
mld2-listener-report, # type 143
} ip6 saddr fe80::/10 accept
# Accept DHCPv6 replies from IPv6 link-local addresses
ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
It looks like you leave the loopback interface open for spoofing. It should only accept input and output to and from its own address range.
Why are you rate limiting HTTPS and not HTTP?
You also risk locking yourself out with SSH if you fat finger the IP address range or need to log in from another. That should be open but the authentication limited to only either keys or certificates with password authentication off.
Port 80 (HTTP) is necessary with HTTPS if you are setting up Let's Encrypt certificates for your TLS. The CertBot, or other method, will need to occasionally publish something for verification.
Since you default a generic output policy of Allow, then the extra lines explicitly allowing HTTP and HTTPS are not needed. If you turn the output policy to Drop, then you will need to also open up outgoing DNS and presumably SMTP or other operational services.
A loose set of rules which could be converted:
Code:
#!/usr/sbin/nft -f
# Clear all prior state
flush ruleset
# Basic IPv4/IPv6 stateful firewall
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# accept local host traffic
iifname "lo" ip saddr 127.0.0.0/8 ip daddr 127.0.0.0/8 \
counter accept
iifname "lo" ip6 saddr ::1 ip6 daddr ::1 \
counter accept
# Accept traffic originated from us
ct state { established, related } accept
# Drop invalid connections
ct state invalid drop
# Reject AUTH to make it fail fast
tcp dport 113 reject with icmpx type port-unreachable
tcp dport 22 ct state new limit rate 4/minute counter accept
tcp dport 80 ct state new accept
tcp dport 443 ct state new accept
# ICMPv4
# Accept ICMP
ip protocol icmp icmp type {
echo-reply, # type 0
destination-unreachable, # type 3
echo-request, # type 8
time-exceeded, # type 11
parameter-problem, # type 12
} accept
# ICMPv6
# Accept basic IPv6 functionality
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable, # type 1
packet-too-big, # type 2
time-exceeded, # type 3
parameter-problem, # type 4
echo-request, # type 128
echo-reply, # type 129
} accept
# Allow IPv6 SLAAC
ip6 nexthdr icmpv6 icmpv6 type {
nd-router-solicit, # type 133
nd-router-advert, # type 134
nd-neighbor-solicit, # type 135
nd-neighbor-advert, # type 136
} ip6 hoplimit 255 accept
# Allow IPv6 multicast listener discovery on link-local
ip6 nexthdr icmpv6 icmpv6 type {
mld-listener-query, # type 130
mld-listener-report, # type 131
mld-listener-reduction, # type 132
mld2-listener-report, # type 143
} ip6 saddr fe80::/10 accept
# Accept DHCPv6 replies from IPv6 link-local addresses
ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
}
include "/etc/nftables.d/*.nft"
Hello,
Thank you so much for your reply.
Quote:
It looks like you leave the loopback interface open for spoofing. It should only accept input and output to and from its own address range.
How?
Quote:
Why are you rate limiting HTTPS and not HTTP?
Sorry, I forgot it!
Quote:
Since you default a generic output policy of Allow, then the extra lines explicitly allowing HTTP and HTTPS are not needed. If you turn the output policy to Drop, then you will need to also open up outgoing DNS and presumably SMTP or other operational services.
I use Tor and OpenVPN on this web server. Tor must access the outside of the server to communicate. Am I wrong?
Are the following lines necessary?
Code:
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.