
Problem with iptables on Debian 11


First necessary information:
uname -a
Linux debian2 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64 GNU/Linux
dpkg -l | grep netfilter-persistent
ii  netfilter-persistent                  1.0.15                           all          boot-time loader for netfilter configuration
[email protected]:~$ update-alternatives --list iptables
Now, iptables rules:

echo "Starting Firewall..."

iptables -F
iptables -F -t nat
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

conntrack -F

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m conntrack --ctstate NEW,INVALID -j LOG --log-prefix "ininvalid: "

iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
iptables -t mangle -A PREROUTING -f -j DROP
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#iptables -A INPUT -m state --state INVALID -j LOG --log-prefix "ininvalid: "
# --log-level 4

# only SYN
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

iptables -A INPUT -p tcp --dport 137 -j DROP
iptables -A INPUT -p udp --dport 137 -j DROP
iptables -A INPUT -p tcp --dport 138 -j DROP
iptables -A INPUT -p udp --dport 138 -j DROP
iptables -A INPUT -p tcp --dport 445 -j DROP
iptables -A INPUT -p udp --dport 445 -j DROP

iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP

iptables -A OUTPUT -m conntrack --ctstate NEW,INVALID -j LOG --log-prefix "outinvalid: "

iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix "outinvalid: " --log-level 4

iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP

iptables -A OUTPUT -p icmp -m icmp --icmp-type 0 -j DROP

# Drop everything else
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
It does not matter which way I try to set up the firewall, I always get the message
iptables-restore: line 2 failed

What this message means, Google has no answer.
