Yes, but you need additional magic to have rules load at boot. The cool thing about iptables-persistent is that the default rules automatically load at boot.
For Debian the paths are "/etc/iptables/rules.v4" and "/etc/iptables/rules.v6". Another way:
Code:
# netfilter-persistent save
I also don't agree with dropping all fragmented packets. TCP packets must not be fragmented, so we can drop them. ICMP packets are almost never fragmented, so we may drop fragmented ICMP packets as well. But it is perfectly fine for UDP packets to be fragmented.
Linux noob question (sorry if this isn't the right thread for it): Years ago I had ZoneAlarm on a Windows 98 machine. It was an easy-to-use firewall: the first time any executable tried to access the Internet, ZA would simply ask if I wanted to allow or deny it, then it would remember the decision for the next time. I'm trying to make the switch over to Linux from Windows. Is there a simple firewall like that available for Linux (Kubuntu)? I've tried GUFW but I'm not expert enough to start creating rules and such. Thanks.
Well, this is Windows-style thinking. The repositories of the various Linux distributions contain open-source packages which are trustworthy. There is no spyware like in Windows. Hence, outbound connections are usually legitimate and need not be controlled. That said, it's easily possible to prevent net access for specific applications with Firejail by adding "net none" to the respective profile. I've noticed that there is the "Douane personal firewall for GNU/Linux". I've never tried it - but I bet that it will probably cause more trouble than anything else.
Thanks very much, I'll look into those. I do get what you're saying about Windows-style thinking, and will keep it in mind.
Some apps in Linux run as specific users, and you can allow or block by user ID. But then, if they start as root and then drop privileges, that won't help. It's easiest to block all outgoing traffic, and then allow just what you want. For some stuff, by destination IP address and port number. For other stuff, such as the Tor client, by user ID (i.e., debian-tor).
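A worked version of the default-deny egress approach in the post above, combined with the netfilter-persistent save and the fragment policy discussed earlier in the thread. This is an added example, not code from the thread or from any project; it assumes Debian with iptables-persistent installed, a constructed placeholder resolver address 192.0.2.53, and the user name debian-tor.

```shell
#!/bin/sh
# Added example, not code from this thread or any project: default-deny egress
# with exceptions by destination IP:port and by process owner (debian-tor, as
# suggested above), the fragment policy from earlier in the thread (drop
# non-first TCP/ICMP fragments, let UDP fragments through) and a persistent save.
# Usage as root: sh egress.sh apply   (IPT_DRY_RUN=1 only prints the rules).
# Apply from a local console: sessions are briefly cut between the flush and the ESTABLISHED rule.
set -eu
DNS_SERVER="${DNS_SERVER:-192.0.2.53}"   # constructed placeholder, replace with your resolver
TOR_USER="${TOR_USER:-debian-tor}"
ipt() {  # run iptables, or print the command when dry-running
    if [ "${IPT_DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}
build_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -F INPUT
    ipt -F OUTPUT
    # Loopback stays fully open, as in the thread.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # -f matches only second and later IPv4 fragments; the protocol is still known
    # from the IP header, so this drops TCP/ICMP fragments but not UDP ones.
    # Caveat: with nf_conntrack loaded the kernel reassembles fragments before the
    # filter table sees them, so these two rules then never match.
    ipt -A INPUT -f -p tcp -j DROP
    ipt -A INPUT -f -p icmp -j DROP
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Allow by destination address and port.
    ipt -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    ipt -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Allow by UID of the sending process (owner match only works on locally
    # generated packets): the Tor daemon may reach arbitrary ports, nothing else may.
    ipt -A OUTPUT -m owner --uid-owner "$TOR_USER" -j ACCEPT
    # Log the remainder at a bounded rate so the journal is not flooded, then drop.
    ipt -A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "OUT-DROP: "
    ipt -A OUTPUT -j DROP
}
save_rules() {  # on Debian writes /etc/iptables/rules.v4 and rules.v6, loaded at boot
    if [ "${IPT_DRY_RUN:-0}" = 1 ]; then echo 'netfilter-persistent save'; else netfilter-persistent save; fi
}
if [ "${1:-}" = apply ]; then
    build_rules
    save_rules
fi
```

Run it with IPT_DRY_RUN=1 first to review the generated rule list before applying anything.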
Hmmm, never used it. But I see https://forum.voidlinux.org/t/allow...-to-have-network-access-iptables-cgroups/4813 It seems like you could incorporate that in an app wrapper script. I wonder why I haven't heard more about it.
Oh, cgroups have been in the kernel for a very long time. Just like Linux namespaces.
cgroups = what resources (network, memory, CPU etc...) process(es) are allowed to use
namespace = what resources (network, PID, etc...) processes are allowed to see
With the addition of Linux capabilities you can have a perfectly isolated, super-light VM (or "container", as the marketing term used by some applications) that contains only the process or processes the user wants. No need to install a full guest OS. Apps like docker, firejail etc... use all those basic building blocks to create their lil sandboxes (or "containers").
EDIT: This reminds me: I really should start writing part 2 https://www.orwell1984.today/Sandboxing_network_software_for_Linux_programmers_part1.pdf
Probably. But as mentioned above you can easily block net access with Firejail. There is also this script (which I've never tried) that claims to be able to block (specific) net requests of specific applications.
You mean a firewall that blocks stuff in layer 7 of the OSI model? There is one, but it's so horribly, horribly, horribly old; it needed separate patches for the kernel and never got into the mainline kernel. https://github.com/l7-filter/netfilter-layer7
I meant by using cgroups. I mean, it's pretty technical. Do any of the common iptables frontends/GUIs include cgroups?
Upon returning fully to Linux I realized Unreal Engine can be a bit bitchy about my rules. After a little research the solution is to enable multicast on loopback. I'll edit the thread soon and do a general update on OP as well. Main thing is to not LOG everything. Now I leave my output open and all logs are disabled as this causes systemd's journal to either grow exceptionally big or to just flood it with the logs (meaning you'll probably miss other important logs if something happens and you need to do 'journalctl').
I'm a little bit confused. I already allow everything on loopback, why would I need to allow multicast on it?
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT # allow all on loopback
Still searching for how I'd have the lines below in iptables form and permanent:
Code:
route add -net 224.0.0.0 netmask 240.0.0.0 dev lo
ifconfig lo multicast
EDIT: Testing to allow everything on FORWARD/lo as well.
EDIT2: Allowing everything to be forwarded on loopback worked.
I am currently adding the last finishing touches to my new Arch laptop. Again I am thinking that a firewall would be needed. But seeing how ufw/iptables/... only let me set system-wide rules, I wonder if it makes any sense at all? Port 80/443 will always be open for the whole system. Any malicious package/malware can simply use that port and enjoy free connectivity. What use is iptables/ufw then?
On a desktop, incoming (INPUT) TCP port 80 usually doesn't need to be opened. Outgoing... yes, they must be opened. You may want AppArmor, SELinux or Firejail (or some cgroup-based application segregation) to disable access to the Internet on a per-program basis.
But TCP out 80 needs to be opened, I believe? I use firejail but it is only able to block the network for programs that I manually set a .profile for. I would rather block all, check logs and then step by step allow access for what is popping up in my logs. Also, how does one block network access for geoclue, webkit2, ... with firejail?
Great iptables configuration to help guide people into iptables. I'm going to give it a go, first time on Linux and this seems fairly straightforward.