Hi Steve,

Steve Litt writes:

> Hi all,
>
> I'm now at the stage where I need a firewall on my Devuan VM guest, and
> I don't know how to do it. I have the iptables package installed, and
> /usr/sbin/iptables is a command, but I have no idea where to go from
> there. Is there a file that iptables uses to define which ports are
> blocked?
>
> I'm used to iptables being a daemon, and that seems not to be the case
> in Devuan.

No, iptables is not a daemon. It's just a utility to (re)configure the rules used by the kernel. It has been for as long as I know and that goes over a decade back in time.

I have been hooking my iptables configuration into ifupdown. Below is the /etc/network/interfaces for my laptop. I use it in combination with netplug. Do not uncomment the #allow-hotplug eth0 line. Doing so leads to a delay when booting.

# interfaces(5) -- file used by ifup(8) and ifdown(8)

# Only bring up the loopback interface automatically during boot.
# Any other interfaces are handled by other software in a later stage
# of the boot process or in reaction to interface (dis)connect events.
auto lo

# Loopback interface
# This interface should be brought up first so that it can be used to
# set up the system's packet filtering policy *before* any interfaces
# become available. To achieve this the `pre-up` phase is used.
# The configuration below aims to implement a deny-all policy for all
# but *solicited* replies and `localhost` traffic first.
iface lo inet loopback
    ## Configure IPv4 packet filter policy
    pre-up /sbin/iptables -P INPUT DROP
    pre-up /sbin/iptables -A INPUT \
        --match state --state ESTABLISHED,RELATED \
        --jump ACCEPT
    pre-up /sbin/iptables -A INPUT \
        --source 127.0.0.1/8 --destination 127.0.0.1/8 \
        --jump ACCEPT
    down /sbin/iptables -F INPUT

iface lo inet6 loopback
    ## Configure IPv6 packet filter policy
    pre-up /sbin/ip6tables -P INPUT DROP
    pre-up /sbin/ip6tables -A INPUT \
        --match state --state ESTABLISHED,RELATED \
        --jump ACCEPT
    pre-up /sbin/ip6tables -A INPUT \
        --source ::1/128 --destination ::1/128 \
        --jump ACCEPT
    down /sbin/ip6tables -F INPUT

# Primary wired interface
#allow-hotplug eth0
iface eth0 inet dhcp

I nuked the wireless interface bit for brevity as it doesn't relate to setting up iptables.

For additional rules, see the iptables manual page and the iptables-extensions manual page.

Other people may prefer using iptables-save/iptables-restore. You could hook those into /etc/network/interfaces instead.

Hope this helps,
-- 
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join
_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
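The iptables-save/iptables-restore alternative mentioned in the mail, as an added example that is not part of Olaf's message: a small POSIX sh helper that renders the same deny-all INPUT policy in iptables-restore(8) format for either address family and writes it where a `pre-up` line can load it in one go. The /etc/iptables/rules.v4 and rules.v6 paths and the function names are assumptions of this example, not anything from the list.

```shell
#!/bin/sh
# Added example (not from the mail): the deny-all INPUT policy from the
# interfaces file above, expressed in iptables-restore(8) format so that
# /etc/network/interfaces only needs two lines under "iface lo":
#   pre-up /sbin/iptables-restore  < /etc/iptables/rules.v4
#   pre-up /sbin/ip6tables-restore < /etc/iptables/rules.v6
# File locations and function names are assumptions of this example.

# Print the ruleset for IP family 4 or 6 on stdout.
# The loopback range is written in the canonical form iptables-save uses
# (127.0.0.1/8 on the command line is the same network as 127.0.0.0/8).
render_rules() {
    case "$1" in
        4) lo=127.0.0.0/8 ;;
        6) lo=::1/128 ;;
        *) echo "usage: render_rules 4|6" >&2; return 2 ;;
    esac
    # ":CHAIN POLICY [packets:bytes]" sets the built-in chain policy;
    # FORWARD and OUTPUT keep the kernel default of ACCEPT, as in the mail.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $lo -d $lo -j ACCEPT
COMMIT
EOF
}

# Write rules.v4 and rules.v6 into DIR (default /etc/iptables); run as root
# when writing to the real location.
install_rules() {
    dir=${1:-/etc/iptables}
    mkdir -p "$dir" || return 1
    render_rules 4 > "$dir/rules.v4" || return 1
    render_rules 6 > "$dir/rules.v6" || return 1
}
```

Before relying on the files at boot, `iptables-restore --test < /etc/iptables/rules.v4` parses the ruleset without loading it, which catches a typo while you still have a working network.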