# How to deny all incoming connections with iptables/nftables?

## hjkl

Hi,

I wanted to use an iptables frontend, but I'm having issues with them (some errors, no idea).

My issue with iptables is: the syntax is complicated, same with nftables.

How would I make all incoming connections be denied for IPv6 & IPv4?

Thanks!

----------

## pietinger

First of all, you must know: with iptables you can filter only IPv4. For IPv6 you would need ip6tables. Do you really use both?

If yes, I recommend nftables. With nftables you can do filtering for both.

If not, I recommend iptables because it is older and more stable (I am watching the kernel patches).

If you want to allow all outgoing (= no filtering here) and disallow all incoming packets, it is very easy:

```shell
# clear all existing rules and user-defined chains
iptables -F
iptables -X

# set default actions
# (note: the INPUT DROP policy is active from here on, before the accept
# rules below exist; run this as a script or from a local console rather
# than line by line over SSH)
iptables -P INPUT       DROP
iptables -P OUTPUT      ACCEPT
iptables -P FORWARD     DROP

# you must allow internal communications (loopback)
iptables -A INPUT       -i lo -j ACCEPT
iptables -A OUTPUT      -o lo -j ACCEPT

# this line is needed to allow all packets which are answers to existing sessions
iptables -A INPUT       -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# if you also want to log not-allowed incoming packets, enable this line
# (LOG does not terminate; the packet still falls through to the DROP policy)
# iptables -A INPUT       -j LOG --log-prefix "DROPPED: "
```

----------

## hjkl

 *pietinger wrote:*   

> First of all you must know: With iptables you can filter only IPv4. For IPv6 you would need ip6tables. Do you really use both ?
> 
> If yes, I recommend nftables. With nftables you can do filtering for both.
> 
> If not, I recommend iptables because it is older and more stable (I am watching the kernel patches)
> ...

 

Well, I do use IPv6 so I guess nftables would be my case, although this is helpful.

Should I use the above commands even if IPv6 is being used since iptables is IPv4 only?

----------

## pietinger

 *fullbyte wrote:*   

> Should I use the above commands even if IPv6 is being used since iptables is IPv4 only?

 

No. If you really use both you should take nftables. There is a nice command, "iptables-translate", to translate iptables commands into nftables commands. See also: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

But you don't need it if you take a look into this page:

https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes

At the very end of this page there is a simple IP/IPv6 Firewall.

----------
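The nftables route pietinger points at, as an added example that is not part of the thread or of the linked wiki page: a script that emits one ruleset in the `inet` family (which matches IPv4 and IPv6 in a single table, so the rules are written once), can syntax-check it with `nft -c`, and loads it with `nft -f`. Table and chain names, the `show`/`check`/`apply` arguments and the `count_drop_policies` self-check are my choices. One rule goes beyond the iptables post: an IPv6 host that drops all incoming ICMPv6 loses neighbour discovery and router advertisements and with them its IPv6 connectivity, so those three message types are accepted explicitly.

```shell
#!/bin/sh
# Added example, not from the thread or the nftables wiki: a deny-all-incoming
# ruleset for both IPv4 and IPv6 in one nftables "inet" table.  The script only
# prints the ruleset by default; "check" runs it through nft -c, "apply" loads it.
# Table and chain names are my choice.

deny_all_nft_ruleset() {
    cat <<'EOF'
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # loopback stays open for local services
        iif "lo" accept

        # answers to sessions this host opened, plus related traffic
        ct state established,related accept
        # packets conntrack cannot classify (e.g. out-of-window TCP)
        ct state invalid drop

        # IPv6 cannot work without neighbour discovery and router advertisements
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # uncomment to log what falls through to the drop policy
        # log prefix "DROPPED: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Parse the ruleset without loading it (nft -c).  Needs nft installed and
# may need root, since nft talks to the kernel even in check mode.
check_nft_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed" >&2; return 1; }
    deny_all_nft_ruleset | nft -c -f -
}

# Load the ruleset.  nft -f applies the file as one transaction: old rules
# are flushed and new ones installed atomically, so there is no moment where
# the drop policy is active without the established/related rule.
apply_nft_ruleset() {
    deny_all_nft_ruleset | nft -f -
}

# number of chains with a drop policy (self-check: input and forward)
count_drop_policies() {
    deny_all_nft_ruleset | grep -c 'policy drop;'
}

case "${1:-show}" in
    check) check_nft_ruleset ;;
    apply) apply_nft_ruleset ;;
    *)     deny_all_nft_ruleset ;;
esac
```

Saved as, say, `deny-all.sh` (name assumed), `sh deny-all.sh` prints the ruleset for review, `sudo sh deny-all.sh check` parses it, and `sudo sh deny-all.sh apply` installs it. The atomic load is the practical advantage over running iptables commands one at a time over SSH.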

## hjkl

 *pietinger wrote:*   

>  *fullbyte wrote:*   Should I use the above commands even if IPv6 is being used since iptables is IPv4 only? 
> 
> No. If you really use both you should take nftables. There is a nice command: "iptables-translate" to translate iptables-commands into nftables-commands. See also: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
> 
> But you dont need it, if you take a look into this page:
> ...

 

Thanks, I'll try it out.

It's still pretty complicated for me to understand, though.

----------

## Hu

If you want to stay with iptables, then use the commands that pietinger gave.  That will restrict IPv4.  Then take those commands, replace iptables with ip6tables in every command, and run the result to restrict IPv6.  Porting IPv4 to IPv6 isn't always this easy, but since none of the commands actually inspect source/destination address, this one is easy.

----------
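Hu's suggestion applied to pietinger's rules, as an added example that is not code from either post: one function that runs the rule set through `iptables` and then `ip6tables`. Two things go beyond the posts. The policies are set after the accept rules, so the conntrack rule is already in place when INPUT flips to DROP (which matters when applying this over SSH). And the IPv6 pass gets an ICMPv6 exception for router advertisements and neighbour solicitation/advertisement (types 134, 135, 136), which a plain "replace iptables with ip6tables" does not cover and without which an IPv6 host stops learning its router and neighbours. The `DRY_RUN` and `LOG_DROPS` switches, the function names and the script name are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pietinger's deny-all rules run through
# both iptables (IPv4) and ip6tables (IPv6), as Hu suggests.
# DRY_RUN=1 prints each command instead of executing it (assumed switch name),
# so the whole rule set can be reviewed before it touches a live box.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# $1 is the tool to use: iptables or ip6tables
deny_all_incoming() {
    ipt="$1"

    # clear existing rules and user-defined chains
    run "$ipt" -F
    run "$ipt" -X

    # loopback must stay open or local services break
    run "$ipt" -A INPUT  -i lo -j ACCEPT
    run "$ipt" -A OUTPUT -o lo -j ACCEPT

    # answers to sessions this host opened (TCP, UDP and ICMP alike), and
    # related traffic such as ICMP errors or FTP data connections
    run "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # packets conntrack cannot classify (e.g. out-of-window TCP)
    run "$ipt" -A INPUT -m conntrack --ctstate INVALID -j DROP

    # IPv6 only: router advertisement (134), neighbour solicitation (135)
    # and neighbour advertisement (136) are required for the host to find
    # its router and neighbours; dropping them cuts IPv6 off entirely.
    if [ "$ipt" = ip6tables ]; then
        for t in 134 135 136; do
            run "$ipt" -A INPUT -p ipv6-icmp --icmpv6-type "$t" -j ACCEPT
        done
    fi

    # optional logging of whatever is about to hit the DROP policy
    # (LOG is non-terminating, the packet still reaches the policy)
    if [ "${LOG_DROPS:-0}" = 1 ]; then
        run "$ipt" -A INPUT -j LOG --log-prefix "DROPPED: "
    fi

    # default policies last, so the accept rules above are already in place
    # when INPUT flips to DROP
    run "$ipt" -P INPUT   DROP
    run "$ipt" -P FORWARD DROP
    run "$ipt" -P OUTPUT  ACCEPT
}

deny_all_incoming_dual_stack() {
    for ipt in iptables ip6tables; do
        deny_all_incoming "$ipt"
    done
}

# number of commands a dual-stack run issues (dry run; for review and tests)
count_generated_commands() {
    (DRY_RUN=1; deny_all_incoming_dual_stack) | grep -c ''
}

case "${1:-dry-run}" in
    apply) deny_all_incoming_dual_stack ;;
    *)     (DRY_RUN=1; deny_all_incoming_dual_stack) ;;
esac
```

`sh deny-all-ipt.sh` (name assumed) lists the 21 commands it would run; `sudo sh deny-all-ipt.sh apply` runs them. Because the ESTABLISHED,RELATED rule is keyed on conntrack state rather than on TCP flags, it also admits replies to outgoing UDP and ICMP, which is what a rule that only drops incoming SYNs would leave unfiltered.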

## hjkl

 *Hu wrote:*   

> If you want to stay with iptables, then use the commands that pietinger gave.  That will restrict IPv4.  Then take those commands, replace iptables with ip6tables in every command, and run the result to restrict IPv6.  Porting IPv4 to IPv6 isn't always this easy, but since none of the commands actually inspect source/destination address, this one is easy.

 

Cheers! I didn't know that.

----------

## mike155

 *fullbyte wrote:*   

> How would I make all incoming connections be denied for IPv6 & IPv4?

 

Do you really want to disable all incoming traffic? That's highly unusual! If you really want that, it might be better to just shut down the interface.

Or do you want to disable incoming TCP connections, but allow outgoing TCP connections? If that's the case, disabling the INPUT chain is probably the wrong answer. The right answer would be to disable incoming packets with the SYN flag set.

----------

## pietinger

 *mike155 wrote:*   

> If that's the case, disabling the INPUT chain is probably the wrong answer. [...]

 

This is wrong. Allowing only related packets and dropping the rest (via default action) is more usual than dropping some packets (with SYN) and allowing the rest!

 *mike155 wrote:*   

> [...] The right answer would be to disable incoming packets with the SYN flag set.

 

No, this is not as secure as the usual solution.

----------

