|
1 | 1 | # Firewalls
|
2 | 2 |
|
3 |
| -## iptables |
| 3 | +By default, the `iptables` package is installed on the base system. However, |
| 4 | +iptables is now considered deprecated on Linux, with nftables as its |
| 5 | +replacement. |
4 | 6 |
|
5 |
| -By default, the `iptables` package is installed on the base system. It provides |
6 |
| -[iptables(8)/ip6tables(8)](https://man.voidlinux.org/iptables.8). The related |
7 |
| -services use the `/etc/iptables/iptables.rules` and |
8 |
| -`/etc/iptables/ip6tables.rules` ruleset files, which must be created by the |
9 |
| -system administrator. |
| 7 | +## Section Contents |
10 | 8 |
|
11 |
| -Two example rulesets are provided in the `/etc/iptables` directory: |
12 |
| -`empty.rules` and `simple_firewall.rules`. |
| 9 | +- [iptables](./iptables.md) |
| 10 | +- [nftables](./nftables.md) |
13 | 11 |
|
14 |
| -### Applying the rules at boot |
15 |
| - |
16 |
| -To apply iptables rules at runit stage 1, install the `runit-iptables` package. |
17 |
| -This adds a core-service which restores the `iptables.rules` and |
18 |
| -`ip6tables.rules` rulesets. |
19 |
| - |
20 |
| -Alternatively, to apply these rules at stage 2, add the following to |
21 |
| -`/etc/rc.local`: |
22 |
| - |
23 |
| -``` |
24 |
| -if [ -e /etc/iptables/iptables.rules ]; then |
25 |
| - iptables-restore /etc/iptables/iptables.rules |
26 |
| -fi |
27 |
| -
|
28 |
| -if [ -e /etc/iptables/ip6tables.rules ]; then |
29 |
| - ip6tables-restore /etc/iptables/ip6tables.rules |
30 |
| -fi |
31 |
| -``` |
32 |
| - |
33 |
| -After rebooting, check the active firewall rules: |
34 |
| - |
35 |
| -``` |
36 |
| -# iptables -L |
37 |
| -# ip6tables -L |
38 |
| -``` |
39 |
| - |
40 |
| -### Applying the rules at runtime |
41 |
| - |
42 |
| -`iptables` comes with two runit services, `iptables` and `ip6tables`, to quickly |
43 |
| -flush or restore the `iptables.rules` and `ip6tables.rules` rulesets. Once these |
44 |
| -services are [enabled](../services/index.md#enabling-services), you can flush |
45 |
| -the rulesets by downing the relevant service, e.g.: |
46 |
| - |
47 |
| -``` |
48 |
| -# sv down iptables |
49 |
| -``` |
50 |
| - |
51 |
| -and restore them by upping the relevant service, e.g.: |
52 |
| - |
53 |
| -``` |
54 |
| -# sv up ip6tables |
55 |
| -``` |
56 |
| - |
57 |
| -## nftables |
58 |
| - |
59 |
| -`nftables` replaces `iptables`, `ip6tables`, `arptables` and `ebtables` |
60 |
| -(collectively referred to as `xtables`). The [nftables |
61 |
| -wiki](https://wiki.nftables.org/wiki-nftables/index.php/Main_Page) describes |
62 |
| -[the main |
63 |
| -differences](https://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables) |
64 |
| -from the `iptables` toolset. |
65 |
| - |
66 |
| -To use `nftables`, install the `nftables` package, which provides |
67 |
| -[nft(8)](https://man.voidlinux.org/nft.8). It also provides |
68 |
| -[iptables-translate(8)/ip6tables-translate(8)](https://man.voidlinux.org/iptables-translate.8) |
69 |
| -and |
70 |
| -[iptables-restore-translate(8)/ip6tables-restore-translate(8)](https://man.voidlinux.org/iptables-restore-translate.8), |
71 |
| -which convert `iptables` rules to `nftables` rules. |
72 |
| - |
73 |
| -### Applying the rules at boot |
74 |
| - |
75 |
| -To apply nftables rules at runit stage 1, install the `runit-nftables` package. |
76 |
| -This adds a core-service which restores the ruleset in `/etc/nftables.conf`. |
77 |
| - |
78 |
| -### Applying the rules at runtime |
79 |
| - |
80 |
| -The `nftables` package provides the `nftables` service, which uses rules from |
81 |
| -`/etc/nftables.conf`. Once you [enable](../services/index.md#enabling-service) |
82 |
| -the `nftables` service, to load the rules, run: |
83 |
| - |
84 |
| -``` |
85 |
| -# sv up nftables |
86 |
| -``` |
87 |
| - |
88 |
| -To flush the rules, run: |
89 |
| - |
90 |
| -``` |
91 |
| -# sv down nftables |
92 |
| -``` |
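Review bot: the two links to the services page in the removed text disagree on the anchor (`../services/index.md#enabling-services` in the iptables section, `../services/index.md#enabling-service` in the nftables section); when this content is carried over into `iptables.md` and `nftables.md`, use the anchor that actually exists in both places. The new introductory paragraph states that iptables is deprecated in favour of nftables but no longer mentions a migration path; consider keeping a pointer from the index to `iptables-translate`/`iptables-restore-translate` and to the nftables wiki's list of differences from iptables, both of which are dropped here. The new pages themselves are not part of this diff, so confirm that the boot-time (`runit-iptables`, `runit-nftables`, `/etc/rc.local`) and runtime (`sv up`/`sv down`) sections for both tools land there intact.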