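# INPUT chain: accept loopback and reply traffic, allow SSH only from the
# admin host, drop malformed TCP, default-deny everything else. Run as root.
# Rules are appended (-A) in order, so the malformed-packet drops are placed
# BEFORE the rule that accepts NEW connections; in the original order a NEW
# packet with bogus flags from the admin address would have been accepted.
# The DROP policies are set last so an existing admin session is already
# covered by the ESTABLISHED rule when the default changes.
admin_ip=${ADMIN_IP:-24.25.26.27}   # static management address (IPv4)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop rules: invalid conntrack state and impossible TCP flag combinations
# (-m conntrack is used throughout; -m state is only a compatibility alias)
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
# Access from static ip
iptables -A INPUT -s "$admin_ip" -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT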
Clear all iptables rules (reset the policies to ACCEPT first so the flush cannot lock you out)
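# Reset the default policies to ACCEPT *before* flushing, otherwise a DROP
# policy with no rules left would cut the current session. Then flush and
# delete user-defined chains in every table, not only filter: the original
# flushed nat/mangle but only ran -X on filter, and never touched raw.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
for table in filter nat mangle raw; do
  iptables -t "$table" -F   # flush all rules in the table
  iptables -t "$table" -X   # delete the (now empty) user-defined chains
done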
# Install firewalld, start it now and on every boot, then confirm it is running.
apt install firewalld
systemctl enable --now firewalld
systemctl status firewalld
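# Zone layout: the admin host is source-bound to "internal" and keeps SSH;
# "public" serves only HTTP/HTTPS. Every change is --permanent, so nothing is
# active until the --reload at the end. Because of that, the listings must
# also use --permanent: a plain --list-all shows the runtime config, which at
# this point does not yet contain any of the changes made above.
admin_ip=${ADMIN_IP:-24.25.26.27}   # static management address (IPv4)
# Access from static ip
firewall-cmd --zone=internal --permanent --add-source="$admin_ip"
for svc in dhcpv6-client samba-client mdns; do
  firewall-cmd --zone=internal --permanent --remove-service="$svc"
done
for svc in dhcpv6-client ssh; do
  firewall-cmd --zone=public --permanent --remove-service="$svc"
done
for svc in http https; do
  firewall-cmd --zone=public --permanent --add-service="$svc"
done
# Show rules (pending permanent config). Check that ssh is still listed for
# the internal zone before reloading: ssh is removed from public, so after
# the reload only clients coming from $admin_ip can reach SSH.
firewall-cmd --zone=internal --permanent --list-all
firewall-cmd --zone=public --permanent --list-all
# Apply & save rules
firewall-cmd --reload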
* Docker must be restarted after the firewalld rules are applied.
Sample IPv6 options:
# IPv6 example: bind a source prefix to the "trusted" zone and reload.
# Note that the /64 mask covers the entire link-local prefix, not just this
# host, and the trusted zone accepts all traffic from its sources; use a
# /128 if only a single host is meant.
ipv6_src=fe80::db50:21c0:5df1:ae8e/64
sudo firewall-cmd --permanent --zone=trusted --add-source="$ipv6_src"
sudo firewall-cmd --reload
Installing iptables 1.8.5 on Debian 10
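# Enable buster-backports (guarded: the original unconditional >> appended a
# duplicate line on every run and the redirect fails without root), then
# install iptables 1.8.5 and its pinned dependencies in ONE apt transaction
# so apt resolves the versions together instead of four separate installs.
# sudo is used throughout; the original mixed sudo and plain commands.
backports_line='deb http://ftp.de.debian.org/debian buster-backports main'
grep -qF -- "$backports_line" /etc/apt/sources.list \
  || printf '%s\n' "$backports_line" | sudo tee -a /etc/apt/sources.list >/dev/null
sudo apt update
# To see which versions of a package are available:  apt-cache madison <package>
# To install a specific version:                     apt install <package>=<version>
sudo apt install \
  libxtables12=1.8.5-3~bpo10+1 \
  netbase=6.1~bpo10+1 \
  libnftnl11=1.1.7-1~bpo10+1 \
  iptables=1.8.5-3~bpo10+1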