Hi. I just tested the FreedomBox once again and I am really happy with your project.
I would like to use it at home, but I would also like a particular firewall setup, especially against the Nmap scanner.
On a classic Debian firewall, I use the following iptables configuration to allow ONLY ESTABLISHED or RELATED connections to pass into my router, everything else being dropped by default. The code is below, where eth0 is my WAN and eth1 is my LAN:
# Generated by iptables-save v1.6.0 on Tue May 21 09:07:41 2019
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue May 21 09:07:41 2019
# Generated by iptables-save v1.6.0 on Tue May 21 09:07:41 2019
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Tue May 21 09:07:41 2019
# Generated by iptables-save v1.6.0 on Tue May 21 09:07:41 2019
*filter
:OUTPUT ACCEPT [0:0]
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -m conntrack -i eth0 --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m conntrack -i eth0 -o eth1 --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
# Completed on Tue May 21 09:07:41 2019
My question is: how can I replicate the same configuration, where only established or related connections are allowed into my router and everything else is dropped?
I have no experience with firewalls (I'm just learning now) and I would like to replicate those setups on your firewall, but be able to use/change the configuration (add Wi-Fi or remove cards) without always modifying the iptables rules. Can you help me please? Thank you.