
Disabling IPv6 and Configuring nftables on Debian

In this guide, we’ll cover how to properly disable IPv6 and set up nftables firewall rules on a Debian server. We’ll focus on creating a secure configuration that logs SSH attempts and blocks potential threats.

Disabling IPv6

To disable IPv6 on a Debian server:

  1. Edit the sysctl configuration file:
    sudo nano /etc/sysctl.conf
  2. Add these lines at the end of the file:
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
  3. Apply the changes:
    sudo sysctl -p
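Once sysctl -p has run, confirm the result rather than trusting the command. The script below is an added example and not part of the original guide: it reads the live values straight from /proc/sys and checks that the config file pins both keys, including the "default" knob that interfaces created after boot (VPN tunnels, container veths) inherit. The PROC_ROOT variable is my own addition so the functions can be exercised against a fake directory tree; on a real host leave it unset.

```shell
#!/bin/sh
# Verify that the two sysctl knobs really took effect (live kernel values) and that
# /etc/sysctl.conf pins them so the setting survives a reboot.
# PROC_ROOT is a hypothetical override, not part of the original guide: it lets the
# checks run against a fake tree for testing. Default is the real /proc/sys.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# Read one sysctl key from its /proc file; print "missing" when the key does not
# exist (for example on a kernel built without IPv6).
read_sysctl() {
    key_file="$PROC_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -r "$key_file" ]; then
        cat "$key_file"
    else
        echo missing
    fi
}

# Succeed only when both the "all" and "default" knobs read 1.
ipv6_disabled() {
    [ "$(read_sysctl net.ipv6.conf.all.disable_ipv6)" = 1 ] &&
    [ "$(read_sysctl net.ipv6.conf.default.disable_ipv6)" = 1 ]
}

# Succeed when the given sysctl.conf sets both keys to 1. As with sysctl(8), the
# last uncommented assignment of a key wins, so a later "= 0" re-enables IPv6.
conf_disables_ipv6() {
    conf="$1"
    for key in net.ipv6.conf.all.disable_ipv6 net.ipv6.conf.default.disable_ipv6; do
        key_re=$(printf '%s' "$key" | sed 's/\./\\./g')
        val=$(sed -n "s/^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$conf" | tail -n 1)
        [ "$val" = 1 ] || return 1
    done
}

# Report on the running system; both checks are safe to run unprivileged.
if ipv6_disabled; then
    echo "IPv6: disabled in the running kernel"
else
    echo "IPv6: still enabled or key missing: all=$(read_sysctl net.ipv6.conf.all.disable_ipv6) default=$(read_sysctl net.ipv6.conf.default.disable_ipv6)"
fi
if [ -r /etc/sysctl.conf ] && conf_disables_ipv6 /etc/sysctl.conf; then
    echo "/etc/sysctl.conf: pins both keys to 1"
else
    echo "/etc/sysctl.conf: does not pin both keys; the setting will not survive a reboot"
fi
```

When both checks pass, `ip -6 addr` should list no addresses on any interface. Keep in mind that drop-in files under /etc/sysctl.d/ are applied at boot as well and can override these keys, which is why the script looks at the last assignment of each key rather than the first.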

Configuring nftables

Here’s a sample nftables configuration that logs SSH attempts and blocks IPs:


#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    # Addresses that bypass the SSH limiter entirely (put your own admin hosts here)
    set whitelist {
        type ipv4_addr
        elements = { 192.168.1.100, 10.0.0.1, 172.16.0.50 }
    }

    # Sources that exceeded the SSH rate; the timeout flag is needed for per-element expiry
    set blocklist {
        type ipv4_addr
        flags dynamic,timeout
    }

    # Per-source rate-limit state for SSH; idle entries expire after 24h
    set ssh_limiter {
        type ipv4_addr
        size 65535
        flags dynamic
        timeout 24h
    }

    chain input {
        type filter hook input priority 0;
        policy drop;

        # Allow established connections
        ct state established,related accept

        # Allow loopback traffic
        iif lo accept

        # Allow traffic from whitelisted IPs
        ip saddr @whitelist accept

        # SSH rate limiting and blocking: the first rule matches (logs and accepts)
        # while the source stays under 3 attempts/day; once it exceeds that, the
        # packet falls through to the second rule, which blocklists the source and drops it.
        tcp dport 22 add @ssh_limiter { ip saddr limit rate 3/day } counter log prefix "SSH_ATTEMPT: " accept
        # nft has no "y" time unit, so 99 years is written as 99 * 365 days
        tcp dport 22 add @blocklist { ip saddr timeout 36135d } drop

        # Drop traffic from blocklisted IPs
        ip saddr @blocklist drop
    }

    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}

Key Features:

  • Logs SSH connection attempts (kernel log prefix "SSH_ATTEMPT: ") while a source is within its 3-per-day allowance
  • Blocks a source IP for 99 years once it exceeds 3 SSH attempts in a day
  • Allows established and related connections, loopback traffic, and the whitelisted addresses
  • Drops all other incoming traffic (and all forwarded traffic)
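The log prefix "SSH_ATTEMPT: " writes one kernel-log line per accepted attempt, in the same SRC=... DST=... DPT=22 field layout the old iptables LOG target used, so the lines are easy to summarise with awk. The script below is an added example and not part of the original post; the log lines in it are constructed to match that layout (on a real host feed it journalctl -k or /var/log/kern.log instead). It counts attempts per source and lists the sources at or above a threshold.

```shell
#!/bin/sh
# Summarise the SSH_ATTEMPT log lines emitted by the nftables ruleset.
# SAMPLE_LOG is constructed for this example in the kernel's nft/iptables LOG format;
# the addresses are documentation ranges, not real hosts.
SAMPLE_LOG='Mar 10 12:00:01 srv kernel: SSH_ATTEMPT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4321 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:05 srv kernel: SSH_ATTEMPT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4322 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:09 srv kernel: SSH_ATTEMPT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4323 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:01:00 srv kernel: SSH_ATTEMPT: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=9001 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:02:00 srv kernel: eth0: link is up
Mar 10 12:03:00 srv kernel: OTHER_PREFIX: IN=eth0 OUT= SRC=10.9.9.9 DST=192.0.2.1 PROTO=TCP SPT=33333 DPT=443 SYN URGP=0'

# Count logged SSH attempts per source address, read from stdin.
# Output: "<count> <ip>", highest count first. Lines without the prefix are ignored.
ssh_attempts_by_src() {
    awk '
        index($0, "SSH_ATTEMPT: ") {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") count[substr($i, 5)]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Print the sources whose logged attempt count reached the given threshold
# (default 3, the limit rate in the ruleset).
noisy_srcs() {
    threshold="${1:-3}"
    ssh_attempts_by_src | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Run both reports over the constructed sample.
summarise_sample() {
    printf '%s\n' "$SAMPLE_LOG" | ssh_attempts_by_src
}

echo "attempts per source:"
summarise_sample
echo "sources at the 3/day limit:"
printf '%s\n' "$SAMPLE_LOG" | noisy_srcs 3
```

One caveat when reading the output: once a source exhausts its allowance under limit rate 3/day (nft also grants a small default burst), the accept rule stops matching, so the very attempts that trip the blocklist rule produce no log line. A source sitting at the limit in this report has therefore used up its allowance, and anything further from it is dropped silently. If you want the blocks visible too, add a log prefix such as "SSH_BLOCKED: " to the drop rule and extend the awk pattern accordingly.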

Applying the Configuration

  1. Save the configuration to /etc/nftables.conf
  2. Load the rules:
    sudo nft -f /etc/nftables.conf
  3. Enable nftables service:
    sudo systemctl enable nftables.service
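With policy drop on the input chain, a typo in /etc/nftables.conf is the classic way to lock yourself out of a remote box. The helper below is an added example rather than part of the guide: it validates the file with nft -c -f (which parses and checks the ruleset without loading it), saves the live ruleset with nft list ruleset, loads the new file, and starts a background timer that restores the saved ruleset unless you confirm within the grace period. The NFT variable is my own hook for substituting a stub command during testing; leave it unset to use the real nft binary.

```shell
#!/bin/sh
# Check, back up, load, and auto-roll-back an nftables ruleset.
# NFT is a hypothetical override (not part of the original guide) so the functions can be
# exercised with a stub in place of the real nft binary.
NFT="${NFT:-nft}"

# Validate the file without touching the kernel. Returns nft's exit status.
check_ruleset() {
    "$NFT" -c -f "$1"
}

# $1: new ruleset file  $2: path to save the current ruleset  $3: grace period in seconds
# Loads $1 and schedules a restore of $2 after the grace period. Call confirm_ruleset
# with the same backup path before the timer fires to keep the new rules.
apply_with_rollback() {
    conf="$1"; backup="$2"; grace="${3:-120}"
    check_ruleset "$conf" || { echo "refusing to load $conf: nft -c failed" >&2; return 1; }
    "$NFT" list ruleset > "$backup" || return 1
    "$NFT" -f "$conf" || return 1
    # Background timer: if the backup still exists when it fires, the change was not
    # confirmed (most likely because SSH no longer works), so restore it.
    ( sleep "$grace"; [ -f "$backup" ] && "$NFT" -f "$backup" ) &
    echo $! > "$backup.timer"
}

# Cancel the pending rollback: stop the timer and remove the backup so it cannot fire.
confirm_ruleset() {
    backup="$1"
    if [ -f "$backup.timer" ]; then
        kill "$(cat "$backup.timer")" 2>/dev/null || true
        rm -f "$backup.timer"
    fi
    rm -f "$backup"
}
```

Typical use on the server: apply_with_rollback /etc/nftables.conf /root/nft.bak 120, open a fresh SSH session from an address that is not on the whitelist to prove the limiter rule accepts you, then confirm_ruleset /root/nft.bak. Debian's nftables.service loads /etc/nftables.conf at boot, so once the rules are confirmed, enabling the service is all that remains.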

Conclusion

This setup provides a solid foundation for securing your Debian server by disabling IPv6 and implementing strict firewall rules with nftables. Remember to adjust the configuration based on your specific needs and regularly review your security measures.
