In this guide, we’ll cover how to properly disable IPv6 and set up nftables firewall rules on a Debian server. We’ll focus on creating a secure configuration that logs SSH attempts and blocks potential threats.
Disabling IPv6
To disable IPv6 on a Debian server:
- Edit the sysctl configuration file:
sudo nano /etc/sysctl.conf
- Add these lines at the end of the file:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
- Apply the changes:
sudo sysctl -p
Configuring nftables
Here’s a sample nftables configuration that logs SSH attempts and blocks IPs:
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    # Trusted addresses that bypass the SSH limiter (sample values; replace with your own)
    set whitelist {
        type ipv4_addr
        elements = { 192.168.1.100, 10.0.0.1, 172.16.0.50 }
    }

    # Sources that exceeded the SSH rate limit; filled by the input chain.
    # The timeout flag is needed because elements are added with a timeout.
    set blocklist {
        type ipv4_addr
        flags dynamic,timeout
    }

    # Per-source SSH rate-limit state
    set ssh_limiter {
        type ipv4_addr
        size 65535
        flags dynamic
        timeout 24h
    }

    chain input {
        type filter hook input priority 0;
        policy drop;

        # Allow established connections
        ct state established,related accept

        # Allow loopback traffic
        iif lo accept

        # Allow traffic from whitelisted IPs
        ip saddr @whitelist accept

        # Drop traffic from blocklisted IPs (checked before the SSH rules so a blocked source stays blocked)
        ip saddr @blocklist drop

        # SSH rate limiting and blocking
        tcp dport 22 add @ssh_limiter { ip saddr limit rate 3/day } counter log prefix "SSH_ATTEMPT: " accept
        # Over the limit: block the source for 99 years (36135d; nft timeouts use d/h/m/s units)
        tcp dport 22 add @blocklist { ip saddr timeout 36135d } drop
    }

    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}
Key Features:
- Logs SSH attempts that are accepted under the rate limit (log prefix SSH_ATTEMPT: )
- Blocks source IPs that exceed the SSH rate limit for 99 years
- Allows established connections
- Drops all other incoming traffic
Applying the Configuration
- Save the configuration to:
/etc/nftables.conf
- Load the rules:
sudo nft -f /etc/nftables.conf
- Enable nftables service:
sudo systemctl enable nftables.service
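Once the rules are loaded, the log rule writes entries prefixed SSH_ATTEMPT: to the kernel log. The following script is an added example, not part of the original guide, that counts those entries per source address; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise the "SSH_ATTEMPT: " entries produced by the
# nftables log rule. Reads log lines on stdin and prints
# "<count> <source IP>", busiest source first.
ssh_attempts_by_src() {
    awk '
        /SSH_ATTEMPT: / {
            src = ""
            # The netfilter log line carries the source as a SRC=<addr> field.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { src = substr($i, 5); break }
            if (src != "") count[src]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample lines in the kernel's netfilter log format
# (documentation addresses and MACs, not real traffic). The last line
# has a different prefix and must be ignored.
sample_log() {
    cat <<'EOF'
Jan 10 03:12:01 host kernel: SSH_ATTEMPT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 03:12:09 host kernel: SSH_ATTEMPT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4243 DF PROTO=TCP SPT=40118 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 04:40:30 host kernel: SSH_ATTEMPT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9001 DF PROTO=TCP SPT=51544 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 05:01:44 host kernel: SSH_ATTEMPT: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4250 DF PROTO=TCP SPT=40231 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 05:02:00 host kernel: OTHER_RULE: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.99 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=7 DF PROTO=TCP SPT=50000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
EOF
}

# Demonstration on the constructed sample.
sample_log | ssh_attempts_by_src
```

On a live system, feed it the kernel log instead of the sample, for example `journalctl -k | ssh_attempts_by_src`.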
Conclusion
This setup provides a solid foundation for securing your Debian server by disabling IPv6 and implementing strict firewall rules with nftables. Remember to adjust the configuration based on your specific needs and regularly review your security measures.