Firewall
See also: wiki/linux-sysadmin
iptables
# must be run as root
$ iptables -L
$ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
# delete a rule
$ iptables -L --line-numbers
$ iptables -D INPUT 3
# deny everything except SSH/HTTP/HTTPS
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
firewalld
$ firewall-cmd --list-all
$ firewall-cmd --get-active-zones
$ firewall-cmd --list-all --zone=tailscale
# list open ports
# (only shows explicit ports, not those from services)
$ firewall-cmd --list-ports
# allow/deny HTTP traffic
$ firewall-cmd --zone=public --add-service=http
$ firewall-cmd --zone=public --remove-service=http
# allow/deny a specific port
$ firewall-cmd --zone=public --add-port=8888/tcp
$ firewall-cmd --zone=public --remove-port=8888/tcp
# save changes
$ firewall-cmd --runtime-to-permanent
# create a zone
$ firewall-cmd --permanent --new-zone=tailscale
$ firewall-cmd --zone=tailscale --change-interface=tailscale0 --permanent