“One cannot live by rebellion, and I want to live.”

Firewall

See also: wiki/linux-sysadmin

iptables

# must be run as root
$ iptables -L
$ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT

# delete a rule
$ iptables -L --line-numbers
$ iptables -D INPUT 3

# deny everything except SSH/HTTP/HTTPS
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp  -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp  -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

firewalld

$ firewall-cmd --list-all
$ firewall-cmd --get-active-zones
$ firewall-cmd --list-all --zone=tailscale

# list open ports
# (only shows explicit ports, not those from services)
$ firewall-cmd --list-ports

# allow/deny HTTP traffic
$ firewall-cmd --zone=public --add-service=http
$ firewall-cmd --zone=public --remove-service=http

# allow/deny a specific port
$ firewall-cmd --zone=public --add-port=8888/tcp
$ firewall-cmd --zone=public --remove-port=8888/tcp

# save changes
$ firewall-cmd --runtime-to-permanent

# create a zone
$ firewall-cmd --permanent --new-zone=tailscale
$ firewall-cmd --zone=tailscale --change-interface=tailscale0 --permanent