Firewalls

iptables

By default, the iptables package is installed on the base system. It provides iptables(8)/ip6tables(8). The related services use the /etc/iptables/iptables.rules and /etc/iptables/ip6tables.rules ruleset files, which must be created by the system administrator.

Two example rulesets are provided in the /etc/iptables directory: empty.rules and simple_firewall.rules.

Applying the rules at boot

To apply iptables rules at runit stage 1, install the runit-iptables package. This adds a core-service which restores the iptables.rules and ip6tables.rules rulesets.

Alternatively, to apply these rules at stage 2 instead, add the following to /etc/rc.local (each ruleset is only restored if its file exists):

if [ -e /etc/iptables/iptables.rules ]; then
  iptables-restore /etc/iptables/iptables.rules
fi

if [ -e /etc/iptables/ip6tables.rules ]; then
  ip6tables-restore /etc/iptables/ip6tables.rules
fi

After rebooting, check the active firewall rules:

# iptables -L
# ip6tables -L
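The handbook leaves the contents of iptables.rules to the administrator. The following is an added example, not code from the Void handbook or the iptables project: a POSIX shell script that generates a conservative default-deny IPv4 ruleset in the iptables-save format that iptables-restore reads, parses it with `iptables-restore --test` before anything is written, and only then installs it as /etc/iptables/iptables.rules. The function names, the SSH_PORT variable and the rate limit on the log rule are assumptions made for the example.

```shell
#!/bin/sh
# Added example: build, validate and install an iptables.rules file for
# the boot-time restore described above. Needs the iptables package and
# root only for install_iptables_rules; generation runs as any user.

# Emit a default-deny INPUT ruleset on stdout in iptables-save format.
# Unsolicited inbound traffic is dropped; loopback, established/related
# flows, ICMP and new SSH connections on the given port are allowed.
gen_iptables_rules() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Count the rules appended to INPUT in a ruleset read from stdin; a cheap
# sanity check that the generator produced what we expect.
count_input_rules() {
    grep -c '^-A INPUT '
}

# Parse the generated ruleset with iptables-restore --test (assumed to be
# available in the installed iptables version) and install it only if the
# parse succeeds, so a typo never leaves the host with a half-loaded policy.
install_iptables_rules() {
    dest="${1:-/etc/iptables/iptables.rules}"
    ssh_port="${2:-22}"
    tmp="$(mktemp)" || return 1
    gen_iptables_rules "$ssh_port" > "$tmp"
    if iptables-restore --test "$tmp"; then
        install -m 0600 "$tmp" "$dest"
        rc=0
    else
        echo "ruleset failed validation, $dest left untouched" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone run: print the ruleset that would be installed. Run
# install_iptables_rules as root to validate and write it, then either
# reboot or `sv up iptables` to load it.
gen_iptables_rules "${SSH_PORT:-22}"
```

The INPUT policy is DROP, so the LOG rule at the end is not a terminating target; it records what is about to be dropped by the policy, and the limit match keeps a port scan from flooding the kernel log. The same script structure applies to ip6tables.rules with ip6tables-restore, adding an accept rule for ICMPv6, which IPv6 requires for neighbour discovery.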

Applying the rules at runtime

iptables comes with two runit services, iptables and ip6tables, to quickly flush or restore the iptables.rules and ip6tables.rules rulesets. Once these services are enabled, you can flush the rulesets by downing the relevant service, e.g.:

# sv down iptables

and restore them by upping the relevant service, e.g.:

# sv up ip6tables

nftables

nftables replaces iptables, ip6tables, arptables and ebtables (collectively referred to as xtables). The nftables wiki describes the main differences from the iptables toolset.

To use nftables, install the nftables package, which provides nft(8). It also provides iptables-translate(8)/ip6tables-translate(8) and iptables-restore-translate(8)/ip6tables-restore-translate(8), which convert iptables rules to nftables rules.

Applying the rules at boot

To apply nftables rules at runit stage 1, install the runit-nftables package. This adds a core-service which restores the ruleset in /etc/nftables.conf.

Applying the rules at runtime

The nftables package provides the nftables service, which uses the rules in /etc/nftables.conf. Once the nftables service is enabled, load the rules by running:

# sv up nftables

To flush the rules, run:

# sv down nftables
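An added example, not code from the Void handbook or the nftables project, showing what the /etc/nftables.conf that runit-nftables and the nftables service restore can look like. The shell script generates a single inet table covering IPv4 and IPv6 with the same default-deny policy an administrator would typically express in iptables.rules and ip6tables.rules, offers a parse-only check with `nft -c -f` before the file is loaded, and wraps iptables-restore-translate(8) to convert an existing iptables ruleset for review. The function names, the SSH_PORT variable and the default file paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example: generate and check an nftables.conf for the nftables
# service above. Generation runs as any user; checking and translating
# need the nftables package.

# Emit an nft script on stdout. `flush ruleset` first so reloading the
# file never leaves stale rules behind; one inet table handles both
# address families, unlike the separate iptables/ip6tables rulesets.
gen_nftables_conf() {
    ssh_port="${1:-22}"
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport ${ssh_port} ct state new accept
        limit rate 5/minute log prefix "nft-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Parse a candidate nftables.conf without loading it (nft --check), so a
# syntax error is caught before `sv up nftables` would apply the file.
check_nftables_conf() {
    nft -c -f "${1:-/etc/nftables.conf}"
}

# Convert an existing iptables-save style file to nft syntax for review.
# Nothing is applied; the translation is printed on stdout.
translate_iptables_rules() {
    src="${1:-/etc/iptables/iptables.rules}"
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    iptables-restore-translate -f "$src"
}

# Stand-alone run: print the ruleset. To install it, redirect the output
# to /etc/nftables.conf as root, run check_nftables_conf, then
# `sv up nftables`.
gen_nftables_conf "${SSH_PORT:-22}"
```

The `policy drop` on the input and forward chains is what makes the chain default-deny; the `log` statement before it is rate-limited for the same reason as the iptables LOG rule, so dropped packets are visible in the kernel log without a scan being able to flood it. Accepting ICMPv6 on the inet table is required for IPv6 neighbour discovery to work at all.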