-
-
Notifications
You must be signed in to change notification settings - Fork 520
System rules
Since v1.3.0-rc.1 you can configure iptables
rules by editing the file /etc/opensnitchd/system-fw.json
.
OpenSnitch will ensure that the rules you have configured there are not deleted from the system.
If you configure the daemon to deny everything that is not specifically allowed by default, many services will be blocked, like VPNs.
In order to allow this type of traffic, you can add a rule like this (notice that the Table is mangle):
{
"SystemRules": [
{
"Rule": {
"Description": "Allow pptp VPNs",
"Table": "mangle",
"Chain": "OUTPUT",
"Parameters": "-p gre",
"Target": "ACCEPT",
"TargetParameters": ""
}
}
]
}
In this case we allow GRE traffic (-p gre
) to allow PPTP connections, or you can allow traffic point to point (-p udp --dport 1194
). Whatever you can do with iptables.
Besides this, some services like OpenVPN uses ICMP to keep the tunnel up. Needless to say that ICMP is very important for network communications:
{
"SystemRules": [
{
"Rule": {
"Description": "Allow OUTPUT ICMP",
"Table": "mangle",
"Chain": "OUTPUT",
"Parameters": "-p icmp",
"Target": "ACCEPT",
"TargetParameters": ""
},
},
{
"Rule": {
"Description": "Allow OUTPUT ICMPv6",
"Table": "mangle",
"Chain": "OUTPUT",
"Parameters": "-p ipv6-icmp",
"Target": "ACCEPT",
"TargetParameters": ""
}
}
]
}
(you can allow only echo and reply
: -p icmp --icmp-type echo-request
)
Some more examples:
{
"SystemRules": [
{
"Rule": {
"Description": "",
"Table": "mangle",
"Chain": "OUTPUT",
"Parameters": "-p tcp ! --syn -m conntrack --ctstate NEW",
"Target": "DROP",
"TargetParameters": ""
}
},
{
"Rule": {
"Description": "",
"Table": "filter",
"Chain": "OUTPUT",
"Parameters": "-m conntrack --ctstate UNTRACKED,INVALID",
"Target": "DROP",
"TargetParameters": ""
}
},
{
"Rule": {
"Description": "",
"Table": "mangle",
"Chain": "PREROUTING",
"Parameters": "-m conntrack --ctstate INVALID,UNTRACKED",
"Target": "DROP",
"TargetParameters": ""
}
}
]
}
Allow nfs connections to mount a remote share:
{
"Rule": {
"Description": "Allow nfs",
"Table": "mangle",
"Chain": "OUTPUT",
"Parameters": "-p tcp --dport 2049",
"Target": "ACCEPT",
"TargetParameters": ""
}
}
The list of protocols you can allow or deny are defined in the file /etc/protocols
In order to intercept connections from containers, you need to select in Preferences->Nodes->Process monitor method: ebpf
, and add the following rule to /etc/opensnitchd/system-fw.json
:
{
"Rule": {
"Enabled": true,
"Description": "",
"Table": "mangle",
"Chain": "FORWARD",
"Parameters": "-m conntrack --ctstate NEW",
"Target": "NFQUEUE",
"TargetParameters": "--queue-num 0 --queue-bypass"
}
}
OpenSnitch system rules cannot be used yet with nftables as of v1.4.0, it's scheduled to be added for v1.5.0.
However if you need to use nftables you can combine OpenSnitch interception with the nftables firewall service:
- Edit
/etc/opensnitchd/default-config.json
and set "Firewall" to "nftables". - Edit
/etc/nftables.conf
and add these rules:
#!/usr/sbin/nft -f
# docs: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
# flush ruleset
# inet == ipv4 && ipv6
# the name of the tables and hooks is not random, OpenSnitch adds filter and mangle, and output chains
table inet filter {
chain input {
# block by default incoming connections
type filter hook input priority filter; policy drop;
# allow already established connections
ct state { established, related } accept
ct state invalid drop
# allow ssh
# tcp dport { 22 } accept
}
}
- Enable nftables service:
$ sudo systemctl enable nftables
$ sudo systemctl start nftables
In future versions you will be able to configure these rules from the GUI, but for now you have to add the rules to the file /etc/opensnitchd/system-fw.json
.
If you need or want a GUI, or you'd like to have more control on the rules, maybe you should try UFW, FwBuilder and the like.
Please help us make this wiki better.
How to submit changes: https://github.com/evilsocket/opensnitch/blob/wiki/README.md
- Installation
- Getting started
- Configuration
- Compilation
- GUI translations
- FAQs and common errors
- Examples OpenSnitch in action