Now install nftables as the host firewall:
# Install the nftables userspace tool and its systemd unit (Debian/Ubuntu).
sudo apt-get install -y nftables
Enable it at boot, start it, and check that the unit is active:
# Enable the unit for future boots and start it right away in one step,
# then confirm it is running.
sudo systemctl enable --now nftables.service
sudo systemctl status nftables.service
Create or edit the ruleset in /etc/nftables.rules (this file is pulled in by /etc/nftables.conf, see below):
# Open the root-owned ruleset file in an editor (created if it does not exist yet).
sudo nano -- /etc/nftables.rules
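# Local LAN subnet (IPv4).  Only hosts in this range may reach the media
# services opened below -- adjust it to your own network.
define lan = 192.168.1.0/24
define loopback = "lo"

# The "inet" family covers IPv4 and IPv6 at once.  Note that every
# "ip saddr $lan" rule below matches IPv4 only; IPv6 traffic that is not
# established/related, loopback, multicast or neighbour discovery is dropped
# by the chain policy.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Packets conntrack cannot classify (e.g. malformed TCP) are dropped
        # before any accept rule below gets a chance to match them.
        ct state invalid drop
        # Stateful filtering: replies to flows this host opened, plus
        # related traffic (e.g. ICMP errors belonging to those flows).
        ct state established,related accept

        # Loopback traffic -- required by the Roon server (and by most
        # local daemons talking to each other).
        iifname $loopback counter accept

        # IPv6 neighbour discovery is not tracked by conntrack, so the
        # established/related rule never accepts it; without this rule IPv6
        # on the LAN stops working under "policy drop".  Harmless on a host
        # without IPv6.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Service discovery (Roon, mDNS, SSDP) arrives as multicast and
        # broadcast from any source, so these are accepted without a
        # source restriction.
        meta pkttype multicast counter accept
        meta pkttype broadcast counter accept

        # SSH -- restricted to the LAN like every other service here.  If the
        # box must be reachable from outside, widen this rule deliberately
        # (key-only authentication and a rate limit are strongly advised)
        # rather than accepting port 22 from anywhere.
        ip saddr $lan tcp dport 22 counter accept

        # Roon comms
        ip saddr $lan udp dport 9003 counter accept
        ip saddr $lan tcp dport 9300-9339 counter accept

        # Apple AirPlay (UDP) and Devialet Air (TCP) negotiate dynamic high
        # ports, so the whole ephemeral range is opened -- but only to LAN
        # sources.
        ip saddr $lan udp dport 32768-65535 counter accept
        ip saddr $lan tcp dport 32768-65535 counter accept

        # Inbound ping (ICMP echo-request) is not accepted by any rule above
        # and is therefore dropped; add
        #   ip saddr $lan icmp type echo-request accept
        # if the host should answer ping from the LAN.

        # Log what the chain policy is about to drop.  The rate limit keeps a
        # port scan or a chatty device from flooding the kernel log / journal;
        # the prefix is what the journalctl | grep commands in this guide
        # look for, so keep it unchanged.
        limit rate 5/minute burst 10 packets log prefix "nftables: " flags all
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}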
Now make sure the service actually loads that file. Open /etc/nftables.conf:
# Open the file that nftables.service loads on start.
sudo nano -- /etc/nftables.conf
It should look like this (the `include` pulls in the ruleset above; `flush ruleset` first removes every existing table, including any created by other tools on the host):
#!/usr/sbin/nft -f
# Loaded by nftables.service (via "nft -f"); the whole file is applied as one
# transaction, so a syntax error leaves the previous ruleset in place.
# Remove every existing table of every family before loading.  This also
# wipes tables created by other tools on this host, so keep all rules in the
# included file rather than adding them elsewhere.
flush ruleset
# The actual ruleset (see the listing above).
include "/etc/nftables.rules"
and finally check and apply it by restarting the service, then list the live ruleset (an established SSH session survives the restart because the `established,related` rule accepts it):
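# Syntax-check the whole configuration first.  With -c nothing is applied,
# so a typo cannot leave the box without a firewall (or with the wrong one)
# after the restart.
sudo nft -c -f /etc/nftables.conf
# Apply the ruleset and print what is actually loaded.  -s (stateless)
# hides counter values; drop it to see per-rule hit counts while debugging.
sudo systemctl restart nftables.service
sudo nft -s list ruleset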
and to follow the firewall log live while troubleshooting (kernel messages carry the `nftables: ` prefix set by the log rule):
# Follow kernel messages live and show only the firewall's log lines
# (-F: the prefix is a fixed string, not a regex).
sudo journalctl -kf | grep -F 'nftables'
or to review everything logged since the current boot:
# Same filter over the whole kernel log of the current boot (-k implies -b).
sudo journalctl -k | grep -F 'nftables'