[GH-ISSUE #2107] Firejail with iptables for LAN only doesn't work #1425

Closed
opened 2026-05-05 08:05:23 -06:00 by gitea-mirror · 5 comments

Originally created by @greencopper on GitHub (Sep 6, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2107

I am trying to jail a game so that only LAN is visible.

I am running firejail like this:

firejail --noprofile --net=enp3s0 --netfilter=firejail-only-local.net mygame

Then I have an iptables script that looks like this:

# Default policies
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP

# Accept loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

# Keep State for already stablished traffic
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow LAN
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -j ACCEPT

COMMIT

If I change the default policy to "ACCEPT" then the games on the LAN can see each other, but once I set the default policy to "DROP" and then only accept the specific IP range of 192.168.1.0/24, then they cannot see each other.

Is this a firejail issue?

How do I set this up correctly so that LAN ONLY is working?

gitea-mirror 2026-05-05 08:05:23 -06:00

@reinerh commented on GitHub (Sep 7, 2018):

Do those rules work outside of firejail?
And when you run firejail --noprofile --net=enp3s0 --netfilter=firejail-only-local.net /sbin/ifconfig does it have an IP address from the same range?


@greencopper commented on GitHub (Sep 8, 2018):

Yes to both.


@netblue30 commented on GitHub (Sep 9, 2018):

I am on Debian, kernel 4.9. It looks like the format of the first 4 lines in your filter is bad:

$ sudo firejail --netfilter=nf --noprofile --net=eth0
Parent pid 3751, child pid 3752
The new log directory is /proc/3752/root/var/log
iptables-restore: line 2 failed
Error: failed to run /sbin/iptables-restore
Error: proc 3751 cannot sync with peer: unexpected EOF
Peer 3752 unexpectedly exited with status 1

It complains about "iptables-restore: line 2 failed". It looks like the format used by iptables-save/iptables-restore is a little different than the regular iptables format. You need to replace the lines with the following:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

You also need to take into account your DNS setting. If you have your DNS set to your home router at 192.168.1.1, the DNS requests will still go out. Example:

$ sudo firejail --netfilter=nf --noprofile --net=eth0 --dns=192.168.1.1
Parent pid 3774, child pid 3775
The new log directory is /proc/3775/root/var/log

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    
eth0-3774        8e:48:36:5f:fc:82  192.168.1.220    255.255.255.0    UP    
Default gateway 192.168.1.1
DNS server 192.168.1.1

Child process initialized in 1678.38 ms
root@debian:/home/netblue/work/github/firejail# ping google.com
PING google.com (172.217.7.14) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- google.com ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3079ms

# 

So the guy managed to resolve google.com, but was not able to send anything out.
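
Editor's note, not part of the thread: the two points above (chain policies must be written in iptables-restore syntax, and a LAN-range rule also lets DNS through when the resolver is the LAN router) are easy to get wrong by hand. The script below is an added example, not code from the issue or from the firejail project. It writes a LAN-only netfilter file in the iptables-save/iptables-restore format and then runs a structural check on it before the file is handed to `--netfilter`, so a `-P` line or a missing `*filter`/`COMMIT` is caught without having to start the sandbox. The LAN prefix (192.168.1.0/24, taken from the report), the `LAN_NET` variable and the file name are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the issue or from firejail): generate a LAN-only
# ruleset in iptables-restore format and sanity-check it before use.
# LAN_NET is an assumed knob; 192.168.1.0/24 is the range from the report.
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset to stdout. Chain policies use the ":CHAIN POLICY [pkts:bytes]"
# form that iptables-restore expects; the "-P CHAIN DROP" form makes
# iptables-restore fail on that line, which is the error shown above.
# Lines starting with '#' are ignored by iptables-restore.
write_lan_only_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections the sandbox already opened
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the LAN itself (broadcast 192.168.1.255 is inside the /24, so LAN
# discovery is covered); a DNS resolver is reachable only if it is in
# this range, e.g. the router at 192.168.1.1, and then only names
# resolve: traffic to the resolved Internet address is still dropped
-A INPUT -s ${LAN_NET} -j ACCEPT
-A OUTPUT -d ${LAN_NET} -j ACCEPT
COMMIT
EOF
}

# Structural check of a netfilter file: '*filter' header on the first line,
# a restore-format policy line for each built-in chain, no '-P' lines
# (the mistake in the original report), and 'COMMIT' as the last line.
# Returns 0 when the file passes, 1 with a short reason otherwise.
check_restore_format() {
    file="$1"
    head -n1 "$file" | grep -q '^\*filter$' \
        || { echo "$file: first line must be *filter"; return 1; }
    grep -q '^-P ' "$file" \
        && { echo "$file: -P lines are not valid in iptables-restore format"; return 1; }
    for chain in INPUT FORWARD OUTPUT; do
        grep -Eq "^:$chain (ACCEPT|DROP) \[[0-9]+:[0-9]+\]$" "$file" \
            || { echo "$file: no restore-format policy line for $chain"; return 1; }
    done
    tail -n1 "$file" | grep -q '^COMMIT$' \
        || { echo "$file: last line must be COMMIT"; return 1; }
    return 0
}

# Typical use (assumed file name; the firejail invocation mirrors the report):
#   write_lan_only_rules > firejail-only-local.net
#   check_restore_format firejail-only-local.net && \
#     firejail --noprofile --net=enp3s0 --netfilter="$PWD/firejail-only-local.net" mygame
```

The check is deliberately a format lint, not a semantic one: it proves the file is something iptables-restore will parse, which is the failure in the thread, but whether the resulting policy is right for a given game is still settled by running it inside the sandbox and observing, as above, that LAN peers are reachable while `ping google.com` resolves and then gets "Operation not permitted".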


@chiraag-nataraj commented on GitHub (Oct 3, 2018):

@greencopper did @netblue30's suggestion work?


@rusty-snake commented on GitHub (Jun 26, 2019):

@greencopper I'm closing here due to inactivity, please feel free to reopen if you have more questions.

Reference: github-starred/firejail#1425