Linked by Andrew Youll on Sat 9th Jul 2005 11:54 UTC, submitted by Martin
Internet & Networking If you use Linux a good deal, you should know how to set up a firewall to help protect your system and your network. This tutorial will guide you through the steps you should take in order to makes IPTables work for you.
Thanks
by rmtatum on Sat 9th Jul 2005 12:00 UTC
rmtatum
Member since:
2005-07-09

This is just what I needed. I use linux a lot, I'm just new to the networking part of computer science. The tutorial does a great job laying a basic foundation of network terminology needed to build an iptables firewall. Thanks for the post Andrew.

Reply Score: 2

Checkpoint
by Anonymous on Sat 9th Jul 2005 12:58 UTC
Anonymous
Member since:
---

Is IPtables equivalent to Checkpoint Firewall's capabilities?

Reply Score: 0

RE: Checkpoint
by orestes on Sat 9th Jul 2005 13:21 UTC in reply to "Checkpoint"
orestes Member since:
2005-07-06

This article may shed some light on the subject.

http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss143_art31...

Reply Score: 1

RE: Checkpoint
by Vonskippy on Sun 10th Jul 2005 01:03 UTC in reply to "Checkpoint"
Vonskippy Member since:
2005-07-10

Yes if you think that a Moped Engine is the equivalent to a Chevy V8. Checkpoint is a full featured Firewall appliance, IPTables is the foundation for Linux packet filtering.

Reply Score: 1

RE[2]: Checkpoint
by Anonymous on Sun 10th Jul 2005 04:21 UTC in reply to "RE: Checkpoint"
Anonymous Member since:
---

Using iptables allows you to add some programming into the fray. Nice when you want to develop your own solution. One feature from BSD I would like to see is the ability to scrub packets for identifiers. Makes it harder for someone to profile your system.

Reply Score: 0

If you use linux a good deal
by Anonymous on Sat 9th Jul 2005 13:25 UTC
Anonymous
Member since:
---

I haven't even read this post, but I do use linux a good deal. I don't know why you need to understand how to write IPTable rules if you use linux. I use an implementation written by someone who actually knows what they're talking about rather than me trying to learn it.
Additionally, if it is expected that you should know about iptables because you use linux, then regardless of what OS you use, you should know how to prepare and implement an effective firewall strategy.

Reply Score: 1

HTML Reports
by revragnarok on Sat 9th Jul 2005 14:02 UTC
revragnarok
Member since:
2005-07-09

If you want pretty reports to be e-mailed daily, check out ADMLogger (used to be called Fireparse) at http://freshmeat.net/projects/admlogger

Reply Score: 1

frozentux.org tutorial
by jsumners on Sat 9th Jul 2005 14:54 UTC
jsumners
Member since:
2005-07-06

I found the tutorial at http://iptables-tutorial.frozentux.net/iptables-tutorial.html to be exactly what I needed. It is very clear and complete. I reference it whenever I have a question.

Reply Score: 1

quick firewall
by ikaro on Sat 9th Jul 2005 15:12 UTC
ikaro
Member since:
2005-07-06

There is quicktables, a simple bash script that, depending on your input, creates an iptables firewall. Easy and fast.

Reply Score: 1

RE: quick firewall
by ikaro on Sat 9th Jul 2005 15:13 UTC in reply to "quick firewall"
ikaro Member since:
2005-07-06

shorewall
by Anonymous on Sat 9th Jul 2005 15:18 UTC
Anonymous
Member since:
---

I would recommend shorewall. This iptables script is mature and enables you to quickly lock down traffic.

Reply Score: 0

RE: shorewall
by Anonymous on Sat 9th Jul 2005 15:47 UTC in reply to "shorewall"
Anonymous Member since:
---

Hear, hear. Shorewall is a very good frontend to iptables and very balanced in terms of usability vs complexity. Not only can you lock down your box by editing (minute changes only) human-readable config files, but you can also build a perfectly functional internet gateway for your SOHO in a matter of minutes. There's a gotcha on Debian, though - for some weird reason a few default config files are gunzipped. Not to be missed if you want to spare yourself some embarrassing moments ;)

Reply Score: 0

ipfilter
by Anonymous on Sat 9th Jul 2005 17:38 UTC
Anonymous
Member since:
---

I'd say try ipfilter by Darren Reed - for the longest time there wasn't a port to Linux, but finally he got around to doing it.

http://coombs.anu.edu.au/~avalon/

For all the *BSD folks out there ipfilter is old old news.

Milione

Reply Score: 0

RE: ipfilter
by Anonymous on Sat 9th Jul 2005 17:57 UTC in reply to "ipfilter"
Anonymous Member since:
---

Thanks for this link! I'll try it because iptables syntax really sucks...

When is Linux going to have PF from OpenBSD ported? We really need to improve this area, I'm very dissatisfied with iptables syntax/concept...

Reply Score: 0

RE[2]: ipfilter
by Anonymous on Sat 9th Jul 2005 18:05 UTC in reply to "RE: ipfilter"
Anonymous Member since:
---

I've just downloaded ip_fil4.1.8 from Darren's site, typing 'less INSTALL.Linux' I get: 'Linux is no longer supported.'

Huh ?

Reply Score: 0

Might as well learn IPTables
by Anonymous on Sat 9th Jul 2005 17:59 UTC
Anonymous
Member since:
---

I've messed with some firewalls on Linux and found them complex enough that I decided to just learn IPTables instead. The knowledge is obviously more useful in the long run.

Most of the stock firewall programs on default configuration end up with extra rules -- I hate that. I want my firewall to be exactly as complex as it needs to be, but no more.

Additionally, most machines I run don't even need a firewall. If every service that listens to a port is a service that must be open to everyone at all times, then what use is a firewall? I can block off ports that nothing is listening to anyway... yay.

Reply Score: 0

Firestarter
by archiesteel on Sat 9th Jul 2005 18:06 UTC
archiesteel
Member since:
2005-07-02

I like it, it's very user-friendly and quite capable:

http://www.fs-security.com/

Reply Score: 1

RE: Firestarter
by irbis on Sat 9th Jul 2005 19:37 UTC in reply to "Firestarter"
irbis Member since:
2005-07-08

Firestarter is nice, especially for desktop users or those new to Linux as it is GUI-based and easy to configure. I often install it first after a new Linux installation when I want a working firewall up fast. The firewall included in Bastille is nice and relatively easy too.

One small Firestarter downside is that it depends on many GTK/GNOME/X components. For example, if there's no need for Gnome or even X, or one has to remove some X or Gnome libraries (maybe because of dependency problems etc.), the dependencies may cause Firestarter to be removed too.

Server/expert users may need more configurability and flexibility too. For them something like FireHOL would probably be good.

Reply Score: 1

RE[2]: ipfilter
by Anonymous on Sat 9th Jul 2005 18:13 UTC
Anonymous
Member since:
---

When is Linux going to have PF from OpenBSD ported? We really need to improve this area, I'm very dissatisfied with iptables syntax/concept...

I would mind seeing pf arise in penguina, but not because its syntax is easier to comprehend (it's not); it would add more sophisticated features most users wouldn't benefit from.

Thanks for this link! I'll try it because iptables syntax really sucks...

You might as well give shorewall a try:
http://www.shorewall.net/

A tightly configured shorewall (SOHO) system could/would involve something like:

"all all DROP" in the policy file
And for a box that only mails and browses the web with a static IP address from e.g. router 10.0.0.1, put the following in the rules file in the shorewall directory:

-------------------------------------------------
ACCEPT fw net:10.0.0.1 UDP 53 #dns (=ip-query)#
ACCEPT fw net tcp 25 #smtp (sending mail)#
ACCEPT fw net tcp 80 #http (=web)#
ACCEPT fw net tcp 110 #pop (=receiving mail)#
ACCEPT fw net tcp 443 #https (web secure)#
-------------------------------------------------

The result is a system that DROPS everything by default and only allows the traffic to go out to the net that's described in the rules file. It's that simple.

Reply Score: 0

rectification
by Anonymous on Sat 9th Jul 2005 18:14 UTC
Anonymous
Member since:
---

I obviously meant wouldn't mind :-)

Reply Score: 0

Shameless plug...
by Anonymous on Sat 9th Jul 2005 19:57 UTC
Anonymous
Member since:
---

http://www.killerwall.net

It's designed to be easy to configure, as well as powerful and flexible. For most users it's a matter of:

1) Unarchiving
2) Setting perms on the script as root
3) './killerwall autoconf stealth' (it will even detect when it needs to configure for NAT, as opposed to just a host-based firewall)

4) './killerwall start'
5) If you like what you see add it to your init (read the README included in the archive).

At this stage you'll have a stateful firewall with all ports closed that blocks unsolicited ICMP.

Reply Score: 0

Optimizing
by John Nilsson on Sat 9th Jul 2005 23:46 UTC
John Nilsson
Member since:
2005-07-06

Anyone got a tutorial on how to optimize iptables and conntrack for speed?

Reply Score: 1

Iptables syntax
by Anonymous on Sun 10th Jul 2005 08:18 UTC
Anonymous
Member since:
---

I really like iptables. It's easy to use once you first learn it, and although the manual page is somewhat restricted in information, it is a good reference.

How come iptables-syntax sucks?

Reply Score: 0

RE[1]: Iptables syntax
by Anonymous on Sun 10th Jul 2005 08:53 UTC
Anonymous
Member since:
---

How come iptables-syntax sucks?

It really doesn't. But it's not fun for everybody to know everything, and a good frontend would get them their job done faster. Iptables covers a lot of target ground.

Reply Score: 0

No need to hand-code iptables anymore
by Anonymous on Sun 10th Jul 2005 10:31 UTC
Anonymous
Member since:
---

After years of hand-crafting iptables rules, I finally switched over to shorewall and never looked back.

Shorewall is simply amazing. Highly recommended as the best firewall to generate and maintain iptables rules.

Another is firehol.

Everything else I've tried doesn't come close to the quality of shorewall and firehol. If you pick either of these, you're way ahead of the game.

Reply Score: 0

Anonymous
Member since:
---

After years of hand-crafting iptables rules, I finally switched over to shorewall and never looked back.

Know what you mean :-)

Reply Score: 0

Excellent
by Anonymous on Sun 10th Jul 2005 10:52 UTC
Anonymous
Member since:
---

I've been a Linux admin/user for 8 years now and IPtables has been the biggest pain in my @ss. This is the best breakdown I have seen to date. Great job and thank you!
-nX

Reply Score: 0

Shorewall
by zombie process on Sun 10th Jul 2005 16:39 UTC
zombie process
Member since:
2005-07-08

Shorewall does indeed rock. I was under the impression that the project had been abandoned by the main dev since it was eating his life - has anyone picked up the pieces?

Reply Score: 1

Thanks
by Anonymous on Sun 10th Jul 2005 17:17 UTC
Anonymous
Member since:
---

Thank you guys. I use firestarter but I want something more flexible. The links given would be useful ;)

Reply Score: 0

@ ikaro: Thanks!
by 1c3d0g on Mon 11th Jul 2005 14:44 UTC
1c3d0g
Member since:
2005-07-06

Like anonymous above me has said, the links are very helpful. Many thanks! :-)

And the one below is a very n00b-friendly firewall:
http://www.simonzone.com/software/guarddog/

Reply Score: 1