OSNews

This is just what I needed. I use linux a lot, I'm just new to the networking part of computer science. The tutorial does a great job laying a basic foundation of network terminology needed to build an iptables firewall. Thanks for the post Andrew.

Is IPtables equivalent to Checkpoint Firewall's capabalities?

I haven't even read this post, but I do use linux a good deal. I don't know why you need to understand how to write IPTable rules if you use linux. I use an implementation written by someone who actually knows what they're talking about rather than me trying to learn it.
Additionally, if it is expected that you should know about iptables because you use linux, then regardless of what OS you use, you should know how to prepare and implement an effective firewall strategy.

If you want pretty reports to be e-mailed daily, check out ADMLogger (used to be called Fireparse) at http://freshmeat.net/projects/admlogger

I found the tutorial at http://iptables-tutorial.frozentux.net/iptables-tutorial.html to be exactly what I needed. It is very clear and complete. I reference it whenever I have a question.

There is quicktables, a simple bash script that, depending of your input, creates a iptables firewall. Easy and fast.

I would recommend shorewall.This ip-tables script is mature and enables you to quickly lockdown traffic.

I'd say try ipfilter by Darrien Ried - for the longest time there wasn't a port to Linux but finally he got around to doing it.

http://coombs.anu.edu.au/~avalon/

For all the *BSD folks out there ipfilter is old old news.

Milione

I've messed with some firewalls on Linux and found them complex enough that I decided to just learn IPTables instead. The knowledge is obviously more useful in the long run.

Most of the stock firewall programs on default configuration end up with extra rules -- I hate that. I want my firewall to be exactly as complex as it needs to be, but no more.

Additionally, most machines I run don't even need a firewall. If every service that listens to a port is a service that must be open to everyone at all times, then what use is a firewall? I can block off ports that nothing is listening to anyway... yay.

I like it, it's very user-friendly and quite capable:

http://www.fs-security.com/

When is going Linux to have PF from OpenBSD ported ? We really need to improve this area, I'm very dissatisfied with iptables syntax/concept...

I would mind to see pf arise in penguina but not because it's syntax is easier to comprehand (it's not) but it would add more sophisticated features most users wouldn't benefit from.

Thanks for this link! I'll try it because iptables syntax really sucks...

You might as well give shorewall a try:
http://www.shorewall.net/

A tightly configured shorewall (SOHO) system could/would involve something like:

"all all DROP" in the policy file
And for a box that only mails and browses the web with a static ip-address from for eg router 10.0.0.1 put the following in the rules file in the shorewall directory:

-------------------------------------------------
ACCEPT fw net:10.0.0.1 UDP 53 #dns (=ip-querry)#
ACCEPT fw net tcp 25 #smtp (sending mail)#
ACCEPT fw net tcp 80 #http (=web)#
ACCEPT fw net tcp 110 #pop (=receiving mail)#
ACCEPT fw net tcp 443 #https (web secure)#
-------------------------------------------------

The result is a system that DROPS everything by default and only allows the traffic to go on to the net that's described in the rules file.It's that simple.

I obviously meant wouldn't mind :-)

http://www.killerwall.net

It's designed to be easy to configure, as well as powerful and flexible. For most users it's a matter of:

1) Unarchiving
2) Setting perms on the script as root
3) './killerwall autoconf stealth' (it will even detect when it need to configure for NAT, as opposed to just a host based firewall)

4) './killerwall start'
5) If you like what you see add it to your init (read the README included in the archive).

At this stage you'll have a stateful firewall with all ports closed that blocks unsolicited ICMP.

Anyone got a tutorial on how to optimize iptables and conntrack for speed?

I really like iptables. It's easy to use when you first learn it and albeit the manual-page is somewhat restricted in information it is a good reference.

How come iptables-syntax sucks?

How come iptables-syntax sucks?

It really doesn't.But it's not fun for everybody to know everything and a good frontend would get them their job done faster.Ip-tables covers a lot of target ground.

After years of hand-crafting iptables rules, I finally switched over to shorewall and never looked back.

Shorewall is simply amazing. Highly recommended as the best firewall to generate and maintain iptables rules.

Another is firehol.

Everything else I've tried doesn't come close to the quality of shorewall and firehol. If you pick either of these, you're way ahead of the game.

After years of hand-crafting iptables rules, I finally switched over to shorewall and never looked back.

Know what you mean :-)

Ive been a Linux admin/user for 8 years now and IPtables has been the biggest pain in my @ss. This is the best breakdown I have seen to date. Great job and thank you!
-nX

Shorewall does indeed rock. I was under the impression that the project had been abandoned by the main dev since it was eating his life - has anyone picked up the pieces?

Thank you guys . I use firestarter but I want something more flexible . The links given would be useful .

Like anyonymous above me has said, the links are very helpful. Many thanks! :-)

And the one below is a very n00b-friendly firewall:
http://www.simonzone.com/software/guarddog/