If you use Linux a good deal, you should know how to set up a firewall to help protect your system and your network. This tutorial will guide you through the steps you should take in order to makes IPTables work for you.
If you use Linux a good deal, you should know how to set up a firewall to help protect your system and your network. This tutorial will guide you through the steps you should take in order to makes IPTables work for you.
This is just what I needed. I use linux a lot, I’m just new to the networking part of computer science. The tutorial does a great job laying a basic foundation of network terminology needed to build an iptables firewall. Thanks for the post Andrew.
Is IPtables equivalent to Checkpoint Firewall’s capabalities?
This article may shed some light on the subject.
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss143_art31…
Yes if you think that a Moped Engine is the equivalent to a Chevy V8. Checkpoint is a full featured Firewall appliance, IPTables is the foundation for Linux packet filtering.
Using iptables allows you to add some programming into the fray. Nice when you want to develop your own solution. One feature from BSD I would like to see is the ability to scrub packets for identifiers. Makes it harder for someone to profile your system.
I haven’t even read this post, but I do use linux a good deal. I don’t know why you need to understand how to write IPTable rules if you use linux. I use an implementation written by someone who actually knows what they’re talking about rather than me trying to learn it.
Additionally, if it is expected that you should know about iptables because you use linux, then regardless of what OS you use, you should know how to prepare and implement an effective firewall strategy.
If you want pretty reports to be e-mailed daily, check out ADMLogger (used to be called Fireparse) at http://freshmeat.net/projects/admlogger
I found the tutorial at http://iptables-tutorial.frozentux.net/iptables-tutorial.html to be exactly what I needed. It is very clear and complete. I reference it whenever I have a question.
There is quicktables, a simple bash script that, depending of your input, creates a iptables firewall. Easy and fast.
the url:
http://qtables.radom.org/
I would recommend shorewall.This ip-tables script is mature and enables you to quickly lockdown traffic.
Hear-hear. Shorewall is a very good frontend to iptables and very balanced in terms of usability vs complexity. Not only can you lock down your box by editing (minute changes only) human-readable config files, but you can also build a perfectly functional internet gateway for your SOHO in a matter of minutes. There’s a gotcha on Debian, though – for some weird reason a few default config files are gunzipped. Not to be missed if you want to spare yourself some embarrasing moments
I’d say try ipfilter by Darrien Ried – for the longest time there wasn’t a port to Linux but finally he got around to doing it.
http://coombs.anu.edu.au/~avalon/
For all the *BSD folks out there ipfilter is old old news.
Milione
Thanks for this link! I’ll try it because iptables syntax really sucks…
When is going Linux to have PF from OpenBSD ported ? We really need to improve this area, I’m very dissatisfied with iptables syntax/concept…
I’ve just downloaded ip_fil4.1.8 from Darren’s site, typing ‘less INSTALL.Linux’ I get: ‘Linux is no longer supported.’
Huh ?
I’ve messed with some firewalls on Linux and found them complex enough that I decided to just learn IPTables instead. The knowledge is obviously more useful in the long run.
Most of the stock firewall programs on default configuration end up with extra rules — I hate that. I want my firewall to be exactly as complex as it needs to be, but no more.
Additionally, most machines I run don’t even need a firewall. If every service that listens to a port is a service that must be open to everyone at all times, then what use is a firewall? I can block off ports that nothing is listening to anyway… yay.
I like it, it’s very user-friendly and quite capable:
http://www.fs-security.com/
Firestarter is nice, especially for desktop users or those new to Linux as it is GUI-based and easy to configure. I often install it first after a new Linux installation when I want a working firewall up fast. The firewall included in Bastille is nice and relatievly easy too.
One small Firestarter downside is that it depends on many GTK/GNOME/X components. For example, if there’s no need for Gnome or even X, or one would have to remove some X or Gnome libraries (maybe because of dependency problems etc.), the dependencies may cause Firestarter to be removed too.
Server/expert users may need more configurability and flexibility too. For them something like FireHOL would probably be good.
When is going Linux to have PF from OpenBSD ported ? We really need to improve this area, I’m very dissatisfied with iptables syntax/concept…
I would mind to see pf arise in penguina but not because it’s syntax is easier to comprehand (it’s not) but it would add more sophisticated features most users wouldn’t benefit from.
Thanks for this link! I’ll try it because iptables syntax really sucks…
You might as well give shorewall a try:
http://www.shorewall.net/
A tightly configured shorewall (SOHO) system could/would involve something like:
“all all DROP” in the policy file
And for a box that only mails and browses the web with a static ip-address from for eg router 10.0.0.1 put the following in the rules file in the shorewall directory:
————————————————-
ACCEPT fw net:10.0.0.1 UDP 53 #dns (=ip-querry)#
ACCEPT fw net tcp 25 #smtp (sending mail)#
ACCEPT fw net tcp 80 #http (=web)#
ACCEPT fw net tcp 110 #pop (=receiving mail)#
ACCEPT fw net tcp 443 #https (web secure)#
————————————————-
The result is a system that DROPS everything by default and only allows the traffic to go on to the net that’s described in the rules file.It’s that simple.
I obviously meant wouldn’t mind 🙂
http://www.killerwall.net
It’s designed to be easy to configure, as well as powerful and flexible. For most users it’s a matter of:
1) Unarchiving
2) Setting perms on the script as root
3) ‘./killerwall autoconf stealth’ (it will even detect when it need to configure for NAT, as opposed to just a host based firewall)
4) ‘./killerwall start’
5) If you like what you see add it to your init (read the README included in the archive).
At this stage you’ll have a stateful firewall with all ports closed that blocks unsolicited ICMP.
Anyone got a tutorial on how to optimize iptables and conntrack for speed?
I really like iptables. It’s easy to use when you first learn it and albeit the manual-page is somewhat restricted in information it is a good reference.
How come iptables-syntax sucks?
How come iptables-syntax sucks?
It really doesn’t.But it’s not fun for everybody to know everything and a good frontend would get them their job done faster.Ip-tables covers a lot of target ground.
After years of hand-crafting iptables rules, I finally switched over to shorewall and never looked back.
Shorewall is simply amazing. Highly recommended as the best firewall to generate and maintain iptables rules.
Another is firehol.
Everything else I’ve tried doesn’t come close to the quality of shorewall and firehol. If you pick either of these, you’re way ahead of the game.
After years of hand-crafting iptables rules, I finally switched over to shorewall and never looked back.
Know what you mean 🙂
Ive been a Linux admin/user for 8 years now and IPtables has been the biggest pain in my @ss. This is the best breakdown I have seen to date. Great job and thank you!
-nX
Shorewall does indeed rock. I was under the impression that the project had been abandoned by the main dev since it was eating his life – has anyone picked up the pieces?
Thank you guys . I use firestarter but I want something more flexible . The links given would be useful .
Like anyonymous above me has said, the links are very helpful. Many thanks! 🙂
And the one below is a very n00b-friendly firewall:
http://www.simonzone.com/software/guarddog/