Tutorial About IPTABLES

NatureNMoon

Moderator
Joined
Jul 8, 2016
Messages
44
Points
71
I have just checked all the iptables scripts and I have seen that there are a lot of mistakes in IPTABLES scripts, so let me start with the first mistake. You shouldn't use "ACCEPT" in your iptables scripts. This rule creates many backdoors and bugs, and it may affect your servers very badly. Instead of ACCEPT, please use RETURN. If you ask why, check the example below:

You wanted to create your iptables and you wanted to block unused protocols, ports or whatever you wanted... and you wrote this script.

Code:
iptables -A INPUT -i externalinterface -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i externalinterface -p udp --dport 9987 -j ACCEPT
iptables -A INPUT -i externalinterface -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i externalinterface -p tcp --dport 80 -m connlimit --connlimit-above 15 -j DROP
iptables -A INPUT -i externalinterface -j DROP
The rule, -i externalinterface -p tcp --dport 80 -m connlimit --connlimit-above 15 -j DROP, cannot work well, because there is a rule above it which includes "--dport 80 ACCEPT". However, if you use RETURN instead of ACCEPT, your connlimit rule will work well in IPTABLES. Moreover, when someone attacks you using "TCP port 80", they cannot enter your network!

All in all, you SHOULDN'T USE "ACCEPT" in your iptables rules!

Use RETURN and keep your network alive ;)

Best Regards;
Daniel QUINN
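The script above is evaluated by iptables top to bottom, and the first rule that matches a packet decides its fate, so a broader rule placed earlier hides every narrower rule after it. The following simulator is an added example, not code from the post or from the Netfilter project: it models a built-in INPUT chain with first-match semantics, flags rules that can never fire because an earlier rule covers them, and shows that the connlimit DROP takes effect once it is placed before the port-80 ACCEPT. It also models RETURN the way a built-in chain treats it, by falling through to the chain's default policy. The interface name eth0, the addresses and the connection counts are constructed sample values, and the INPUT chain is an assumption.

```python
"""Added example (not from the forum post): a first-match simulator for an
iptables INPUT chain. It shows why the connlimit DROP in the post's script never
fires when a broader ACCEPT on the same port precedes it, and how the chain
behaves once the rules are reordered. Interface name, addresses and connection
counts are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dport: int
    src: str


@dataclass(frozen=True)
class Rule:
    target: str                            # ACCEPT, DROP or RETURN
    iface: Optional[str] = None            # -i
    proto: Optional[str] = None            # -p
    dport: Optional[int] = None            # --dport
    connlimit_above: Optional[int] = None  # -m connlimit --connlimit-above N


def matches(rule: Rule, pkt: Packet, conns: Dict[str, int]) -> bool:
    """True when every criterion set on the rule matches the packet.
    conns maps source address -> current connection count, standing in for the
    per-source count that the connlimit match keeps in the kernel."""
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.connlimit_above is not None and conns.get(pkt.src, 0) <= rule.connlimit_above:
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, conns: Dict[str, int], policy: str = "DROP") -> str:
    """Walk the chain top to bottom; the first matching rule decides.
    RETURN in a built-in chain hands the packet to the chain's policy, and so
    does falling off the end of the chain."""
    for rule in chain:
        if matches(rule, pkt, conns):
            return policy if rule.target == "RETURN" else rule.target
    return policy


def covers(general: Rule, specific: Rule) -> bool:
    """True when `general` matches every packet that `specific` matches."""
    for field in ("iface", "proto", "dport"):
        g, s = getattr(general, field), getattr(specific, field)
        if g is not None and g != s:
            return False
    if general.connlimit_above is not None:
        if specific.connlimit_above is None or general.connlimit_above > specific.connlimit_above:
            return False
    return True


def shadowed_rules(chain: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, rule in enumerate(chain)
            if any(covers(earlier, rule) for earlier in chain[:i])]


EXT = "eth0"  # constructed stand-in for the post's "externalinterface"

# The post's script, in the order it was written.
ORIGINAL_CHAIN = [
    Rule("ACCEPT", iface=EXT, proto="tcp", dport=80),
    Rule("ACCEPT", iface=EXT, proto="udp", dport=9987),
    Rule("ACCEPT", iface=EXT, proto="tcp", dport=22),
    Rule("DROP", iface=EXT, proto="tcp", dport=80, connlimit_above=15),
    Rule("DROP", iface=EXT),
]

# Same rules with the connlimit check placed before the port-80 ACCEPT.
REORDERED_CHAIN = [ORIGINAL_CHAIN[3], ORIGINAL_CHAIN[0], ORIGINAL_CHAIN[1],
                   ORIGINAL_CHAIN[2], ORIGINAL_CHAIN[4]]

# Constructed sample: one source already holding 40 connections to port 80.
BUSY_SRC = "203.0.113.5"
CONNS = {BUSY_SRC: 40}
WEB_PKT = Packet(EXT, "tcp", 80, BUSY_SRC)

if __name__ == "__main__":
    print("shadowed in original:", shadowed_rules(ORIGINAL_CHAIN))   # [3]
    print("original  ->", evaluate(ORIGINAL_CHAIN, WEB_PKT, CONNS))   # ACCEPT
    print("reordered ->", evaluate(REORDERED_CHAIN, WEB_PKT, CONNS))  # DROP
```

Running `shadowed_rules` over a ruleset before loading it is a cheap way to catch this class of mistake: any index it reports is a rule that iptables will never reach. With a real firewall, `iptables -L INPUT -v -n` shows per-rule packet counters, and a counter that stays at zero for a rule you expect to fire is the same symptom seen from the kernel side.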
 

Asphyxia

Server Monkey
Administrator
Joined
Apr 25, 2015
Messages
1,340
Points
252
Age
26
Location
North America
Someone needs to make a bloody YouTube video on iptables (nftables aka Netfilter). I am sure there is an easier way to have this explained! Too many times have I heard "Oh man, I am locked out of SSH (22)." A built-in web interface that is seriously protected with 2FA (SMS/email) and password makes sense.

Their documentation is confusing to anyone that isn't a network engineer:

http://ipset.netfilter.org/iptables.man.html ... Honestly, someone needs to write a beautiful web-based interface, and I am seriously considering doing this.

There are some GUI-related options and simpler alternatives to iptables, because with the Netfilter way - you are essentially programming a firewall. Nothing wrong with programming a firewall, but some people simply do not have the interest in learning to "code a firewall" through scripting it all out.

Options:
This is a desktop app http://gufw.org/ "Because a extremely powerful and complex tool like a firewall need not be at odds with the design".. powered by UFW.
Ubuntu's solution is https://help.ubuntu.com/community/UFW (this is wrapped by gufw above, not iptables)
A beautiful ruby-based solution https://github.com/Intika-Linux-Firewall/Iptables-Editor-Gui
Another desktop app http://fwbuilder.sourceforge.net/4.0/screenshots.shtml (looks like cpp files, C++), source available https://sourceforge.net/projects/fwbuilder/files/Current_Packages/5.1.0/fwbuilder-5.1.0.3599.tar.gz/download
People mentioned https://help.ubuntu.com/community/Firestarter but this appears helpless, not maintained
Pretty darn good and VERY simple https://www.configserver.com/cp/csf.html
http://www.shorewall.net/ is a 2017 option
http://turtlefirewall.sourceforge.net/ (possibly usable with Webmin for a web interface), seems outdated though

"Thank you. But I am looking for one which only offers a Firewall. I already have VestaCP installed on my other server, but for this one I am looking for something that offers advanced Firewall options like Blocking Packets Containing a Substring, as seen in the picture in the post."

One drawback to a lot of these "simpler" firewall tools is that they appear to lack some of the more advanced functions, like the one in the quote above (taken from askubuntu). VestaCP is open source and offers a web-based firewall interface, but there simply is not a thoroughly developed web interface fully wrapping iptables, nor one powerful enough to perform the request in the above quote.

So while I agree using iptables correctly is important, I also understand the need for a simpler offering to the Linux community.
 

NatureNMoon

Moderator
Joined
Jul 8, 2016
Messages
44
Points
71
So while I agree using iptables correctly is important, I also understand the need for a simpler offering to the Linux community.
Nowadays, many people pay a lot of money for firewalls; actually this IS NOT necessary. You can easily code your firewall if you are interested. A lot of people think that they know IPTABLES (or the others) well. Sadly, they just know nothing. Also, they do not like reading the article. I am planning to create some videos about network security in a cheaper way!
And the videos will be in English and Turkish.
 
