Tutorial About IPTABLES

NatureNMoon

Restricted
Jul 8, 2016
70
124
86
I have just checked all the iptables scripts and I have seen that there are a lot of mistakes about IPTABLES Scripts, let me say the first mistake. You shouldn't use "ACCEPT" in your iptables scripts. This rule creates many backdoors and bugs, it may affect your servers very very bad. Instead of ACCEPT, please use RETURN. If you ask why? check the example below;

You wanted to create your iptables and you wanted to block unused protocols, ports or whatever you wanted... and you wrote this script.

Code:
-i externalinterface -p tcp --dport 80 -j ACCEPT
-i externalinterface -p udp --dport 9987 -j ACCEPT
-i externalinterface -p tcp --dport 22 -j ACCEPT
-i externalinterface -p tcp --dport 80 -m connlimit --connlimit-above 15 -j DROP
-i externalinterface -j DROP

The rule, -i externalinterface -p tcp --dport 80 -m connlimit --connlimit-above 15 -j DROP, cannot work well, because there is a rule above which includes "--dport 80 ACCEPT". However, if you use RETURN instead of ACCEPT, your connlimit rule will be worked well by IPTABLES. Moreover, when someone attacks you by using "80 tcp port", they cannot enter into your network!

All in all, you SHOULDN'T USE "ACCEPT" in your iptables rules!

Use RETURN and keep your network alive ;)

Best Regards;
Daniel QUINN
 
Last edited:

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Someone needs to make a bloody YouTube video on iptables (nftables aka Netfilter). I am sure there is an easier way to have this explained! Too many times have I heard "Oh man, I am locked out of SSH (22)." A built-in web interface that is seriously protected with 2FA (SMS/email) and password makes sense.

Their documentation is confusing to anyone that isn't a network engineer:

http://ipset.netfilter.org/iptables.man.html .. honestly someone needs to write a beautiful web-based interface and I honestly am considering doing this.

There are some GUI-related options and simpler alternatives to iptables, because with the Netfilter way - you are essentially programming a firewall. Nothing wrong with programming a firewall, but some people simply do not have the interest in learning to "code a firewall" through scripting it all out.

Options:
This is a desktop app http://gufw.org/ "Because a extremely powerful and complex tool like a firewall need not be at odds with the design".. powered by UFW.
Ubuntu's solution is https://help.ubuntu.com/community/UFW (this is wrapped by gufw above, not iptables)
A beautiful ruby-based solution https://github.com/Intika-Linux-Firewall/Iptables-Editor-Gui
Another desktop app http://fwbuilder.sourceforge.net/4.0/screenshots.shtml (looks like cpp files, C++), source available https://sourceforge.net/projects/fw...es/5.1.0/fwbuilder-5.1.0.3599.tar.gz/download
People mentioned https://help.ubuntu.com/community/Firestarter but this appears helpless, not maintained
Pretty darn good and VERY simple https://www.configserver.com/cp/csf.html
http://www.shorewall.net/ is a 2017 option
http://turtlefirewall.sourceforge.net/ (possibly usable with Webmin for a web interface), seems outdated though

"Thanks You. But i am looking for one which only offers Firewall. I already have VestaCP installed on my other server but as for this one i am looking for something that offers advanced Firewall options like Blocking Packets Containing Subtring as seen in picture in post."

One drawback to a lot of these "simpler" firewall tools, they appear to lack some more advanced functions like in the quote above (taken from askubuntu). VestaCP is open source and offers a web-based firewall interface but there simply is not a thoroughly developed web interface fully wrapping iptables nor one powerful enough to perform the above quote request.

So while I agree using iptables correctly is important, I also understand the need for a simpler offering to the Linux community.
 

NatureNMoon

Restricted
Jul 8, 2016
70
124
86
So while I agree using iptables correctly is important, I also understand the need for a simpler offering to the Linux community.
Nowadays, many people pay a lot of money for firewalls, actually this IS NOT necessary. You can easily code your firewall if you are interested. A lot of people think that they know IPTABLES(or the others) well, Sadly, they just know nothing. Also, they do not like reading the article. I am planning create some videos about network security in cheaper way!.
And the videos will be in English and Turkish languages.
 

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
people pay a lot of money for firewalls, actually this IS NOT necessary
Do you recommend people have a separate server for their firewall or just use iptables on the same server as they are running other services? I am sure this depends on what they are hosting or how many servers are being protected?
 

NatureNMoon

Restricted
Jul 8, 2016
70
124
86
Do you recommend people have a separate server for their firewall or just use iptables on the same server as they are running other services? I am sure this depends on what they are hosting or how many servers are being protected?
a separeted server for firewall would be great for them. But, many people use IPTABLES to protect themselves, not protect their ALL servers. It depends on why they use iptables. IPTABLES(or the other tools for firewall) and the applications they use are in the same server. It can be an important issue when the (d)dos attacks comes.


If you ask me, you MUST create a network like below;

Router
Backbone Switch
Firewall
Local Network Switch
Your network(your servers and the rest)

If you use your dedicated or virtual servers for both firewall and games(or the others) at the same time, your operation system is going to work slowly. This is going to affect your system very bad.

If you have money a lot, you must create a network as I mentioned above.

And, you can also use NTUBLE to prevent ddos attacks before coming into your network. Ntuble can drop all the packets on NIC.
You can also use netfilter module, you can search my netfilter module on this website. It was for DNS Amplification attack, if you know how you can code, you can create your own firewall. Netfilter module and NTUBLE are the things which don't affect your systems as much as iptables. The best options to prevent ddos attacks are NTUBLE and NETFILTER these days. Furthermore, they are the cheaper ways.
 
Last edited:
Top