iptables wrappers?

I quite like bare iptables. It's easy and straightforward. Simple things like port forwarding, blocking and NAT are quite easy to do. My choice will always be bare iptables or the coming nftables.

However, some people prefer wrappers around iptables. I often use csf for servers other people have to use, most of the time combined with Directadmin or just the csf web UI. I also quite like lfd, which does almost the same as fail2ban or denyhosts.

I've written a snippet with my most used commands and config settings: https://raymii.org/s/articles/Configserver_Firewall_and_Security_CSF_LFD.html

There is also shorewall. I've never used it.

Then ufw. Default on Ubuntu. Redhat now ships firewalld. Systemd might even soon start integrating a firewall, who knows.

What do you use as a firewall and more important why?
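The three "simple things" the post lists (port forwarding, blocking, NAT) as bare iptables, written as an added example rather than the poster's own rules. The function emits an iptables-restore ruleset instead of calling iptables directly, so it can be reviewed with `iptables-restore --test` before it touches a live host; the interface, network, port and host values passed in are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates an
# iptables-restore ruleset: DNAT port forward, MASQUERADE for a LAN,
# default-deny INPUT/FORWARD. All argument values are assumptions.

# gen_ruleset WAN_IF LAN_NET PORT INTERNAL_HOST
gen_ruleset() {
    wan="$1"; lan="$2"; port="$3"; host="$4"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# port forward: inbound tcp/$port arriving on $wan goes to $host
-A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $host:$port
# NAT: the LAN leaves through $wan with the host's address
-A POSTROUTING -s $lan -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# FORWARD is default-deny too: DNAT alone does not let a packet through,
# so the forwarded service and the LAN's own outbound traffic are listed
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $wan -d $host -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -s $lan -o $wan -j ACCEPT
COMMIT
EOF
}

# check_ruleset: succeeds only if the generated set keeps a default-deny
# INPUT policy and actually contains the DNAT rule
check_ruleset() {
    gen_ruleset "$@" | grep -q '^:INPUT DROP' &&
    gen_ruleset "$@" | grep -q -- '-j DNAT --to-destination'
}

# usage (values are made up): gen_ruleset eth0 10.0.0.0/24 8080 10.0.0.5 > rules.v4
# then: iptables-restore --test < rules.v4 && iptables-restore < rules.v4
```

The point of going through iptables-restore is atomicity: the whole table is swapped in at once, so there is no window where the default policy is DROP but the SSH accept rule is not yet loaded.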

Comments

  • Bare iptables, it does what I need and I'm too lazy to learn anything else.

• Lee Veteran

    I only ever use bare iptables now. I rarely use a control panel, and each VPS/server I have needs limited contact with the outside world, so I find it easier just to start with access to SSH and drop everything else until I need something else and open it up.

    I used CSF once before but found it just got in my way.

  • ValdikSS Member
    edited October 2014

    I would recommend ferm to you. It is not a "usual" iptables wrapper, but a C-like language for writing iptables, ip6tables, ebtables and arptables rules with variables, arrays and functions. It's very, very convenient when you need to make a lot of similar rules which differ only by interface, for example.

    It looks like this:

    @include 'vpn.vars';
    
    # IPv4
    table filter {
        # Create sshguard chain because it can disappear
        chain sshguard;
    
        chain INPUT {
            jump sshguard;
        }
    
        chain FORWARD {
            policy DROP;
            # if = interface, of = outerface (ferm short forms)
            if $VPN of $WAN ACCEPT;
            if ($WAN $TOR) of $VPN mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
        }
    }
    
    table nat {
        chain PREROUTING {
            # redirect tcp/80 for the fake host to the Tor/I2P proxy;
            # uses $TOR_HOST/$TOR_PORT, the names vpn.vars actually defines
            if $VPN daddr $TOR_FAKE_HOST proto tcp dport 80 DNAT to @cat($TOR_HOST, ':', $TOR_PORT);
        }
        chain POSTROUTING {
            of $WAN MASQUERADE;
            of $TOR daddr $TOR_HOST MASQUERADE;
        }
    }
    
    # IPv6
    domain ip6 {
        table filter {
            chain FORWARD {
                policy DROP;
                if $VPN of $WAN6 ACCEPT;
                if $WAN6 of $VPN ACCEPT;
            }
        }
    }
    

    And vpn.vars:

    # WAN interface
    @def $WAN = venet0;
    # IPv6 interface (if tunnel is used, else use $WAN here)
    @def $WAN6 = ipv6tun;
    # I2P and Tor interface
    @def $TOR = tor;
    # VPN interfaces
    @def $VPN = (vpn+ ipsec0);
    # I2P and Tor host and port for redirects
    @def $TOR_FAKE_HOST = 192.168.99.98;
    @def $TOR_HOST = 192.168.99.1;
    @def $TOR_PORT = 8888;
    

    It doesn't restrict you in any way, as other wrappers do; quite the contrary. It's amazing!

    Thanked by 2: Microlinux, Lee
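The comment above praises ferm for variables, arrays and functions when many rules differ only by interface, but its config does not show a function. Here is an added example (not the commenter's config, and not from the ferm project) that defines one ferm function and applies it over an array of interfaces, giving a default-deny host firewall for both IPv4 and IPv6; the interface names, ports and log prefix are assumptions.

```ferm
# Added example, not from the original post. A ferm function applied over
# an array of interfaces; interface names and ports are assumptions.
@def $WAN         = eth0;
@def $ADMIN_IFS   = (vpn+ wg0);   # management reaches the host only via these
@def $ADMIN_PORTS = (ssh 9100);   # sshd and a metrics exporter

# Function: accept $ports arriving on $iface. Because $iface is an array,
# ferm expands one call into one iptables rule per interface pattern.
@def &ADMIN($iface, $ports) = {
    interface $iface proto tcp dport $ports ACCEPT;
}

domain (ip ip6) {
    table filter {
        chain INPUT {
            policy DROP;
            interface lo ACCEPT;
            mod conntrack ctstate (ESTABLISHED RELATED) ACCEPT;
            mod conntrack ctstate INVALID DROP;

            # ICMPv6 must stay open or neighbour discovery breaks under
            # a DROP policy; for IPv4 only answer ping
            @if @eq($DOMAIN, ip6) proto ipv6-icmp ACCEPT;
            @else proto icmp icmp-type echo-request ACCEPT;

            # the same management rules for every admin interface, defined once
            &ADMIN($ADMIN_IFS, $ADMIN_PORTS);

            # the only service exposed on the WAN
            interface $WAN proto tcp dport (http https) ACCEPT;

            # rate-limited record of what the DROP policy is about to discard
            mod limit limit 5/min LOG log-prefix "ferm-drop: ";
        }
        chain FORWARD policy DROP;
        chain OUTPUT policy ACCEPT;
    }
}
```

`ferm --noexec --lines /etc/ferm/ferm.conf` prints the iptables and ip6tables commands this expands to without applying them, which is the easiest way to confirm that `&ADMIN` produced one rule per interface and that the IPv6 chain got the ICMPv6 accept rather than the IPv4 ping rule.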
  • Bare iptables for me too.
