This chapter covers the iptables firewall administration program used to build a Netfilter firewall. For those of you who are familiar with or accustomed to the older ipfwadm and ipchains programs used with the IPFW technology, iptables will look very similar to those programs. However, it is much more feature-rich and flexible, and it differs from them in subtle ways.
… Who’s the geekiest of them all? This looks extremely useful – a web article with some real meat in it for a change – and I’ve downloaded the printer-friendly version for study later. However, I wonder how many folks other than IT professionals really get to grips with iptables when there are excellent programs like Shoreline (Shorewall) that do it all for you (or IPCop and the like on dedicated boxes)? I guess a little knowledge could be a dangerous thing if you make mistakes with DIY scripts around basic security like a good firewall.
If you’re looking to manage iptables rulesets without the learning curve of rolling your own (or even if you fully comprehend iptables, but want an easy method to manage them), check out
http://www.killerwall.net/
It is a distro agnostic tool that may simplify your life. In spite of the lack of a GUI, it’s still extremely easy to configure and deploy. Some key features include:
1). It scales well. It can be used as a host based firewall or a multi-homed, multiple network NAT bastion host. It can autoconfigure itself (or you can do it manually) for either situation based on your network configuration.
2). It’s fast. For what it does, it generates a high performance, lean ruleset.
3). It defaults to all ports closed to inbound, unsolicited packets, but it’s stateful, so it allows replies for data you’ve sent to come back in.
4). If you want ports opened or forwarded, it’s easy to do. Even if you do have ports opened, remote hosts will be unable to actively TCP fingerprint your firewall or forwarded hosts.
5). It has an ACL feature that you can configure to allow only certain hosts or networks access to ports or protocols. The ACL rulesets can be manipulated independently of the baseline firewall ruleset.
6). It’s easy to use.
If you like what you’ve read so far, I recommend the CVS version at:
http://www.killerwall.net/download/killerwall.0.99-CVS-03Jan05-0552…
Read the README included in the tarball; it explains what to do in detail.
But how does iptables compare to OpenBSD’s PF? I really don’t use Linux, so I’m not familiar with anything Linux related. Some insight into the similarities/differences would be greatly appreciated.
Obviously, I’m looking for answers from people that are experienced in both iptables and OpenBSD’s PF.
Thanks!
I use both; I admin several Red Hat Oracle DBs. IMHO, iptables is primitive compared to pf on OpenBSD and FreeBSD. Just read the fine docs to get an understanding of the different features.
Coming from the other side, as someone with experience of iptables, I’d like to see a comparison with BSD’s pf, as I’ve heard good things about it.
Except for the functionality provided by netfilter extension modules, pf is at least equal.
I prefer pf over netfilter because of its better human-readable ruleset file. It’s much more straightforward than an iptables command.
And I don’t know of a tool like pftop for Linux. Maybe someone will show off one?!
polarizer’s 2 cents
http://www.codixx.de/polarizer.html
You may like to check out iptraf.
I used to use OpenBSD on our firewalls for years. I really love pf. Its syntax always made 100x more sense to me than iptables. It’s much easier to read.
However, iptables in Linux does have some advantages over pf. For one, it’s quite a bit faster than pf. And the big one for me, and the reason I moved to using a Linux firewall, is that iptables can use external modules to handle work for special applications. There are external modules in Linux for making things that normally can’t be NATed very well, like FTP, VoIP, IPsec etc., work much better.
Having spent so much time learning how to manage a firewall using pf really helped in picking up iptables. Of course, even iptables is not all that hard compared to ipchains, which Linux used to use back when I first started using OpenBSD.
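The default-deny, stateful inbound policy described in the killerwall post earlier in this thread, written out as a small iptables script, with the same policy as a pf.conf fragment for the readability comparison made in the last few posts. This is an added example, not code from the thread, from killerwall or from any other tool mentioned here; the interface name eth0, the opened port 22 and the IPT, WAN_IF and ALLOWED_TCP variable names are assumptions, and IPT defaults to echo so the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not from the thread or the tools it mentions.
# IPT defaults to "echo iptables" so the rules print; run with
# IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"          # assumption: external interface
ALLOWED_TCP="${ALLOWED_TCP:-22}"  # assumption: inbound ports to open

apply_stateful_firewall() {
    # Clean filter table, default-deny inbound and forwarded traffic.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    # The stateful part: replies to connections this host opened come back
    # in; RELATED covers helper-tracked flows (FTP data) and ICMP errors.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets belonging to no known connection (stray ACKs, bad sequence)
    # never reach the per-port rules.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Only NEW connections to explicitly opened ports on the WAN side.
    for port in $ALLOWED_TCP; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Rate-limited log of what falls through to the DROP policy, so
    # blocked probes show up in syslog.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# Same policy as a pf.conf fragment (printed, not loaded), for comparing
# the two syntaxes as the thread does.
pf_equivalent() {
    cat <<EOF
ext_if = "$WAN_IF"
tcp_services = "{ $ALLOWED_TCP }"
set skip on lo
block in all
pass out all keep state
pass in on \$ext_if proto tcp to port \$tcp_services flags S/SA keep state
EOF
}

apply_stateful_firewall
pf_equivalent
```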
I’d love to see more than anecdotal evidence suggesting iptables is faster than PF. There was a paper _years_ ago that compared iptables, ipfilter and PF; at the time, iptables was marginally faster because it wasn’t tracking states properly.
I don’t see any advantage to the netfilter modules, with the possible exception of L7 filtering. There is a built-in ftp proxy, QoS support (for VoIP), and IPsec filtering native to PF. Not to mention a lot of other features that Linux/iptables can’t touch… pfsync (stateful synchronization), sasyncd (IPsec SA synchronization), etc.
-jd
OpenBSD is about security over anything else, so a slight performance loss for more security features is to be expected.
I don’t mind using either iptables or PF. They do the job I need them to do.
http://www.iptablesrocks.org
$44.99 USD
Only covers Linux firewalls. Maybe they should have had some advanced routing, or maybe it does, but the cover says firewalls.
I wouldn’t buy it if it did have advanced routing topics. http://lartc.org/largc is all I need.
An advanced script I wrote to handle iptables firewalls in a very easy way:
http://projects.leisink.org/index.php?page=firetable
Just a little correction to this thread:
pf hasn’t got an internal FTP proxy. It defers FTP to an external “module” (a separate program) called ftp-proxy.
While I don’t know anything about the relative speed of the two, I think there were some major speedups in pf’s favor in the OpenBSD 3.7 timeframe, at least for some operations. Ref. e.g.:
http://www.openbsd.org/faq/pf/tables.html