Stopping by just to say thank you for this fantastic script. I just used it on a web server with a couple of modifications. Saved me a ton of work and time.
Thanks for the tutorial Chris. I was never clear on iptables. For me, ufw and gufw for a GUI are really simple to use.
It is just too complicated!
If you need more detail on iptables, just do a _man iptables-extensions_ to get info on advanced features.
To keep netfilter's reaction times short, I usually put rules for reply packets as well as established or related connections quite early in the chains and only later add rules to accept new incoming connections.
While it usually doesn't hurt much if a client has to wait a bit for netfilter to process the initial SYN packet, once the connection has been established, processing runs significantly quicker. Plus you'd also want to add rules to both the PREROUTING and the OUTPUT chains of the raw table that exempt traffic to the loopback device from being conntracked, thereby reducing the overhead. Since localhost traffic (127.0.0.1 or ::1, depending on which IP version you are using) isn't routed, there's no need to keep track of the packets.
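The ordering the comment above describes, written out as a complete ruleset in iptables-restore format. This is an added example, not the video's script or code from the ChrisTitusTech/firewallsetup repository; the trusted network LAN_NET, the SSH-from-LAN rule and the public ports 80/443 are placeholders chosen here. It uses the conntrack match (-m conntrack --ctstate) rather than the older state match, and the LOGDROP chain uses the limit match from a later comment so that a flood cannot fill the log.

```shell
#!/bin/sh
# Added example (not the video's or the firewallsetup repository's code).
# Builds an INPUT policy in iptables-restore format ordered as the comment above
# suggests: loopback and tracked replies are accepted first, NEW connections are
# evaluated only afterwards, and the raw table exempts loopback from conntrack.
# Assumptions (placeholders, not from the page): LAN_NET is the trusted network
# allowed to open SSH; ports 80/443 are the public services.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # constructed placeholder

gen_rules() {
cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is never routed, so there is nothing to track: mark it NOTRACK
# in both directions (incoming in PREROUTING, locally generated in OUTPUT).
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# Untracked loopback packets never match ESTABLISHED, so accept them explicitly.
-A INPUT -i lo -j ACCEPT
# Fast path: replies and established/related flows are decided here and never
# reach the NEW rules below (this is where most packets of a connection land).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Only now is the (much rarer) initial SYN of a new connection examined.
-A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Everything else: log at a bounded rate, then drop.
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# Ordering check: every --ctstate NEW rule must come after the ESTABLISHED rule,
# otherwise the fast path is defeated. Exits 0 when the order is right.
check_order() {
    gen_rules | awk '
        /--ctstate ESTABLISHED/ { est = NR }
        /--ctstate NEW/ && (est == 0 || NR < est) { bad = 1 }
        END { exit bad }'
}

# Load the whole set atomically (root required); without --apply it only prints.
if [ "${1:-}" = "--apply" ]; then
    check_order && gen_rules | iptables-restore
else
    gen_rules
fi
```

Run it without arguments to review the generated set, and with `--apply` as root to load it; `iptables-save` afterwards shows what the kernel actually holds. The same layout works for IPv6 with ip6tables-restore once the loopback and ICMP rules are adjusted (::1, icmpv6).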
It's been 10 years now that I've worked with Linux servers, but I never loved working with iptables.
Shorewall is so much easier for me... And intuitive, that's the most important part...
What about ufw (uncomplicated firewall)? A tutorial for beginners to understand even further. Also great tutorial! This also helps for beginners to start doing something advanced.
I'll also go over it, ufw is very common in a lot of Linux distros. I personally prefer iptables, but I know I am a minority on this.
Oh, nice to see. I did the final setup of my own VPN, which spans across all my devices and my home network, with the endpoint in a datacenter. All done with WireGuard and iptables. Finally my devices have IPv6 addresses.
Why not nftables? Better performance, syntax, combined rules and protocols, etc.
Good video! I use UFW on my systems as I believe it uses iptables behind the scenes. After watching your video, I went to my Linux Mint system and ran the "iptables -nL" command and saw the rules set up by UFW. If UFW, at least, uses iptables, why advocate for manually writing your own firewall rules? Isn't using your script(s) akin to using a GUI firewall tool? I can certainly see writing firewall rules by hand to learn how iptables works and discovering the power of netfilter. I've done this before and while the learning experience can be painful, it's definitely useful.
Still, good video. I think it would be great to develop a tutorial on configuring an IPv6 firewall. While writing this post, I ran the "man iptables" command on my Mint system and discovered the "ip6tables" command. So, I think a tutorial discussing an IPv6 firewall would be of use. :) Thanks for posting!
One reason I use iptables directly is because docker uses iptables in a way that makes it incompatible with the changes done to iptables by ufw.
I am Titu, nice to meet u. Titus for Titu & vice versa.
*finally something of use ..😊*
Harsh! Haha ;)
Did you "cd" at 9:40 because I try (systemctl enable iptables) and get this error "Failed to enable unit: Unit file iptables.service does not exist." ugh followed to a T! but this happens!
Can this be used for ip6tables also?
This is much better than UFW because you can customize by building small programs and then add a crontab to it just for fun (you don't really need to do that). I remember a few years ago I got so obsessed with iptables that my Apache server was overwhelmed by all the scripts I created for it. It was a fun sandbox experience though.
I went a bit further with SSH and other services such as VPN and cloud.
I restricted access to these services to only a few source IP addresses to narrow down the attack vector even more.
All other packets are just dropped.
But I'm wondering if those rules are optimal 🤔
Is it advisable to use -m conntrack and --ctstate rather than -m state and --state?
Thank you, Chris. I've saved this one.
Have you done a video on nftables for Debian? I need to set up a firewall for the kids in the house. They are not doing homework during the day when they are supposed to. If not, could you please...
I use fail2ban rather than rate limiting. fail2ban watches the log files and bans (via iptables) an IP if 3 (configurable) failed logins occur within a (configurable) period of time. It also watches other things than SSH, such as FTP, Apache (nginx, etc.), and more.
Unnecessary when you make use of the recent match. It merely requires two more chains for each service that you intend to protect, one of which you jump to from one of the main chains (i. e. INPUT and/or FORWARD). You then can do both rate limiting and blacklisting (a procedure that I'm using on my server in conjunction with pubkey authorization). So far no breach of SSH, and various attempts to break in are quickly caught by the ABL mechanism and blocked for two hours.
It also spares you the hassle of repeatedly adding and removing iptables rules, because that is done automatically on the netfilter level.
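The recent-match block list described in the two comments above (two extra chains per protected service, one entered from INPUT, one that bans), as an added example that is not the commenter's ruleset or the video's script. The port, the threshold of 4 new connections per 60 seconds, the 7200-second ban and the chain and list names are assumptions chosen here; `--rsource` is the match's default but is written out explicitly.

```shell
#!/bin/sh
# Added example (not from the video or the firewallsetup repository). Implements an
# automatic block list with the recent match: SSH_CHECK is entered from INPUT for
# every new connection to the service, SSH_DROP records the ban and drops.
# Assumptions (not from the page): PORT, WINDOW, HITS, BAN_SECONDS and the
# chain/list names SSH_CHECK, SSH_DROP, SSH_NEW, SSH_BAN are chosen here.
PORT="${PORT:-22}"
WINDOW=60        # seconds over which new connections are counted
HITS=4           # the HITS-th new connection inside WINDOW gets the source banned
BAN_SECONDS=7200 # a banned source stays blocked this long after its last attempt

gen_abl_rules() {
cat <<EOF
*filter
:SSH_CHECK - [0:0]
:SSH_DROP - [0:0]
# Hand every new connection to the check chain; the rest of INPUT is untouched.
-A INPUT -p tcp --dport $PORT -m conntrack --ctstate NEW -j SSH_CHECK
# 1. Banned and seen within BAN_SECONDS: refresh the timestamp and drop.
-A SSH_CHECK -m recent --name SSH_BAN --rsource --update --seconds $BAN_SECONDS -j SSH_DROP
# 2. A ban older than BAN_SECONDS is removed so the source starts clean.
-A SSH_CHECK -m recent --name SSH_BAN --rsource --remove
# 3. Record this attempt, then count attempts inside the window; the match
#    counts connection attempts, not failed logins (unlike fail2ban).
-A SSH_CHECK -m recent --name SSH_NEW --rsource --set
-A SSH_CHECK -m recent --name SSH_NEW --rsource --update --seconds $WINDOW --hitcount $HITS -j SSH_DROP
-A SSH_CHECK -j ACCEPT
# Ban chain: put the source on the ban list, log at a bounded rate, drop.
-A SSH_DROP -m recent --name SSH_BAN --rsource --set
-A SSH_DROP -m limit --limit 2/min -j LOG --log-prefix "SSH-ABL: "
-A SSH_DROP -j DROP
COMMIT
EOF
}

# Accepts only a dotted quad with every octet in 0..255 (POSIX sh, no bashisms),
# so that nothing but an address ever reaches the /proc interface below.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Manual unban: xt_recent lists are editable through /proc (root required).
# "-addr" removes one entry; "/" would clear the whole list.
unban() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    echo "-$1" > /proc/net/xt_recent/SSH_BAN
}

if [ "${1:-}" = "--apply" ]; then
    # --noflush merges into the existing table instead of replacing it.
    gen_abl_rules | iptables-restore --noflush
else
    gen_abl_rules
fi
```

Two caveats a practitioner should keep in mind: `--apply` appends the INPUT jump each time it is run, so load the fragment once or fold it into the full ruleset; and because the match counts connections rather than authentication failures, hosts that legitimately open several sessions in quick succession (backup jobs, configuration management) should be accepted by an earlier rule before the jump to SSH_CHECK. The current list contents are visible in /proc/net/xt_recent/SSH_BAN.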
Is this only for people running servers? Like, would this apply or be necessary even when running a mild game server with you as host? Is there any drawback, and why isn't this enabled by default?
Thanks for putting this on github. Can you please put the github link in the description?
Hello!!! Super good video, thank you. I activated the script on Debian/Xfce, but by default it should block traffic from port 80, right? It shouldn't allow me to download files from the Internet, but it does. Or am I wrong?
I have no experience with Debian 10. I have recently installed it to use it as a lab. I looked up information on the Internet on how to DISABLE the Debian firewall, but all I have found are articles on how to set up a firewall on Debian. I have noticed that neither ufw nor firewall-cmd are found. Does it mean that by default, Debian installations have no firewall set?
how can I disable libvirt's firewall rules that set up on boot?
I added the firewall to my Arch Linux install, but now my Synology NAS is locked out. Can you let me know how I can allow it through, or worst case how I can permanently disable the firewall script from loading?
Just wonderful Chris :)
Nice simple little intro to iptables.
I only ever use public/private key access to my ssh server from the internet - password disabled - and I don't have a firewall other than the NAT setup on my router. I then set up a new key for each device I need to connect from; my phone, my laptop, my work machine via PuTTY. That way, if I need to kill access from one device, I just delete the public key from authorized_keys.
I only leave the one port publicly accessible on my router, which is 443 to make getting out of my work network simple, then that is mapped over to 22 on the ssh box.
I keep getting hammered by all and sundry but because it's a PKI only ssh on a non-standard port no-one has ever got past the first step and it's really easy for me to get in from out in the wild.
Great Video!
Noob question: How to enable ssh (port 22) only on our local network, and not the outside world ? :)
Something like "iptables -A INPUT -s 192.168.x.0/24 -j ACCEPT" should do it.
Rate-limit SSH: you said you thought it might be a problem for you to log in if someone is spamming the server, but it turned out not to be a problem. Care to explain why it's not a problem?
Thanks a lot, you provide such fantastic content!
Very useful, I learned a lot.
And by the way, may I ask a question? What are the rules we have to make in iptables so we can download using a torrent client???
Great video man, thanks! Finally someone who is also preferring iptables over all the utilities :D What about a video on tunneling traffic from machine A to machine B and accessing the private network of machine B? :)
greetings
Quick and easy. Thanks.
ur the man!!!
is there a firewall software like netlimiter4? i'm so tired of doing everything in console
This is gold!
Great video Chris, I personally use netfilter for my home routing. Love IPtables
Very informative, thanks.
Very useful. Thank you.
Thank you for sharing. Security is so important but, unfortunately, it's often overlooked.
Going to add this to my LM 19.2 box, as well as the hosts file entries I have and the pfSense FW it all sits behind...
Thanks, much appreciated
Cool video.
very useful! thanks
I'd suggest adding rsource to the rate limiting rules.
I use FreeBSD. I am not interested in changing. However, I wanted to see what the tables looked like, but you talked about other things too much. I waited and fast-forwarded. Maybe list the minute at which you get to the rules? I just left without seeing the rules.
How about the same video but for nftables?
I hope there's an nftables tutorial incoming.
how to make an old router into firewall? can it be done
thanks for sharing...
awww... no link to the GitHub in the description for us lazy folks? lol
Keep up the great work Chris :)
oh, and if you want the link:
github.com/ChrisTitusTech/firewallsetup
If you came here for SSH Tarpit : 6:00
That's why it's better to set up SSH on some high random port and add an IP filter to allow only trusted locations.. cheers
The same video about firewall, please
Next vid, how to change and secure SSH Port😍
In Arch, does anyone know how to install the Module that lets you run limit? example: # iptables -A logdrop -m limit --limit 5/m --limit-burst 10 -j LOG - Chris, good stuff I enjoy watching your videos.
Thank you
thanks mr
Is it good for desktop too?
Doesn't this Firewall have GUI?... 😓
Chris how do you completely block CHINA, RUSSIA and INDIA by using Iptable for Arch Linux.
Yay iptables
Lately I've been looking into only allowing SSH over Wireguard. I think that would eliminate any need for tarpitting or anything like that. If sshd only listens for connections on the Wireguard interface, then sshd can't be attacked by anybody who's not already on my VPN. I don't really see any downside for personal use, except for the added CPU load of Wireguard encrypting everything.
If Wireguard already offers protection and encryption, you are doing things twice here (both Wireguard and ssh are encrypting the traffic).
To avoid the redundancy, you should consider either making ssh accessible from the outside world (if you need extra protection, switch from username/password to pubkey authentication with a long key, best also backed up with an ABL) or doing away with ssh on the VPN and replacing it with something that doesn't rely on encryption.
I have two options of getting onto my server: SSH on the regular port (pubkey authentication to make brute-forcing moot) that is protected by an ABL, or Telnet via Strongswan. So far nobody has managed to break in.
@Robidu1973 Using telnet instead of ssh just because you're on a VPN is nuts. There is no real reason to avoid SSH-on-Wireguard, the perf impact is negligible and there are no TCP-on-TCP sort of issues.
@johngreco7171 If it's not recommended to do things within a VPN that you don't do on the external zone, why use a VPN in the first place?
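The "sshd only listens on the WireGuard interface" setup from the thread above, plus the check that verifies it, as an added example that is not any commenter's configuration or the video's script. The interface name wg0, the tunnel address 10.8.0.1 and the drop-in file name are placeholders assumed here; the audit function parses `ss -Hltn` output and fails if port 22 is bound anywhere other than the tunnel address, which is the mistake that would silently re-expose sshd.

```shell
#!/bin/sh
# Added example (not from the video or any commenter). Pins sshd to the WireGuard
# address, lets the firewall admit port 22 only on the tunnel interface, and audits
# the result from `ss -Hltn` output. Assumed placeholders (not from the page):
# WG_IF and WG_ADDR are this host's tunnel interface and address.
WG_IF="${WG_IF:-wg0}"
WG_ADDR="${WG_ADDR:-10.8.0.1}"

# sshd drop-in: bind only to the tunnel address. Works where sshd_config includes
# sshd_config.d/*.conf (OpenSSH >= 8.2); otherwise add the lines to sshd_config.
sshd_dropin() {
cat <<EOF
# /etc/ssh/sshd_config.d/10-wireguard-only.conf
ListenAddress $WG_ADDR:22
PasswordAuthentication no
EOF
}

# Firewall side: NEW SSH connections are accepted only when they arrive on the
# tunnel; the explicit DROP is belt and braces in case the policy is ever ACCEPT.
ssh_rules() {
cat <<EOF
-A INPUT -i $WG_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
EOF
}

# Audit: read `ss -Hltn` lines from stdin and fail if anything listens on port 22
# at an address other than the tunnel address (handles [::]:22 and *:22 as well).
ssh_listeners_ok() {
    want="$1"
    awk -v want="$want" '
        {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            sub(/:[0-9]+$/, "", addr)
            if (port == "22" && addr != want) { bad = 1; print "sshd exposed on " $4 }
        }
        END { exit bad }'
}

# Stand-alone use: --audit checks the live socket table, otherwise print fragments.
if [ "${1:-}" = "--audit" ]; then
    ss -Hltn | ssh_listeners_ok "$WG_ADDR"
else
    sshd_dropin
    ssh_rules
fi
```

One operational caveat: with a specific ListenAddress, sshd refuses to start if the tunnel address is not yet configured at boot, so either order the sshd unit after the WireGuard unit or set `net.ipv4.ip_nonlocal_bind=1`. Run the script with `--audit` after every change to sshd_config; a listener on 0.0.0.0:22 or [::]:22 means the restriction did not take effect.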
I like you, but sometimes your advice just doesn't work.
I have a Linux Mint computer, and the command systemctl enable iptables doesn't work. I did everything else, and I am glad it was on a VM running Linux Mint instead of my main computer running the same OS, since that seemed to yield unexpected results. A reboot seems to have reset everything back in order, but how can I be sure? This is the second time your advice on settings in Linux didn't work.
Here: github.com/ChrisTitusTech/firewallsetup
"universal firewall" what's that?
Well, you proved that it's not easy.
I would like to see nftables
It looks great, except that it doesn't work in a stock U19.04, as the whole iptables service infrastructure isn't there, so you can't start it, etc., or do anything else with it. Even loading it and trying fails for a plethora of other reasons. From that point on, nothing here works, so it fails the 30 second test. A shame, it would have been good.
I'd point out that you can't trust the firewall above you. Our firewall server went down and everything was just passed on through until it was fixed and back up; the firewall on my web servers (they're really MY servers, the company just thinks they're theirs) had to take over, and it instantly started throwing out attempts at pretty much whatever you can imagine as fast as it could. Ufw is a great interface to iptables, far easier to deal with in my opinion, but it is an intermediary, so if you can deal directly with iptables and not have the ufw service running, that's one less link in your chain. You really didn't explain how to remove rules in iptables, or add bad guys to the table, or figure out that bad guys are actually trying to do bad things, and that's more important than just setting one up and forgetting you have it. You have to be vigilant in watching those logs, both manually DAILY and with something like fail2ban watching constantly and locking the bad guys out when they show up, and you have to know when the good guys tried to get in and got locked out for some reason so you can let them back in. Whether you're using ufw or using iptables directly, watch those logs boys and girls, they're there for a reason. As far as ssh, I always set my own port for every server and a different port for every server. Keeps the attempts down, and .ssh/config makes it easy.
seems like Chris thinks UFW stands for Universal FireWall
Do the world a favor, show the world how to secure linux desktops by removing port 80 for DDoS purposes and Windows 10 disabling port 80 in the windows 10 registry. Thanks.
Harwood CSA.
The easiest way to configure a firewall on linux that I've seen is with NixOS's configuration file. I think when I had NixOs installed was the only time I've had a configured firewall running :/
Using a script instead of a program feels like six of one side, and half-a-dozen on the other.
I think you should not install Arch packages with -Sy (one of the Arch support guys in the Arch IRC told me that). You should either install with -S or first do sudo pacman -Syu and then install with just -S. The reason is that by doing -Sy you are installing the latest package, when the rest of your system is built on older packages from the last time you ran sudo pacman -Syu. And you should never just run sudo pacman -Sy either. Obviously all the same applies if using an AUR helper like yay. Sorry, my memory is not 100%, but I hope I'm not making a mistake with what I wrote.
marry me (meant in a non-creepy way)
I used to manage my iptables rules with a nice program named fwbuilder (which actually is discontinued, but still works): fwbuilder.sourceforge.net/