firewall & pinguin: iptables where do thou go?
it is said that when using “ip-sets” iptables and nftables achieve almost same performance (amounts of ips possible to block, without server becoming slow/unresponsive)
Redhat and nftables on DDoS “so the only thing to fall back to is establishing a blacklist for all the different source IP addresses” (src) (which is exactly what iptables + cron + autoban.sh a simple bash script does)
the #3rd concept: bpfilter
and: will already established iptables scripts keep on working?
“We like iptables after all, this tool has been serving us (and will likely keep serving still for a while in many deployments) to filter out traffic on both per-packet and per-flow basis, log suspicious traffic activity, perform NAT and many other things.
It comes with more than a hundred of extensions that have been contributed along the last 15 years!.
Nevertheless, the iptables framework suffers from limitations that cannot be easily worked around:
- Avoid code duplication and inconsistencies:
- Many of the iptables extensions are protocol specific
- so there is no a consolidated way to match packet fields
- instead there is one extension for each protocol that it supports
- this bloats the codebase with very similar code to perform a similar task: payload matching
- Faster packet classification through enhanced generic set and map infrastructure
- Simplified dual stack IPv4/IPv6 administration, through the new inet family that allows you to register base chains that see both IPv4 and IPv6 traffic
- Better dynamic ruleset updates support
- Provide a Netlink API for third party applications, just as other Linux Networking and Netfilter subsystem do
- Address syntax inconsistencies and provide nicer and more compact syntax (aha aha X-D)
These, among other things not listed here, triggered the nftables development which was originally presented to the Netfilter community in the 6th Netfilter Workshop in Paris (2008, France).” (src: wiki.nftables.org)
rule of thumb:
test if the rules perform as expected/the firewall behaves as expected, from a second machine with a different ip (otherwise self-lockout).
about:
FirewallD is written in Python, by some guy that works at RedHat.
(Python is even slower than PHP… so whenever one adds like 1000x rules… the reload takes AGES! X-D (overall one is pretty pissed right now, and again and again it seems iptables was better (with all it’s shortcomings, like interrupting running connections)
CentOS7 uses firewalld which is a frontend for nftables or iptables.
(whatever is installed)
(WARNING! nftables mimiks backward compatibility with iptables (the command is available and seems to work, but actually nftables is in charge, this could lead to confusion)
(it is even possible that both nftables AND iptables are installed https://unix.stackexchange.com/questions/511940/how-to-prevent-iptables-and-nftables-rules-from-running-simultaneously)
Should I mix nftables and iptables/ebtables/arptables rulesets?
No, unless you know what you are doing.
also:
overall firewalld is a pretty complex tool.
firewalld ships by default on the following Linux distributions:[6]
- CentOS 7 and newer
- Fedora 18 and newer
- Red Hat Enterprise Linux 7 and newer
firewalld is enabled by default in all the distributions that rely on it as their default firewall. firewalld is also available as one of many firewall options in the package repository of many other popular distributions such as Debian.[10](src)
grafical frontend / gui gnome2 / mate desktop:
# install gui yum install firewall-applet
tested with:
hostnamectl Operating System: CentOS Linux 7 (Core) Architecture: x86-64 Kernel: Linux 3.10.0-693.17.1.el7.x86_64 firewall-cmd -V 0.4.4.4 yum list installed|grep firewall firewalld.noarch 0.4.4.4-6.el7 @anaconda firewalld-filesystem.noarch 0.4.4.4-6.el7 @anaconda python-firewall.noarch 0.4.4.4-6.el7 @anaconda
lets get started:
# list all opened ports firewall-cmd --list-ports # list all rules firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: ssh dhcpv6-client ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules: rule family="ipv4" source address="193.201.0.0/16" reject rule family="ipv4" source address="36.155.0.0/16" reject firewall-cmd --get-active-zones public interfaces: eth0 # list rules for a specific zone firewall-cmd --zone=home --list-all
for example, if your zone is public and you want to open port 80:
firewall-cmd --zone=public --add-port=80/tcp --permanent
reload the firewall for changes to take effect:
firewall-cmd --reload
to check scan port from client:
nmap -v -p 0-65535 -sS 192.168.0.94 PORT STATE SERVICE 22/tcp open ssh 80/tcp open http
# monitor your logs # without color find /var/log/ -type f \( -name "*" \) ! -path '*.gz*' -exec tail -n0 -f "$file" {} + # with color (needs ccze, not available anymore in CentOS8) apt install ccze find /var/log/ -type f \( -name "*" \) ! -path '*.gz*' -exec tail -n0 -f "$file" {} + | ccze
# when you found and abusive ip # ban/block ip (also ping) firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='123.123.123.123' reject" # "Destination Port Unreachable" # strange enough: this seems to only be valid/working for newly created connections, not existing connections # (if ping started before block is activated, ping continues X-D) # unban/unblock ip (also ping) # also: had to "unban" --remove-rich-rule and reload several times, until it was unbanned firewall-cmd --permanent --remove-rich-rule="rule family='ipv4' source address='123.123.123.123' reject" # overview over all rules firewall-cmd --list-all # maybe works better # ban ip (but ping still allowed) firewall-cmd --permanent --zone=drop --add-source=123.123.123.123 # unban ip firewall-cmd --permanent --zone=drop --remove-source=123.123.123.123 # block specific ip for 15min firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='193.201.224.218' reject" --timeout 15m # block specific ip forever firewall-cmd --timeout 15m --add-rich-rule="rule family='ipv4' source address='193.201.224.218' reject" # block specific subnet firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='193.201.0.0/16' reject" firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='36.155.0.0/16' reject" # you can view the rules in this config file # ... "great" this file was removed in CentOS8... cat /etc/firewalld/direct.xml
Links:
nice tutorial: https://computingforgeeks.com/how-to-install-and-configure-firewalld-on-debian/
ip to country mapping: https://www.iplocation.net/
https://www.startpage.com/do/dsearch?query=find+country+by+ip&cat=web&pl=opensearch&language=english
https://dwaves.de/2017/07/27/centos7-iptables-firewall-replaced-by-firewalld/
project website: http://www.firewalld.org/
liked this article?
- only together we can create a truly free world
- plz support dwaves to keep it up & running!
- (yes the info on the internet is (mostly) free but beer is still not free (still have to work on that))
- really really hate advertisement
- contribute: whenever a solution was found, blog about it for others to find!
- talk about, recommend & link to this blog and articles
- thanks to all who contribute!