firewall & penguin: iptables, where dost thou go?

it is said that when using “ipsets”, iptables and nftables achieve almost the same performance (number of IPs that can be blocked without the server becoming slow or unresponsive)

Red Hat and nftables on DDoS: “so the only thing to fall back to is establishing a blacklist for all the different source IP addresses” (src) (which is exactly what iptables + cron + a simple bash script does)

the third concept: bpfilter

2018-02: “The Linux kernel currently supports two separate network packet-filtering mechanisms: iptables and nftables.
For the last few years, it has been generally assumed that nftables would eventually replace the older iptables implementation;
few people expected that the kernel developers would, instead, add a third packet filter.
But that would appear to be what is happening with the newly announced bpfilter mechanism.
Bpfilter may eventually replace both iptables and nftables, but there are a lot of questions that will need to be answered first.” (src:
even faster X-D

and: will already established iptables scripts keep on working?

“We like iptables after all, this tool has been serving us (and will likely keep serving still for a while in many deployments) to filter out traffic on both per-packet and per-flow basis, log suspicious traffic activity, perform NAT and many other things.

It comes with more than a hundred extensions that have been contributed over the last 15 years!

Nevertheless, the iptables framework suffers from limitations that cannot be easily worked around:

  • Avoid code duplication and inconsistencies:
    • Many of the iptables extensions are protocol specific
    • so there is no consolidated way to match packet fields
    • instead there is one extension for each protocol that it supports
    • this bloats the codebase with very similar code to perform a similar task: payload matching
  • Faster packet classification through enhanced generic set and map infrastructure
  • Simplified dual stack IPv4/IPv6 administration, through the new inet family that allows you to register base chains that see both IPv4 and IPv6 traffic
  • Better dynamic ruleset updates support
  • Provide a Netlink API for third party applications, just as other Linux Networking and Netfilter subsystem do
  • Address syntax inconsistencies and provide nicer and more compact syntax (aha aha X-D)

These, among other things not listed here, triggered the nftables development which was originally presented to the Netfilter community in the 6th Netfilter Workshop in Paris (2008, France).” (src:

firewalls and Debian 11

July 2019: “documentation is pretty poor” “does not work very well” (src)

“Back in July 2019, I (Arturo Borrero Gonzalez <arturo ÄT debian DOTTT org>) started an email thread in the debian-devel ÄT mailing lists looking for consensus on lowering the archive priority of the iptables package in Debian 11 Bullseye.

My proposal is to drop iptables from Priority: important and promote nftables instead.

In general, having such a priority level means the package is installed by default in every single Debian installation.

Given that we aim to deprecate iptables and that starting with Debian 10 Buster iptables is not even using the x_tables kernel subsystem but nf_tables, having such priority level seems pointless and inconsistent.

There was agreement, and I already made the changes to both packages.

This is another step in deprecating iptables and welcoming nftables.

But it does not mean that iptables won’t be available in Debian 11 Bullseye.

If you need it, you will need to use aptitude install iptables to download and install it from the package repository.

The second part of my proposal was to promote firewalld as the default ‘wrapper’ for firewalling in Debian.

I think this is in line with the direction other distros are moving.

It turns out firewalld integrates pretty well with the system, includes a DBus interface and many system daemons (like libvirt) already have native integration with firewalld.

Also, I believe the days of creating custom-made scripts and hacks to handle the local firewall may be long gone, and firewalld should be very helpful here too.”


yeah well… what this means: please provide very, very good examples on how to set up firewalld + nftables in a typical:

  • server setup
    • ssh/sftp server
    • webserver
  • corporate LAN workstation client

people who just got used to iptables and made elaborate scripts over the years should now migrate to nftables (complicated) + firewalld (python = slooooow).

ok, but if the Debian developers and the netfilter team take this task seriously, please: GET A SERVER! and test “in the wild”

applying iptables “concepts” (writing scripts that tell firewalld in a batch what to do and what not to do) won’t work, because a single firewalld command takes far more time than an iptables command, and blocking 1000 individual IPs cannot be done in a reasonably short time this way (ok, have to look into ipsets anyway).

open letter:

Dear Mr Arturo,

thanks for your efforts and engagement in the Debian community.

imho there is still a lack of good documentation for nftables / firewalld and thus users find it hard to migrate from iptables.

I am not the only one who thinks so: July 2019: „documentation is pretty poor“ „does not work very well“

why was the workshop not recorded and shared with the world via mp4 (as the ccc does with almost every presentation) or “youtube”?

after all you have proficiency in video editing

this way only a handful of people might be positively affected by your workshops. (thanks nevertheless)

while if it had been recorded, this knowledge would have been shared with the public and people might be thinking more positively about nftables.

right now it’s simply just a pain in the a….

unless you plan on making money with it (can do both, take ticket workshop fees while youtube it)

PS: “in the wild” means:

  • do you run your own test server?
    • one that you tested with autobench, to see if your nftables rules fend off basic brute-force and DDoS attacks? (which any good firewall should be capable of)

fed up with nftables?

watch your logs

with this command, you can watch all logs at the same time, which should work for small servers with 10-30 websites (with more it probably gets a little too much output)


analyze the malicious traffic

you can use tcpdump or, better, tshark (comes with wireshark) to further analyze the traffic and find out which IP it comes from.

about netfilter-team, iptables -> nftables.

“downgrade” to iptables

if iptables is not working well… nftables might be the reason. There are good reasons for nftables, like performance when facing DDoS, but some tools are not compatible with it (yet).

if fail2ban fails to ban:

Red Hat has developed nftables, and it has shipped with the kernel since 3.13.

“funny” and confusing is that there is still an iptables command for backward compatibility, but this Red Hat backward-compatibility “fake” iptables does not work well with fail2ban.

# stop, disable and prevent firewalld from starting
systemctl stop firewalld
systemctl disable firewalld
systemctl mask --now firewalld

# install, start iptables
yum install iptables-services

systemctl start iptables

# the IPv6 counterpart shipped by iptables-services is called ip6tables, not "iptables6"
# (starting "iptables6" fails because no such unit exists)
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables

systemctl status iptables

# now you can run your first iptables command
iptables -nvL

# all rules you add now will be lost after reboot
# unless you save em now
service iptables save

example config script:

you can quickly scan your server for open ports (ports in use):

apt install nmap
yum install nmap
nmap localhost

you might want to read through this script before using it:

1. remove the ports you are not using

2. add the ports you need

you might want to run THE script line

# this is a list of ips, subnets you want to block
cat /scripts/firewall_blacklist.txt

# this is THE script
cat /scripts/ 
#!/bin/bash
# iptables firewall script
# paths: the blacklist file is the one used throughout this page
IPTABLES=/sbin/iptables
BLACKLIST=/scripts/firewall_blacklist.txt

echo "===== put all ips you want to blacklist in: ${BLACKLIST} =====";


echo " currently blacklisted: "
cat "${BLACKLIST}"

# echo "===== what ports are in use? ====="
# nmap localhost
# 22/tcp   open  ssh
# 25/tcp   open  smtp
# 80/tcp   open  http
# 143/tcp  open  imap
# 443/tcp  open  https
# 465/tcp  open  smtps
# 587/tcp  open  submission
# 993/tcp  open  imaps
# 2222/tcp open  EtherNet/IP-1
# 2525/tcp open  ms-v-worlds
# 9001/tcp open  tor-orport

echo "===== enabling ipv4 forwarding (makes the server act as a router; only needed if it forwards traffic for other hosts) ====="
echo 1 > /proc/sys/net/ipv4/ip_forward

echo " * flushing old rules"
${IPTABLES} --flush
${IPTABLES} --delete-chain
${IPTABLES} --table nat --flush
${IPTABLES} --table nat --delete-chain

echo " * setting default policies"
# everything that is not explicitly accepted below is dropped
# (FORWARD is left untouched; add rules for it if this host really routes traffic)
${IPTABLES} -P INPUT DROP
${IPTABLES} -P OUTPUT ACCEPT

echo " * allowing loopback devices"
${IPTABLES} -A INPUT -i lo -j ACCEPT

echo " * allowing packets of already established connections"
# this also keeps the ssh session that runs this script alive
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# a new tcp connection has to start with a SYN packet, anything else is bogus
${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

#echo " * BLACKLIST"
# (the blacklist is inserted at the top of INPUT at the end of this script)

echo " * allowing ssh on port 22"
${IPTABLES} -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

echo " * allowing ssh on port 2222"
${IPTABLES} -A INPUT -p tcp --dport 2222 -m state --state NEW -j ACCEPT

echo " * allowing vestacp on port 9093"
${IPTABLES} -A INPUT -p tcp --dport 9093 -m state --state NEW -j ACCEPT

# echo " * allowing dns on port 53 udp"
# ${IPTABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT

# echo " * allowing dns on port 53 tcp"
# ${IPTABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

# will not use these rules, will use the anti-DDoS rules further down
# echo " * allowing http on port 80"
# ${IPTABLES} -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

# echo " * allowing https on port 443"
# ${IPTABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

echo " * allowing smtp on port 25"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

echo " * allowing smtps 465"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT

echo " * allowing submission on port 587"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT

echo " * allowing imaps on port 993"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT

echo " * allowing smtps on port 2525"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 2525 -j ACCEPT

echo " * allowing tor port 9001"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 9001 -j ACCEPT

# echo " * allowing pop3s on port 995"
# ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT

# echo " * allowing imap on port 143"
# ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT

# echo " * allowing pop3 on port 110"
# ${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

echo "===== basic DDoS protection of port 80/443 ====="
echo "===== loading module ipt_recent, Xtables: recently-seen host matching ====="
# ip_list_tot: number of IPs to remember per list (uint)
# (only needed for the commented-out "recent" rules below; hashlimit is loaded automatically)
modprobe ipt_recent ip_list_tot=10000

echo "===== loading module xt_limit, Xtables: rate-limit match ====="
modprobe xt_limit

# ${IPTABLES} -A INPUT -p tcp -m multiport --dports 80,443 -m recent --update --seconds 3600 --name BANNED --rsource -j DROP
# ${IPTABLES} -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ATTK_CHECK

# ${IPTABLES} -A ATTACKED -m limit --limit 5/min -j LOG --log-prefix "IPTABLES (Rule ATTACKED): " --log-level 7
# ${IPTABLES} -A ATTACKED -m recent --set --name BANNED --rsource -j DROP
# ${IPTABLES} -A ATTK_CHECK -m recent --set --name ATTK --rsource
# ${IPTABLES} -A ATTK_CHECK -m recent --update --seconds 600 --hitcount 150 --name ATTK --rsource -j ATTACKED
# ${IPTABLES} -A ATTK_CHECK -m recent --update --seconds 60 --hitcount 50 --name ATTK --rsource -j ATTACKED

# established flows were already accepted above, so only new connections are counted here,
# per source ip; both rules share the hashlimit table named "http", i.e. one counter per
# source ip for port 80 and 443 together
${IPTABLES} -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport 80 -j DROP

${IPTABLES} -A INPUT -p tcp --dport 443 -m hashlimit --hashlimit-upto 50/min --hashlimit-burst 500 --hashlimit-mode srcip --hashlimit-name http -j ACCEPT
${IPTABLES} -A INPUT -p tcp --dport 443 -j DROP

echo " * allowing ping responses"
${IPTABLES} -A INPUT -p icmp --icmp-type 8 -j ACCEPT

# echo " while Block ICMP attacks"
# ${IPTABLES} -A INPUT -p icmp -m u32 ! --u32 "4&0x3FFF=0"   -j DROP
# ${IPTABLES} -A INPUT -p icmp -m length --length 1492:65535 -j DROP

# DROP everything else and Log it
# (the DROP is the INPUT policy set above; this only logs, rate limited, what is about to be dropped)
echo " * logging everything else"
${IPTABLES} -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES DROP: " --log-level 7

# Block abusing IPs
# from ${BLACKLIST}
# (-I puts them at the top of INPUT, in front of all ACCEPT rules above)
if [[ -f "${BLACKLIST}" ]] && [[ -s "${BLACKLIST}" ]]; then
    echo " * BLOCKING ABUSIVE IPs"
    while read -r IP _; do
        # skip empty lines and comments
        [[ -z "${IP}" || "${IP}" == \#* ]] && continue
        ${IPTABLES} -I INPUT -s "${IP}" -j DROP
    done < "${BLACKLIST}"
fi

# iptables: Saving firewall rules to /etc/sysconfig/iptables
iptables-save > /root/iptables.txt
service iptables save
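Added example (not from this post, nor from Debian or the netfilter team): the same server policy as the iptables script above (ssh on 22/2222, vestacp, mail ports, rate-limited 80/443, the ip blacklist), written as one nftables ruleset that is regenerated from /scripts/firewall_blacklist.txt and loaded atomically with nft -f. The blacklist becomes one set lookup instead of one rule per ip, which is the "ipsets" point from earlier on this page; the set names, meter parameters and the "apply" wrapper are assumptions.

```shell
#!/bin/sh
# Added example: build an nftables ruleset from the page's blacklist file and
# load it in one transaction. Set names and the apply/show wrapper are assumed.
BLACKLIST="${BLACKLIST:-/scripts/firewall_blacklist.txt}"

# Non-empty, non-comment lines of the blacklist joined as "a, b, c" (first field only).
blacklist_elements() {
    awk 'NF && $1 !~ /^#/ { printf "%s%s", (n++ ? ", " : ""), $1 }' "$1"
}

# Emit the complete ruleset; "flush ruleset" + nft -f swaps the old one out atomically.
build_ruleset() {
    elems=$(blacklist_elements "$1")
    elements_line=""
    [ -n "$elems" ] && elements_line="elements = { $elems }"
    cat <<EOF
flush ruleset
table inet filter {
    set blacklist {
        type ipv4_addr
        flags interval
        $elements_line
    }
    set http_meter { type ipv4_addr; flags dynamic,timeout; timeout 1m; size 65535; }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip saddr @blacklist drop
        tcp flags & (fin|syn|rst|ack) != syn ct state new drop
        tcp dport { 22, 2222, 9093, 25, 465, 587, 993, 2525, 9001 } ct state new accept
        tcp dport { 80, 443 } ct state new update @http_meter { ip saddr limit rate over 50/minute burst 500 packets } drop
        tcp dport { 80, 443 } ct state new accept
        icmp type echo-request accept
        limit rate 5/minute log prefix "NFT DROP: " level debug
    }
}
EOF
}

# "apply" needs root and the nft binary; "show" just prints what would be loaded.
case "${1:-}" in
    apply) build_ruleset "$BLACKLIST" | nft -f - ;;
    show)  build_ruleset "$BLACKLIST" ;;
esac
```

Run it from cron right after the blacklist file changes; because the whole ruleset is replaced in one transaction there is no window with half a firewall, which the per-ip iptables loop above cannot offer.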

Links and Books:

Why you will love nftables from linux

iptables: How to use the limits module