Don't forget also that, if you are using RHEL 7, you have the option of using firewalld and the firewall-cmd command to specify host-based firewall rules. It is a much simpler interface and well worth using instead of iptables commands if you aren't trying to do anything really complex. Cheers, Phil. -----Original Message----- From: Jason White via Blind-sysadmins Sent: 16 December 2018 21:17 To: 'Blind sysadmins list' Cc: Jason White Subject: [Blind-sysadmins] Re: any iptables experts? I've written Iptables rules, but not recently, and I wouldn't consider myself to be an expert. I recommend using the following tutorial as your reference: https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html Note also that iptables is being superseded by nftables, for which I haven't found much documentation. -----Original Message----- From: David Mehler Sent: Friday, December 14, 2018 1:27 PM To: blind-sysadmins Subject: [Blind-sysadmins] any iptables experts? Hello, If we have any iptables experts please contact me privately. I am not and I can not wrap my head around iptables, I am trying to do two adjustments to a raspberry pi firewall (without breaking anything), and wanting to add two features. Help appreciated. Thanks. Dave. _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org

Maybe so but, from a quick glance, hardly something that could be deployed in a fully-managed infrastructure supporting large scale IT platforms for major international customers which is the arena I work in. Regards, Phil. -----Original Message----- From: Can Kırca Sent: 17 December 2018 05:42 To: Blind sysadmins list Subject: [Blind-sysadmins] Re: any iptables experts? Acording to my experiences, CSF from Config Server better than only iptables and/or firewalld on HREL7. It has detailed documentation and compatible with iptables, command structure is so easy. https://www.configserver.com/cp/csf.html 2018-12-17 0:55 GMT+03:00, philrigby62@gmail.com :

Don't forget also that, if you are using RHEL 7, you have the option of using firewalld and the firewall-cmd command to specify host-based firewall rules. It is a much simpler interface and well worth using instead of iptables commands if you aren't trying to do anything really complex.

Cheers, Phil.

-----Original Message----- From: Jason White via Blind-sysadmins Sent: 16 December 2018 21:17 To: 'Blind sysadmins list' Cc: Jason White Subject: [Blind-sysadmins] Re: any iptables experts?

I've written Iptables rules, but not recently, and I wouldn't consider myself to be an expert. I recommend using the following tutorial as your reference: https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

Note also that iptables is being superseded by nftables, for which I haven't found much documentation.

-----Original Message----- From: David Mehler Sent: Friday, December 14, 2018 1:27 PM To: blind-sysadmins Subject: [Blind-sysadmins] any iptables experts?

Hello,

If we have any iptables experts please contact me privately. I am not and I can not wrap my head around iptables, I am trying to do two adjustments to a raspberry pi firewall (without breaking anything), and wanting to add two features.

Help appreciated.

Thanks. Dave. _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org

-- Can Kırca _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org

My understanding is that this isn't a typical iptables problem, since devices on the same LAN will discover each other using Address Resolution Protocol in IPv4 and neighbor discovery in IPv6. See the answer at https://superuser.com/questions/1257317/how-to-isolate-device-on-a-router-to... You may have to set up filtering at the MAC address level, which Linux can do. I've never used it, but it is supported. -----Original Message----- From: David Mehler Sent: Thursday, December 20, 2018 8:41 PM To: Blind sysadmins list Subject: [Blind-sysadmins] Re: any iptables experts? Hello, I've got two guest networks both running on Raspberry Pis. I want to ap isolate any clients that connect to them, so they can only connect to the internet, they can not talk to any other device on that network. Second thing i'd like to do is band width throttle them. I do not have the iptables know-how and I have tried to learn, to pull this off, i'd appreciate any help. Thanks. Dave. On 12/17/18, philrigby62@gmail.com wrote:

Maybe so but, from a quick glance, hardly something that could be deployed in a fully-managed infrastructure supporting large scale IT platforms for major international customers which is the arena I work in.

Regards, Phil.

-----Original Message----- From: Can Kırca Sent: 17 December 2018 05:42 To: Blind sysadmins list Subject: [Blind-sysadmins] Re: any iptables experts?

Acording to my experiences, CSF from Config Server better than only iptables and/or firewalld on HREL7. It has detailed documentation and compatible with iptables, command structure is so easy. https://www.configserver.com/cp/csf.html

2018-12-17 0:55 GMT+03:00, philrigby62@gmail.com :

...

Don't forget also that, if you are using RHEL 7, you have the option of using firewalld and the firewall-cmd command to specify host-based firewall rules. It is a much simpler interface and well worth using instead of iptables commands if you aren't trying to do anything really complex.

Cheers, Phil.

-----Original Message----- From: Jason White via Blind-sysadmins Sent: 16 December 2018 21:17 To: 'Blind sysadmins list' Cc: Jason White Subject: [Blind-sysadmins] Re: any iptables experts?

I've written Iptables rules, but not recently, and I wouldn't consider myself to be an expert. I recommend using the following tutorial as your reference: https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

Note also that iptables is being superseded by nftables, for which I haven't found much documentation.

-----Original Message----- From: David Mehler Sent: Friday, December 14, 2018 1:27 PM To: blind-sysadmins Subject: [Blind-sysadmins] any iptables experts?

Hello,

If we have any iptables experts please contact me privately. I am not and I can not wrap my head around iptables, I am trying to do two adjustments to a raspberry pi firewall (without breaking anything), and wanting to add two features.

Help appreciated.

Thanks. Dave. _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org

-- Can Kırca _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org

_______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org

For Quality of Service, perhaps you should try fq_codel: https://www.bufferbloat.net/projects/codel/wiki/ -----Original Message----- From: David Mehler Sent: Sunday, December 23, 2018 10:57 PM To: Blind sysadmins list Cc: Jason White Subject: Re: [Blind-sysadmins] Re: any iptables experts? Hello, Thanks. I'll check out that link. Question, can I get some help setting up iptables and quality of service? Thanks. Dave. On 12/21/18, Jason White via Blind-sysadmins wrote:

My understanding is that this isn't a typical iptables problem, since devices on the same LAN will discover each other using Address Resolution Protocol in IPv4 and neighbor discovery in IPv6. See the answer at https://superuser.com/questions/1257317/how-to-isolate-device-on-a-rou ter-to-internet-only

You may have to set up filtering at the MAC address level, which Linux can do. I've never used it, but it is supported.

-----Original Message----- From: David Mehler Sent: Thursday, December 20, 2018 8:41 PM To: Blind sysadmins list Subject: [Blind-sysadmins] Re: any iptables experts?

Hello,

I've got two guest networks both running on Raspberry Pis. I want to ap isolate any clients that connect to them, so they can only connect to the internet, they can not talk to any other device on that network. Second thing i'd like to do is band width throttle them. I do not have the iptables know-how and I have tried to learn, to pull this off, i'd appreciate any help.

Thanks. Dave.

On 12/17/18, philrigby62@gmail.com wrote:

...

Maybe so but, from a quick glance, hardly something that could be deployed in a fully-managed infrastructure supporting large scale IT platforms for major international customers which is the arena I work in.

Regards, Phil.

-----Original Message----- From: Can Kırca Sent: 17 December 2018 05:42 To: Blind sysadmins list Subject: [Blind-sysadmins] Re: any iptables experts?

Acording to my experiences, CSF from Config Server better than only iptables and/or firewalld on HREL7. It has detailed documentation and compatible with iptables, command structure is so easy. https://www.configserver.com/cp/csf.html

2018-12-17 0:55 GMT+03:00, philrigby62@gmail.com :

...

Don't forget also that, if you are using RHEL 7, you have the option of using firewalld and the firewall-cmd command to specify host-based firewall rules. It is a much simpler interface and well worth using instead of iptables commands if you aren't trying to do anything really complex.

Cheers, Phil.

-----Original Message----- From: Jason White via Blind-sysadmins Sent: 16 December 2018 21:17 To: 'Blind sysadmins list' Cc: Jason White Subject: [Blind-sysadmins] Re: any iptables experts?

I've written Iptables rules, but not recently, and I wouldn't consider myself to be an expert. I recommend using the following tutorial as your reference: https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

Note also that iptables is being superseded by nftables, for which I haven't found much documentation.

-----Original Message----- From: David Mehler Sent: Friday, December 14, 2018 1:27 PM To: blind-sysadmins Subject: [Blind-sysadmins] any iptables experts?

Hello,

If we have any iptables experts please contact me privately. I am not and I can not wrap my head around iptables, I am trying to do two adjustments to a raspberry pi firewall (without breaking anything), and wanting to add two features.

Help appreciated.

Thanks. Dave. _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org

-- Can Kırca _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org

_______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org

Please do not to forget disable selinux if you are not using it and would like to change your SSh port. 2018-12-17 13:31 GMT+03:00, Chris Turner via Blind-sysadmins :

HI.

Well wouldn't say an expert but I do use iptables for my firewalls. Their are other things you can use. Some of which are an easier front end to iptables itself. UFW uncomplicated firewall for ubuntu. Shorewall is another where you define zones.

A lot of the documentation out there on the web about iptables is old or inaccurate. For example. I remember reading somewhere that the default policy in iptables input chain is drop. Not so as you can see with the command.

iptables -L INPUT

I prefer to use iptables as it's explicit what you're doing.

Anyway what specifically are you trying to do? My advice would be as for most tests, do it with vms first. And always add a rule allowing established connections and ssh from your own machine first.

Cheers

Chris Turner

On 14/12/18 18:27, David Mehler wrote:

...

Hello,

If we have any iptables experts please contact me privately. I am not and I can not wrap my head around iptables, I am trying to do two adjustments to a raspberry pi firewall (without breaking anything), and wanting to add two features.

Help appreciated.

Thanks. Dave. _______________________________________________ Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org

---

Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org

-- Can Kırca