any iptables experts?
Hello, If we have any iptables experts please contact me privately. I am not one, and I cannot wrap my head around iptables. I am trying to do two adjustments to a Raspberry Pi firewall (without breaking anything) and want to add two features. Help appreciated. Thanks. Dave.
I've written Iptables rules, but not recently, and I wouldn't consider
myself to be an expert. I recommend using the following tutorial as your
reference:
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
Note also that iptables is being superseded by nftables, for which I haven't
found much documentation.
-----Original Message-----
From: David Mehler
Don't forget also that, if you are using RHEL 7, you have the option of
using firewalld and the firewall-cmd command to specify host-based firewall
rules. It is a much simpler interface and well worth using instead of
iptables commands if you aren't trying to do anything really complex.
Cheers,
Phil.
-----Original Message-----
From: Jason White via Blind-sysadmins
According to my experience, CSF from ConfigServer is better than iptables alone and/or firewalld on RHEL 7. It has detailed documentation, is compatible with iptables, and the command structure is very easy.
https://www.configserver.com/cp/csf.html
-- Can Kırca
Maybe so but, from a quick glance, hardly something that could be deployed in a fully-managed infrastructure supporting large scale IT platforms for major international customers which is the arena I work in.
Regards,
Phil.
-----Original Message-----
From: Can Kırca
Hello,
I've got two guest networks, both running on Raspberry Pis. I want to
AP-isolate any clients that connect to them, so they can only connect
to the internet; they cannot talk to any other device on that
network. The second thing I'd like to do is bandwidth-throttle them. I do
not have the iptables know-how to pull this off, and I have tried to learn,
so I'd appreciate any help.
Thanks.
Dave.
On 12/17/18, philrigby62@gmail.com
My understanding is that this isn't a typical iptables problem, since devices on the same LAN will discover each other using Address Resolution Protocol in IPv4 and neighbor discovery in IPv6. See the answer at
https://superuser.com/questions/1257317/how-to-isolate-device-on-a-router-to-internet-only
You may have to set up filtering at the MAC address level, which Linux can do. I've never used it, but it is supported.
-----Original Message-----
From: David Mehler
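On a Pi that is itself the access point (hostapd on wlan0), the layer-2 piece Jason describes is handled by hostapd rather than by MAC filtering, and the layer-3 piece is a handful of FORWARD and INPUT rules. The script below is an added example, not code from the thread or from any of the posters. The interface names, the routed (non-bridged) layout with MASQUERADE on eth0, and the assumption that existing FORWARD rules already accept ESTABLISHED,RELATED replies coming back in on eth0 are all assumptions; change them to match the Pi.

```shell
#!/bin/sh
# Guest client isolation on a Raspberry Pi access point. Added example, not
# code from the thread. Assumed layout: hostapd on wlan0 serves the guest
# subnet, eth0 is the uplink to the home LAN and the internet, the Pi routes
# (net.ipv4.ip_forward=1) and MASQUERADEs guest traffic out of eth0, and the
# existing FORWARD rules already accept ESTABLISHED,RELATED replies on eth0.
# DRY_RUN=1 (the default) prints the commands instead of running them.

GUEST_IF="${GUEST_IF:-wlan0}"
UPLINK_IF="${UPLINK_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    # Print in dry-run mode, execute otherwise.
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

guest_isolation_rules() {
    # Step 1 is not an iptables rule at all. Frames between two stations of
    # the same AP are switched inside mac80211 and never reach netfilter, so
    # hostapd.conf needs:
    #     ap_isolate=1
    # With that set, the AP hands such frames up to the host stack instead,
    # and because ip_forward is on, the kernel would happily route them back
    # out of wlan0 to the other guest. Step 2 closes that hole.

    # Step 2: a dedicated chain for traffic arriving from the guest interface.
    run iptables -N GUEST_FWD 2>/dev/null || true
    run iptables -F GUEST_FWD
    # Guest -> guest through the router (hairpin) is refused.
    run iptables -A GUEST_FWD -o "$GUEST_IF" -j DROP
    # Guest -> any private address (the home LAN, the other guest network,
    # anything else behind eth0) is refused.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run iptables -A GUEST_FWD -d "$net" -j DROP
    done
    # What remains is guest -> internet over the uplink; everything else drops.
    run iptables -A GUEST_FWD -o "$UPLINK_IF" -j ACCEPT
    run iptables -A GUEST_FWD -j DROP
    # Hook it in first so it wins over whatever FORWARD rules already exist.
    run iptables -D FORWARD -i "$GUEST_IF" -j GUEST_FWD 2>/dev/null || true
    run iptables -I FORWARD 1 -i "$GUEST_IF" -j GUEST_FWD

    # Step 3: the Pi itself. Guests get DHCP and DNS from it and nothing else
    # (no SSH, no web UI) from the guest side.
    run iptables -N GUEST_IN 2>/dev/null || true
    run iptables -F GUEST_IN
    run iptables -A GUEST_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A GUEST_IN -p udp --dport 67 -j ACCEPT
    run iptables -A GUEST_IN -p udp --dport 53 -j ACCEPT
    run iptables -A GUEST_IN -p tcp --dport 53 -j ACCEPT
    run iptables -A GUEST_IN -j DROP
    run iptables -D INPUT -i "$GUEST_IF" -j GUEST_IN 2>/dev/null || true
    run iptables -I INPUT 1 -i "$GUEST_IF" -j GUEST_IN
    # IPv6 is deliberately not covered here: if the guest network carries
    # IPv6, the same chains are needed in ip6tables, and neighbour discovery
    # (ICMPv6 types 133-137) must stay permitted on the INPUT side.
}

guest_isolation_rules
```

Run it with `DRY_RUN=0` as root once the printed rules look right, then check from a guest client that a second guest and the home LAN are unreachable while the internet still is; `iptables -L GUEST_FWD -v -n` shows the per-rule counters climbing as you test.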
Hello,
Thanks. I'll check out that link.
Question, can I get some help setting up iptables and quality of service?
Thanks.
Dave.
On 12/21/18, Jason White via Blind-sysadmins
For Quality of Service, perhaps you should try fq_codel:
https://www.bufferbloat.net/projects/codel/wiki/
-----Original Message-----
From: David Mehler
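fq_codel on its own does not cap anyone; it manages the queue once a link is saturated. To throttle the guest networks to a fixed rate, an HTB class goes in front of it and fq_codel becomes the leaf qdisc. The script below is an added example, not code from the thread; wlan0/eth0, the rates, the guest subnet in the comments and the fwmark value are assumptions. It also shows the NAT catch a practitioner hits on the upload side: by the time tc sees a packet leaving eth0, MASQUERADE has already rewritten the source address, so classification has to key on a mark set before NAT rather than on the guest subnet.

```shell
#!/bin/sh
# Capping a guest network with HTB + fq_codel on a Raspberry Pi router.
# Added example, not code from the thread. Assumptions: hostapd on wlan0
# serves the guests, eth0 is the NAT (MASQUERADE) uplink, UPLINK_RATE is
# eth0's real speed, and the caps apply to the guest network as a whole,
# not per client. DRY_RUN=1 (default) prints the commands instead of running them.

GUEST_IF="${GUEST_IF:-wlan0}"
UPLINK_IF="${UPLINK_IF:-eth0}"
DOWN_RATE="${DOWN_RATE:-20mbit}"        # internet -> guests, shaped on wlan0 egress
UP_RATE="${UP_RATE:-5mbit}"             # guests -> internet, shaped on eth0 egress
UPLINK_RATE="${UPLINK_RATE:-1000mbit}"  # so non-guest traffic on eth0 stays uncapped
GUEST_MARK="${GUEST_MARK:-10}"          # fwmark that tags guest packets through NAT
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

guest_shaping_rules() {
    # Downstream: everything leaving wlan0 is guest traffic, so one HTB class
    # on wlan0's root is the cap. fq_codel as the leaf qdisc is what keeps
    # latency low when the cap is hit; HTB alone would build a deep FIFO.
    run tc qdisc del dev "$GUEST_IF" root 2>/dev/null || true
    run tc qdisc add dev "$GUEST_IF" root handle 1: htb default 10
    run tc class add dev "$GUEST_IF" parent 1: classid 1:10 htb rate "$DOWN_RATE" ceil "$DOWN_RATE"
    run tc qdisc add dev "$GUEST_IF" parent 1:10 handle 10: fq_codel

    # Upstream: guest packets leave eth0 mixed with the Pi's own and the
    # LAN's traffic, and by the time tc sees them MASQUERADE has rewritten
    # the source address to eth0's, so a filter on "src 10.10.0.0/24" would
    # match nothing. Mark them in mangle/FORWARD, which runs before
    # nat/POSTROUTING, and let tc classify on the mark instead.
    run iptables -t mangle -D FORWARD -i "$GUEST_IF" -j MARK --set-mark "$GUEST_MARK" 2>/dev/null || true
    run iptables -t mangle -A FORWARD -i "$GUEST_IF" -j MARK --set-mark "$GUEST_MARK"
    run tc qdisc del dev "$UPLINK_IF" root 2>/dev/null || true
    run tc qdisc add dev "$UPLINK_IF" root handle 2: htb default 20
    run tc class add dev "$UPLINK_IF" parent 2: classid 2:10 htb rate "$UP_RATE" ceil "$UP_RATE"
    run tc class add dev "$UPLINK_IF" parent 2: classid 2:20 htb rate "$UPLINK_RATE"
    run tc qdisc add dev "$UPLINK_IF" parent 2:10 handle 210: fq_codel
    run tc qdisc add dev "$UPLINK_IF" parent 2:20 handle 220: fq_codel
    run tc filter add dev "$UPLINK_IF" parent 2: protocol ip prio 1 handle "$GUEST_MARK" fw flowid 2:10
}

guest_shaping_rules
```

After applying with `DRY_RUN=0`, `tc -s class show dev eth0` should show bytes accumulating in class 2:10 only while a guest is uploading, and `iptables -t mangle -L FORWARD -v -n` shows the MARK rule's counters. Each Pi runs its own copy; a per-client cap rather than a per-network one would need one HTB class per client address.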
HI.
Well, I wouldn't say an expert, but I do use iptables for my firewalls. There are other things you can use, some of which are an easier front end to iptables itself: UFW (Uncomplicated Firewall) for Ubuntu, and Shorewall is another, where you define zones.
A lot of the documentation out there on the web about iptables is old or inaccurate. For example, I remember reading somewhere that the default policy in the iptables INPUT chain is DROP. Not so, as you can see with the command:
iptables -L INPUT
I prefer to use iptables as it's explicit what you're doing.
Anyway, what specifically are you trying to do? My advice would be, as for most tests, do it with VMs first. And always add a rule allowing established connections and SSH from your own machine first.
Cheers
Chris Turner
On 14/12/18 18:27, David Mehler wrote:
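Chris's two points (read the policy instead of assuming it, and get the established-connections and SSH rules in before anything restrictive), together with Dave's "without breaking anything" on a Pi you reach over SSH, come down to the script below. It is an added example, not the poster's code. ADMIN_NET (the network you ssh from), the snapshot path and the timeout are assumptions. The rollback idea is the standard one: snapshot the live ruleset, arm a background restore, apply the change, and only cancel the restore from a fresh SSH session, so a rule set that locks you out undoes itself.

```shell
#!/bin/sh
# Changing iptables on a remote Pi without locking yourself out. Added
# example, not code from the thread. ADMIN_NET (where you ssh from), the
# snapshot path and the timeout are assumptions. Usage:
#     DRY_RUN=0 sh safe-fw.sh apply     # snapshot, arm rollback, apply baseline
#     DRY_RUN=0 sh safe-fw.sh confirm   # run from a NEW ssh session to keep it
# If confirm never arrives (you got cut off), the old rules return by themselves.

ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"
TIMEOUT="${TIMEOUT:-120}"
BACKUP="${BACKUP:-/run/iptables.rollback}"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

chain_policy() {
    # Read a chain's default policy from `iptables -S` output on stdin, e.g.
    #     iptables -S | chain_policy INPUT     -> ACCEPT
    # Never assume it is DROP; on a stock install it is ACCEPT.
    awk -v chain="$1" '$1 == "-P" && $2 == chain { print $3 }'
}

arm_rollback() {
    # Snapshot the live ruleset and schedule its restore. confirm_rules kills
    # the sleeper; if the new rules cut the session, nobody kills it and the
    # snapshot comes back after TIMEOUT seconds.
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables-save > $BACKUP; (sleep $TIMEOUT && iptables-restore < $BACKUP) &"
        return 0
    fi
    iptables-save > "$BACKUP"
    ( sleep "$TIMEOUT" && iptables-restore < "$BACKUP" ) &
    echo $! > "$BACKUP.pid"
}

confirm_rules() {
    # Only run this from a fresh ssh session: a new connection proves the
    # NEW-state rule works; an old session only proves ESTABLISHED does.
    [ -f "$BACKUP.pid" ] || { echo "nothing armed"; return 1; }
    kill "$(cat "$BACKUP.pid")" && rm -f "$BACKUP.pid" "$BACKUP"
}

apply_baseline() {
    # Order is the whole point: the keep-alive rules go in before the policy
    # flips to DROP, so the session you are typing in survives.
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A INPUT -p icmp -j ACCEPT
    run iptables -P INPUT DROP
}

case "${1:-}" in
    apply)   arm_rollback && apply_baseline ;;
    confirm) confirm_rules ;;
    *)       echo "usage: $0 apply|confirm   (set DRY_RUN=0 to execute)" ;;
esac
```

The snapshot lives in /run, so a reboot also discards it; if the Pi should keep the new rules across reboots, save them with `iptables-save` to wherever the distribution's persistence mechanism reads from only after `confirm` has succeeded.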
Please do not forget to disable SELinux if you are not using it and
would like to change your SSH port.
2018-12-17 13:31 GMT+03:00, Chris Turner via Blind-sysadmins
Blind-sysadmins mailing list -- blind-sysadmins@lists.hodgsonfamily.org To unsubscribe send an email to blind-sysadmins-leave@lists.hodgsonfamily.org
-- Can Kırca
participants (5)
- Can Kırca
- Chris Turner
- David Mehler
- Jason White
- philrigby62@gmail.com