Security - Let's be paranoid and secure our penguins.

2009-11-04, 11:16 AM CST
Registered User
Join Date: Aug 2008
Location: INT 13
Posts: 11
iptables future-proof?
I've been using GUI-driven firewalls on Fedora since the start. Some of them are now old and no longer maintained, so the chances of them working with F12 and future releases of Fedora (and Gnome, even Linux in general) are slim at best.
So - is it worth my while to learn iptables syntax/rules so I can set up and modify the firewall at shell level?
Will iptables continue to be used going forward? - Is it worth the investment/headache?

2009-11-04, 11:20 AM CST
Registered User
Join Date: Mar 2009
Location: /home/In_my_Head
Posts: 313
It is definitely worth the effort. Knowledge is power. I use http://netfilter.org/ for info and have found it very useful.

2009-11-04, 11:36 AM CST
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 303
It is always worth it.
If for nothing else, you will gain an understanding of how iptables works, as well as what the GUI is doing, and recognize when it may be doing something wrong.

2009-11-04, 11:43 AM CST
Registered User
Join Date: Aug 2008
Location: INT 13
Posts: 11
@kyryder: Thanks
@jpollard: No worries, the whole idea would be to ditch GUI firewalls completely and just use the shell.
So far so good, thanks for the help.

2009-11-04, 01:17 PM CST
Registered User
Join Date: Jul 2005
Age: 49
Posts: 631
By all means - have a go at iptables by hand. I did that for quite a long stretch. I must say I like fwbuilder though. The advantage of the GUIs is that they can give you ideas you might never think of doing just by trying to dredge through the man pages.

2009-11-04, 06:54 PM CST
Registered User
Join Date: Aug 2009
Posts: 164
Hello Everyone,
+1 for iptables for sure!
Got to love Google Books for ideas, too -
http://books.google.com/books?q=ipta...G=Search+Books
Quote:
Originally Posted by William Haller
By all means - have a go at iptables by hand. I did that for quite a long stretch. I must say I like fwbuilder though. The advantage of the GUIs is that they can give you ideas you might never think of doing just by trying to dredge through the man pages.
FirewallBuilder -
http://www.fwbuilder.org/
http://books.google.com/books?q=fwbu...G=Search+Books
http://blog.fwbuilder.org/2009/06/ne...lable-for.html
Hope this helps.
__________________
Three dual core systems with 3.0 GB running the Fedora 12 (Constantine) kernel - vmlinuz-2.6.31.5-127.fc12.i686.PAE
One dual core system with 3.0 GB running the Fedora 13 kernel - 2.6.32-0.51.rc7.git2.fc13.i686.PAE
Eight (8) x86_64 computing cores, 16 GB of RAM and two SATA Seagate 7200.12 500 GB harddisks.

2009-11-05, 08:41 AM CST
Registered User
Join Date: Sep 2004
Posts: 1,763
Yes, most of the GUIs for iptables (especially firestarter!) seem to add unnecessary tables/rules to the iptables config; it's much better/easier, I find, to do it by hand.
Some people even use shell scripts to configure their iptables rules; I'm not a fan of that either, just edit /etc/sysconfig/iptables.

2009-11-05, 12:19 PM CST
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 303
If you do, don't reboot to apply the changes.
The system shutdown re-creates this file from the existing rules in the system, and overwrites the file each time.
Any comments you may add to the file will be lost.

2009-11-05, 12:37 PM CST
Registered User
Join Date: Mar 2009
Location: /home/In_my_Head
Posts: 313
Quote:
Originally Posted by jpollard
If you do, don't reboot to apply the changes.
The system shutdown re-creates this file from the existing rules in the system, and overwrites the file each time.
Any comments you may add to the file will be lost.
You know I have heard other people say this, but I have always edited /etc/sysconfig/iptables and saved. I have never had that file revert back. Maybe because I don't allow ip6?

2009-11-05, 12:41 PM CST
Registered User
Join Date: Aug 2009
Location: Waldorf, Maryland
Posts: 303
No idea on that -
I do know if you reload the tables before reboot that things will be fine.
I believe the "save on reboot" is to capture any rules applied on the fly that may not be in the file.
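jpollard's warning about the shutdown save and the "reload the tables before reboot" advice both come down to keeping /etc/sysconfig/iptables and the live ruleset in agreement. This added example (not code from the thread) is a small POSIX shell check for that: it normalizes two files in iptables-save format and reports whether they describe the same rules, run here against constructed sample files; `normalize_rules` and `rules_match` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: compare a hand-edited iptables
# rule file (/etc/sysconfig/iptables on Fedora, iptables-save format) with
# a dump of the live ruleset, so drift is caught before a shutdown save
# replaces the file and its comments.

# Normalize an iptables-save format file: drop "# ..." comment lines
# (iptables-save writes its own), strip the [pkts:bytes] counters before
# rules and after chain policies, and drop blank lines.
normalize_rules() {
    sed -e '/^#/d' \
        -e 's/^\[[0-9]*:[0-9]*\] *//' \
        -e 's/ *\[[0-9]*:[0-9]*\]$//' \
        -e '/^[[:space:]]*$/d' "$1"
}

# Return 0 when the two files describe the same ruleset, 1 otherwise.
rules_match() {
    nrm_a=$(mktemp); nrm_b=$(mktemp)
    normalize_rules "$1" > "$nrm_a"
    normalize_rules "$2" > "$nrm_b"
    if diff -q "$nrm_a" "$nrm_b" >/dev/null; then match_rc=0; else match_rc=1; fi
    rm -f "$nrm_a" "$nrm_b"
    return $match_rc
}
# Constructed sample: the hand-edited file, with rules written in the exact
# form iptables-save emits ("-p tcp -m tcp --dport 22"); the check is textual.
SAVED_RULES=$(mktemp)
cat > "$SAVED_RULES" <<'EOF'
# hand-maintained: loopback, established traffic and ssh only
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
# Constructed sample: what iptables-save prints for that ruleset (own header,
# live counters), and a variant with a rule added on the fly after the save.
LIVE_RULES=$(mktemp); DRIFTED_RULES=$(mktemp)
{ echo '# Generated by iptables-save (constructed sample)'
  sed -e '/^#/d' -e 's/^:INPUT DROP \[0:0\]$/:INPUT DROP [120:8400]/' "$SAVED_RULES"
  echo '# Completed (constructed sample)'; } > "$LIVE_RULES"
{ grep -v '^COMMIT$' "$LIVE_RULES"
  echo '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'; echo COMMIT; } > "$DRIFTED_RULES"
rules_match "$SAVED_RULES" "$LIVE_RULES" && echo "saved file matches live rules"
rules_match "$SAVED_RULES" "$DRIFTED_RULES" || echo "drift: live rules differ from saved file"
```

On Fedora the save-on-shutdown behaviour is the IPTABLES_SAVE_ON_STOP setting in /etc/sysconfig/iptables-config; for a real check, point the functions at /etc/sysconfig/iptables and the output of iptables-save instead of the constructed files.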

2009-11-05, 12:43 PM CST
Registered User
Join Date: Mar 2009
Location: /home/In_my_Head
Posts: 313
Oh, if you access iptables from the firewall GUI I bet it would revert back to GUI settings. You can access the iptables file with an editor like gedit and just hit save and stay away from the GUI.
Last edited by kyryder; 2009-11-05 at 12:47 PM CST.

2009-11-06, 02:57 AM CST
Registered User
Join Date: Sep 2004
Posts: 1,763
Yeah, never seen the file get overwritten (on various platforms); then again, I don't use rubbish like NetworkManager, dhcp, zeroconf, avahi, ipv6 etc.

2009-11-06, 09:18 AM CST
Registered User
Join Date: Apr 2006
Location: Ohio, USA
Posts: 4,611
Well you could learn to use getsockopt/setsockopt and parse the route tables yourself. It's educational too.
Quote:
Originally Posted by sej7278
Yeah, never seen the file get overwritten (on various platforms); then again, I don't use rubbish like NetworkManager, dhcp, zeroconf, avahi, ipv6 etc.
You know sej' I generally like your posts, but this is about the most ignorant statement I've seen in a long time.
What do you use for a full featured network config service if you don't use dhcp? dnsmasq will only take you so far.
What do you use on an ipv6 network aside from ipv6?
avahi is a pretty sweet little service advertisement scheme - it solves a real problem. What is your alternative?
I might agree that NM is still a work in progress, but if you are lugging a laptop around the planet it is not replaceable. Is there something better?
I suppose "I don't use rubbish like ethernet" is next?
__________________
Nothing is so unbelievable that oratory cannot make it acceptable - Cicero

2009-11-06, 09:53 AM CST
Registered User
Join Date: Oct 2009
Posts: 35
Just to make things clear, regardless of whose interface you are using, the underlying firewall is, in all cases, iptables.
Quote:
Originally Posted by Zorg
I've been using GUI-driven firewalls on Fedora since the start. Some of them are now old and no longer maintained, so the chances of them working with F12 and future releases of Fedora (and Gnome, even Linux in general) are slim at best.
So - is it worth my while to learn iptables syntax/rules so I can set up and modify the firewall at shell level?
Will iptables continue to be used going forward? - Is it worth the investment/headache?

2009-11-08, 08:55 AM CST
Registered User
Join Date: Sep 2004
Posts: 1,763
Quote:
Originally Posted by stevea
You know sej' I generally like your posts, but this is about the most ignorant statement I've seen in a long time.
What do you use for a full featured network config service if you don't use dhcp? dnsmasq will only take you so far.
What do you use on an ipv6 network aside from ipv6?
avahi is a pretty sweet little service advertisement scheme - it solves a real problem. What is your alternative?
I might agree that NM is still a work in progress, but if you are lugging a laptop around the planet it is not replaceable. Is there something better?
I suppose "I don't use rubbish like ethernet" is next?
lol, ignorant is a bit harsh, but I'm not going to get into it.
Not sure what you mean with the dhcp/dnsmasq thing; I just use static IPs with a resolv.conf and hosts file. Even on a large scale deployment I wouldn't use dhcp; I guess it's ok for a Windows-based office, but on Unix servers there are better ways to do it.
ipv6 I just don't think we need enabled by default at this point in time; it's only going to confuse matters and lead to more security issues. We may as well go the whole hog and enable sctp by default next.
avahi I don't understand the point of; I really don't want to connect to random networks that my computer might find over wifi or bluetooth or because something is broadcasting as a dhcp/samba/whatever server.
NetworkManager I can really see the use of if you have a laptop, but it just doesn't work and probably shares #1 spot on these forums with selinux for causing problems; and it is pointless on a desktop/server too. I'd prefer to go back to defaulting to the network service.