How to Set Up a Firewall Using Iptables | SSH Tarpit

  • Added 24 June 2019
  • In this video, I go over how to set up a firewall on Linux using the built-in iptables that is in every Linux distribution. The SSH tarpit is something many people miss.
    ►► Digital Downloads ➜ www.cttstore.com
    ►► Reddit ➜ / christitustech
    ►► Titus Tech Talk ➜ / titustechtalk
    ►► Twitch ➜ / christitustech
  • Science & Technology

Comments • 100

  • @jlcgz · 5 years ago · +14

    Stopping by just to say thank you for this fantastic script. I just used it on a web server with a couple of modifications. Saved me a ton of work and time.

  • @AnzanHoshinRoshi · 5 years ago · +1

    Thank you, Chris. I've saved this one.

  • @Robidu1973 · 5 years ago · +3

    To keep reaction times of the netfilter short, I usually put rules for reply packets as well as established or related connections quite early in the chains and only later add rules to accept new incoming connections.
    While it usually doesn't cause much pain if a client has to wait a bit for netfilter to process the initial SYN packet, once the connection has been established, processing runs significantly quicker. Plus you'd also want to add rules to both the PREROUTING and the OUTPUT chains of the raw table that exempt traffic to the loopback device from being conntracked, thereby reducing the overhead. Since localhost traffic (127.0.0.1 or ::1, depending on which variant of IP you are using) isn't routed, there's no need to keep track of the packets.
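The layout described in the comment above, written out as an added example. This is editor-supplied code, not the video's script and not the commenter's own rules; it assumes sshd on TCP 22 and a web server on TCP 443 are the only exposed services, and that the rules are loaded with both iptables and ip6tables. Setting IPT=echo and IP6T=echo prints the rule list instead of loading it, which is how the ordering can be checked without root.

```shell
#!/bin/sh
# Added example, not the video's script: INPUT chain ordered so the fast
# path (loopback, replies to existing connections) is matched first, plus
# raw-table NOTRACK rules that keep loopback out of conntrack (IPv4 and IPv6).
# Assumptions: sshd on TCP 22 and HTTPS on TCP 443 are the only services
# exposed; adjust the NEW-connection rules for your own services.
# Run with IPT=echo IP6T=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"

fastpath_rules() {
    for t in "$IPT" "$IP6T"; do
        # the raw table is consulted before conntrack, so NOTRACK here means
        # loopback packets never create or look up a conntrack entry
        "$t" -t raw -A PREROUTING -i lo -j NOTRACK
        "$t" -t raw -A OUTPUT -o lo -j NOTRACK

        # untracked packets never reach ESTABLISHED state, so loopback
        # needs its own explicit ACCEPT and it must come first
        "$t" -A INPUT -i lo -j ACCEPT
        # replies and related traffic are the bulk of packets: rule 2
        "$t" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        # packets conntrack cannot classify are dropped before any service rule
        "$t" -A INPUT -m conntrack --ctstate INVALID -j DROP
    done

    # ICMP: IPv6 needs ICMPv6 for neighbour discovery; IPv4 keeps ping working
    "$IP6T" -A INPUT -p ipv6-icmp -j ACCEPT
    "$IPT"  -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # only the first packet of a new connection gets this far
    for t in "$IPT" "$IP6T"; do
        "$t" -A INPUT -p tcp --dport 22  -m conntrack --ctstate NEW -j ACCEPT
        "$t" -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
        # default deny is set last, so a typo in a rule above cannot lock out
        # the SSH session the script is being run from
        "$t" -P INPUT DROP
    done
}

# load the rules only when invoked as: sh thisscript.sh --apply
if [ "${1-}" = "--apply" ]; then
    fastpath_rules
fi
```

Check the result with `iptables -t raw -nvL` and `iptables -nvL INPUT`: the packet counters on the ESTABLISHED,RELATED rule should dwarf those on the per-port rules, which is the whole point of putting it second.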

  • @risat3354 · 5 years ago · +8

    Thanks for the tutorial Chris. I was never clear on iptables. For me, ufw (and gufw for a GUI) are really simple to use.

    • @s9209122222 · 5 years ago · +4

      It is just too complicated!

    • @Robidu1973 · 5 years ago

      If you need more detail on iptables, just do a _man iptables-extensions_ to get info on advanced features.

  • @TheCocoaDaddy · 5 years ago · +14

    Good video! I use UFW on my systems as I believe it uses iptables behind the scenes. After watching your video, I went to my Linux Mint system and ran the "iptables -nL" command and saw the rules set up by UFW. If UFW, at least, uses iptables, why advocate for manually writing your own firewall rules? Isn't using your script(s) akin to using a GUI firewall tool? I can certainly see writing firewall rules by hand to learn how iptables works and discovering the power of netfilter. I've done this before and while the learning experience can be painful, it's definitely useful.
    Still, good video. I think it would be great to develop a tutorial on configuring an IPv6 firewall. While writing this post, I ran the "man iptables" command on my Mint system and discovered the "ip6tables" command. So, I think a tutorial discussing an IPv6 firewall would be of use. :) Thanks for posting!

  • @MaidLucy · 4 years ago

    Oh nice to see. I did the final setup of my own VPN which spans across all my devices and home network, and the endpoint is in a datacenter. All done with WireGuard and iptables. Finally my devices have IPv6 addresses.

  • @m0zah · 5 years ago

    Great video Chris, I personally use netfilter for my home routing. Love IPtables

  • @cesar8197 · 5 years ago

    Just wonderful Chris :)

  • @fourdotsYT · 5 years ago

    Quick and easy. Thanks.

  • @alloy5801 · 5 years ago

    Very informative, thanks.

  • @Ranblv · 5 years ago

    Very useful. Thank you.

  • @terry.chootiyaa · 5 years ago · +12

    *finally something of use ..😊*

  • @LtSich · 5 years ago · +2

    It's now been 10 years that I've worked with Linux servers, but I never loved working with iptables.
    Shorewall is so much easier for me... and intuitive, which is the most important part...

  • @nobu1730 · 5 years ago

    very useful! thanks

  • @krausg · 4 years ago

    This is gold!

  • @NeelNarayan · 5 years ago · +3

    I am Titu, nice to meet u. Titus for Titu & vice versa.

  • @gmcenroe · 3 years ago

    Thanks, much appreciated

  • @hewfrebie2597 · 5 years ago · +21

    What about ufw (uncomplicated firewall)? A tutorial for beginners to understand even further. Also great tutorial! This also helps for beginners to start doing something advanced.

    • @ChrisTitusTech · 5 years ago · +7

      I'll also go over it, ufw is very common in a lot of Linux distros. I personally prefer iptables, but I know I am a minority on this.

  • @afibaedwards1852 · 3 years ago

    Great Video!

  • @dayumnson9769 · 3 years ago

    Great video man, thanks! Finally someone who also prefers iptables over all the utilities :D What about a video on tunneling traffic from machine A to machine B and accessing the private network of machine B? :)
    greetings

  • @mybean1096 · 4 years ago

    This is much better than UFW because you can customize by building small programs and then add a crontab to it just for fun (you don't really need to do that). I remember a few years ago I got so obsessed with iptables that my Apache server was overwhelmed by all the scripts I created for it. It was a fun sandbox experience though.

  • @davemckewan4450 · 5 years ago

    Going to add this to my LM 19.2 box, as well as the hosts file entries I have and the pfSense FW it all sits behind...

  • @ffwang0306 · 4 years ago

    thanks for sharing...

  • @trippleCS · 1 year ago

    ur the man!!!

  • @tyrellmccurbin8045 · 4 years ago

    Thank you for sharing. Security is so important but, unfortunately, it's often overlooked.

  • @user-fq6go6nv1l · 4 years ago

    Thanks a lot, you provide such fantastic content!
    Very useful, I learned a lot.
    And by the way, may I ask a question? What are the rules we have to make in iptables so we can download using a torrent client?

  • @dingokidneys · 5 years ago

    Nice simple little intro to iptables.
    I only ever use public/private key access to my ssh server from the internet - password disabled - and I don't have a firewall other than the NAT setup on my router. I then set up a new key for each device I need to connect from: my phone, my laptop, my work machine via PuTTY. That way, if I need to kill access from one device, I just delete the public key from authorized_keys.
    I only leave the one port publicly accessible on my router, which is 443 to make getting out of my work network simple, and that is mapped over to 22 on the ssh box.
    I keep getting hammered by all and sundry, but because it's PKI-only ssh on a non-standard port no one has ever got past the first step, and it's really easy for me to get in from out in the wild.

  • @jurgenblick5491 · 5 years ago

    Thank you

  • @SB-qm5wg · 4 years ago

    Cool video.

  • @MrinalSaurabh · 5 years ago · +2

    Thanks for putting this on github. Can you please put the github link in the description?

  • @Amurpo · 5 years ago

    thanks mr

  • @Israel777888 · 3 years ago

    Hello!!! Super good video, thank you. I activated the script on Debian/Xfce, but by default it should block traffic from port 80, right? It shouldn't allow me to download files on the Internet, but it does. Or am I wrong?

  • @firstlast-cs6eg · 5 years ago

    Is this only for people running servers? Like, even running a mild game server with you as host, would this apply/be necessary? Is there any drawback/why isn't this enabled by default?

  • @tedsarasin2641 · 2 years ago

    Can this be used for ip6tables also?

  • @pagedeveloper · 4 years ago

    Have you done a video on nftables for Debian? I need to set up a firewall for the kids in the house. They are not doing homework during the day when they are supposed to. If not, could you please...

  • @stronzo5000 · 5 years ago

    Is it advisable to use -m conntrack and --ctstate rather than -m state and --state?

  • @cuttlefishn.w.2705 · 3 years ago

    I hope there's an nftables tutorial incoming.

  • @regeditxregeditx9790 · 5 years ago

    Is there firewall software like NetLimiter 4? I'm so tired of doing everything in the console.

  • @zyan983 · 4 years ago · +2

    Why not nftables? Better performance, syntax, combined rules and protocols, etc.

  • @WR250a · 5 years ago · +2

    I use fail2ban rather than rate limiting. fail2ban watches the log files and bans (via iptables) an IP if 3 (configurable) failed logins occur within a (configurable) period of time. It also watches other things than ssh, such as FTP, Apache (nginx, etc.), and more.

    • @Robidu1973 · 5 years ago

      Unnecessary when you make use of the recent match. It merely requires two more chains for each service that you intend to protect, one of which you jump to from one of the main chains (i.e. INPUT and/or FORWARD). You then can do both rate limiting and blacklisting (a procedure that I'm using on my server in conjunction with pubkey authorization). So far no breach of SSH, and various attempts to break in are quickly caught by the ABL mechanism and blocked for two hours.
      It also spares you the hassle of repeatedly adding and removing iptables rules, because that is done automatically on the netfilter level.
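The two-chain recent-match setup described in the reply above, as an added example. This is editor-supplied code, not the commenter's rules and not the video's script; it assumes sshd on TCP 22, a limit of 4 new connections per 60 seconds per source address, and a two-hour (7200 s) block for anyone who exceeds it. The recent match keys on the source address by default (`--rsource`), so no extra flag is needed for that. Setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the video's script: SSH rate limiting plus an automatic
# blacklist done entirely with the xt_recent match, so no log watcher has to
# add and remove rules. Assumptions: sshd on TCP 22, at most 4 new
# connections per 60 s from one source, offenders dropped for 7200 s.
# Run with IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
RL_SECONDS=60       # sliding window for the rate limit
RL_HITCOUNT=4       # hits inside the window that trip the limit
BL_SECONDS=7200     # how long a tripped source stays blocked

ssh_recent_rules() {
    # chain 1: every new SSH connection is sent here from INPUT
    "$IPT" -N SSH_NEW 2>/dev/null || "$IPT" -F SSH_NEW
    # chain 2: reached only when the rate limit trips
    "$IPT" -N SSH_BLACKLIST 2>/dev/null || "$IPT" -F SSH_BLACKLIST

    # 1. listed in SSH_BL within the last BL_SECONDS? --rcheck does not
    #    refresh the timestamp, so the block expires BL_SECONDS after listing
    "$IPT" -A SSH_NEW -m recent --name SSH_BL --rcheck --seconds "$BL_SECONDS" -j DROP
    # 2. record this source in the rate-limit list; --set always matches and
    #    has no target, so evaluation simply continues (--rsource is default)
    "$IPT" -A SSH_NEW -m recent --name SSH_RL --set
    # 3. RL_HITCOUNT or more hits inside RL_SECONDS from this source: escalate
    "$IPT" -A SSH_NEW -m recent --name SSH_RL --update --seconds "$RL_SECONDS" --hitcount "$RL_HITCOUNT" -j SSH_BLACKLIST
    # 4. under the limit: let sshd see the connection
    "$IPT" -A SSH_NEW -j ACCEPT

    # add the source to the blacklist (LOG is non-terminating), then drop
    "$IPT" -A SSH_BLACKLIST -m recent --name SSH_BL --set -j LOG --log-prefix "ssh-blacklist: "
    "$IPT" -A SSH_BLACKLIST -j DROP

    # hook: only the first packet of a connection needs the check; an
    # ESTABLISHED,RELATED rule earlier in INPUT handles the rest
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_NEW
}

# load the rules only when invoked as: sh thisscript.sh --apply
if [ "${1-}" = "--apply" ]; then
    ssh_recent_rules
fi
```

The lists live in /proc/net/xt_recent/SSH_RL and /proc/net/xt_recent/SSH_BL, which is where to look when a legitimate user reports being locked out; writing `/` to one of those files clears it. If you would rather have the block extend for as long as the source keeps trying, change rule 1 from `--rcheck` to `--update`, which refreshes the timestamp on every dropped packet.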

  • @nightmarenova6748 · 5 years ago

    Next vid, how to change and secure SSH Port😍

  • @CarlosSanchez-vw4qo · 4 years ago

    How can I disable the firewall rules that libvirt sets up on boot?

  • @RoyHess666 · 2 years ago

    I went a bit further with SSH and other services such as VPN and cloud.
    I restricted access to these services to only a few source IP addresses to narrow down the attack vector even more.
    All other packets are just dropped.
    But I'm wondering if those rules are optimal 🤔

  • @Mr_nah · 5 years ago · +2

    The same video about firewall, please

  • @mptyyegdlc · 3 years ago

    I have no experience with Debian 10. I have recently installed it to use it as a lab. I looked up information on the Internet on how to DISABLE the Debian firewall, but all I have found are articles on how to set up a firewall on Debian. I have noticed that neither ufw nor firewall-cmd are found. Does it mean that by default, Debian installations have no firewall set?

  • @scottwagstaff5121 · 4 years ago

    I added the firewall to my Arch Linux install, but now my Synology NAS is locked out. Can you let me know how I can allow it through, or worst case how I can permanently disable the firewall script from loading?

  • @nielsvanaert4746 · 5 years ago

    I'd suggest adding rsource to the rate limiting rules.

  • @MrGFYne1337357 · 5 years ago · +1

    Yay iptables

  • @dcxrobinson · 1 year ago

    Did you "cd" at 9:40? Because I tried (systemctl enable iptables) and got this error: "Failed to enable unit: Unit file iptables.service does not exist." Ugh, followed to a T! But this happens!

  • @wojtekjatja7289 · 4 years ago

    That's why it's better to set up ssh on some high random port and add an IP filter to allow only from trusted locations.. cheers

  • @ss-xy2im · 5 years ago

    Rate-limit SSH - you said you thought it might be a problem for you to log in if someone is spamming the server, but it turned out not to be a problem. Care to explain why it's not a problem?

  • @dreamtoneamps · 4 years ago

    In Arch, does anyone know how to install the Module that lets you run limit? example: # iptables -A logdrop -m limit --limit 5/m --limit-burst 10 -j LOG - Chris, good stuff I enjoy watching your videos.

  • @Krafting · 5 years ago · +1

    Noob question: How to enable ssh (port 22) only on our local network, and not the outside world ? :)

    • @matthewcaylor342 · 4 years ago

      Something like "iptables -A INPUT -s 192.168.x.0/24 -j ACCEPT" should do it.
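An added example for the question above and for the earlier suggestion to allow SSH only from trusted locations: new connections to the SSH port are accepted from the local subnet and from a short list of trusted addresses, and dropped from everywhere else. This is editor-supplied code, not the commenters' rules and not the video's script; the LAN range 192.168.1.0/24 and the two RFC 5737 documentation addresses in TRUSTED are placeholders to replace. The accept is scoped to the SSH port rather than to the whole subnet, so the rule does not also open every other local service to the LAN. Setting IPT=echo prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the video's script: accept new SSH connections only
# from the local subnet and a list of trusted sources; drop the rest.
# Assumptions: LAN is 192.168.1.0/24 and the trusted external sources are
# the RFC 5737 documentation addresses below. Replace both before use.
# Run with IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
TRUSTED="${TRUSTED:-203.0.113.10 198.51.100.0/28}"   # space-separated placeholders

ssh_source_rules() {
    "$IPT" -N SSH_SRC 2>/dev/null || "$IPT" -F SSH_SRC

    # local subnet first: the common case on a home or office box
    "$IPT" -A SSH_SRC -s "$LAN_NET" -j ACCEPT
    # then each trusted external address or range (unquoted on purpose: split on spaces)
    for src in $TRUSTED; do
        "$IPT" -A SSH_SRC -s "$src" -j ACCEPT
    done
    # log the rest at a bounded rate so a scan cannot fill the journal, then drop
    "$IPT" -A SSH_SRC -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "ssh-untrusted: "
    "$IPT" -A SSH_SRC -j DROP

    # hook: scoped to the SSH port and to NEW connections only, so nothing
    # else on the LAN is opened as a side effect
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j SSH_SRC
}

# load the rules only when invoked as: sh thisscript.sh --apply
if [ "${1-}" = "--apply" ]; then
    ssh_source_rules
fi
```

Before loading this over an SSH session, make sure the address you are connecting from is inside LAN_NET or TRUSTED; the DROP at the end of SSH_SRC applies to you as well.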

  • @seanpower4670 · 4 years ago

    How do I make an old router into a firewall? Can it be done?

  • @daytrader66 · 3 years ago

    How about the same video but for nftables?

  • @Oswee · 4 years ago

    I would like to see nftables

  • @gutiersa · 4 years ago · +1

    I use FreeBSD. I am not interested in changing. However I wanted to see what the tables looked like, but you talked about other things too much. I waited and fast-forwarded. Maybe listing the minute at which you get to the rules? I just left without seeing the rules

  • @neddyladdy · 5 years ago

    Well, you proved that it is not easy.

  • @John-lx8iu · 5 years ago · +3

    awww... no link to the GitHub in the description for us lazy folks? lol
    Keep up the great work Chris :)
    oh, and if you want the link:
    github.com/ChrisTitusTech/firewallsetup

  • @DanHenryx · 4 years ago

    If you came here for SSH Tarpit : 6:00

  • @toupeiratech3775 · 3 years ago

    Here: github.com/ChrisTitusTech/firewallsetup

  • @SkyFly19853 · 5 years ago

    Doesn't this Firewall have GUI?... 😓

  • @poljubcki · 4 years ago

    Is it good for desktop too?

  • @ss-xy2im · 5 years ago

    seems like Chris thinks UFW stands for Universal FireWall

  • @chrisoneill6277 · 5 years ago

    It looks great, except that it doesn't work in a stock U19.04, as the whole iptables service infrastructure isn't there, so you can't start it, etc., or do anything else with it. Even loading it and trying fails for a plethora of other reasons. From that point on, nothing here works, so it fails the 30 second test. A shame, it would have been good.

  • @loizostheochari1509 · 3 years ago

    Chris, how do you completely block CHINA, RUSSIA and INDIA by using iptables on Arch Linux?

  • @jeffharwood624 · 3 years ago

    Do the world a favor, show the world how to secure linux desktops by removing port 80 for DDoS purposes and Windows 10 disabling port 80 in the windows 10 registry. Thanks.
    Harwood CSA.

  • @viktor133100 · 3 years ago

    "universal firewall" what's that?

  • @xthebumpx · 5 years ago

    The easiest way to configure a firewall on Linux that I've seen is with NixOS's configuration file. I think when I had NixOS installed was the only time I've had a configured firewall running :/

  • @lesliesavege1206 · 4 years ago

    I like you, but sometimes your advice just doesn't work.
    I have a Linux Mint computer, and the command systemctl enable iptables doesn't work. I did everything else, and I am glad it was on a VM running Linux Mint instead of my main computer running the same OS, since that seemed to yield unexpected results. A reboot seems to have reset everything back in order, but how can I be sure? This is the second time your advice on settings in Linux didn't work.

  • @HadToChangeMyName_YoutubeSucks

    I'd point out that you can't trust the firewall above you. Our firewall server went down and everything was just passed on through until it was fixed and back up; the firewall on my web servers (they're really MY servers, the company just thinks they're theirs) had to take over and it instantly started throwing out attempts at pretty much whatever you can imagine as fast as it could.
    Ufw is a great interface to iptables, far easier to deal with in my opinion, but it is an intermediary, so if you can deal directly with iptables and not have the ufw service running that's one less link in your chain.
    You really didn't explain how to remove rules in iptables or add bad guys to the table or figure out that bad guys are actually trying to do bad things, and that's more important than just setting one up and forgetting you have it. You have to be vigilant in watching those logs, both manually DAILY and with something like fail2ban watching constantly and locking the bad guys out when they show up, and you have to know the good guys tried to get in and got locked out for some reason so you can let them back in. Whether you're using ufw or using iptables directly, watch those logs boys and girls, they're there for a reason.
    As far as ssh, I always set my own port for every server and a different port for every server. Keeps the attempts down, and .ssh/config makes it easy.

  • @emiliahane · 4 years ago

    marry me (meant in a non-creepy way)

  • @marianitu · 5 years ago

    I used to manage my iptables rules with a nice program named fwbuilder (which actually is discontinued, but still works): fwbuilder.sourceforge.net/

  • @AkamiChannel · 3 years ago

    I think you should not install Arch packages with -Sy (one of the Arch support guys in the Arch IRC told me that). You should either install with -S, or first do sudo pacman -Syu and then install with just -S. The reason is that by doing -Sy you are installing the latest package, when the rest of your system is built on older packages from the last time you ran sudo pacman -Syu. And you should never just run sudo pacman -Sy either. Obviously all the same applies if using an AUR helper like yay. Sorry, my memory is not 100%, but I hope I'm not making a mistake with what I wrote.

  • @johngreco7171 · 5 years ago

    Lately I've been looking into only allowing SSH over WireGuard. I think that would eliminate any need for tarpitting or anything like that. If sshd only listens for connections on the WireGuard interface, then sshd can't be attacked by anybody who's not already on my VPN. I don't really see any downside for personal use, except for the added CPU load of WireGuard encrypting everything.

    • @Robidu1973 · 5 years ago

      If WireGuard already offers protection and encryption, you are doing things twice here (both WireGuard and ssh are encrypting the traffic).
      To avoid the redundancy, you should consider either making ssh accessible from the outside world (if you need extra protection, switch from username/password to pubkey authentication with a long key, best also backed up with an ABL) or doing away with ssh on the VPN and replacing it with something that doesn't rely on encryption.
      I have two options for getting onto my server: SSH on the regular port (pubkey authentication to make brute-forcing moot) that is protected by an ABL, or Telnet via strongSwan. So far nobody has managed to break in.

    • @johngreco7171 · 5 years ago

      @Robidu1973 Using telnet instead of ssh just because you're on a VPN is nuts. There is no real reason to avoid SSH-over-WireGuard; the perf impact is negligible and there are no TCP-over-TCP sort of issues.

    • @Robidu1973 · 5 years ago

      @johngreco7171 If it's not recommended to do things within a VPN that you don't do on the external zone, why use a VPN in the first place?

  • @TheFrantic5 · 5 years ago

    Using a script instead of a program feels like six of one, half a dozen of the other.