#nftable
Explore tagged Tumblr posts
nixcraft · 8 months ago
Linux host firewall:
nftables - low-level way to manage the firewall on modern distros. It is a replacement for iptables.
iptables - legacy firewall.
Easy-to-use frontend - manage your nftables or iptables using a GUI, CLI, or web frontend. Typical examples are ufw, gufw, Guarddog, FWBuilder, firewalld, firewall-config, etc. Both nftables & iptables are part of Netfilter. For most users, choosing a frontend such as the ufw command or firewalld is recommended.
32 notes · View notes
letterlock · 5 months ago
iptables? nah we're all on nftables now. yeah we changed all the syntax haha. it's okay though we have a nifty declarative script that's basically the config file. it's kinda like a JSON, except more unintelligible. yeah, because we changed the syntax. yeah it partially overrides iptables so now there's even more ambiguity about whether or not you've actually blocked that port
ufw? don't use that - adds too much complexity, you might have conflicts. what do you mean do I know what it stands for?
3 notes · View notes
cyber-sec · 1 year ago
CISA warns of actively exploited Linux privilege elevation flaw
Source: https://www.bleepingcomputer.com/news/security/cisa-warns-of-actively-exploited-linux-privilege-elevation-flaw/
More info: https://pwning.tech/nftables/
4 notes · View notes
netmarkjp · 4 months ago
#ばばさん通信ダイジェスト (Baba-san Tsushin Digest): NFTables mode for kube-proxy
We share items that became, or look likely to become, a topic of discussion, regardless of whether the reception was positive or negative.
NFTables mode for kube-proxy
https://kubernetes.io/blog/2025/02/28/nftables-kube-proxy/
0 notes
tumnikkeimatome · 4 months ago
Differences between nftables, iptables and ufw and when to use each: choosing a Linux firewall
Introduction. The firewall is the cornerstone of network security on a Linux system. The representative tools are nftables, iptables and ufw. Understanding the characteristics and usage of each lets you make the best choice for your own environment. This article compares these three firewall tools and explains the advantages and use cases of each in detail. Basic overview of nftables, iptables and ufw. nftables, iptables and ufw all build on Netfilter, the network filtering facility of the Linux kernel. However, each differs in design philosophy and intended use. The basic characteristics of each are introduced below. What is nftables? nftables is a relatively new firewall framework introduced in Linux kernel 3.13. IPv4 and I…
0 notes
akrnd085 · 1 year ago
Comprehensive Guide to Linux Firewalls: iptables, nftables, ufw, and firewalld

In the dynamic landscape of network security, firewalls play a pivotal role in fortifying systems against potential threats. Within the Linux ecosystem, where robust security measures are paramount, understanding and navigating tools like iptables, ufw, nftables and firewalld becomes crucial. This comprehensive guide aims to delve into the intricacies of each tool, shedding light on their core concepts, functionalities, and use cases.

iptables: Understanding the Core Concepts

Overview of iptables: Iptables stands as a cornerstone tool for controlling firewalls on Linux systems. Operating directly with the Linux kernel for packet filtering, iptables provides a versatile but verbose interface.

Organizational Structure: The organizational structure of iptables involves tables, chains, rules, and targets. Three primary tables (filter, nat, and mangle) categorize rules. The filter table manages incoming and outgoing packets, nat facilitates Network Address Translation (NAT), and mangle is employed for advanced packet alteration.

Default Policies and Rule Creation: By default, iptables adds rules to the filter table, with default policies for INPUT, OUTPUT, and FORWARD chains set to ACCEPT. Security best practices recommend setting at least FORWARD and INPUT policies to DROP. Loopback interface access is usually allowed, and established or related connections are accepted.

Example Rules for Common Protocols:

Allowing HTTP and HTTPS traffic:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Allowing SSH traffic for remote access:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Common iptables Options: Iptables provides various options for rule management, including -A or --append, -I or --insert, -D or --delete, -P or --policy, -j or --jump, -s or --source, -d or --destination, -p or --protocol, -i or --in-interface, -o or --out-interface, --sport or --source-port, --dport or --destination-port, and -m or --match.

Advanced Features in iptables: Iptables offers advanced features such as NAT, interface bonding, TCP multipath, and more, making it a versatile tool for complex network configurations.

nftables: The Next Generation Firewall

Overview of nftables: Nftables emerges as a user-friendly alternative to iptables, offering a more logical and streamlined structure. While positioned as a replacement for iptables, both tools coexist in modern systems.

Organizational Structure in nftables: Nftables adopts a logical structure comprising tables, chains, rules, and verdicts. It simplifies rule organization with various table types, including ip, arp, ip6, bridge, inet, and netdev.

Setting Default Policies and Example Rules (the table and chains must exist first, and the drop is set as the chain policy rather than as a catch-all rule, so the accept rules added afterwards still match):
sudo nft add table ip filter
sudo nft add chain ip filter input '{ type filter hook input priority 0; policy drop; }'
sudo nft add chain ip filter forward '{ type filter hook forward priority 0; policy drop; }'
sudo nft add rule ip filter input iifname "lo" accept
sudo nft add rule ip filter input ct state established,related accept
sudo nft add rule ip filter input tcp dport '{ 80, 443 }' accept
sudo nft add rule ip filter input tcp dport 22 accept

Common nftables Options: Nftables options include add, insert, delete, chain, ip saddr, ip daddr, ip protocol, iifname, oifname, tcp sport, tcp dport, and ct state.

nftables vs iptables: While nftables provides a more streamlined approach, both tools coexist, allowing users to choose based on preferences and familiarity.

ufw: Simplifying Firewall Management

Overview of ufw: Uncomplicated Firewall (ufw) serves as a frontend for iptables, offering a simplified interface for managing firewall configurations. It is designed to be user-friendly and automatically sets up iptables rules based on specified configurations. Ufw not only simplifies iptables but also integrates well with applications and services. Its simplicity makes it an ideal choice for those who want a quick setup without delving into intricate firewall configurations. Moreover, ufw supports application profiles, allowing users to define rules specific to applications.

Enabling ufw and Example Rules:
sudo ufw enable
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 80,443/tcp

Checking ufw Status:
sudo ufw status

firewalld: Dynamic Firewall Configuration

Overview of firewalld: Firewalld streamlines dynamic firewall configuration, featuring zones to declare trust levels in interfaces and networks. It comes pre-installed in distributions like Red Hat Enterprise Linux, Fedora, CentOS, and can be installed on others. Firewalld excels in dynamic environments where network configurations change frequently. Its zone-based approach allows administrators to define different trust levels for various network interfaces.

Opening Ports with firewalld:
sudo firewall-cmd --add-port=80/tcp --permanent
sudo firewall-cmd --add-port=443/tcp --permanent
sudo firewall-cmd --add-port=80/tcp --add-port=443/tcp --permanent
sudo firewall-cmd --reload
sudo firewall-cmd --list-ports

Conclusion: Linux firewalls, comprising iptables, ufw, nftables and firewalld, offer robust defense mechanisms for network security. While iptables and nftables cater to experienced users, ufw and firewalld provide simplified interfaces for ease of use. The choice of tools depends on user expertise and specific requirements, ensuring a secure and well-managed network environment. This extended guide provides additional insights into ufw and firewalld, enhancing your understanding of Linux firewall tools for configuring and securing systems effectively.
0 notes
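The guide above issues its nftables rules one `nft add` command at a time. In practice the same policy is kept as a declarative ruleset file that `nft -f` loads atomically, so the firewall is never half-applied. The ruleset below is an added example written for this page, not code from the guide's author: it assumes the host exposes only SSH, HTTP and HTTPS, and it uses the inet family so one table covers IPv4 and IPv6.

```nft
#!/usr/sbin/nft -f
# Added example (not from the guide): the guide's policy as one declarative
# ruleset. Assumes the host offers SSH, HTTP and HTTPS and nothing else.

flush ruleset

table inet filter {
    chain input {
        # chain policy, not a catch-all rule: later accept rules still match
        type filter hook input priority filter; policy drop;

        # loopback
        iif "lo" accept

        # replies to connections this host started, plus related traffic (e.g. ICMP errors)
        ct state established,related accept

        # packets conntrack cannot place in any connection (bad flags, stray ACKs)
        ct state invalid drop

        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery
        meta l4proto { icmp, icmpv6 } accept

        # services exposed by this host
        tcp dport { 22, 80, 443 } accept

        # sample what the policy drops, rate-limited so a flood cannot fill the log
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        # this host does not route for anyone
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Check the file without loading it (`sudo nft -c -f firewall.nft`), then load it (`sudo nft -f firewall.nft`) and confirm with `sudo nft list ruleset`. Because the file opens with `flush ruleset`, loading it replaces whatever ufw or firewalld had installed, which is exactly the kind of conflict the letterlock post above worries about: manage each host's firewall with one tool only.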
do i need a vpn if i have linux
VPN benefits for Linux
Linux users can benefit greatly from using a Virtual Private Network (VPN) for enhanced online privacy, security, and access to geo-restricted content. VPNs create a secure connection between the user's device and the internet, encrypting all data transferred. This encryption helps in preventing unauthorized access to sensitive information, protecting users from cyber threats such as hacking and identity theft.
One of the main advantages of using a VPN on Linux is the ability to bypass geo-restrictions. By connecting to servers located in different countries, users can access region-locked content on streaming platforms or websites. This is particularly useful for Linux users who want to watch their favorite shows or access websites that are not available in their location.
Moreover, VPNs help in masking the user's IP address, making it difficult for third parties to track their online activities. This adds an extra layer of anonymity and privacy while browsing the internet. Linux users can also utilize VPNs to securely connect to public Wi-Fi networks, protecting their data from potential cyber attacks on unsecured networks.
In addition, VPNs can improve browsing speeds and reduce latency by directing traffic through optimized servers. This can be beneficial for Linux users who engage in online gaming or stream high-definition content. Overall, using a VPN on Linux offers a range of benefits that enhance the user's online experience while prioritizing security and privacy.
Security measures on Linux
Title: Strengthening Your Defense: Essential Security Measures on Linux
Linux, renowned for its robust security features, remains a preferred choice for users seeking a reliable and secure operating system. However, maintaining a secure Linux environment requires diligence and adherence to essential security measures.
First and foremost, regular updates are imperative. Keeping your Linux distribution up-to-date ensures that you receive the latest security patches and fixes for vulnerabilities. Most distributions offer automated update mechanisms, simplifying this crucial task.
Implementing strong authentication practices is equally vital. Utilize complex passwords and consider employing multi-factor authentication (MFA) for an added layer of security. Tools like SSH keys enhance security by replacing passwords with cryptographic keys for remote access.
Firewalls play a pivotal role in safeguarding Linux systems from unauthorized access. Configure firewalls, such as iptables or the more modern nftables, to regulate network traffic and block malicious connections. Additionally, consider employing intrusion detection and prevention systems (IDS/IPS) to proactively identify and thwart potential threats.
Regular system audits and monitoring are indispensable for detecting and addressing security breaches promptly. Utilize security auditing tools like AIDE or Lynis to assess system integrity and identify any deviations from the baseline.
Furthermore, encryption should be employed to protect sensitive data both at rest and in transit. Utilize tools like GNU Privacy Guard (GPG) for file encryption and protocols like TLS/SSL for securing network communications.
Limiting user privileges and employing access controls are crucial for minimizing the impact of potential security breaches. Utilize the principle of least privilege to restrict user access to only what is necessary for their tasks.
Lastly, maintaining comprehensive backups ensures the resilience of your Linux environment in the face of unforeseen events such as data corruption or ransomware attacks.
By adhering to these essential security measures, you can fortify your Linux system against potential threats and enjoy a secure computing experience.
VPN necessity for Linux users
For Linux users, employing a VPN (Virtual Private Network) is not just a luxury but a crucial necessity. While Linux is renowned for its robust security features, it's not immune to online threats, privacy breaches, and data surveillance. Here are compelling reasons why Linux users should prioritize using a VPN:
Enhanced Privacy: VPNs encrypt internet traffic, shielding it from prying eyes. Linux users often value privacy and freedom, and a VPN ensures their online activities remain confidential.
Bypassing Restrictions: Many websites and services impose geo-restrictions or censorship based on users' locations. By connecting to a VPN server in a different location, Linux users can bypass these restrictions and access content without limitations.
Securing Public Wi-Fi: Public Wi-Fi networks are notorious for their lack of security. Linux users can mitigate the risks of data interception and hacking by using a VPN to encrypt their connection, whether they're at a coffee shop, airport, or hotel.
Preventing ISP Tracking: Internet Service Providers (ISPs) often monitor users' online activities and may throttle bandwidth or sell browsing data to advertisers. With a VPN, Linux users can prevent ISPs from tracking their behavior and maintain anonymity online.
Protecting Against Cyber Threats: Linux systems are not immune to malware, phishing attacks, and other cyber threats. By encrypting internet traffic and masking their IP address, Linux users can reduce the risk of falling victim to such threats.
Secure Remote Access: Linux users who frequently access their systems remotely can benefit from VPNs, which provide a secure and encrypted connection to their home or office network from anywhere in the world.
In conclusion, VPNs offer Linux users a layer of security, privacy, and freedom that is essential in today's digital landscape. By utilizing a VPN, Linux enthusiasts can enjoy a safer and more private online experience.
Linux privacy protection
Linux is known for being a secure and privacy-conscious operating system, making it a top choice for users looking to protect their digital footprint. With its open-source nature and strong community support, Linux offers various tools and practices to enhance privacy protection.
One key aspect of ensuring privacy on Linux is utilizing encrypted communication protocols such as HTTPS and VPNs. These protocols encrypt data transmission, making it harder for potential attackers to intercept and decipher sensitive information. Additionally, Linux distributions often provide built-in tools like firewalls and intrusion detection systems that help safeguard against unauthorized access.
Users can also take advantage of privacy-focused web browsers like Firefox and Brave, which offer enhanced tracking protection and privacy settings. These browsers allow users to block cookies, prevent fingerprinting, and control access to location data, helping to maintain anonymity while browsing the web.
Furthermore, Linux users can benefit from utilizing secure password managers and enabling two-factor authentication for added account security. By regularly updating system software and implementing strong password policies, users can further protect their privacy and data integrity on Linux.
In conclusion, Linux offers a robust platform for privacy protection through its security features, open-source ecosystem, and community-driven development. By leveraging encryption protocols, privacy-focused browsers, and best security practices, users can enhance their privacy and security posture while using Linux as their operating system.
Understanding VPN Usage on Linux
Virtual Private Networks (VPNs) play a crucial role in safeguarding online privacy and security, especially on Linux systems. Linux users benefit from a wide range of VPN options, offering various features and functionalities to suit different needs.
One primary use of VPNs on Linux is to encrypt internet traffic, ensuring that data transmitted over networks remains secure and inaccessible to unauthorized parties. This encryption is particularly essential when connecting to public Wi-Fi networks, where data interception is a significant concern.
Moreover, VPNs enable users to bypass geographical restrictions and access content that may be restricted in their region. By connecting to VPN servers located in different countries, Linux users can enjoy unrestricted access to websites, streaming services, and online platforms that might otherwise be unavailable to them.
Setting up and using VPNs on Linux typically involves installing VPN client software or configuring network settings manually. Many VPN providers offer dedicated Linux apps, simplifying the setup process and providing an intuitive interface for managing VPN connections.
OpenVPN is a popular choice for VPN protocols on Linux due to its open-source nature and robust security features. Additionally, IKEv2/IPsec and WireGuard are gaining popularity for their efficiency and performance benefits.
While VPNs offer numerous benefits, it's essential to choose a reputable VPN provider that prioritizes user privacy and does not log sensitive information. Additionally, users should regularly update their VPN software to patch any security vulnerabilities and ensure optimal performance.
In conclusion, VPNs are invaluable tools for enhancing privacy, security, and online freedom on Linux systems. By understanding how VPNs work and selecting the right solution, Linux users can enjoy a safer and more unrestricted online experience.
0 notes
necrotech-puppywitch · 2 months ago
It's fine. Just do it. Harden systemd and restrict namespace, also make sure apparmor is enforcing profiles, also configure nftables and add an application firewall as well to work in conjunction. Also enable pam. Also Auditd, also install paru it is better than yay. Also change from neofetch to fastfetch as neofetch is outdated. Also for security patches (the ones not immediately implemented in the mainline kernel) check here https://patchwork.archlinux.org/. Also bubblejail is good. Idk this is my two cents on arch for a newbie user.
And once you are comfortable, try out hyprland, trust me it shall be fine :333
chat was installing Arch as my second ever Linux distro a dumbass move? i really like it but now people have me panicking
67 notes · View notes
nksistemas · 1 year ago
Firewalld 2.1 Released with Network Security Improvements
Firewalld, the service daemon with a D-Bus interface, has released its latest minor version, 2.1, with improvements, and we are going to briefly review the changes it brings. For those not familiar with it, Firewalld acts as a dynamic front end for your system's packet filters (think nftables and iptables), which lets you adjust firewall rules on the fly, without the need…
0 notes
espi1100 · 2 years ago
I managed to solve my issues with the network as well now! no more dmesg spam and slow to start docker.
I was looking at the Armbian ISO and realized that one of the tips was that if you wanted to use Docker, you should change iptables from using the new nftables to the legacy iptables. I figured that might be the problem in my install, but it turns out the default iptables was already the legacy one. Just to try something I changed the default from legacy iptables to nftables by installing iptables-backend-nft, and everything just worked!
I really don't understand why Docker on Armbian required legacy while Docker on openSUSE requires nftables, but it works!
Custom OSs on the Orange Pi 5!
So the Orange Pi 5 only supports a handful of premade images for it, meaning that if you want to run another distro you are out of luck.
I really wanted to run openSUSE on the thing instead of Debian or Debian derivatives like every single image available for it.
At first I experimented with QEMU and actually got pretty good results. I popped in an NVMe SSD, gave it to the VM and got to work. Outside of losing about a GB of memory to the ARM gods (I actually have no idea why so much memory was lost, the host can only see 7.75GB and even though I handed 7424MB of memory to the guest, it only saw 7GB) everything worked perfectly.
I originally planned to also hand the network interface to the VM, but couldn't figure out how, so I just created a bridge and got the VM on my network. The host did get very high kernel CPU usage when there was lots of traffic, so that was a bit annoying.
CPU performance was spotless, I got virtually the same as the host, no complaints there.
Storage was blazing fast compared to the host, which just had a 10MB/s SD card.
Now, I wasn't about to have 1/8th of my memory stolen from me, so I started looking up how to boot from a custom image and quickly realized that it would be quite a bit of work as I would have to set up the bootloader and kernel. So instead I thought "what if I use the same bootloader and kernel as the default images and just load the openSUSE userspace?"
Turns out, it's pretty easy. I already had openSUSE physically on the NVMe drive, so all I had to do was point the bootloader to the SSD and it booted first try.
1. Find out the UUID of the root partition of the new OS (sudo blkid)
2. Put the new UUID in the bootloader config (/boot/armbianEnv.txt) and if necessary change the rootfstype
It was very buggy though, and a bunch of programs failed to start like Tailscale and Docker.
I took a look and it turned out I had to copy the kernel modules. So I grabbed the kernel modules from the Armbian install and put them on the new one (/lib/modules/5.10.160-rk35xx), then restarted.
And I was done! everything worked!
There are still some rough edges. Network performance is worse than the VM with the bridge (before I could get something like 800Mbps, now I can only get around 400Mbps). Docker does work, but it takes forever to launch and apparently has a ton of trouble setting up iptables or something, it leaves thousands of error messages on the kernel log, but once it manages to launch it works fine.
1 note · View note
sololinuxes · 6 years ago
Anti DDoS - Bash Script
Anti DDoS - Bash Script. One of the biggest headaches for sysadmins is DDoS attacks. No precaution is too much, and nothing is certain. It is practically impossible to stop a large-scale DDoS; even so, at a minimum you should try to protect yourself against smaller attacks. Today we present an excellent Anti-DDoS script created by Ismail Tasleden. Written in bash and open source, the script we look at today is different from others we have already covered on SoloLinux; as a general rule those executables scan the logs looking for errors in order to block the IPs that cause them. This project is different: what it does is enable the preventive rules that the Linux kernel provides, which usually come with overly permissive settings. It also applies anti-DDoS rules in iptables or nftables, and other necessary configurations as alternative defensive measures. This bash script is 100% compatible with all Linux systems. Remember that against a DDoS nothing is infallible, but at least we take preventive measures against lamers.
Create the script: nano anti-ddos.sh. Copy and paste the following.

#!/bin/sh
#########################################################
#                ANTI-DDOS BASH SCRIPT                  #
#########################################################

# For debugging use iptables -v.
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
MODPROBE="/sbin/modprobe"
RMMOD="/sbin/rmmod"
ARP="/usr/sbin/arp"

# Logging options.
#------------------------------------------------------------------------------
LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options"
LOG="$LOG --log-ip-options"

# Defaults for rate limiting
#------------------------------------------------------------------------------
RLIMIT="-m limit --limit 3/s --limit-burst 8"

# Unprivileged ports.
#------------------------------------------------------------------------------
PHIGH="1024:65535"
PSSH="1000:1023"

# Load required kernel modules
#------------------------------------------------------------------------------
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc

# Mitigate ARP spoofing/poisoning and similar attacks.
#------------------------------------------------------------------------------
# Hardcode static ARP cache entries here
# $ARP -s IP-ADDRESS MAC-ADDRESS

# Kernel configuration.
#------------------------------------------------------------------------------
# Disable IP forwarding.
# On => Off = (reset)
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/ip_forward

# Enable IP spoofing protection
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done

# Protect against SYN flood attacks
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Keep answering ICMP echo requests (0 = do not ignore); ping is rate-limited
# by the iptables rules further down instead of being switched off here.
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

# Ignore ICMP echo requests to broadcast
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Log packets with impossible addresses.
for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $i; done

# Don't log invalid responses to broadcast
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Don't accept or send ICMP redirects.
for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $i; done
for i in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $i; done

# Don't accept source routed packets.
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $i; done

# Disable multicast routing
for i in /proc/sys/net/ipv4/conf/*/mc_forwarding; do echo 0 > $i; done

# Disable proxy_arp.
for i in /proc/sys/net/ipv4/conf/*/proxy_arp; do echo 0 > $i; done

# Enable secure redirects, i.e. only accept ICMP redirects for gateways
# Helps against MITM attacks.
for i in /proc/sys/net/ipv4/conf/*/secure_redirects; do echo 1 > $i; done

# Disable bootp_relay
for i in /proc/sys/net/ipv4/conf/*/bootp_relay; do echo 0 > $i; done

# Default policies.
#------------------------------------------------------------------------------
# Drop everything by default.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

# Set the nat/mangle/raw tables' chains to ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

# Cleanup.
#------------------------------------------------------------------------------
# Delete all rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# Delete all user-defined chains
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# Zero all packets and counters.
$IPTABLES -Z
$IPTABLES -t nat -Z
$IPTABLES -t mangle -Z

# Completely disable IPv6.
#------------------------------------------------------------------------------
# Block all IPv6 traffic
# If the ip6tables command is available, try to block all IPv6 traffic.
if test -x $IP6TABLES; then
    # Set the default policies
    # drop everything
    $IP6TABLES -P INPUT DROP 2>/dev/null
    $IP6TABLES -P FORWARD DROP 2>/dev/null
    $IP6TABLES -P OUTPUT DROP 2>/dev/null

    # The mangle table can pass everything
    $IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null
    $IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null
    $IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null
    $IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null
    $IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null

    # Delete all rules.
    $IP6TABLES -F 2>/dev/null
    $IP6TABLES -t mangle -F 2>/dev/null

    # Delete all chains.
    $IP6TABLES -X 2>/dev/null
    $IP6TABLES -t mangle -X 2>/dev/null

    # Zero all packets and counters.
    $IP6TABLES -Z 2>/dev/null
    $IP6TABLES -t mangle -Z 2>/dev/null
fi

# Custom user-defined chains.
#------------------------------------------------------------------------------
# LOG packets, then ACCEPT.
$IPTABLES -N ACCEPTLOG
$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT "
$IPTABLES -A ACCEPTLOG -j ACCEPT

# LOG packets, then DROP.
$IPTABLES -N DROPLOG
$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP "
$IPTABLES -A DROPLOG -j DROP

# LOG packets, then REJECT.
# TCP packets are rejected with a TCP reset.
$IPTABLES -N REJECTLOG
$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT "
$IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A REJECTLOG -j REJECT

# Only allows RELATED ICMP types
# (destination-unreachable, time-exceeded, and parameter-problem).
# TODO: Rate-limit this traffic?
# TODO: Allow fragmentation-needed?
# TODO: Test.
$IPTABLES -N RELATED_ICMP
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A RELATED_ICMP -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A RELATED_ICMP -j DROPLOG

# Make It Even Harder To Multi-PING
# Note: the unconditional "-p icmp -j DROP" appended here sits before the
# ICMP rules of the next section in the INPUT chain, so those INPUT rules are
# never reached; only their OUTPUT and FORWARD counterparts take effect.
$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j LOG --log-prefix PING-DROP:
$IPTABLES -A INPUT -p icmp -j DROP
$IPTABLES -A OUTPUT -p icmp -j ACCEPT

# Only allow the minimally required/recommended parts of ICMP. Block the rest.
#------------------------------------------------------------------------------
# TODO: This section needs a lot of testing!

# First, drop all fragmented ICMP packets (almost always malicious).
$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A OUTPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A FORWARD -p icmp --fragment -j DROPLOG

# Allow all ESTABLISHED ICMP traffic.
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state ESTABLISHED -j ACCEPT $RLIMIT

# Allow some parts of the RELATED ICMP traffic, block the rest.
$IPTABLES -A INPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT
$IPTABLES -A OUTPUT -p icmp -m state --state RELATED -j RELATED_ICMP $RLIMIT

# Allow incoming ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

# Allow outgoing ICMP echo requests (ping), but only rate-limited.
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT $RLIMIT

# Drop any other ICMP traffic.
$IPTABLES -A INPUT -p icmp -j DROPLOG
$IPTABLES -A OUTPUT -p icmp -j DROPLOG
$IPTABLES -A FORWARD -p icmp -j DROPLOG

# Selectively allow certain special types of traffic.
#------------------------------------------------------------------------------
# Allow loopback interface to do anything.
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# Allow incoming connections related to existing allowed connections.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections EXCEPT invalid
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Miscellaneous.
#------------------------------------------------------------------------------
# We don't care about Milkosoft, Drop SMB/CIFS/etc..
$IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP
$IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP

# Explicitly drop invalid incoming traffic
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# Drop invalid outgoing traffic, too.
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

# If we would use NAT, INVALID packets would pass - BLOCK them anyways
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# PORT Scanners (stealth also)
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP

# TODO: Some more anti-spoofing rules? For example:
# $IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# $IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

$IPTABLES -N SYN_FLOOD
$IPTABLES -A INPUT -p tcp --syn -j SYN_FLOOD
$IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN
$IPTABLES -A SYN_FLOOD -j DROP

# TODO: Block known-bad IPs (see http://www.dshield.org/top10.php).
# $IPTABLES -A INPUT -s INSERT-BAD-IP-HERE -j DROPLOG

# Drop any traffic from IANA-reserved IPs.
#------------------------------------------------------------------------------
# Note: this list reflects the unallocated space of the time the script was
# written; many of these /8s have since been assigned to regional registries
# and carry normal traffic. Compare against the current IANA IPv4 registry
# before using it, or you will drop legitimate clients.
$IPTABLES -A INPUT -s 0.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 2.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 5.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 7.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 23.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 27.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 31.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 36.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 39.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 42.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 49.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 50.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 77.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 78.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 92.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 96.0.0.0/4 -j DROP
$IPTABLES -A INPUT -s 112.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 120.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -s 173.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 174.0.0.0/7 -j DROP
$IPTABLES -A INPUT -s 176.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 184.0.0.0/6 -j DROP
$IPTABLES -A INPUT -s 192.0.2.0/24 -j DROP
$IPTABLES -A INPUT -s 197.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 198.18.0.0/15 -j DROP
$IPTABLES -A INPUT -s 223.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 224.0.0.0/3 -j DROP

# Selectively allow certain outbound connections, block the rest.
#------------------------------------------------------------------------------
# Allow outgoing DNS requests. Few things will work without this.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# Allow outgoing HTTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT

# Allow outgoing HTTPS requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# Allow outgoing SMTPS requests. Do NOT allow unencrypted SMTP!
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 465 -j ACCEPT

# Allow outgoing "submission" (RFC 2476) requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 587 -j ACCEPT

# Allow outgoing POP3S requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT

# Allow outgoing SSH requests.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT

# Allow outgoing FTP requests. Unencrypted, use with care.
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

# Allow outgoing NNTP requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT

# Allow outgoing NTP requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 123 -j ACCEPT

# Allow outgoing IRC requests. Unencrypted, use with care.
# Note: This usually needs the ip_conntrack_irc kernel module.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 6667 -j ACCEPT

# Allow outgoing requests to various proxies. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8090 -j ACCEPT

# Allow outgoing DHCP requests. Unencrypted, use with care.
# TODO: This is completely untested, I have no idea whether it works!
# TODO: I think this can be tightened a bit more.
$IPTABLES -A OUTPUT -m state --state NEW -p udp --sport 67:68 --dport 67:68 -j ACCEPT

# Allow outgoing CVS requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 2401 -j ACCEPT

# Allow outgoing MySQL requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT

# Allow outgoing SVN requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 3690 -j ACCEPT

# Allow outgoing PLESK requests. Unencrypted, use with care.
# $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 8443 -j ACCEPT # Allow outgoing Tor (http://tor.eff.org) requests. # Note: Do _not_ use unencrypted protocols over Tor (sniffing is possible)! # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9001 -j ACCEPT # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9002 -j ACCEPT # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9030 -j ACCEPT # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9031 -j ACCEPT # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9090 -j ACCEPT # $IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 9091 -j ACCEPT # Allow outgoing OpenVPN requests. $IPTABLES -A OUTPUT -m state --state NEW -p udp --dport 1194 -j ACCEPT # TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc... # Selectively allow certain inbound connections, block the rest. #------------------------------------------------------------------------------ # Allow incoming DNS requests. $IPTABLES -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT # Allow incoming HTTP requests. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT # Allow incoming HTTPS requests. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT # Allow incoming POP3 requests. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT # Allow incoming IMAP4 requests. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT # Allow incoming POP3S requests. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 995 -j ACCEPT # Allow incoming SMTP requests. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT # Allow incoming SSH requests. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT # Allow incoming FTP requests. $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT # Allow incoming NNTP requests. 
# $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 119 -j ACCEPT # Allow incoming MySQL requests. # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 3306 -j ACCEPT # Allow incoming PLESK requests. # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 8843 -j ACCEPT # Allow incoming BitTorrent requests. # TODO: Are these already handled by ACCEPTing established/related traffic? # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 6881 -j ACCEPT # $IPTABLES -A INPUT -m state --state NEW -p udp --dport 6881 -j ACCEPT # Allow incoming nc requests. # $IPTABLES -A INPUT -m state --state NEW -p tcp --dport 2030 -j ACCEPT # $IPTABLES -A INPUT -m state --state NEW -p udp --dport 2030 -j ACCEPT # Explicitly log and reject everything else. #------------------------------------------------------------------------------ # Use REJECT instead of REJECTLOG if you don't need/want logging. $IPTABLES -A INPUT -j REJECTLOG $IPTABLES -A OUTPUT -j REJECTLOG $IPTABLES -A FORWARD -j REJECTLOG #------------------------------------------------------------------------------ # Testing the firewall. #------------------------------------------------------------------------------ # You should check/test that the firewall really works, using # iptables -vnL, nmap, ping, telnet, ... # Appending rules : Let’s add some more IPv6 rules to our firewall. sudo ip6tables -A INPUT -p tcp --dport ssh -s HOST_IPV6_IP -j ACCEPT sudo ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT sudo ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT sudo ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT # To see the IPv6 rules with line numbers, type the following command: sudo ip6tables -L -n --line-numbers # Deleting rules sudo ip6tables -D INPUT -p tcp --dport 21 -j ACCEPT # Exit gracefully. #------------------------------------------------------------------------------ exit 0 Puedes modificar las reglas que sean necesarias, una vez editado, guarda el archivo y cierra el editor. 
This script is intended for servers and VPSs, so to create it you must be root or a user with the necessary permissions. In this case there is no need to grant permissions to the script, since we already have them; just run the script...
bash anti-ddos.sh
Telegram channels: Canal SoloLinux – Canal SoloWordpress
I hope this article is useful to you. You can help us keep the server running with a donation (PayPal), or also contribute with the simple gesture of sharing our articles on your website, blog, forum or social networks.
0 notes
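Several rules in the script above are ordered so that an earlier catch-all terminates the chain before the more specific rules are reached (the unconditional ICMP DROP in INPUT, the NEW,ESTABLISHED,RELATED ACCEPT in OUTPUT). The following Python script is an added example, not part of the SoloLinux script or of any tool it uses: it parses `$IPTABLES -A` lines and reports rules made unreachable by an earlier terminating rule in the same chain. `SCRIPT_EXCERPT` is a constructed excerpt of rules from the script, and the check is deliberately conservative (exact value equality except for `--state`, no CIDR containment, rate-limited rules never count as covering).

```python
import shlex
# Terminating targets; DROPLOG/REJECTLOG are the script's own chains ending in DROP/REJECT.
TERMINAL = {"ACCEPT", "DROP", "REJECT", "DROPLOG", "REJECTLOG"}

def parse_rule(line):
    """Parse a `$IPTABLES -A CHAIN ...` line into (chain, matches, target)."""
    toks, chain, target, matches, i = shlex.split(line), None, None, {}, 1
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            chain, i = toks[i + 1], i + 2
        elif t == "-j":
            target, i = toks[i + 1], i + 2
        elif t == "-m":
            i += 2  # module name is implied by the options that follow it
        elif t == "--tcp-flags":  # two arguments: mask, then flags to compare
            matches[t], i = toks[i + 1] + " " + toks[i + 2], i + 3
        elif t.startswith("-"):  # bare flags like --syn/--fragment map to True
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            matches[t], i = (toks[i + 1], i + 2) if has_val else (True, i + 1)
        else:
            i += 1  # e.g. a trailing $RLIMIT variable, ignored here
    return chain, matches, target

def covers(a, b):
    """True if every packet matching rule b also matches rule a (conservative)."""
    if "--limit" in a[1]:  # rate limits are stateful: never a superset match
        return False
    for opt, val in a[1].items():
        if opt not in b[1]:
            return False
        if opt == "--state":  # set comparison: NEW,ESTABLISHED covers NEW
            if not set(val.split(",")) >= set(b[1][opt].split(",")):
                return False
        elif b[1][opt] != val:  # other values must be identical (no CIDR containment)
            return False
    return True

def find_shadowed(script):
    """(earlier, later) index pairs: the earlier terminating rule in the same chain
    already matches everything the later rule would, so the later one is unreachable."""
    rules = [parse_rule(l) for l in script.splitlines() if l.startswith("$IPTABLES -A")]
    return [(i, j) for j, b in enumerate(rules) for i in range(j)
            if rules[i][0] == b[0] and rules[i][2] in TERMINAL and covers(rules[i], b)]

# Constructed excerpt of the page's script, rules copied in their original order.
SCRIPT_EXCERPT = """$IPTABLES -A INPUT -p icmp -m limit --limit 1/s --limit-burst 2 -j ACCEPT
$IPTABLES -A INPUT -p icmp -j DROP
$IPTABLES -A INPUT -p icmp --fragment -j DROPLOG
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT"""
```

Running `find_shadowed(SCRIPT_EXCERPT)` on the excerpt reports the fragment DROPLOG rule as shadowed by the unconditional ICMP DROP and the HTTP OUTPUT rule as shadowed by the catch-all OUTPUT ACCEPT, while the SSH INPUT rule is reachable.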
ctrl-salt-delete · 3 years ago
Text
bad news: just realized i've forgotten everything i knew about nftables syntax
good news: didn't know that much to begin with
1 note · View note
hackgit · 3 years ago
Text
Firezone WireGuard-based #VPN server and #firewall. A self-managed WireGuard-based VPN server and Linux firewall designed for simplicity and security. Features:
1. Fast: Uses WireGuard to be 3-4 times faster than OpenVPN.
2. No dependencies: All dependencies are bundled thanks to Chef Omnibus.
3. Simple: Takes minutes to set up. Manage via a simple CLI.
4. Secure: Runs unprivileged. HTTPS enforced. Encrypted cookies.
5. Firewall included: Uses Linux nftables to block unwanted egress traffic.
https://github.com/firezone/firezone
2 notes · View notes
plebcoder · 4 years ago
Text
PLAN 2021
# COMPILERS
- Learn about C compiler
-- Makefile
-- Makefiles
- Compiling from source 
# VIRTUALIZATION 
- Libvirtd (linux vms) 
- Docker (containers)
# AAA Authentication 
- LDAP or alternative
# PROGRAMMING LANGUAGES
- Python (wtb django)
- PHP (Most dinosaur code bases use this fucking language so why not)
# DISTROS
- CENTOS: Should I continue with CentOS now that the rolling release model is rolling out?
- FEDORA
# NETWORKING
- DHCP
- PROXIES
- VPNs
- NFTables (firewall) 
- IPV4 subnetting
- IPV4 vlans 
- IPV6 
- Routing 
- wlan configurations 
# DEVOPS
- configuration management 
- Compilation, see #compilers 
- #networking 
- #virtualization
- git ( https://git.wiki.kernel.org/index.php/Main_Page )
idk, most of devops feels like a meme to automate things that are done manually, like compiling from source can basically be done with jenkins or whatever. Ansible is just an ssh wrapper (lmao?).
# BACKUPS
- database management 
- files
- nfs
- raid (https://raid.wiki.kernel.org/index.php/HowTo)
Programming Languages
- Python 
2 notes · View notes
nixcraft · 6 years ago
Link
In CentOS 8, nftables replaces iptables as the default Linux network packet filtering framework. This page shows how to set up a firewall for your CentOS 8 system and manage it with the help of the firewall-cmd (firewalld frontend) admin tool to secure your server.
3 notes · View notes
yvfu · 2 years ago
Text
can someone help me with nftables?
1 note · View note