In this video, I go over how to set up a firewall on Linux using iptables, the netfilter front end that ships with most Linux distributions. The SSH tarpit is something many people miss.
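An added worked example, not the script from the video or from the author's repository: a complete host ruleset in iptables-restore format (one atomic load instead of a long sequence of -A calls) that puts together the pieces this thread keeps coming back to. The SSH limiter is the recent match, which keeps a per-source-address list (--rsource is its default); that is why one attacker hammering the port does not lock out other addresses, and why a trusted admin network gets its own rule ahead of the limiter. Rate limiting is what most "SSH tarpit" iptables scripts actually do; the real TARPIT target, which holds the TCP connection open with a zero window, comes from xtables-addons and is not part of stock iptables. The rules use -m conntrack --ctstate rather than -m state --state, which is only the older alias for the same match. Established and related traffic is matched before any port rule, loopback is exempted from connection tracking in the raw table, and the INPUT chain ends in an explicit logged drop because a DROP policy only covers packets that no rule matched and gives you neither a log line nor a counter. The admin network 192.168.1.0/24, port 22 and the limit of 4 new connections per 60 seconds are placeholders.

```sh
#!/bin/sh
# Added example (not the script from the video or the ChrisTitusTech repo):
# emit a host firewall ruleset in iptables-restore format and load it
# atomically. Placeholders: SSH on 22, admin network 192.168.1.0/24,
# 4 new SSH connections per source per 60 s. IPv4 only; a dual-stack host
# needs the same through ip6tables-restore (icmpv6 instead of icmp).

ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # hosts allowed to SSH without the limiter
SSH_PORT="${SSH_PORT:-22}"
SSH_HITS="${SSH_HITS:-4}"                  # NEW SSH connections per source per window
SSH_WINDOW="${SSH_WINDOW:-60}"             # window in seconds

gen_rules() {
cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is never routed, so do not spend conntrack entries on it
-A PREROUTING -i lo -j CT --notrack
-A OUTPUT -o lo -j CT --notrack
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# cheapest and most frequent matches first: loopback, then existing flows
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# answer pings but not floods; anything over the limit falls through to LOGDROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
# the trusted network skips the limiter, so an attacker cannot lock the admin out
-A INPUT -p tcp --dport $SSH_PORT -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
# everyone else: record each NEW SSH connection per source address (--rsource)
# and drop the source once it exceeds SSH_HITS within SSH_WINDOW seconds.
# --update refreshes the timestamp, so a client that keeps hammering stays blocked.
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name SSH --rsource --set
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name SSH --rsource --update --seconds $SSH_WINDOW --hitcount $SSH_HITS -j LOGDROP
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# explicit final drop: the DROP policy only covers what no rule matched and is
# neither logged nor countable, so log (rate-limited) and drop everything left
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "iptables-drop: " --log-level warning
-A LOGDROP -j DROP
COMMIT
EOF
}

# sanity check before loading: the conntrack shortcut must precede every
# port-specific rule, otherwise every packet of an established flow walks
# the whole chain
check_order() {
    gen_rules | awk '
        /^-A INPUT .*ESTABLISHED/ { est = NR }
        /^-A INPUT .*--dport/ && (!est || NR < est) { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

apply_rules() {
    check_order || { echo "rule order check failed, not loading" >&2; return 1; }
    # iptables-restore swaps the listed tables in one step. On a remote box
    # prefer iptables-apply (Debian/Ubuntu), which rolls back unless you confirm:
    #   gen_rules > /etc/iptables/rules.v4 && iptables-apply /etc/iptables/rules.v4
    gen_rules | iptables-restore
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     gen_rules ;;   # print only; nothing is loaded
esac
```

Run it with no argument to print the ruleset and read it through; run it with "apply" as root to load it. On Debian 10 and newer and on recent Ubuntu the iptables binary is the iptables-nft wrapper, so this same ruleset ends up in the nftables backend without any change to the syntax. It says nothing about IPv6: without a matching ip6tables ruleset the host stays open on every v6 address it has.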


Source: https://codeigniterbrasil.com


43 Comments

Frank

April 15, 2020

thanks for sharing…


My Bean

April 15, 2020

This is much better than UFW because you can customize by building small programs and then add a crontab to it just for fun (you don't really need to do that). I remember a few years ago I got so obsessed with iptables that my Apache server was overwhelmed by all the scripts I created for it. It was a fun sandbox experience though.


Albert Salgiriev

April 15, 2020

With all the rules applied, could we make some ping which works before and doesn't after?
8:25: to make them executable we run chmod. How can a text file become an executable? Wiki says about chmod: it is the command and system call which is used to change the access permissions.


Emmrich

April 15, 2020

marry me (meant in a non-creepy way)


wojtekja het

April 15, 2020

That's why it is better to set up ssh on some high random port and add an IP filter to allow only from a trusted location. Cheers


jhon watson

April 15, 2020

Is it time to switch to nftables?


Dan Henry

April 15, 2020

If you came here for SSH Tarpit : 6:00


Dzintars Klavins

April 15, 2020

I would like to see nftables


_R_

April 15, 2020

In Arch, does anyone know how to install the module that lets you run limit? Example: # iptables -A logdrop -m limit --limit 5/m --limit-burst 10 -j LOG - Chris, good stuff, I enjoy watching your videos.


Giovanni Kraushaar

April 15, 2020

This is gold!


Namfrey Fullson

April 15, 2020

I also prefer iptables over anything like ufw. Too bad there's no GUI for iptables and no easy monitoring tool to see which app is connected and what not. Coming from Windows, where I can easily do it with Comodo Firewall, I cannot live without knowing which application is doing what on my network under Linux and easily blocking it (on a per-app basis) if I want to.

btw. ufw 0.36-0ubuntu0.18.04.1 has a serious "game breaking" bug. On my fresh install of Peppermint-10-20190514 x64 (5.0.0-36-generic) I set up samba, ran "sudo ufw allow samba" and I still cannot access any shares. I cannot even browse shares on other computers unless I disable ufw.


Eugenio Smith

April 15, 2020

Is it good for desktop too?


S B

April 15, 2020

Cool video.


Tyrell McCurbin

April 15, 2020

Thank you for sharing. Security is so important but, unfortunately, it's often overlooked.


Carlos Sanchez

April 15, 2020

how can I disable libvirt's firewall rules that set up on boot?


Krafting

April 15, 2020

Noob question: how do I enable ssh (port 22) only on our local network, and not to the outside world? 🙂


Alloy

April 15, 2020

Very informative, thanks.


Chris O'Neill

April 15, 2020

It looks great, except that it doesn't work in a stock U19.04, as the whole iptables service infrastructure isn't there, so you can't start it, etc., or do anything else with it. Even loading it and trying fails for a plethora of other reasons. From that point on, nothing here works, so it fails the 30 second test. A shame, it would have been good.


TheFrantic5

April 15, 2020

Using a script instead of a program feels like six of one side, and half-a-dozen on the other.


stronzo5000

April 15, 2020

Is it advisable to use -m conntrack and --ctstate rather than -m state and --state?


neddy laddy

April 15, 2020

Well, you proved that it is not easy.


lemn8

April 15, 2020

Use: "iptables-apply" to avoid locking yourself out…


first last

April 15, 2020

Is this only for people running servers? Like, even running a mild game server with you as host, would this apply/be necessary? Is there any drawback/why isn't this enabled by default?


s s

April 15, 2020

Rate-limit SSH: you said you thought it might be a problem for you to log in if someone is spamming the server, but it turned out not to be a problem. Care to explain why it's not a problem?


s s

April 15, 2020

seems like Chris thinks UFW stands for Universal FireWall


Robidu1973

April 15, 2020

To keep reaction times of netfilter short, I usually put rules for reply packets as well as established or related connections quite early in the chains and only later on add rules to accept new incoming connections.
While it usually doesn't hurt much if a client has to wait a bit for netfilter to process the initial SYN packet, once the connection has been established, processing runs significantly quicker. Plus you'd also want to add rules to both the PREROUTING and the OUTPUT chains of the raw table that exempt traffic to the loopback device from being conntracked, thereby reducing the overhead. Since localhost traffic (127.0.0.1 or ::1, depending on which variant of IP you are using) isn't routed, there's no need to keep track of the packets.


Uumas8

April 15, 2020

Note that debian uses nftables instead of iptables now: https://wiki.debian.org/iptables


Mr. Tech Guy

April 15, 2020

Doesn't this Firewall have GUI?… 😓


Dingo Kidneys

April 15, 2020

Nice simple little intro to iptables.
I only ever use public/private key access to my ssh server from the internet – password disabled – and I don't have a firewall other than the NAT setup on my router. I then set up a new key for each device I need to connect from; my phone, my laptop, my work machine via PuTTY. That way, if I need to kill access from one device, I just delete the public key from authorized_keys.
I only leave the one port publicly accessible on my router, which is 443 to make getting out of my work network simple, then that is mapped over to 22 on the ssh box.
I keep getting hammered by all and sundry but because it's a PKI only ssh on a non-standard port no-one has ever got past the first step and it's really easy for me to get in from out in the wild.

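The key-only, one-key-per-device SSH setup described in the comment above, as an added example that is not part of the original post: a small POSIX shell audit of the sshd settings that setup depends on (password and keyboard-interactive logins off, root login off), the drop-in file that enforces them, and the revocation step of deleting one device's line from authorized_keys. It assumes OpenSSH 8.2 or later as packaged on Ubuntu 20.04 / Debian 11 and newer, where the stock sshd_config includes /etc/ssh/sshd_config.d/*.conf, and that each authorized_keys entry carries the device name as its comment field; the drop-in path, device labels and the configs used in the test are constructed placeholders. sshd honours the first occurrence of a directive, so the audit reads a file in order and stops at the first match, and the drop-in goes into sshd_config.d (included near the top of the stock file) rather than being appended to the end.

```sh
#!/bin/sh
# Added example (not from the commenter or the video): audit and enforce the
# sshd settings a key-only setup relies on, and revoke one device's key.
# Placeholders: the drop-in path, the device labels and the test configs.

# directive=value pairs that must be set explicitly, so the audit does not
# depend on compiled-in defaults that differ between OpenSSH builds
WANT="PasswordAuthentication=no
KbdInteractiveAuthentication=no
ChallengeResponseAuthentication=no
PubkeyAuthentication=yes
PermitRootLogin=no
PermitEmptyPasswords=no
MaxAuthTries=3"

# effective value of one directive in one file: sshd honours the FIRST
# occurrence, so read in file order and stop at the first hit (empty = not set).
# Directive names are case-insensitive, which also makes 'sshd -T' output usable.
sshd_value() {   # sshd_value <config-file> <directive>
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# print "Directive: current -> wanted" for every deviation; status 1 if any
audit_sshd() {   # audit_sshd <config-file>
    bad=0
    for pair in $WANT; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sshd_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$have" != "$want" ]; then
            echo "$key: ${have:-<not set>} -> $want"
            bad=1
        fi
    done
    return $bad
}

# write the enforcing drop-in; validate the merged config with 'sshd -t'
# before reloading, and keep your current session open while you test
write_dropin() {   # write_dropin </etc/ssh/sshd_config.d/50-keyonly.conf>
    printf '%s\n' $WANT | sed 's/=/ /' > "$1"
}

# authorized_keys lines are "[options] keytype base64 comment"; with one key
# per device and the device label as the (single-word) comment, revoking a
# device is deleting the one line whose last field is that label
revoke_device() {   # revoke_device <authorized_keys> <device-label>
    tmp="$1.tmp.$$"
    awk -v dev="$2" '$NF != dev' "$1" > "$tmp" && mv "$tmp" "$1"
}
```

To check what sshd actually runs with after all includes are merged, dump the effective configuration with sshd -T to a file and run audit_sshd on that file; auditing /etc/ssh/sshd_config alone misses drop-ins that override it. The 443-to-22 mapping in the comment lives on the router, so nothing here touches the Port directive.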

Roguishly Handsome

April 15, 2020

I am familiar with iptables, but I generally use ufw, which is ready to use on ubuntu distros such as Mint. One question: why do you need this line:
/sbin/iptables -A INPUT -j DROP
if the default policies are set to DROP?


J.L. Castaneda

April 15, 2020

Stopping by just to say thank you for this fantastic script. I just used it on a web server with a couple of modifications. Saved me a ton of work and time.


RegeditX

April 15, 2020

Is there firewall software like netlimiter4? I'm so tired of doing everything in the console.


BeginnerLockPickingDiaries

April 15, 2020

Excellent tutorial… Thanks!

I'll be saving this video to my important playlist to implement on my Linux desktop later.


John Kunai

April 15, 2020

Hi, I was wondering if you could look into and do a video about an operating system called Qubes OS and whether or not it is a good operating system to look at and consider using? That would be awesome if you could. Have a good one!


Jurgen Blick

April 15, 2020

Thank you


mini fang

April 15, 2020

I use fail2ban rather than rate limiting. fail2ban watches the log files and bans (via iptables) an IP if 3 (configurable) failed logins occur in a (configurable) period of time. It also watches other things than ssh, such as ftp, apache (nginx etc.), and more.


Karman

April 15, 2020

very useful! thanks


Dave McKewan

April 15, 2020

Going to add this to my LM 19.2 box, as well as the hosts file entries I have and the pfSense FW it all sits behind…


M. Angel Esteban

April 15, 2020

I used to manage my iptables rules with a nice program named fwbuilder (which actually is discontinued, but still works): http://fwbuilder.sourceforge.net/


Niels van Aert

April 15, 2020

I'd suggest adding rsource to the rate limiting rules.


P.J

April 15, 2020

Good video!
It's worth noting that iptables is a frontend for netfilter, which is built into the Linux kernel. An alternative to iptables that is also a frontend for netfilter is firewalld, which is a little more advanced and lets you keep your connection up while you make changes, which may be very important for continuous connectivity of services.


John

April 15, 2020

awww… no link to the GitHub in the description for us lazy folks? lol
Keep up the great work Chris 🙂
oh, and if you want the link:
https://github.com/ChrisTitusTech/firewallsetup


Nightmare Nova

April 15, 2020

Next vid, how to change and secure SSH Port😍

