iptables


iptables has been around for a while, and it has matured to the point where it’s just plain silly to spend fortunes on proprietary Firewall software (and bear in mind that I used to sell CheckPoint solutions – I still have a certification on those somewhere…)

Although I still find ipfw a bit cleaner for some purposes, there’s no denying that you can do just about anything you want to IP packets with iptables, and I’ve gotten used to relying on it.

Resources:

Date        Link                                                                  Notes
2012
  Aug 3     Silent Bob                                                            A revival of one of my favorite curses-based front-ends.
2008
  Jan 16    Traffic accounting scripts
            FireHOL
            countertrace                                                          a way to simulate network latency via iptables
            How to simulate a slow network using tc queueing disciplines and iproute2
            ebtables                                                              for those instances where you really want to get down and dirty at the link level

Notes:

Outbound traffic redirection to localhost proxy, copied from Colin Charles’ post:

# PREROUTING sees connections arriving from other hosts; OUTPUT sees connections originated on this host
iptables -t nat -A PREROUTING -p tcp -d my.pop.server --dport 110 -j DNAT --to-destination 127.0.0.1:1235
iptables -t nat -A OUTPUT -p tcp -d my.pop.server --dport 110 -j DNAT --to-destination 127.0.0.1:1235

Inbound traffic filtering and redirection to another localhost port (in /etc/sysconfig/iptables format for RedHat systems):

*nat
:PREROUTING ACCEPT [754:47332]
:POSTROUTING ACCEPT [306:20928]
:OUTPUT ACCEPT [306:20928]
# HOWTO ban a specific nuisance
# -A PREROUTING -s FOE_IP_ADDRESS -j DROP
# remap port access from a single IP address
-A PREROUTING -s FRIEND_IP_ADDRESS -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080 
COMMIT
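As an added example (not from the original page or Colin Charles' post), a small Python parser for the iptables-save layout used by /etc/sysconfig/iptables, with an audit helper that lists every REDIRECT/DNAT rule in the nat table and flags DNATs that hand traffic to a host other than loopback. The sample rules and addresses are constructed (documentation ranges), not taken from a live system.

```python
import re
import shlex

# Constructed sample in iptables-save layout (as in /etc/sysconfig/iptables); addresses are documentation ranges.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [754:47332]
:OUTPUT ACCEPT [306:20928]
# remap port access from a single IP address
-A PREROUTING -s 192.0.2.10 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -d 198.51.100.7 --dport 110 -j DNAT --to-destination 127.0.0.1:1235
-A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 203.0.113.5:443
COMMIT
"""
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")

def parse_save(text):
    """Parse iptables-save text into {table: {"chains": {...}, "rules": [...]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        if line.startswith("*"):          # '*nat' opens a table block
            table = line[1:]
            tables[table] = {"chains": {}, "rules": []}
        elif line.startswith(":"):        # ':CHAIN POLICY [pkts:bytes]'
            name, policy, pkts, nbytes = CHAIN_RE.match(line).groups()
            tables[table]["chains"][name] = (policy, int(pkts), int(nbytes))
        elif line.startswith("-A "):      # '-A CHAIN <matches> -j TARGET <opts>'
            argv = shlex.split(line)
            rule = {"table": table, "chain": argv[1]}
            # An option's value is the next token, unless that token is itself an option (bare flag).
            for tok, nxt in zip(argv[2:], argv[3:] + ["-"]):
                if tok.startswith("-"):
                    rule[tok.lstrip("-")] = True if nxt.startswith("-") else nxt
            tables[table]["rules"].append(rule)
    return tables

def nat_redirections(tables):
    """List (chain, target, destination, off_box) for every REDIRECT/DNAT rule;
    off_box marks a DNAT that hands traffic to a host other than loopback."""
    out = []
    for rule in tables.get("nat", {}).get("rules", []):
        target = rule.get("j")
        if target == "REDIRECT":          # REDIRECT always stays on this host
            out.append((rule["chain"], target, "local:" + rule["to-ports"], False))
        elif target == "DNAT":
            dest = rule["to-destination"]
            out.append((rule["chain"], target, dest, not dest.startswith("127.")))
    return out
```

Feed it the output of `iptables-save` (or the sysconfig file itself) to get a quick inventory of where NAT is sending traffic before a rule change is committed.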