iptables has been around for a while, and it has matured to the point where it’s just plain silly to spend fortunes on proprietary Firewall software (and bear in mind that I used to sell CheckPoint solutions – I still have a certification on those somewhere…)
Although I still find ipfw a bit cleaner for some purposes, there’s no denying that you can do just about anything you want to IP packets with iptables, and I’ve gotten used to relying on it.
Resources:
Date | Link | Notes
---|---|---
2012 | |
Aug 3 | Silent Bob | A revival of one of my favorite curses-based front-ends.
2008 | |
Jan 16 | Traffic accounting scripts |
| FireHOL |
| countertrace | A way to simulate network latency via iptables.
| How to simulate a slow network | Using tc queueing disciplines and iproute2.
| ebtables | For those instances where you really want to get down and dirty at the link level.
Notes:
Outbound traffic redirection to a localhost proxy, copied from Colin Charles' post:

```shell
# Connections to the POP3 server are rewritten to a proxy listening on 127.0.0.1:1235.
# OUTPUT handles connections originating on this host;
# PREROUTING handles packets forwarded through it (from other machines).
iptables -t nat -A PREROUTING -p tcp -d my.pop.server --dport 110 -j DNAT --to-destination 127.0.0.1:1235
iptables -t nat -A OUTPUT     -p tcp -d my.pop.server --dport 110 -j DNAT --to-destination 127.0.0.1:1235
```

Note that the OUTPUT rule is the one that matters for clients running on the box itself. The PREROUTING rule only sees packets arriving from the network, and DNATing those to 127.0.0.1 works only on Linux 3.6 or later with net.ipv4.conf.<iface>.route_localnet set to 1; earlier kernels treat a 127/8 destination arriving on a non-loopback interface as a martian and drop it.
Inbound traffic filtering and redirection to another localhost port (in /etc/sysconfig/iptables format for RedHat systems):

```shell
*nat
:PREROUTING ACCEPT [754:47332]
:POSTROUTING ACCEPT [306:20928]
:OUTPUT ACCEPT [306:20928]
# HOWTO ban a specific nuisance
# -A PREROUTING -s FOE_IP_ADDRESS -j DROP
# remap port access from a single IP address
-A PREROUTING -s FRIEND_IP_ADDRESS -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
```

Two caveats: the nat table is consulted only for the first packet of each new connection, so the commented-out DROP "works" only because it kills the opening packet; a ban belongs in the filter table (INPUT or FORWARD), which sees every packet. And REDIRECT in PREROUTING only affects traffic arriving from the network, so a client on the box itself connecting to port 80 still needs a matching rule in the nat OUTPUT chain.
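The two notes above share the same failure modes: filtering done in the nat table, and DNAT to loopback from PREROUTING without route_localnet. The following audit script is an added example, not code from the original page or from Colin Charles' post; it parses an iptables-save style dump (the same format as /etc/sysconfig/iptables) and flags both patterns. The sample dump, the addresses in it, and the function names are constructed for illustration.

```python
"""Audit an iptables-save / /etc/sysconfig/iptables dump for two common
nat-table mistakes (added example; helper names are hypothetical).

  filter-in-nat         : DROP/REJECT in the nat table, which only sees the
                          first packet of a connection; bans belong in filter.
  dnat-to-loopback      : DNAT to 127.0.0.0/8 in PREROUTING, which needs
                          net.ipv4.conf.<iface>.route_localnet=1 (Linux >= 3.6)
                          to work for packets arriving from the network.
"""
import shlex

# Constructed sample dump: the page's two snippets merged, placeholders
# replaced with documentation addresses (RFC 5737).
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [754:47332]
:POSTROUTING ACCEPT [306:20928]
:OUTPUT ACCEPT [306:20928]
-A PREROUTING -s 203.0.113.7 -j DROP
-A PREROUTING -s 198.51.100.9 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -d 192.0.2.10 --dport 110 -j DNAT --to-destination 127.0.0.1:1235
-A OUTPUT -p tcp -d 192.0.2.10 --dport 110 -j DNAT --to-destination 127.0.0.1:1235
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.7 -j DROP
COMMIT
"""


def parse_dump(text):
    """Return a list of (table, chain, argv) for every -A rule in the dump.

    Lines starting with '*' open a table, 'COMMIT' closes it, ':' lines are
    chain policies/counters and '#' lines are comments; all are skipped.
    """
    table = None
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(":"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A ") and table is not None:
            argv = shlex.split(line)
            rules.append((table, argv[1], argv[2:]))
    return rules


def option(argv, name):
    """Return the value following option `name` (e.g. '-j'), or None."""
    for i, tok in enumerate(argv[:-1]):
        if tok == name:
            return argv[i + 1]
    return None


def audit(text):
    """Return a list of (table, chain, finding, rule_text) for the dump."""
    findings = []
    for table, chain, argv in parse_dump(text):
        target = option(argv, "-j")
        rule = " ".join(argv)
        if table == "nat" and target in ("DROP", "REJECT"):
            findings.append((table, chain, "filter-in-nat", rule))
        if table == "nat" and chain == "PREROUTING" and target == "DNAT":
            dest = option(argv, "--to-destination") or ""
            if dest.startswith("127."):
                findings.append((table, chain, "dnat-to-loopback", rule))
    return findings


if __name__ == "__main__":
    # Usage: python audit_nat.py < /etc/sysconfig/iptables  (or iptables-save | python audit_nat.py)
    import sys
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for table, chain, kind, rule in audit(dump):
        print(f"[{kind}] {table}/{chain}: {rule}")
```

Run it against `iptables-save` output on a live box; the nat OUTPUT DNAT rule in the sample is deliberately left unflagged, since locally generated connections can be DNATed to loopback without route_localnet.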