Iptables-tutorial explained

August 29, 2008 by
Filed under: Frozentux.net, Iptables, Linux, Netfilter 

So, time to explain whats happened to the iptables-tutorial, it’s been rather dead for a long time now. This is kind of meant as an explanation on what and why things has gone downhill with it, but also kind of a try to define for myself what went wrong back then.

By now, it’s almost 8 years since I started writing on it. It all started as a short term project, a real tutorial if you wish. Due to the demand, I was rather amused at keeping it up, writing more material and so forth, but with time it took more and more effort to keep up to date and to add all the material I wanted in it. While the tutorial was at it’s high, I had 25 000 unique visitors per month on the main iptables-tutorial site alone, and all that traffic generated questions, and lots of them. At times, I received 70+ e-mails with questions per week, which required hours of attention. Also, Apress contacted me at this time asking me to write a book on iptables for them.

Having that burden on top of a project that was originally intended to have fun, learn and to get more experience makes a project much less appealing. Also, at the same time, me and my then girlfriend broke up, leaving me in devastation. In a sense, I lost my muse at the same time as I was the least interested in writing. I spent several weeks trying to get somewhere, but didn’t manage to get 2 pages out of me. This is where I dropped the tutorial the first time. I pretty much went MIA.

Either way, after a while (a bit over 2 years to be precise), I decided to give it another try. I had for a long time wanted to start writing again, and got around to it as I had the time and will. To make a long story short, I got too much to do with school and work and life in general for a while, but managed to get version 1.2.0 out before this happened. Another year later, I managed to get 1.2.1 out, and finally 1.2.2 which was the first printed version at lulu.com. Due to several minor problems, which turned out to become pretty large problems imho, I later decided to pull down the print version while getting my life together again so that I could focus on what needed doing again.

This is where the iptables tutorial is at this time and date. I’m not really sure what I’m hoping to accomplish with this post really, more than generally give people an idea what’s been going on around the iptables-tutorial and try to explain why it’s been … well, not keeping up with developments in iptables and netfilter.

I’m not exactly certain what will happen in the close future with the iptables tutorial. I’m currently working on a few other projects which are better defined and that should hopefully be possible to “finish” properly.. Ie, once I’ve done them, they should stay done. Once those projects are done, I might get back to the whole iptables-tutorial.


8 Comments on Iptables-tutorial explained

  1. Anonymous on Thu, 19th Nov 2009 07:35
  2. Have you considered making it a wiki-like page and allowing people to contribute to it?

    Just a thought.

  3. Oskar Andreasson on Thu, 19th Nov 2009 08:59
  4. I have considered this in the past, but decided against it for several reasons. It’s a simple question, but unfortunately not so simple a response. One of my main reasons is that I don’t trust everyone to freely contribute/destroy what’s there.

    This may be a bad argument, but let’s just consider spam. How many project wiki’s have you seen that has been swats of pages with spam and no one is taking care of it? Sites such as wikipedia has the necessary people and interest to actually manage these problems, but I definitely don’t. As a correlation, I’m currently receiving 10 comment spams per day on this site as it is, what if this had been in a wiki?

    Secondly the above is just the stuff that’s posted with malice in mind, what about people who simply post incorrect information without knowing any better?

    Maybe all my problems with a wiki could be addressed, but it’s not in my interest at this time. If people have ideas and suggestions or would like to contribute, they are more than welcome to contact me and we’ll see what can be done.

  5. Gina on Sun, 15th Jul 2012 09:11
  6. thank you for the very clear, readable, well organized tutorial on ip-tables. I am very new to writing firewall scripts and after trying for several days to find example rule-sets that I could copy and paste (changing the necessary variables) always without success because my network configuration was always slightly different than the example, I found your tutorial.

    Within three days I was able to go from barely knowing what an ip-table is to writing a simple firewall script that actually works! I have a webserver behind a linux firewall box with two nics which is behind a netgear router and was always confused by the fact that dhcp is done by the netgear, not inside the linux firewall, and couldn’t find any tutorial that would show me how to configure iptables in this case. Your documentation is so thorough that I can look up almost any desired result there, and am able to understand other iptables examples I find on the internet now. I am having fun adding new rules daily and experimenting.

    I’m sure it could use updating, but it is still the best learning tool for setting up a firewall that I have found on the internet and I searched for a long time! Have you written anything about configuring iptables to work with Suricata?

  7. Oskar Andreasson on Sun, 29th Jul 2012 20:56
  8. Hi Gina,

    I haven’t I’m afraid. It shouldn’t be that hard I think, at least if you get to know iptables and suricata?

  9. Benton on Mon, 7th Oct 2013 05:49
  10. Thanks, This tutorial really helped me several times. I read it first on linuxtopia but never found the source, until today.
    The zipped html is 9M. This is amazing, I can’t imagine writing a zipped plain formatted document of 9M big. Thanks so much for the hard work. I guess updating it after so many year would require immense amount of work.
    For people who have gone through the tutorial, could you suggest some reading material for them to keep up with the major changes(if any), and new goodies in current iptables ?

  11. Oskar Andreasson on Sat, 19th Oct 2013 22:12
  12. Hi Benton,

    Yes, you are quite correct, updating it is a lot of work and one of the reasons I simply failed at maintaining it. I’ve asked a few times over for either co-maintainers to sign up and/or someone willing to take over the task, but … well, let’s be quite honest, documentation isn’t very sexy ;). Of course, there’s the other side of the coin, this tutorial has had in excess of 15million hits, which I count fairly successful and giving a lot of publicity…

    I’d mainly suggest readers to check any data first and foremost against the iptables man page, and the online documentation at netfilter.org.

  13. John on Sun, 22nd Dec 2013 21:07
  14. As a Linux newbie, I’m finding this the most exacting, elucidating and comprehensive tutorial (i.e. “So that’s how they’re sliding packets through my firewalls!”). If I had known about this earlier, I would never have purchased a Cisco router and taught myself IOS. (Cisco openly publishes their own flaws and then charges an additional maintenance fee to be rid of the shortcomings of IOS they just published to all the hackers.)

    Still I’m vexed on the IPTables -m limit match, specifically how to use this, in various combinations and in conjunction with other parts of a rule, to limit that specific rule.

    Is Limit-match.txt still available in English and is it available on your site? This would likely answer my questions about -m limit. Links to that file (http://iptables-tutorial.frozentux.net/scripts/limit-match.txt) are just tossing me back to the main page at http://iptables-tutorial.frozentux.net/scripts/limit-match.txt


  15. Oskar Andreasson on Fri, 27th Dec 2013 21:36
  16. Hi John,

    Some links where simply wrong, I forgot to update them at some point I’m afraid. I’ve just updated them all and they should work from the iptables-tutorial again.

    As for the limit match, it’s not really that hard. It’s a token bucket. Every time a packet matches this rule, a token is removed from the bucket, and the bucket is refilled with X tokens until the burst limit is reached (ie, the bucket is full).

    I hope this helps somewhat, sorry for the late response and thank you for the report on the error!

Tell me what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!

You must be logged in to post a comment.