Summary page of the Netfilter related resources

Readme.md

Summary page of the Netfilter related resources

• iptables 101 and FAQ to get started quickly
• iptables tutorial from frozentux
• flowgraph of the packets in netfilter as png or svg
• Managing large lists of IPs,subnets, protocols or ports in iptables using ipset
• Dynamically updating ipsets from DNS records
• Periodically updating a blocklist from an IP using Python and ipset
• words of wisdom regarding iptables
• sample iptables rule sets for IPv4 and IPv6
• Things You Should Know About Netfilter
• about asking questions the smart way
• What have you tried?
• Why automatic conntrack helper assignment is dangerous
• IProute2 cheat sheet
• nftables wiki

No, nftables is not production ready.

Best Practices.md

Best Practices:

1. Don't use iptables to apply your rules one at a time, use iptables-restore to apply a whole ruleset in one action.
2. Set your INPUT and FORWARD policy to DROP.
3. Don't set your OUTPUT policy to DROP unless you really know what you're doing.
4. If you're going to implement a blacklist or whitelist, you should look at using ipsets if that list is going to be more than two or three addresses, and if it might be dynamic.
5. Allow all traffic on lo.
6. You should ALLOW traffic in ctstates of RELATED and ESTABLISHED near the beginning of your rules
7. Don't use iptables -L
8. DON'T USE IPTABLES -L
9. Use iptables-save instead of iptables -L.
10. Don't use ifconfig or any of the net-tools.
11. Use iproute2 (ip address, ip link, ip route, ip rule, ...)
12. Always read the man pages that are installed on the system you're trying to use the corresponding software on.

nftables missing

Missing critical features from nftables:
1. XFRM policy lookup
2. ???