Confused about firewall in latest 6.25.3 version

maximumwarp · 27 August 2019 10:30

Hello,
yesterday I installed the latest 6.25.3 version on DietPi on my various Pis (2B, 3B and newest 4B).
I Installed Pi-hole, PiVPN, fail2ban and ProFTP on the Pi 3B and LAMP stack, fail2ban and ProFTP on the Pi 4B.
Now on the 3B I have (and configured) iptables firewall instead iptables is not installed on the Pi 4B, why?

In the latest Raspbian (based on Debian 10 Buster) I know nftables replaced iptables, what’s the situation on DietPi 6.25.3?

MichaIng · 28 August 2019 15:54

We configure fail2ban to use blackhole routing as blocking method. This is more lightweight and does not require any additional software install. iptables is much more flexible, but fail2ban does not make use of this anyway. So if you need more complex firewall rules, then install iptables and you might want to switch fail2ban to use the iptables-based blocking actions. But AFAIK there are no real benefits.

nftables is not yet available on all SBCs we offer, due to outdated kernel versions provided by the manufacturers. Currently the benefit is marginal, so we stay with iptables for e.g. VPN rules and such, to keep it simple. However RPi just integrated nftables support, I think with the 4.19 kernel or shortly afterwards, so one can install and configure it there.

Before offering to choose between iptables and nftables within DietPi-Software, or do the choice based on kernel support, I rather wait for bpfilter. This has MUCH more benefit over the other two. However will take some time until it is integrated into the majority of ARM kernels.

maximumwarp · 28 August 2019 21:08

Thank you for reply, I’ll install iptables on the 4B manually.

I don’t understand why on the Pi 3B iptables is already installed and not on 4B. If fail2ban not using iptables, which is the software package I installed on Pi 3B that required and installed iptables?

MichaIng · 25 September 2019 17:17

maximumwarp
No idea what might have installed iptables. If the Pi3 system is running for some years, it might be left from our old install script, which used iptables as well for fail2ban blocking. This was changed a bunch of versions ago, not sure when exactly.

Jappe · 13 August 2023 20:23

3 posts were split to a new topic: Fail2ban jail for vaultwarden without iptables