Page 1 of 1

Confused about firewall in latest 6.25.3 version

Posted: Tue Aug 27, 2019 12:30 pm
by maximumwarp
Hello,
yesterday I installed the latest 6.25.3 version on DietPi on my various Pis (2B, 3B and newest 4B).
I Installed Pi-hole, PiVPN, fail2ban and ProFTP on the Pi 3B and LAMP stack, fail2ban and ProFTP on the Pi 4B.
Now on the 3B I have (and configured) iptables firewall instead iptables is not installed on the Pi 4B, why?

In the latest Raspbian (based on Debian 10 Buster) I know nftables replaced iptables, what's the situation on DietPi 6.25.3?

Re: Confused about firewall in latest 6.25.3 version

Posted: Wed Aug 28, 2019 5:54 pm
by MichaIng
We configure fail2ban to use blackhole routing as blocking method. This is more lightweight and does not require any additional software install. iptables is much more flexible, but fail2ban does not make use of this anyway. So if you need more complex firewall rules, then install iptables and you might want to switch fail2ban to use the iptables-based blocking actions. But AFAIK there are no real benefits.

nftables is not yet available on all SBCs we offer, due to outdated kernel versions provided by the manufacturers. Currently the benefit is marginal, so we stay with iptables for e.g. VPN rules and such, to keep it simple. However RPi just integrated nftables support, I think with the 4.19 kernel or shortly afterwards, so one can install and configure it there.

Before offering to choose between iptables and nftables within DietPi-Software, or do the choice based on kernel support, I rather wait for bpfilter. This has MUCH more benefit over the other two. However will take some time until it is integrated into the majority of ARM kernels.

Re: Confused about firewall in latest 6.25.3 version

Posted: Wed Aug 28, 2019 11:08 pm
by maximumwarp
Thank you for reply, I'll install iptables on the 4B manually.

I don't understand why on the Pi 3B iptables is already installed and not on 4B. If fail2ban not using iptables, which is the software package I installed on Pi 3B that required and installed iptables?

Re: Confused about firewall in latest 6.25.3 version

Posted: Wed Sep 25, 2019 7:17 pm
by MichaIng
@maximumwarp
No idea what might have installed iptables. If the Pi3 system is running for some years, it might be left from our old install script, which used iptables as well for fail2ban blocking. This was changed a bunch of versions ago, not sure when exactly.