Flux is a lightweight, single-file Python web panel for managing a Linux server’s iptables firewall — plus a full suite of admin tools — without hand-typing rules over SSH. Runs as root on the server it protects.
🖥️ INFO — Live Dashboard
Real-time CPU, memory, storage, and load (1m) tiles; per-core utilization; memory breakdown; disk table (mount, device, filesystem, usage, read/write speed); network interface throughput; top processes by CPU and by RAM with live name filtering.
📊 Traffic
Per-process bandwidth via nethogs; per-IP traffic history via conntrack; built-in scheduled speed testing (Ookla / Cloudflare / fast.com) with a configurable “noisy neighbor” alert threshold.
🔓 Open Ports
Whitelist TCP/UDP ports; bind a rule to a specific network interface; restrict by source IP/CIDR or by country (GeoIP via ipset); built-in port scanner; live Probe mode that detects connection attempts hitting blocked ports in real time via conntrack SYN sniffing; save rule sets as named, reusable “plans.”
↔️ Port Forwards
DNAT forwarding rules (external port → internal IP:port) with per-interface in/out binding; automatic MASQUERADE for return traffic through tunnels like WireGuard; named, reusable plans.
⛔ Block
Outbound denylist — block by host/IP, by process name, or by port, backed by ipset for instant updates without a full firewall rebuild.
👻 SSH Ghost
Provision temporary, auto-expiring SSH accounts for contractors or one-off access, from saved profiles. Accounts self-destruct when their window ends. Live session view shows time remaining and connected IP.
📁 HTTPD
A built-in lightweight file-sharing HTTP server — create shares, get download links, and restrict access by IP whitelist/blacklist across local or public interfaces.
🤖 Telegram Bot
Full remote control from Telegram: firewall status, lock/unlock, apply plans, manage Ghost SSH sessions, per-port source-IP/interface rules, HTTPS toggle, and 2FA management (/otp on|off) — a built-in recovery path if you ever get locked out.
⚙️ Settings — now tabbed (Authentication / Network / Security)
- Authentication: change username/password
- Network: WAN interface, listen port, autorun-on-boot (systemd)
- Security: one-click HTTPS (auto-generated self-signed cert), login lockout (attempts + duration + Telegram alert), session lifetime, CAPTCHA whitelist for trusted IPs, Telegram OTP 2FA (6-digit code, 60-second window), and Trusted Devices — skip login entirely on chosen browsers, for a duration you pick (1 hour → forever), individually revocable
🛡️ Security Hardening
Brute-force lockout with Telegram alerts, distorted SVG CAPTCHA on login, CSRF protection, bcrypt password hashing, and the WireGuard tunnel is trusted as a management path by default (no more disabling the firewall just to connect).
🔧 Backup & Maintenance
Export/import full config as JSON; update the running script straight from the web UI with automatic backup; fix file ownership; dependency auto-installer; floating debug panel capturing client + server activity; reboot/terminate the host from the panel.

