Re: loop back iptables

2013-10-09 Thread Tom H
On Tue, Oct 8, 2013 at 6:04 PM, james gray kmz...@gmail.com wrote:
>
> working with Debian 7.0
>
> working with the examples at
>
> https://wiki.debian.org/iptables
>
> when i write an example for a lo0 table as shown
>
> -A INPUT -i lo -j ACCEPT
>
> and follow procedure of
>
> iptables-restore < file-name
>
> i do receive a message line failed for that line as shown above.

Was your file

-A INPUT -i lo -j ACCEPT

?

Or was it

*filter
-A INPUT -i lo -j ACCEPT
COMMIT

?


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/CAOdo=Sy_XOu_3GszZUL6vL+P66M8FAb2Q1+dWjm9=mf7qac...@mail.gmail.com



Re: loop back iptables

2013-10-09 Thread shawn wilson
On Tue, Oct 8, 2013 at 8:12 PM, Dan Ritter d...@randomstring.org wrote:
> On Tue, Oct 08, 2013 at 03:04:14PM -0700, james gray wrote:
>
>> working with the examples at
>>
>> https://wiki.debian.org/iptables
>>
>>
>> -A INPUT -i lo -j ACCEPT

This will do nothing unless you have a default DROP policy

>> and follow procedure of
>>
>> iptables-restore < file-name
>>
>>
>> i do receive a message line failed for that line as shown above.
>
>
> Next, you'll need to copy the entirety of the grey area example
> to a file, and use that file name in the iptables-restore. It's
> a very specific format.


Very specific - I wrote a script to generate an iptables save file and
saw that line failed message lots. Basically the format is:

*chain
:table [counter]
-A rule
COMMIT

Any deviation from this format is an error (you can also have #
comments btw). I assume you can use -I or -D or -R but I don't see
much point (maybe you go into different 'zones' and then that might be
cool to do). Generally, what you want to do is:
iptables -F; iptables -X; iptables-restore < file

> If you want to test individual rules, you could do this at the
> command line:
>
> iptables -A INPUT -i lo -j ACCEPT

Depending on where that line was put in the save file, that might not
be accurate (though since this rule doesn't do anything, one could
argue about the 'effect' it has at any point). However, assuming the
rule needs to be placed somewhere in the middle, you want:
iptables -nL --line-numbers

And then:
iptables -I INPUT number rule


> and then
>
> iptables -L
>
> to see if it took.
>
> There is nothing Debian-specific going on here.

Nope - this is linux.
A few notes:
*I've seen some people (Ubuntu) naming their tables with all UPPERCASE
letters - don't do this. You can clobber namespace (and maybe other
issues?) and the only way to distinguish between internal jumps and
tables is the case (LOG and MARK being a prime example and mangle has
some cool jumps you can use and the ones you know of: ACCEPT, REJECT,
DROP, DENY - and it's 0400 so I can't think of others right now).
*iptables-restore makes one kernel call so is much better (read
faster) than calling iptables tons of times.
*these commands are actually links to xtables-multi:
# xtables-multi
ERROR: No valid subcommand given.
Valid subcommands:
 * iptables
 * main4
 * iptables-save
 * save4
 * iptables-restore
 * restore4
 * iptables-xml
 * xml
 * ip6tables
 * main6
 * ip6tables-save
 * save6
 * ip6tables-restore
 * restore6
(no idea why anyone would want to take a good thing and mess it with
xml but it's there - though, if there's an xslt parser as a part of
that there could be some real fun to be had there)

And this stuff is fun, good luck in learning.


Archive: http://lists.debian.org/cah_obidd7pbxesm7bptmdnrfgde2w_e_gtrk3m24tdljbyt...@mail.gmail.com



Re: loop back iptables

2013-10-09 Thread Jonathan Dowland
On Wed, Oct 09, 2013 at 04:24:18AM -0400, shawn wilson wrote:
> This will do nothing unless you have a default DROP policy

…which generally speaking I would advise against. If you have a default
ACCEPT policy and your last rule is a DROP, you are resilient against
accidentally issuing iptables -F (or having something else
accidentally do that). With a default DROP policy and no rules, you're
locked out. (on your default interface e.g. eth0, em0, en0, at least)


Archive: http://lists.debian.org/20131009132420.GC20003@debian
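The restore-file layout Tom H and shawn wilson describe (a "*table" header, ":CHAIN POLICY [counters]" lines, the rules, COMMIT), combined with the fail-open policy Jonathan recommends (policy ACCEPT, explicit DROP as the last rule), as an added worked example that is not part of the thread or of the Debian wiki page. It generates a complete ruleset for the filter table, then lints it offline so a malformed file is reported with a reason rather than as an opaque "line N failed" from iptables-restore. Assumptions: the sample policy (SSH on tcp/22, ICMP allowed) is constructed for the example; awk is a POSIX awk such as gawk or mawk; loading the rules needs root and a box with iptables installed.

```shell
#!/bin/sh
# Added example, not from the thread: generate a complete iptables-restore
# file for the filter table and lint it offline, so a malformed file is
# reported here with a reason instead of as "iptables-restore: line N failed".
# Assumptions (constructed for this example): the host is managed over SSH on
# tcp/22; awk is a POSIX awk (gawk or mawk); applying the rules needs root.

# Emit the ruleset in the layout iptables-save writes: a "*table" header,
# one ":CHAIN POLICY [packets:bytes]" line per chain, the rules, then COMMIT.
# Built-in chains keep policy ACCEPT and an explicit "-j DROP" is the last
# INPUT rule, so an accidental "iptables -F" leaves the box reachable
# (everything accepted) rather than locked out as a DROP policy would.
write_ruleset() {
    cat <<'EOF'
# filter table, sample policy constructed for this example
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
EOF
}

# Structural check of FILE: prints "line N failed: reason" for the first
# problem and returns 1, or prints nothing and returns 0. Blank lines and
# "#" comments are allowed anywhere; every ":" and "-" line must sit between
# a "*table" header and its COMMIT, which is exactly what a bare
# "-A INPUT -i lo -j ACCEPT" file violates.
lint_ruleset() {
    awk '
        function fail(msg) { printf "line %d failed: %s\n", NR, msg; bad = 1; exit 1 }
        /^[ \t]*(#|$)/ { next }
        /^\*[a-z]+$/ {
            if (table != "") fail("table " table " not committed before next table")
            table = substr($0, 2); next
        }
        /^:/ {
            if (table == "") fail("chain line outside a *table block")
            # built-in chains need a policy and counters; user chains use "-"
            if ($0 !~ /^:[A-Za-z0-9_.-]+ ((ACCEPT|DROP) \[[0-9]+:[0-9]+\]|-( \[[0-9]+:[0-9]+\])?)$/)
                fail("malformed chain line")
            next
        }
        /^-[AIDRNPFX] / {
            if (table == "") fail("rule outside a *table block (missing *filter header?)")
            next
        }
        /^COMMIT$/ { if (table == "") fail("COMMIT without an open table"); table = ""; next }
        { fail("unrecognised line") }
        END { if (!bad && table != "") { printf "line %d failed: table %s never committed\n", NR, table; exit 1 } }
    ' "$1"
}

# Write, lint, dry-run with the real parser, then load. iptables-restore
# replaces each table named in the file as a whole, so a file that passes
# both checks either loads completely or not at all. Needs root.
apply_ruleset() {
    f=$(mktemp) || return 1
    write_ruleset > "$f"
    if ! lint_ruleset "$f"; then rm -f "$f"; return 1; fi
    # --test parses and builds the ruleset without committing it
    iptables-restore --test < "$f" && iptables-restore < "$f"
    rc=$?
    rm -f "$f"
    return $rc
}
```

Source the file and call apply_ruleset as root on the target box; lint_ruleset on its own is what you want in a deploy script or a pre-commit hook for a hand-edited /etc/iptables/rules.v4, since it points at the offending line with a reason. Keep a second SSH session open while loading a new ruleset on a remote machine, even with the fail-open layout.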



Re: loop back iptables

2013-10-08 Thread Dan Ritter
On Tue, Oct 08, 2013 at 03:04:14PM -0700, james gray wrote:
> working with Debian 7.0
>
>
> working with the examples at
>
> https://wiki.debian.org/iptables
>
>
> when i write an example for a lo0 table as shown
>
> -A INPUT -i lo -j ACCEPT
>
>
> and follow procedure of
>
> iptables-restore < file-name
>
>
> i do receive a message line failed for that line as shown above.
>
>
> Question: do i need to config a file.
>
>
> staying in the environment of the installed Debian 7.0 and doing apropos
> loopback shows also loop.
>
> doing internet searching shows a lot of info as if a bomb dropped from the
> sky - but who knows if it is or could be debian 7.0 specific.

First, you should probably avoid doing anything to a loopback
interface...

Next, you'll need to copy the entirety of the grey area example
to a file, and use that file name in the iptables-restore. It's
a very specific format.

If you want to test individual rules, you could do this at the
command line:

iptables -A INPUT -i lo -j ACCEPT

and then

iptables -L

to see if it took.

There is nothing Debian-specific going on here.

-dsr-


Archive: http://lists.debian.org/20131009001237.ga4...@randomstring.org