Re: [gentoo-user] Re: IPTables question... simple as possible for starters
On Mon, Dec 30, 2013 at 1:04 PM, James wrote:
> shawn wilson gmail.com> writes:
>
>> Also see nftables: http://netfilter.org/projects/nftables/
>
> Interesting read.
>
> http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
> http://upload.wikimedia.org/wikipedia/commons/d/dd/Netfilter-components.svg
>
> Where is the diagram for nftables, in some detail?
>
> How secure is nftables, currently? I could not find any results of
> published penetration testing against nftables vs ip,eb,x(tables). Any
> published results against an array of penetration testing?

First, I don't know what they mean by xtables vs iptables:

# whereis iptables
iptables: /sbin/iptables /usr/include/iptables /usr/include/iptables.h /usr/share/man/man8/iptables.8.bz2
# readlink /sbin/iptables
xtables-multi
# whereis xtables-multi
xtables-multi: /sbin/xtables-multi

Right? So, that's just being needlessly verbose.

Per testing: as long as they didn't do anything stupid (I seriously doubt that):
http://www.cvedetails.com/product/1656/Netfilter-Core-Team-Iptables.html?vendor_id=959

Would I convert a prime time server to using nftables right now? Hell no. Is it safe? Probably.

> Also, libmnl seems to be a library looking for developers to use?
> It seems very early stage to me, and not ready for prime-time, at
> first glance? What did I miss?

No idea.
[gentoo-user] Re: IPTables question... simple as possible for starters
shawn wilson gmail.com> writes:
> Also see nftables: http://netfilter.org/projects/nftables/

Interesting read.

http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
http://upload.wikimedia.org/wikipedia/commons/d/dd/Netfilter-components.svg

Where is the diagram for nftables, in some detail?

How secure is nftables, currently? I could not find any results of published penetration testing against nftables vs ip,eb,x(tables). Any published results against an array of penetration testing?

Also, libmnl seems to be a library looking for developers to use? It seems very early stage to me, and not ready for prime-time, at first glance? What did I miss?

curiously,
James
[gentoo-user] Re: iptables question
Hiren Dave gmail.com> writes:
> ALSO IS THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY LEARNING OF IPTABLES?

The only current book I could find that is centric around the 2.6 Linux kernel and contains relevant, current examples is:

"Linux Firewalls", Third Edition
authors: Steve Suehring and Robert Ziegler

hth,
James
-- 
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] Re: iptables question
On Friday 20 January 2006 13:41, James wrote:
> #for unlimited traffic on the loopback interface
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT

since I've done my "flushing" all my rules are nice and permissive ;)

dimon2 ~ # iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

dimon2 ~ # iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

So I doubt I need specific rules for "lo" or any other device except for NAT rules to redirect my traffic.

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
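Added example, not part of this thread or of the iptables project: a small parser for the `iptables -t <table> -L` listing format shown in the message above, plus an audit helper that reports built-in chains which are fully permissive (policy ACCEPT and no rules at all), which is exactly the state a flushed filter table is in. The sample listings are constructed here; the first mirrors the flushed table in the message, the second is a hypothetical hardened table with a deny-by-default INPUT policy and loopback/ESTABLISHED accept rules.

```python
"""Parse `iptables -t <table> -L` output and flag fully permissive chains.

Example code added to this thread (not from the thread or from the
iptables project). Handles the default (non -v) listing format; the -v
format adds pkts/bytes/in/out columns, whose header is skipped but whose
rule lines are kept verbatim.
"""
import re

# "Chain INPUT (policy ACCEPT)" or, with -v, "Chain INPUT (policy ACCEPT 12 packets, 800 bytes)";
# user-defined chains print "(N references)" instead of a policy.
CHAIN_RE = re.compile(r"^Chain (\S+) \((.*)\)$")


def parse_listing(text):
    """Return {chain: {"policy": str|None, "rules": [str, ...]}} for one table."""
    chains = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            inner = m.group(2).split()
            # Built-in chains carry "policy <TARGET>"; user chains carry a reference count.
            policy = inner[1] if inner and inner[0] == "policy" else None
            chains[current] = {"policy": policy, "rules": []}
            continue
        tokens = line.split()
        # Column header: "target prot opt ..." (default) or "pkts bytes target ..." (-v).
        if tokens[0] in ("target", "pkts"):
            continue
        if current is not None:
            chains[current]["rules"].append(line)
    return chains


def permissive_chains(chains):
    """Names of built-in chains with policy ACCEPT and not a single rule."""
    return sorted(
        name for name, c in chains.items()
        if c["policy"] == "ACCEPT" and not c["rules"]
    )


# Constructed sample: a flushed filter table, as in the message above.
FLUSHED_FILTER = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed sample: hypothetical hardened table. Note that without -v the
# "-i lo" interface match is not shown, so the first INPUT rule looks like
# a blanket ACCEPT; audit with `iptables -v -L` before trusting such a line.
HARDENED_FILTER = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
"""

if __name__ == "__main__":
    for label, listing in (("flushed", FLUSHED_FILTER), ("hardened", HARDENED_FILTER)):
        print(label, "permissive chains:", permissive_chains(parse_listing(listing)))
```

In practice you would feed the function the captured output of `iptables -t filter -L` and `iptables -t nat -L`; an empty result from `permissive_chains` for the filter table is the minimum you want before putting a host on an outward-facing interface.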
[gentoo-user] Re: iptables question
Dmitry S. Makovey athabascau.ca> writes:
> somewhat offtopic, but since I need any help I can get:
> how do I redirect traffic from outward facing interface
> (192.168.1.114:80) to loopback device (127.0.0.1:80) ?
> my most obvious trick:
> iptables -t nat -A PREROUTING -p tcp -d 192.168.1.114 --dport 80 \
>   -j DNAT --to 127.0.0.1:80
> and
> echo 1 > /proc/sys/net/ipv4/ip_forward
> didn't help. Machine which is opening connection is hanging there
> indefinitely...
> what did I miss?

Well, let me start off by saying that I'm still learning the details of iptables. An excellent book has been recommended and I can confirm it is wonderful: "Linux Firewalls", Third Edition, 2005, by Steve Suehring and Robert L. Ziegler, Novell Press. There are many examples covering forwarding, port redirection, DMZs and proxies.

It's hard to tell exactly what you are doing, or what you want to do.

From the book, "Enabling the loopback Interface", page 111:

"Local services rely on the loopback network interface. After the system boots, the system's default policy is to accept all packets. Flushing any pre-existing chains has no effect. However, if the firewall is being reinitialized and had previously used a deny-by-default policy, the drop policy would still be in effect. Without any acceptance firewall rules, the loopback interface would still be inaccessible. Because the loopback interface is a local, internal interface, the firewall can allow loopback traffic immediately:

#for unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
"

Granted this is related to an example in the book, but hopefully it helps. If you get frustrated, send me private email; maybe I can help. I will try.

Some folks on the list do not believe that direct control of iptables is wise. I dissent. Knowledge of iptables is of extreme value, but difficult to master. I'd like to see many examples of iptables for 2.6 kernels published. Updated material on iptables + 2.6 kernels is scarcely available on the net.

hth,
James
-- 
gentoo-user@gentoo.org mailing list