[gentoo-user] iptables

2009-07-15 Thread Dave
Hello,
I'm looking for a guide for iptables specifically for gentoo 2.6.
I was also wondering if anyone was using apf "Advanced Policy
Firewall" on a gentoo 2008.0 2.6 machine?
Thanks.
Dave.




[gentoo-user] iptables

2005-05-11 Thread pepe antartico
I have a very strange and annoying problem; please,
I need help.
I added iptables support and recompiled my kernel (it is
2.6.11.7), then when rebooting, the startup sequence
stops after 10 or 15 seconds and freezes on a blank
screen. I tried recompiling the kernel with iptables
as modules and got the same result. When booting from
my old kernel everything is normal. I even tried
several combinations compiling some options as modules
and others within the kernel but when booting it got stuck
again.
I really need help on this; any suggestions will be
appreciated.
gaco 

_
Do You Yahoo!?
Información de Estados Unidos y América Latina, en Yahoo! Noticias.
Visítanos en http://noticias.espanol.yahoo.com
-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] IPTABLES

2015-12-22 Thread siefke_lis...@web.de
Hello,

I'm trying to run iptables, block bad IPs and lock down the system.

I want to run a firewall which blocks all INPUT and only ALLOWs the services I define.
I want to use ipset to block spam IPs; that is surely nicer than always setting rules
manually.

I'm not so sure it is okay; I have tried and read, but in the end I often lock myself out
of the root server. So better to ask what the pros of Gentoo say.

The Firewall Script > http://pastebin.com/b3305i41


Thank you for help & Nice Day

Silvio Siefke




[gentoo-user] iptables

2005-08-25 Thread John Dangler
I'm reading through the wiki doc on setting up iptables.  There is a section
there that sets up a file called firewall.sh
I've emerged iptables, but I don't have a file by that name on the system,
and it seems that running "/etc/init.d/iptables save" writes this file as
/var/lib/iptables/rules-save.  Is there a specific directory where this file
should be written so that running "/etc/init.d/iptables save" can see it?
Or can the rules-save file be edited and re-written? (It seems as though
running "/etc/init.d/iptables save" would just over-write rules-save).

Thanks for the input.

John D







[gentoo-user] iptables

2005-08-29 Thread John Dangler
I emerged firestarter (during which I got iptables), and forgot that I
didn't have iptables emerged prior.  I went into the kernel and selected (as
the doc I found suggests) all of the options as modules under iptables. (The
doc also says that if they are compiled as modules, I didn't need to
reboot).
I did add iptables to /etc/modules.autoload.d/kernel-2.6 (for subsequent
rebooting).

modprobe ip_tables results in:
FATAL: Error inserting ip_tables
(/lib/modules/2.6.12-gentoo-r9/kernel/net/ipv4/netfilter/ip_tables.ko):
Unknown symbol in module, or unknown parameter.

dmesg produces - 
ip_tables: disagrees about version of symbol skb_copy_files
ip_tables: Unknow symbol skb_copy_bits
ip_tables: Unknown symbol nf_register_sockopt
ip_tables: ip_tables: Unknown symbol nf_unregister_sockopt
ip_tables: Unknown symbol nf_unregister_sockopt

(I just found another doc that says to ONLY modprobe IF you haven't built
this as a module)
DOH!

I went back into the kernel config and removed all but the essential options
for iptables... (just iptables module) and rebuilt the kernel

A reboot (aside from losing my wireless), produced an error on boot loading
iptables.
no other text in dmesg points to the problem.

John D







[gentoo-user] Iptables

2007-01-18 Thread Fabrício L. Ribeiro

How can I install and run iptables (with conntrack and all other
modules) in a Gentoo 2006.1 box with kernel generated by genkernel?

I tried "emerge iptables", but when I type "iptables -F" I get
something like this:

FATAL: Module ip_tables not found.
iptables v1.3.5: can't initialize iptables table `filter': iptables
who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

Thanks!

--
FABRÍCIO L. RIBEIRO




[gentoo-user] iptables question...

2011-12-16 Thread Tanstaafl

Hi all,

I was reading up on some iptables rules in the gentoo security handbook:

http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12&style=printable

It mentions DROPing packets with an INVALID state.

It sounded/sounds like a good idea, so I added the following rule:

-A INPUT -i eth0 -m state --state INVALID -j LOG

As suggested, I added this rule just ABOVE this one:

-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

I also changed the DROP action to LOG so I could see what it did if 
anything.


Right after adding this rule, I started seeing lines like this in the log:

Dec 16 10:15:31 myhost kernel: IN=eth0 OUT= 
MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=208.87.137.233 
DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP 
SPT=50113 DPT=25 WINDOW=0 RES=0x00 RST URGP=0


What I don't understand is why it isn't using my LOG prefix that is used 
for everything else:


-A INPUT -j LOG --log-prefix "(>fw-drop): " --log-level 7

Anyone?



Re: [gentoo-user] iptables

2009-07-16 Thread Marco
Hi Dave,

this one is rather informative:

http://www.novell.com/coolsolutions/feature/18139.html

Also, this one from gentoo (although for 2.4) is worth reading:

http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml

HTH!

--
Regards,
 Marco



On Thu, Jul 16, 2009 at 5:32 AM, Dave wrote:
> Hello,
>        I'm looking for a guide for iptables specifically for gentoo 2.6.
>        I was also wondering if anyone was using apf "Advanced Policy
> Firewall" on a gentoo 2008.0 2.6 machine?
> Thanks.
> Dave.
>
>
>



Re: [gentoo-user] iptables

2009-07-16 Thread Marco
Maybe this thread could be helpful as well:

http://marc.info/?l=gentoo-user&m=124058693215810&w=2

--
Regards,
 Marco





Re: [gentoo-user] iptables

2009-07-16 Thread Alejandro
2009/7/16 Marco wrote:

> Maybe this thread could be helpful as well:
>
> http://marc.info/?l=gentoo-user&m=124058693215810&w=2

I use APF for all my desktops/servers with Debian and Gentoo; it's quite
easy and works great. In 10' you have iptables running.


Re: [gentoo-user] iptables

2009-07-16 Thread Nevynxxx
Alejandro wrote:
> I use APF for all my desktops/servers with Debian and Gentoo; it's
> quite easy and works great. In 10' you have iptables running.

I tend to just use webmin. Emerge iptables, emerge webmin, and get a
nice easy to follow GUI that sets up the iptables.





Re: [gentoo-user] iptables

2005-05-12 Thread A. Khattri
On Wed, 11 May 2005, pepe antartico wrote:

> I have a very strange and annoying problem, please
> need help.
> I added iptables support and recompiled my kernel (is
> 2.6.11.7), then when rebooting, the startup sequence
> stops after 10 or 15 seconds and freezes in a blank
> screen. I tried recompiling the kernel with iptables
> as modules and got the same result. When booting from
> my old kernel everything is normal. I even tried
> several combinations compiling some options as modules
> an others within the kernel but when booting got stuck
> again.
> I really need help on this, any sugestions will be
> appreciated.

iptables probably has nothing to do with this problem.

Perhaps you have enabled the console framebuffer but it is the wrong
chipset. My advice would be to disable all framebuffers until you get
everything else working. You can always go back and fix that later.





Re: [gentoo-user] iptables

2005-05-12 Thread pepe antartico
Thanks, I know it is rare, but I forgot to write that
it's not the first time I recompile the kernel; I
must have done it at least 8 or 9 times, and it only
failed when iptables was added.
After the crash I booted from the old kernel and
compiled it again without iptables, booted from the new
bzImage, and everything was fine.
...very strange thing

--- "A. Khattri" <[EMAIL PROTECTED]> wrote:
> iptables probably has nothing to do with this
> problem.
> 
> Perhaps you have enabled the console framebuffer but
> it is the wrong
> chipset. My advice would be to disable all
> framebuffers until you get
> everything else working. You can always go back and
> fix that later.




Re: [gentoo-user] iptables

2005-05-12 Thread pepe antartico
by the way, the "console framebuffer support" was not
enabled.
rgds
--- pepe antartico <[EMAIL PROTECTED]> wrote:
> Thanks, I know it is rare, but I forgot to write
> that
> it's not the first time I recompile the kernel; I
> must have done it at least 8 or 9 times, and it only
> failed when iptables was added.
> After the crash I booted from the old kernel and
> compiled it again without iptables, booted from the new
> bzImage, and everything was fine.
> ...very strange thing




Re: [gentoo-user] iptables

2005-05-12 Thread rob3
pepe antartico wrote:

> Thanks, I know it is rare, but I forgot to write that
> it's not the first time I recompile the kernel; I
> must have done it at least 8 or 9 times, and it only
> failed when iptables was added.
> After the crash I booted from the old kernel and
> compiled it again without iptables, booted from the new
> bzImage, and everything was fine.
> ...very strange thing
>
Hi all,

I have generated a reasonable general purpose iptables executable.  You
would only need to change eth0 if your internet comes through something
different.  It opens up ports 1024 and higher to in/out so that it's not
a pain to run p2p applications, etc.  But it is a default block in/out file.

Rob.



Re: [gentoo-user] iptables

2005-05-12 Thread pepe antartico
Sure I'd like to try your iptables executable,
how can I get it?

rgds
gaco

--- rob3 <[EMAIL PROTECTED]> wrote:
> Hi all,
> 
> I have generated a reasonable general purpose
> iptables executable.  You
> would only need to change eth0 if your internet
> comes through something
> different.  It opens up ports 1024 and higher to
> in/out so that it's not
> a pain to run p2p applications, etc.  But it is a
> default block in/out file.
> 
> Rob.




Re: [gentoo-user] IPTABLES

2015-12-24 Thread Andrew Savchenko
Hi,

On Tue, 22 Dec 2015 22:45:12 +0100 siefke_lis...@web.de wrote:
> i try to run iptables, block bad ips and close the system. 
> 
> I want run firewall which block all INPUT, only ALLOW services i defined.
> Ipset want to use to block spam ips, make it sure awesome as ever set rules 
> manuell.
> 
> Im not so sure is okay, i has try and read but at end often i kick me out
> from rootserver. So better ask what say profis of Gentoo. 
> 
> The Firewall Script > http://pastebin.com/b3305i41

I recommend you to read a good tutorial first, e.g. this one:
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

It is a bit old and isn't an ultimate description of all
iptables features (you have manuals for that), but will give you a
good understanding of how packet flow works and how they should be
processed.

I see three main problems with your current rules:

1. ESTABLISHED,RELATED packets are not accepted in the INPUT. You
will have legitimate traffic blocked because of that.

2. Rules are vulnerable to SYN/ACK attack (see manual above on how
to fix this). FORWARDed traffic is not protected at all (are tun+
interfaces completely trusted?).

3. Rules are far from being optimal, e.g. instead of having many
entries for each accepted port, you can write just two rules
using multiport target: one for tcp and another one for udp. This
way your rules will be much faster. Also you should consider proper
ordering of rules: those with higher hit rate should go first if
this doesn't impact security scheme.

There are minor issues of course, like blacklist check late in the
rules (it should come one of the first, otherwise blacklisted hosts
will be allowed to connect to your open services).

For remote debugging I recommend a small script like:
./iptables-current; sleep 1m; iptables-good

where iptables-current is the script with your current rules you
want to test and iptables-good are tested rules which work for you.
This way if you screw up with current rules and remote control
is lost, in a minute good old rules will be applied. Of
course, you should terminate this command with ^C if new rules are
good, so that old ones will not be fired in a minute.

Best regards,
Andrew Savchenko


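As an added example (written for this archive page, not Silvio's script, not Andrew's rules and not anything shipped by Gentoo), here is a default-deny INPUT ruleset that applies the points above: ESTABLISHED,RELATED accepted first, the ipset blacklist checked before any service ACCEPT, one multiport rule per protocol, FORWARD dropped by policy, and Andrew's timed-rollback trick wrapped in a function. It also covers the question in the "iptables question..." thread higher up on this page: the LOG target only tags a message with the --log-prefix given on that same rule, so an INVALID-state LOG rule needs its own prefix or its lines arrive bare. The interface name, the open ports and the ipset name spam_blacklist are assumptions; the set (type hash:ip) has to exist before the rules are loaded.

```sh
#!/bin/sh
# Added example, not from the thread or from Gentoo: a default-deny INPUT
# ruleset in iptables-restore format, built as text so it can be reviewed
# before it is applied, plus a timed rollback for testing it remotely.
# Interface, service ports and ipset name are assumptions.

WAN_IF="${WAN_IF:-eth0}"                          # assumed uplink interface
TCP_SERVICES="${TCP_SERVICES:-22,25,80,443}"      # assumed open TCP services
UDP_SERVICES="${UDP_SERVICES:-}"                  # none by default
BLACKLIST_SET="${BLACKLIST_SET:-spam_blacklist}"  # assumed ipset (hash:ip)
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# build_rules prints a complete filter table. Order matters: loopback and
# ESTABLISHED,RELATED (the highest hit rate) first, then INVALID with its
# own log prefix, then the blacklist before any service ACCEPT so a listed
# host never reaches a service, then one multiport rule per protocol, and a
# final catch-all LOG before the chain policy drops whatever is left.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "(>fw-invalid): " --log-level 7
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $WAN_IF -m set --match-set $BLACKLIST_SET src -j DROP
-A INPUT -i $WAN_IF -p tcp --syn -m multiport --dports $TCP_SERVICES -j ACCEPT
EOF
    if [ -n "$UDP_SERVICES" ]; then
        printf '%s\n' "-A INPUT -i $WAN_IF -p udp -m multiport --dports $UDP_SERVICES -j ACCEPT"
    fi
    cat <<EOF
-A INPUT -j LOG --log-prefix "(>fw-drop): " --log-level 7
COMMIT
EOF
}

# try_rules CANDIDATE GOOD [SECONDS]: load CANDIDATE, wait, then reload GOOD.
# Run it in the foreground of the remote session: if the candidate locks you
# out, the timer puts the known-good rules back without you; if the session
# still works, interrupt the sleep with ^C so the good set is not reloaded.
try_rules() {
    "$IPTABLES_RESTORE" < "$1" || return 1
    sleep "${3:-60}"
    "$IPTABLES_RESTORE" < "$2"
}
```

Typical use on a Gentoo box: source the file, write the candidate with `build_rules > /tmp/candidate.rules`, check that it parses with `iptables-restore --test /tmp/candidate.rules`, then run `try_rules /tmp/candidate.rules /var/lib/iptables/rules-save 60` over the SSH session and press ^C once a fresh connection still gets through; `/var/lib/iptables/rules-save` is where the Gentoo init script keeps the last saved set, as discussed in the 2005 thread below.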


Re: [gentoo-user] IPTABLES

2015-12-24 Thread siefke_lis...@web.de
Hello,

On Thu, 24 Dec 2015 15:11:55 +0300 Andrew Savchenko
 wrote:

> ...
> It is a bit old and isn't an ultimate description of all
> iptables features (you have manuals for that), but will give you a
> good understanding of how packet flow works and how they should be
> processed.
> ...

thank you for your information, now i know more where i am. 


Silvio

Silvio Siefke




Re: [gentoo-user] IPTABLES

2015-12-29 Thread lee
"siefke_lis...@web.de"  writes:

> Hello,
>
> i try to run iptables, block bad ips and close the system. 
>
> I want run firewall which block all INPUT, only ALLOW services i defined.
> Ipset want to use to block spam ips, make it sure awesome as ever set rules 
> manuell.

After reading a good iptables tutorial, you may want to take a look at
shorewall and its documentation.

If you're referring to IP addresses from which you receive emails that
are spam, I'd recommend getting familiar with exim and perhaps
spamassassin.  For extreme cases, you might want to use something like
fail2ban.



[gentoo-user] iptables broken

2022-02-11 Thread flzdjhmtax


Something recent (perhaps this update to libnftnl) broke iptables.
Re-emerging it fixed the problem.

Fri Feb 11 07:45:54 2022 >>> net-libs/libnftnl-1.2.1

iptables started giving errors such as this:

/sbin/iptables -A BASE_INPUT_CHAIN -m conntrack --ctstate ESTABLISHED -j ACCEPT
ERROR (2): iptables v1.8.7 (legacy): Couldn't load match `conntrack':No such 
file or directory

Don't reboot (or restart the firewall on) any servers, in particular
remote ones, before ensuring that your install of iptables is working.


-- 
Alan J. Wylie  https://www.wylie.me.uk/

Dance like no-one's watching. / Encrypt like everyone is.
Security is inversely proportional to convenience
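The failure quoted above only shows up when a rule that needs the broken extension is parsed, so a firewall that is already loaded keeps running until the next restart or reboot. As an added example (not from Alan's message and not a Gentoo tool), the pre-flight check below lists every -m match and -j target used in an iptables-save style file and asks the installed iptables to load each one through its --help output, which exercises the userspace extension library without touching the kernel. The path of the rules file and the IPTABLES variable are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: verify that the installed iptables
# can still load every match and target extension a ruleset uses, before
# restarting the firewall. The rules file path and IPTABLES are assumptions.

IPTABLES="${IPTABLES:-iptables}"

# extension_loads KIND NAME: KIND is "match" or "target". Returns 0 when
# iptables can load the extension (it prints the extension's help text,
# which requires loading its libxt_*.so), non-zero otherwise.
extension_loads() {
    case $1 in
        match)  "$IPTABLES" -m "$2" --help >/dev/null 2>&1 ;;
        target) "$IPTABLES" -j "$2" --help >/dev/null 2>&1 ;;
        *)      return 2 ;;
    esac
}

# preflight RULES_FILE: check each distinct -m/--match and -j/--jump name in
# an iptables-save style file. Built-in verdicts and chains declared in the
# file itself need no library and are skipped. Prints what is missing and
# returns 1 if anything failed to load, so it can gate a restart.
preflight() {
    rules=$1
    rc=0
    # user-defined chains (":NAME ...") are valid -j targets without a library
    chains=$(sed -n 's/^:\([^ ]*\).*/\1/p' "$rules" | tr '\n' ' ')
    for m in $(awk '{for(i=1;i<NF;i++) if($i=="-m"||$i=="--match") print $(i+1)}' "$rules" | sort -u); do
        extension_loads match "$m" || { echo "missing match: $m"; rc=1; }
    done
    for t in $(awk '{for(i=1;i<NF;i++) if($i=="-j"||$i=="--jump") print $(i+1)}' "$rules" | sort -u); do
        case " ACCEPT DROP RETURN QUEUE $chains " in
            *" $t "*) continue ;;
        esac
        extension_loads target "$t" || { echo "missing target: $t"; rc=1; }
    done
    return $rc
}
```

Run it as `preflight /var/lib/iptables/rules-save && /etc/init.d/iptables restart` so the restart is skipped when an extension is missing; `iptables-restore --test FILE` does a similar end-to-end parse of one file and is a good second check once the extensions load.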



Re: [gentoo-user] iptables

2005-08-25 Thread Eric Crossman
Once you run the rules once and run save, they will then be reloaded
from that location (/var/lib/iptables/rules-save)
by /etc/init.d/iptables start. The init.d script uses iptables-restore
and iptables-save underneath.

Eric C

On Thu, 2005-08-25 at 23:17 -0400, John Dangler wrote:
> I'm reading through the wiki doc on setting up iptables.  There is a section
> there that sets up a file called firewall.sh
> i've emerged iptables, but I don't have a file by that name on the system,
> and it seems that running "/etc/init.d/iptables save" writes this file as
> /var/lib/iptables/rules-save.  Is there a specific directory where this file
> should be written so that running "/etc/init.d/iptables save" can see it?
> Or can the rules-save file be edited and re-written? (It seems as though
> running "/etc/init.d/iptables save" would just over-write rules-save).
> 
> Thanks for the input.
> 
> John D
> 
> 
> 
> 




Re: [gentoo-user] iptables

2005-08-25 Thread A. Khattri
On Thu, 25 Aug 2005, John Dangler wrote:

> I'm reading through the wiki doc on setting up iptables.  There is a section
> there that sets up a file called firewall.sh
> i've emerged iptables, but I don't have a file by that name on the system,

Probably a script the wiki author created perhaps...

> and it seems that running "/etc/init.d/iptables save" writes this file as
> /var/lib/iptables/rules-save.

That's right.

> Is there a specific directory where this file
> should be written so that running "/etc/init.d/iptables save" can see it?
> Or can the rules-save file be edited and re-written? (It seems as though
> running "/etc/init.d/iptables save" would just over-write rules-save).

That's right it does.

There's nothing stopping you editing /var/lib/iptables/rules-save but be aware
that the init scripts might overwrite those changes if iptables has been
started. (The init script also supports a "reload" option which looks like
it flushes all the rules without saving them first and then loads them
again from /var/lib/iptables/rules-save - this might be useful for you).





Re: [gentoo-user] iptables

2005-08-26 Thread Fernando Meira
On 8/26/05, John Dangler <[EMAIL PROTECTED]> wrote:
> I'm reading through the wiki doc on setting up iptables.  There is a section
> there that sets up a file called firewall.sh
> I've emerged iptables, but I don't have a file by that name on the system,
> and it seems that running "/etc/init.d/iptables save" writes this file as
> /var/lib/iptables/rules-save.  Is there a specific directory where this file
> should be written so that running "/etc/init.d/iptables save" can see it?
> Or can the rules-save file be edited and re-written? (It seems as though
> running "/etc/init.d/iptables save" would just over-write rules-save).
> Thanks for the input.
> John D
You first run the firewall.sh script. Then you do "/etc/init.d/iptables save" to save what you have just configured!

HTH,
Fernando



Re: [gentoo-user] iptables

2005-08-29 Thread Holly Bostick
John Dangler schreef:
> I emerged firestarter (during which I got iptables), and forgot that I
> didn't have iptables emerged prior.  I went into the kernel and selected (as
> the doc I found suggests) 


Oh, John, to hell with "the doc you found" (which look to be from the
Wiki). No offense to the wiki (or to you), but you're really
overcomplicating this. You're probably better off with the Firestarter
docs found here

http://www.fs-security.com/docs/kernel.php

which are complete, and clear, and designed to work with the Firestarter
front end you know, "official docs"...? :)


Holly



Re: [gentoo-user] iptables

2005-08-29 Thread W.Kenworthy
iptables has an "extensions" use flag which you may or may not need
depending on what the firestarter scripts do.

After installing modules, you need to run modules-update to get the
modules database sorted out.  This may fix the symbol error.  In some
cases, you need to reboot into the new kernel as the symbols in the
running kernel and new modules may be out of sync.

BillK




On Mon, 2005-08-29 at 19:44 -0400, John Dangler wrote:
> I emerged firestarter (during which I got iptables), and forgot that I
> didn't have iptables emerged prior.  I went into the kernel and selected (as
> the doc I found suggests) all of the options as modules under iptables. (The
> doc also says that if they are compiled as modules, I didn't need to
> reboot).
> I did add iptables to /etc/modules.autoload.d/kernel-2.6 (for subsequent
> rebooting).
> 
> modprobe ip_tables results in:
> FATAL: Error inserting ip_tables
> (/lib/modules/2.6.12-gentoo-r9/kernel/net/ipv4/netfilter/ip_tables.ko):
> Unknown symbol in module, or unknown parameter.
> 
> dmesg produces - 
> ip_tables: disagrees about version of symbol skb_copy_files
> ip_tables: Unknow symbol skb_copy_bits
> ip_tables: Unknown symbol nf_register_sockopt
> ip_tables: ip_tables: Unknown symbol nf_unregister_sockopt
> ip_tables: Unknown symbol nf_unregister_sockopt
> 
> (I just found another doc that says to ONLY modprobe IF you haven't built
> this as a module)
> DOH!
> 
> I went back into the kernel config and removed all but the essential options
> for iptables... (just iptables module) and rebuilt the kernel
> 
> A reboot (aside from losing my wireless), produced an error on boot loading
> iptables.
> no other text in dmesg points to the problem.
> 
> John D
> 
> 
> 
> 



RE: [gentoo-user] iptables

2005-08-29 Thread John Dangler
Holly~
The Firestarter kernel requirements doc says - 

*Device drivers 
*Networking support [y]
*Networking support 
*Networking options 
*Network packet filtering [y]
*Network packet filtering 
IP: Netfilter Configuration
(*)

"We recommend you enable _everything_ except ipchains support and ipfwadm
support as modules under this menu"

In case I did something out to bork this myself, I'm going to unmerge
firestarter and iptables, rebuild the kernel into the state it was before
this started (genkernel --kernel-config=my.old.config all), emerge iptables
(instead of letting firestarter emerge do it), make sure that iptables loads
up ok, then emerge firestarter and configure it.  That way, I can be sure
that it's not me just getting in a hurry to install a package...


John Dangler
GenoFit
800-505-4078 (Corporate)
386-767-3730 (Direct)
866-273-0408 (Fax)
www.genofit.com
[EMAIL PROTECTED]
 



RE: [gentoo-user] iptables

2005-08-29 Thread John Dangler
ok.  I got a clean kernel and removed iptables and firestarter. I then went
into the kernel config and _only_ turned on iptable support as a module, and
ran modules-update.  all looks ok.  Rebooting the kernel, however, I get
this in dmesg - 
ipw2100: disagrees about version of symbol per_cpu__softnet_data
ipw2100: no version for "ieee80211_get_crypto_ops" found: kernel tainted.
(a whole lot of these messages listing what appears to be every symbol in
the ipw2100 module)...
then -
ieee80211: disagrees about version of symbol per_cpu__softnet_data
ieee80211: Unknown symbol per_cpu__softnet_data.
(a whole lot of these messages listing what appears to be every symbol in
the ieee80211 module)...
then -
ieee80211_crypt_wep: disagrees about version of symbol ___pskb_trim
ieee80211_crypt_wep: Unknown symbol ___pskb_trim.
(a whole lot of these messages listing what appears to be every symbol in
the ieee80211_crypt_wep module)...

It appears that the version of ipw2100 and/or ieee80211 in portage (stable)
clashes with the version of iptables in portage (stable).

So, either I can have wireless or security...

John D


-Original Message-
From: John Dangler [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 29, 2005 10:36 PM
To: gentoo-user@lists.gentoo.org
Subject: RE: [gentoo-user] iptables

Holly~
The Firestarter kernel requirements doc says - 

*Device drivers 
*Networking support [y]
*Networking support 
*Networking options 
*Network packet filtering [y]
*Network packet filtering 
IP: Netfilter Configuration
(*)

"We recommend you enable _everything_ except ipchains support and ipfwadm
support as modules under this menu"

In case I did something out to bork this myself, I'm going to unmerge
firestarter and iptables, rebuild the kernel into the state it was before
this started (genkernel --kernel-config=my.old.config all), emerge iptables
(instead of letting firestarter emerge do it), make sure that iptables loads
up ok, then emerge firestarter and configure it.  That way, I can be sure
that it's not me just getting in a hurry to install a package...


John Dangler
GenoFit
800-505-4078 (Corporate)
386-767-3730 (Direct)
866-273-0408 (Fax)
www.genofit.com
[EMAIL PROTECTED]
 

-Original Message-
From: Holly Bostick [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 29, 2005 9:32 PM
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] iptables

John Dangler schreef:
> I emerged firestarter (during which I got iptables), and forgot that I
> didn't have iptables emerged prior.  I went into the kernel and selected
(as
> the doc I found suggests) 


Oh, John, to hell with "the doc you found" (which look to be from the
Wiki). No offense to the wiki (or to you), but you're really
overcomplicating this. You're probably better off with the Firestarter
docs found here

http://www.fs-security.com/docs/kernel.php

which are complete, and clear, and designed to work with the Firestarter
front end you know, "official docs"...? :)


Holly
-- 
gentoo-user@gentoo.org mailing list



RE: [gentoo-user] iptables

2005-08-29 Thread John Dangler
yep. it's a bug.  As soon as I remove iptables from the kernel config,
ipw2100,ieee80211_crypt_tkip, ieee80211_crypt_ccmp, ieee80211_crypt_wep,
ieee80211 all show up fine in lsmod.  no dmesg errors, and eth1 (wireless)
shows up fine.  Off to bugz to log this.

John D
 

-Original Message-
From: John Dangler [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 29, 2005 11:36 PM
To: gentoo-user@lists.gentoo.org
Subject: RE: [gentoo-user] iptables

ok.  I got a clean kernel and removed iptables and firestarter. I then went
into the kernel config and _only_ turned on iptable support as a module, and
ran modules-update.  all looks ok.  Rebooting the kernel, however, I get
this in dmesg - 
ipw2100: disagrees about version of symbol per_cpu__softnet_data
ipw2100: no version for "ieee80211_get_crypto_ops" found: kernel tainted.
(a whole lot of these messages listing what appears to be every symbol in
the ipw2100 module)...
then -
ieee80211: disagrees about version of symbol per_cpu__softnet_data
ieee80211: Unknown symbol per_cpu__softnet_data.
(a whole lot of these messages listing what appears to be every symbol in
the ieee80211 module)...
then -
ieee80211_crypt_wep: disagrees about version of symbol ___pskb_trim
ieee80211_crypt_wep: Unknown symbol ___pskb_trim.
(a whole lot of these messages listing what appears to be every symbol in
the ieee80211_crypt_wep module)...

It appears that the version of ipw2100 and/or ieee80211 in portage (stable)
clashes with the version of iptables in portage (stable).

So, either I can have wireless or security...

John D





Re: [gentoo-user] iptables

2005-08-30 Thread Hans-Werner Hilse
Hi,

On Tue, 30 Aug 2005 00:54:47 -0400
"John Dangler" <[EMAIL PROTECTED]> wrote:

> yep. it's a bug.  As soon as I remove iptables from the kernel config,
> ipw2100,ieee80211_crypt_tkip, ieee80211_crypt_ccmp, ieee80211_crypt_wep,
> ieee80211 all show up fine in lsmod.  no dmesg errors, and eth1 (wireless)
> shows up fine.  Off to bugz to log this.

Nah, it isn't a bug. That incorporation of netfilter into the kernel
changes some internal structs, I guess. So you need to recompile your
other modules (ipw2100 and fellows - at least the network-dependent)
for the new kernel. That's all pretty normal.

-hwh



Re: [gentoo-user] iptables

2005-08-30 Thread Neil Bothwick
On Tue, 30 Aug 2005 11:43:26 +0200, Holly Bostick wrote:

> > "We recommend you enable _everything_ except ipchains support and
> > ipfwadm support as modules under this menu"
> 
> I never read this as meaning that everything should be selected, but
> rather that everything that you select under this menu, other than
> ipchains support and ipfwadm, should be selected as a module rather than
> static.

That interpretation would also mean that you should enable ipchains as
static, something you wouldn't want. But it is a highly ambiguous
statement.


-- 
Neil Bothwick

The best antiques are old friends.




RE: [gentoo-user] iptables

2005-08-30 Thread John Dangler
Nick~
Would your consensus also agree with Hans-Werner's on this?
The problem was (posted earlier) that having ipw2100/ieee80211 compiled in
and then adding iptables to the kernel caused the wireless to go south on a
reboot.
>> That incorporation of netfilter into the kernel changes some internal 
>> structs, i guess. So you need to recompile your other modules (ipw2100
>> and fellows - at least the network-dependent) for the new kernel.

I'd like to get this running, so I can setup firestarter on my laptop.

Thanks for your input.

John D 




Re: [gentoo-user] iptables

2005-08-30 Thread Holly Bostick
John Dangler schreef:
> Holly~ The Firestarter kernel requirements doc says -
> 
> *Device drivers *Networking support [y] *Networking support 
> *Networking options *Network packet filtering [y] *Network packet
> filtering IP: Netfilter Configuration (*)
> 
> "We recommend you enable _everything_ except ipchains support and
> ipfwadm support as modules under this menu"

I never read this as meaning that everything should be selected, but
rather that everything that you select under this menu, other than
ipchains support and ipfwadm, should be selected as a module rather than
static. But even then, they further explain that this is mostly to save
size and memory in the kernel, rather than some actual necessity.

And of course, the docs further say
> At the very least, the Connection tracking, IP tables, Connection
> state match support, Connection tracking match support, Packet
> filtering, Full NAT and the LOG target support


My config looks like this:

CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_CT_ACCT is not set
# CONFIG_IP_NF_CONNTRACK_MARK is not set
# CONFIG_IP_NF_CT_PROTO_SCTP is not set
# CONFIG_IP_NF_FTP is not set
# CONFIG_IP_NF_IRC is not set
# CONFIG_IP_NF_TFTP is not set
# CONFIG_IP_NF_AMANDA is not set
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_MAC=y
CONFIG_IP_NF_MATCH_PKTTYPE=y
CONFIG_IP_NF_MATCH_MARK=y
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=y
CONFIG_IP_NF_MATCH_ECN=y
CONFIG_IP_NF_MATCH_DSCP=y
CONFIG_IP_NF_MATCH_AH_ESP=y
CONFIG_IP_NF_MATCH_LENGTH=y
CONFIG_IP_NF_MATCH_TTL=y
CONFIG_IP_NF_MATCH_TCPMSS=y
CONFIG_IP_NF_MATCH_HELPER=y
CONFIG_IP_NF_MATCH_STATE=y
CONFIG_IP_NF_MATCH_CONNTRACK=y
CONFIG_IP_NF_MATCH_OWNER=y
# CONFIG_IP_NF_MATCH_ADDRTYPE is not set
# CONFIG_IP_NF_MATCH_REALM is not set
# CONFIG_IP_NF_MATCH_SCTP is not set
# CONFIG_IP_NF_MATCH_COMMENT is not set
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=y
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=y
CONFIG_IP_NF_TARGET_REDIRECT=y
CONFIG_IP_NF_TARGET_NETMAP=y
CONFIG_IP_NF_TARGET_SAME=y
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=y
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_CLASSIFY=y
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_ARPTABLES=y
CONFIG_IP_NF_ARPFILTER=y
CONFIG_IP_NF_ARP_MANGLE=y

As you see, I haven't even followed the instructions properly (all this
stuff is static), but, as the docs also say it will, Firestarter seems
to work fine (because all the 'required elements' are enabled).

Maybe I'll go back through make menuconfig and clean that all up, just
so I know what I'm doing in future. But afaik, I just left the kernel
defaults in place (as about all I know about these settings is that 1)
I'm not using ipv6, and 2) anything that is needed for a router I don't
need, because I'm not a router :) ).

It rather sounds like Hans-Werner is onto something; often, when you
change your kernel configuration, you have to rebuild any external
modules against the new base, which you don't seem to have done.
Otherwise the external module thinks that functions are available that
it has to modprobe (because the functionality has changed from static to
module), and vice versa (if the functionality has changed from module to
static).

If I reconfigure my kernel to modify a sound module, then no, I don't
have to re-emerge the ati-drivers (because the kernel change is
irrelevant to the external module), but the same wouldn't be true if I
changed /dev/agpgart from static to a module.

In this case, you certainly are changing kernel options relevant to the
external modules, so those would have to be re-emerged against the new
kernel configuration.

HTH,
Holly






[gentoo-user] iptables / ipp2p

2005-12-16 Thread Uwe Thiem
Hi folks,

uwix ~ # iptables -m ipp2p -help
iptables v1.3.4: Couldn't load match `ipp2p':/lib/iptables/libipt_ipp2p.so: 
cannot open shared object file: No such file or directory


uwix ~ # emerge --pretend --verbose iptables

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] net-firewall/iptables-1.3.4  -extensions +ipv6 -static 0 kB

How can I make it build libipt_ipp2p.so as well? Is it that "-extensions" 
flag?

Uwe

-- 
Unix is sexy:
who | grep -i blonde | date
cd ~; unzip; touch; strip; finger
mount; gasp; yes; uptime; umount
sleep



[gentoo-user] iptables question

2006-01-20 Thread Dmitry S. Makovey

somewhat offtopic, but since I need any help I can get:

how do I redirect traffic from the outward facing interface 
(192.168.1.114:80) to loopback device (127.0.0.1:80) ?

my most obvious trick:
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.114 --dport 80 \
-j DNAT --to 127.0.0.1:80
and 
echo 1 > /proc/sys/net/ipv4/ip_forward
didn't help. Machine which is opening connection is hanging there 
indefinitely...

what did I miss?

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245




[gentoo-user] Iptables Tarpit

2006-03-06 Thread Erik Westenbroek
hello
I am attempting to create a tarpit to protect against SSH brute force
attempts.  I tried this:

iptables -N SSH_Brute_Force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_Brute_Force
iptables -A SSH_Brute_Force -s 192.168.1.254 -j RETURN
iptables -A SSH_Brute_Force -m recent --name SSH --set --rsource
iptables -A SSH_Brute_Force -m recent ! --rcheck --seconds 60
--hitcount 3 --name SSH --rsource -j RETURN
iptables -A SSH_Brute_Force -j LOG --log-prefix "SSH Brute Force Attempt:  "
iptables -A SSH_Brute_Force -p tcp -j TARPIT
After I typed the last command I got this error message:
iptables: No chain/target/match by that name

What am I doing wrong?
Here is the website I used as a reference for the tarpit:
http://lists.netfilter.org/pipermail/netfilter/2005-June/060914.html

-- 
gentoo-user@gentoo.org mailing list
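
The chain posted above is worth tracing by hand, because the order of the two `-m recent` rules decides which connection attempt is the first to be tarpitted. The block below is an added example, not code from the post: a Python model of what the xt_recent match does for `--set` and `! --rcheck --seconds 60 --hitcount 3` (one list of timestamps per source address, of which the stamps inside the window are counted), run over a constructed sequence of new SSH connections with made-up addresses. Two things the model does not show: "iptables: No chain/target/match by that name" is the message iptables gives when the kernel has no module for a target or match on the rule, and TARPIT has never been in the mainline kernel (it came from netfilter's patch-o-matic-ng when the post was written and ships in xtables-addons today), which is why the six `-m recent` and LOG rules load and only the last one fails.

```python
"""Model of the `-m recent` logic in the SSH_Brute_Force chain above.

Added example, not code from the post.  It reproduces what the xt_recent
match does for `--set` and `! --rcheck --seconds 60 --hitcount 3`: one list
of timestamps per source address (--rsource), of which the stamps inside the
window are counted, the current packet's own stamp included because the
--set rule runs first.  ATTEMPTS is a constructed sequence of new SSH
connections (time in seconds, source address); the addresses are made up.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

WHITELIST = {"192.168.1.254"}   # -s 192.168.1.254 -j RETURN at the top of the chain
SECONDS, HITCOUNT = 60, 3       # --seconds 60 --hitcount 3
LIST_MAX = 20                   # xt_recent keeps ip_pkt_list_tot (default 20) stamps per address


class RecentTable:
    """One --name table; entries are keyed by source address (--rsource)."""

    def __init__(self) -> None:
        self.stamps: Dict[str, List[float]] = defaultdict(list)

    def set(self, src: str, now: float) -> None:
        """--set: record the address, adding a timestamp for this packet."""
        stamps = self.stamps[src]
        stamps.append(now)
        if len(stamps) > LIST_MAX:
            del stamps[0]              # the oldest stamp is overwritten

    def rcheck(self, src: str, now: float, seconds: float, hitcount: int) -> bool:
        """--rcheck --seconds N --hitcount M: the address is listed and at least
        M of its stamps lie within the last N seconds."""
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if t + seconds >= now)
        return hits >= hitcount


def ssh_brute_force(table: RecentTable, src: str, now: float) -> str:
    """Walk the chain for one NEW connection; 'RETURN' means it goes on through
    INPUT, 'TARPIT' means it reached the LOG and TARPIT rules."""
    if src in WHITELIST:                      # -s 192.168.1.254 -j RETURN
        return "RETURN"
    table.set(src, now)                       # --name SSH --set --rsource (no -j: always falls through)
    if not table.rcheck(src, now, SECONDS, HITCOUNT):   # ! --rcheck ... -j RETURN
        return "RETURN"
    return "TARPIT"                           # -j LOG "SSH Brute Force Attempt: " then -j TARPIT


ATTEMPTS: List[Tuple[float, str]] = [       # constructed input, time-sorted
    (0,   "203.0.113.7"),     # 1st attempt in the window
    (10,  "203.0.113.7"),     # 2nd
    (20,  "203.0.113.7"),     # 3rd stamp within 60 s -> tarpitted
    (25,  "203.0.113.7"),     # still 3 or more stamps in the window
    (30,  "192.168.1.254"),   # whitelisted LAN host, never recorded
    (30,  "198.51.100.9"),    # another source has its own counter
    (100, "203.0.113.7"),     # 0/10/20/25 are older than 100-60 -> one hit -> allowed again
]


def run(attempts: List[Tuple[float, str]]) -> List[str]:
    """Verdict for each attempt, in order (attempts must be time-sorted)."""
    table = RecentTable()
    return [ssh_brute_force(table, src, t) for t, src in attempts]


if __name__ == "__main__":
    for (t, src), verdict in zip(ATTEMPTS, run(ATTEMPTS)):
        print("t=%3d %-15s %s" % (t, src, verdict))
```

Because `--set` runs before `! --rcheck`, the SYN being evaluated counts towards the hitcount, so the third new connection inside a 60 s window is the first one tarpitted; swapping the two rules (or using `--update` in the check) shifts that by one. The chain is only entered for `--state NEW` packets, so sessions that are already up are never affected, and an address that stops knocking simply ages out of the window.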



[gentoo-user] iptables question

2006-03-28 Thread Hiren Dave
Hi,
I want to configure the firewall such that network 192.168.1.0/24 can only access the http server on server1 (192.168.0.2/24) and network 192.168.0.0/24 can not access the http server. So I tried this:

#service iptables stop
#iptables -P INPUT DROP
#iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT

But this command sends the error "Unknown arg: --dport"
How can I achieve this?

Also, are there any books or online documents for practically learning iptables?
TnR
Hiren


Re: [gentoo-user] Iptables

2007-01-18 Thread Daniel Pielmeier

> How can I install and run iptables (with conntrack and all other
> modules) in a Gentoo 2006.1 box with kernel generated by genkernel?
> 
> I tried "emerge iptables", but when I type "iptables -F" I get
> something like this:
> 
> FATAL: Module ip_tables not found.
> iptables v1.3.5: can't initialize iptables table `filter': iptables
> who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.


Hm, did you start the iptables init-script, i think it loads the
necessary modules!



RE: [gentoo-user] Iptables

2007-01-18 Thread
>-Original Message-
>From: Fabrício L. Ribeiro [mailto:[EMAIL PROTECTED]
>Sent: 18 January 2007 15:59
>To: gentoo-user@lists.gentoo.org
>Subject: [gentoo-user] Iptables
>
>
>How can I install and run iptables (with conntrack and all other
>modules) in a Gentoo 2006.1 box with kernel generated by genkernel?
>
>I tried "emerge iptables", but when I type "iptables -F" I get
>something like this:
>
>FATAL: Module ip_tables not found.
>iptables v1.3.5: can't initialize iptables table `filter': iptables
>who? (do you need to insmod?)
>Perhaps iptables or your kernel needs to be upgraded.
>
>Thanks!

http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

That is the *first* result if you google for 'Gentoo Iptables'.
http://www.google.co.uk/search?q=gentoo+iptables&ie=utf-8&oe=utf-8&rls=org.mozilla:en-GB:official&client=firefox-a

djn




Re: [gentoo-user] Iptables

2007-01-19 Thread Alan McKinnon
On Thursday 18 January 2007 17:58, Fabrício L. Ribeiro wrote:
> How can I install and run iptables (with conntrack and all other
> modules) in a Gentoo 2006.1 box with kernel generated by genkernel?
>
> I tried "emerge iptables", but when I type "iptables -F" I get
> something like this:
>
> FATAL: Module ip_tables not found.
> iptables v1.3.5: can't initialize iptables table `filter': iptables
> who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.

genkernel uses a standard .config the first time you use it on a kernel 
version. In the kernel sources, all the netfilter options are disabled 
by default, and you MUST enable them via menuconfig.

Did you perhaps omit this step?

alan





Re: [gentoo-user] Iptables

2007-01-19 Thread Pete Pardoe

Alan

IPTables support must be compiled into the kernel.  I am not in front of my
gentoo system so cannot help you find the location in "make menuconfig"  but
if you poke around you should be able to locate it.

Pete




--
Pete Pardoe


Re: [gentoo-user] Iptables

2007-01-19 Thread Fabrício L. Ribeiro

People,

The response is in Nelson's mail.

Thanks Nelson and thanks to all.



--
FABRÍCIO L. RIBEIRO
===
[icq: 66770900]
[e-mail, gtalk e msn: [EMAIL PROTECTED]
[blog: http://opalavrorio.blogspot.com]




[gentoo-user] IPtables question

2007-01-31 Thread James Colby

List members -

I have a small home server that I have connected to the internet
through a linksys router and cable modem.  The linksys router is
currently forwarding all ssh traffic to my gentoo box.  What I would
like to do is set up iptables to only allow ssh logins from a small
number of internet hosts, and to reject and log all other ssh
attempts.  Can someone please help me out with this.  All of the
tutorials and documentation that I have found are setting up a fully
functioning firewall / NAT / proxy, and I think that is a little
overkill for my needs.

Thanks for any help that you may be able to provide,
James



[gentoo-user] iptables error

2006-11-08 Thread Arnau Bria
Hi,

I've done a kernel upgrade, from 2.6.16 to 17-r8, and my iptables stopped
working.

I get this error:

# iptables-restore < /etc/iptables.noviembre
getsockopt failed strangely: No such file or directory

I have those modules loaded:

# lsmod
Module  Size  Used by
iptable_filter  3968  0
ip_tables  14436  1 iptable_filter
x_tables   14980  1 ip_tables

is there anything missing? It worked fine with old kernel...

cheers!
-- 
Arnau Bria
http://blog.emergetux.net
Wiggum: Dispara a las ruedas Lou.
Lou: eee, es un tanque jefe.
Wiggum: Me tienes hartito con todas tus excusas.



[gentoo-user] iptables wiki

2006-07-04 Thread james

Hello,

I'm attempting to follow this wiki to build a test firewall running iptables:
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies#QuickStart

Kernel is 'hardened' with netfilter et al activated.

It looks reasonable and is supposed to be up to date.

My nics are set up in /etc/conf.d/net
iface_eth0="192.168.2.20 broadcast 192.168.2.255 netmask 255.255.255.0"
iface_eth1="192.168.3.11 broadcast 192.168.3.255 netmask 255.255.255.0"
iface_eth2="  broadcast  netmask 255.255.255.252"
routes_eth2=( "default gw " )

All work fine.

port forwarding is enabled:

Rulesets get saved to /var/lib/iptables/rules-save
as specified in /etc/conf.d/iptables
and 
/etc/init.d/iptables is the script that launches iptables
plus  rc-update add iptables default

I think all of this is correct(correct me if I'm wrong).

When I go to /etc/init to write my rules into firewall.sh
as specified in the aforementioned wiki I automatically get
this shoved into the script:

#!/sbin/runscript
# Copyright 1999-2006 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $
depend() {
}
start() {
}
stop() {
}
restart() {
}



Curiously, none of the examples talk about this.

Is this the correct place to put my script(/etc/init.d/, 
which is somewhat similar to the one suggested in the
wiki?


None of the examples I found googling discuss the details of where to put
the script, how to launch it and other such details. Any suggestion
are welcome. I have found lots of  example scripts similar to my 3 nic
net/lan/dmz setup though.

Any suggestions are very welcome.

James







[gentoo-user] iptables (not) started?

2013-03-29 Thread Jarry

Hi Gentoo-users,

I noticed one thing on my server: during boot-up no message
about firewall being started is printed on console. I always
have to check manually if iptables-rules have been loaded.
Strange thing, when doing shutdown, I see messages I expect:

* Saving iptables state ...  [ ok ]
* Stopping firewall ...  [ ok ]

I checked also /etc/init.d/iptables and I think it should
show some messages at start:

start() {
checkconfig || return 1
ebegin "Loading ${iptables_name} state and starting firewall"
${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
eend $?
}

Can someone explain to me why this message is not printed?

Jarry
--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



[gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Nick Khamis
Hello Everyone,

We recently moved our stateful firewall inside, and would like to
strip down the firewall at our router connected to the outside world.
The problem I am experiencing is getting things to work properly
without connection tracking. I hope I am not in breach of mailing list
rules however, a stripped down configuration is as follows:

#!/bin/bash
IPTABLES='/sbin/iptables'

#Set interface values
INTIF1='eth0'

#flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

#echo -e "   - Accepting input lo traffic"
$IPTABLES -A INPUT -i lo -j ACCEPT

#echo -e "   - Accepting output lo traffic"
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#echo -e "   - Defined Chains"
$IPTABLES -N TCP
$IPTABLES -N UDP

#echo -e "   - Accepting SSH Traffic"
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5
--dport 22 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

#echo -e "   - Accepting input TCP and UDP traffic to open ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP

#echo -e "   - Accepting output TCP and UDP traffic to open ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP

#echo -e "   - Dropping input TCP and UDP traffic to closed ports"
# $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with
icmp-port-unreachable

#echo -e "   - Dropping output TCP and UDP traffic to closed ports"
# $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with
icmp-port-unreachable

#echo -e "   - Dropping input traffic to remaining protocols sent
to closed ports"
# $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e "   - Dropping output traffic to remaining protocols sent
to closed ports"
# $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable


Everything works fine with the REJECT rules commented out, but when
included SSH access is blocked out. Not sure why, isn't the sequence
correct (i.e., the ACCEPT entries before the DROP and REJECT)?

Also, any pointers or heads up when going stateless would be greatly
appreciated.

Kind Regards,

Nick
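
The handshake is the place to look when a stateless ruleset "works" until REJECT rules are added. The block below is an added example, not code from the post or from the netfilter project: a Python model of the matches the posted script uses (-i/-o, -p, -s/-d, --dport, --syn) that walks the chains in rule order for each segment of an SSH connection from a LAN client. The addresses (client 192.168.2.10, server 192.168.2.5, outsider 10.0.0.1) are made up, and the REJECT rules the post has commented out are enabled in the model.

```python
"""Stateless evaluation of the INPUT/OUTPUT rules in the post above.

Added example, not code from the post: a small evaluator for the iptables
matches the script uses, applied to the segments of an SSH handshake.  It
models netfilter's rule traversal; it is not netfilter.  Addresses are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

TERMINATING = {"ACCEPT", "DROP", "REJECT"}


@dataclass(frozen=True)
class Pkt:
    iface: str                      # -i interface (INPUT) or -o interface (OUTPUT)
    proto: str                      # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    flags: FrozenSet[str] = frozenset()   # TCP flags present, e.g. {"SYN", "ACK"}

    @property
    def is_syn(self) -> bool:
        """--syn: SYN set and ACK, RST, FIN all clear."""
        return "SYN" in self.flags and not self.flags & {"ACK", "RST", "FIN"}


@dataclass(frozen=True)
class Rule:
    target: str                     # ACCEPT / DROP / REJECT, or a user chain to jump to
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None       # CIDR
    dst: Optional[str] = None       # CIDR
    dport: Optional[int] = None
    syn: Optional[bool] = None      # True for --syn, False for ! --syn

    def matches(self, p: Pkt) -> bool:
        return ((self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or p.dport == self.dport)
                and (self.syn is None or p.is_syn == self.syn))


class Firewall:
    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {"INPUT": [], "OUTPUT": [], "TCP": [], "UDP": []}
        self.policy = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT"}   # the post sets no -P

    def _walk(self, chain: str, p: Pkt) -> Optional[str]:
        for r in self.chains[chain]:
            if not r.matches(p):
                continue
            if r.target in TERMINATING:
                return r.target
            verdict = self._walk(r.target, p)       # jump into a user chain
            if verdict is not None:
                return verdict                      # falling off its end continues here
        return None

    def verdict(self, chain: str, p: Pkt) -> str:
        return self._walk(chain, p) or self.policy[chain]


def build(stateless_fix: bool) -> Firewall:
    """The posted rules with the REJECT rules enabled.  stateless_fix=True adds
    the rule a stateless filter needs in place of conntrack's ESTABLISHED match:
    let non-SYN TCP segments through, so only connection attempts are policed."""
    fw = Firewall()
    fw.chains["INPUT"].append(Rule("ACCEPT", iface="lo"))
    fw.chains["OUTPUT"].append(Rule("ACCEPT", iface="lo"))
    fw.chains["TCP"] = [
        Rule("ACCEPT", proto="tcp", src="192.168.2.0/24", dst="192.168.2.5/32", dport=22),
        Rule("DROP", proto="tcp", src="0.0.0.0/0", dst="192.168.2.5/32", dport=22),
    ]
    for chain in ("INPUT", "OUTPUT"):
        if stateless_fix:
            fw.chains[chain].append(Rule("ACCEPT", iface="eth0", proto="tcp", syn=False))
        fw.chains[chain] += [
            Rule("TCP", iface="eth0", proto="tcp", syn=True),   # only SYNs reach the TCP chain
            Rule("UDP", iface="eth0", proto="udp"),
            Rule("REJECT", iface="eth0", proto="tcp"),           # --reject-with tcp-rst
            Rule("REJECT", iface="eth0", proto="udp"),           # --reject-with icmp-port-unreachable
            Rule("REJECT", iface="eth0"),                        # --reject-with icmp-proto-unreachable
        ]
    return fw


def ssh_handshake_verdicts(stateless_fix: bool) -> List[str]:
    """Verdicts for SYN (in), SYN-ACK (out) and ACK (in) of a LAN client's SSH connection."""
    fw = build(stateless_fix)
    client, server = "192.168.2.10", "192.168.2.5"
    syn = Pkt("eth0", "tcp", client, server, 22, frozenset({"SYN"}))
    syn_ack = Pkt("eth0", "tcp", server, client, 50000, frozenset({"SYN", "ACK"}))
    ack = Pkt("eth0", "tcp", client, server, 22, frozenset({"ACK"}))
    return [fw.verdict("INPUT", syn), fw.verdict("OUTPUT", syn_ack), fw.verdict("INPUT", ack)]


def outsider_ssh_verdict(stateless_fix: bool) -> str:
    """A SYN to port 22 from outside the LAN must still be dropped by the TCP chain."""
    fw = build(stateless_fix)
    return fw.verdict("INPUT", Pkt("eth0", "tcp", "10.0.0.1", "192.168.2.5", 22, frozenset({"SYN"})))


if __name__ == "__main__":
    for fix in (False, True):
        print("with ! --syn:" if fix else "as posted:   ", ssh_handshake_verdicts(fix),
              "outsider:", outsider_ssh_verdict(fix))
```

As posted, the client's SYN is accepted in the TCP chain, but the server's SYN-ACK (not `--syn`) and the client's following ACK never enter that chain; with the REJECT rules present they fall through to `-p tcp -j REJECT` in OUTPUT and INPUT, which is why SSH only works while those rules are commented out and the default ACCEPT policy catches the rest. The `! --syn -j ACCEPT` rule is the stateless stand-in for `--state ESTABLISHED,RELATED`, and its cost is exactly what conntrack would have bought: any non-SYN segment from anywhere is let through, so an ACK scan sees every port as unfiltered, and the router's own outbound connections still need their SYNs allowed in OUTPUT.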



Re: [gentoo-user] iptables question...

2011-12-17 Thread Hari Purnama
On 12/16/11 22:17, Tanstaafl wrote:
> Hi all,
>
> I was reading up on some iptables rules in the gentoo security handbook:
>
> http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12&style=printable
>
>
> It mentions DROPing packets with an INVALID state.
>
> It sounded/sounds like a good idea, so I added the following rule:
>
> -A INPUT -i eth0 -m state --state INVALID -j LOG
>
> As suggested, I addd this rule just ABOVE this one:
>
> -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I also changed the DROP action to LOG so I could see what it did if
> anything.
>
> Right after adding this rule, I started seeing lines like this in the
> log:
>
> Dec 16 10:15:31 myhost kernel: IN=eth0 OUT=
> MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=208.87.137.233
> DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP
> SPT=50113 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
>
> What I don't understand is why it isn't using my LOG prefix that is
> used for everything else:
>
> -A INPUT -j LOG --log-prefix "(>fw-drop): " --log-level 7
>
> Anyone?
>
Did you put the log-prefix rule before or after the LOG rule?
Or why didn't you put it in a 1liner, say:

-A INPUT -i eth0 -m state --state INVALID -j LOG --log-level 7
--log-prefix "(>fw-drop): " --log-ip-options --log-tcp-options


-- 
Regards,




Re: [gentoo-user] iptables question...

2011-12-17 Thread Tanstaafl

On 2011-12-17 11:34 AM, Hari Purnama  wrote:

Did you put the log-prefix rule before or after the LOG rule?


After - the log prefix rule is last...


Or why didn't you put it in a 1liner, say:

-A INPUT -i eth0 -m state --state INVALID -j LOG --log-level 7
--log-prefix "(>fw-drop): " --log-ip-options --log-tcp-options


Well, because I thought the log prefix rule applied to everything that 
comes before it...?
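
Two things in this thread are easy to check against the log line itself. `--log-prefix` is an option of the LOG target, so it applies only to the rule that carries it; a line written by a bare `-j LOG` has nothing between "kernel:" and "IN=". And the quoted packet is a bare RST with WINDOW=0: conntrack never starts a tracked connection from a RST, so a reset that matches no existing entry (typically a late one from the remote mail server after the local entry expired) is exactly what `--state INVALID` catches. The block below is an added example, not code from the thread: a Python parser for netfilter LOG lines that separates the prefix, the KEY=VALUE fields and the bare flag words. SAMPLE_LINES holds the line quoted above plus one constructed line written by a rule that did carry the "(>fw-drop): " prefix; the second line's addresses are made up.

```python
"""Parser for the netfilter LOG lines discussed above.

Added example, not code from the thread.  It splits a kernel LOG line into
the optional --log-prefix text (whatever sits between "kernel:" and "IN="),
the KEY=VALUE fields and the bare flag words, then summarises each entry.
SAMPLE_LINES[0] is the line quoted in the thread; SAMPLE_LINES[1] is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Bare words the LOG target prints: IP header flags and TCP flags.
IP_WORDS = {"DF", "MF", "CE"}
TCP_WORDS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

SAMPLE_LINES = [
    # From the thread: no prefix, a bare RST to the mail port.
    "Dec 16 10:15:31 myhost kernel: IN=eth0 OUT= "
    "MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=208.87.137.233 "
    "DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP "
    "SPT=50113 DPT=25 WINDOW=0 RES=0x00 RST URGP=0",
    # Constructed: same LOG target, but the rule had --log-prefix "(>fw-drop): ".
    "Dec 16 10:16:02 myhost kernel: (>fw-drop): IN=eth0 OUT= "
    "MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=198.51.100.23 "
    "DST=192.168.1.252 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=31337 DF PROTO=TCP "
    "SPT=44321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0",
]


@dataclass
class LogEntry:
    prefix: str                                  # "" when the LOG rule had no --log-prefix
    fields: Dict[str, str] = field(default_factory=dict)
    flags: Set[str] = field(default_factory=set)

    def tcp_flags(self) -> Set[str]:
        return self.flags & TCP_WORDS


# Optional syslog/kernel lead, then the prefix (lazy), then the fields from IN= on.
_SPLIT = re.compile(r"^(?:.*?kernel:\s*)?(?P<prefix>.*?)\s*(?P<body>IN=.*)$")


def parse_log_line(line: str) -> LogEntry:
    m = _SPLIT.match(line.strip())
    if not m:
        raise ValueError("not a netfilter LOG line: %r" % line)
    entry = LogEntry(prefix=m.group("prefix").strip())
    for tok in m.group("body").split():
        if "=" in tok:
            key, _, value = tok.partition("=")   # "OUT=" yields an empty value
            entry.fields[key] = value
        elif tok in IP_WORDS or tok in TCP_WORDS:
            entry.flags.add(tok)
    return entry


def summarise(entry: LogEntry) -> str:
    f = entry.fields
    who = "%s:%s -> %s:%s" % (f.get("SRC"), f.get("SPT"), f.get("DST"), f.get("DPT"))
    tag = entry.prefix or "[no --log-prefix on this rule]"
    flags = ",".join(sorted(entry.tcp_flags())) or "-"
    return "%s %s %s flags=%s" % (tag, f.get("PROTO"), who, flags)


def without_prefix(lines: List[str]) -> List[LogEntry]:
    """Entries written by LOG rules that carried no --log-prefix."""
    return [e for e in map(parse_log_line, lines) if not e.prefix]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(summarise(parse_log_line(line)))
```

Running it over the two lines labels the first as coming from a rule without a prefix, which is the answer to the question in the thread: the prefix has to go on the INVALID LOG rule itself, as in Hari's one-liner, or its entries are indistinguishable from any other unprefixed LOG output.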




[gentoo-user] IPTABLES syntax change?

2012-12-26 Thread Walter Dnes
  Many years ago, I understood IPCHAINS, and the first versions of
IPTABLES.  However, IPTABLES has followed the example of Larry Wall's
Practical Extraction and Reporting Language
and turned into a pseudo-OS that I barely comprehend.  Some rules
that I added many years ago were designed to reject unsolicited
connection attempts (after whitelisting my small LAN)...

-A ICMP_IN -p icmp -m state -j UNSOLICITED
-A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m state -j UNSOLICITED

  Now these all give me the error message...

WARNING: The state match is obsolete. Use conntrack instead.
iptables-restore v1.4.16.3: state: option "--state" must be specified

  "man iptables" suggested "man iptables-extensions".  As near as I can
tell, the "new and improved" way is...

-A ICMP_IN -p icmp -m conntrack --ctstate INVALID -j UNSOLICITED
-A TCP_IN -p tcp -m conntrack --ctstate INVALID -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m conntrack --ctstate INVALID -j UNSOLICITED

  This appears to work, i.e. it doesn't cause iptables to fail.  Does
this do what I think it does (reject unsolicited connections)?  The
reason that I'm asking is because I'm simply not sure.

-- 
Walter Dnes 
I don't run "desktop environments"; I run useful applications



[gentoo-user] iptables + dansguardian + squid

2009-04-09 Thread Joseph

I was following this guide to set it up home filter: iptables, DansGuardian, 
and Squid.
http://www.linux.com/articles/113733
in the past it worked but when I try it now eg:

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables: No chain/target/match by that name

Apparently filtering in the nat table is no longer supported. But I'm not good 
in iptables so I need some help here.
Anybody has a good link showing basics how to do it?

--
Joseph



[gentoo-user] iptables firewall script

2009-07-17 Thread Dave
Hello,
Can anyone good with iptables give this script a once over? It is
working, but in a very inconsistent manner: sometimes it lets traffic in,
other times not. Two things it does not have are dhcp rules, as this box gets
its address via dhcp, and cifs rules, as this machine mounts cifs shares; if
anyone has those I'd appreciate them. This is a single nic box, not a router,
just an internal client I'd like to protect.
Adapted from:

http://www.novell.com/coolsolutions/feature/18139.html

Thanks.
Dave.

#!/bin/bash
#
# Script for iptables firewall

# define variables
IF_PUB=eth0
IP_PUB=192.168.0.106
NET_PRV=192.168.0.0/24
ANYWHERE=0.0.0.0/0

# set up default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# remove any existing rules
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# Removes any user-defined chains
iptables -X

# If the machine is a router enable the next line
#echo 1 > /proc/sys/net/ipv4/ip_forward

# forward from the public interface
#iptables -A FORWARD -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow everything to and from the loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow communications on the local network
# This allows unrestricted communications
#iptables -A INPUT -i $IF_PUB -s $NET_PRV -j ACCEPT
# This allows only established or forwarded connections
iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IF_PUB -d $NET_PRV -j ACCEPT

# If you're doing NAT (-o takes the outgoing interface, not an address)
#iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j SNAT --to $IP_PUB

# allow various types of ICMP:
# echo reply (0), destination unreachable (3), time exceeded (11),
# and echo request (8), the last one rate-limited
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

# allow ssh, rate-limited. Only new connections reach this rule, since
# ESTABLISHED,RELATED is accepted above; without --dport it would admit
# every new TCP connection, not just ssh
iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB --dport ssh -m limit --limit 1/minute --limit-burst 1 -j ACCEPT

# mail and web server on a different host
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.1.253
#iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT

# send a tcp reject
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

# block irc
# These discard TCP and UDP IRC, IRC server and secure IRC traffic.
# Note: rules are matched in order, so TCP rules enabled here, after the
# catch-all tcp REJECT above, would never be reached; place them before it.
#iptables -A INPUT -p tcp --dport irc -j DROP
#iptables -A INPUT -p udp --dport irc -j DROP
#iptables -A INPUT -p tcp --dport irc-serv -j DROP
#iptables -A INPUT -p udp --dport irc-serv -j DROP
#iptables -A INPUT -p tcp --dport ircs -j DROP
#iptables -A INPUT -p udp --dport ircs -j DROP

# block a specific host
#iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited

# traffic from one port to another
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.1.254:443
#iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT
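A ruleset like the one above is worth a mechanical review before it is loaded: an "allow ssh" rule that carries no --dport admits every new TCP connection, and a TCP rule appended after the catch-all `REJECT --reject-with tcp-reset` can never match. The following Python checker is an added example, not part of the script above or of any Gentoo document. It parses iptables commands in the script's own syntax and reports exactly those two problems. The sample ruleset and all function names are constructed for the example.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample ruleset, modelled on the firewall script in this thread.
SAMPLE_SCRIPT = """\
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
# "allow ssh" with no --dport: every new TCP connection is let through
iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB -m limit --limit 1/minute -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# appended after the catch-all reject: the TCP rule can never match
iptables -A INPUT -p tcp --dport irc -j DROP
iptables -A INPUT -p udp --dport irc -j DROP
"""

PORT_OPTIONS = {"--dport", "--sport", "--dports", "--sports", "--icmp-type"}


@dataclass
class Rule:
    chain: str
    raw: str
    protocol: Optional[str] = None
    target: Optional[str] = None
    iface: Optional[str] = None
    has_port: bool = False
    has_source: bool = False
    has_state: bool = False


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one 'iptables -A CHAIN ...' filter-table command.

    Comments, blank lines and anything that is not an append to the filter
    table (-t nat, -P, -F, ...) are outside this checker's scope: None.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    argv = shlex.split(line)
    if not argv or argv[0] != "iptables" or "-t" in argv or "-A" not in argv:
        return None
    rule = Rule(chain=argv[argv.index("-A") + 1], raw=line)
    i = 1
    while i < len(argv):
        tok = argv[i]
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if tok == "-p":
            rule.protocol = nxt.lower()
        elif tok == "-j":
            rule.target = nxt
        elif tok == "-i":
            rule.iface = nxt
        elif tok == "-s":
            rule.has_source = True
        elif tok == "--state":
            rule.has_state = True
        elif tok in PORT_OPTIONS:
            rule.has_port = True
        i += 1
    return rule


def lint(script: str) -> List[Tuple[str, str]]:
    """Return (rule text, problem) pairs for the two checks described above."""
    findings: List[Tuple[str, str]] = []
    # chain -> protocols ("tcp", "udp", ... or "all") already swallowed by a catch-all
    caught = {}
    for line in script.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        blocked = caught.get(rule.chain, set())
        if "all" in blocked or rule.protocol in blocked:
            findings.append((rule.raw, "unreachable: follows a catch-all REJECT/DROP in chain %s" % rule.chain))
        restricted = rule.has_port or rule.has_source or rule.has_state or rule.iface == "lo"
        if rule.target == "ACCEPT" and rule.protocol in ("tcp", "udp") and not restricted:
            findings.append((rule.raw, "broad: accepts all %s with no port, source or state restriction" % rule.protocol))
        # A REJECT/DROP restricted by nothing but the protocol is a catch-all for it.
        if rule.target in ("REJECT", "DROP") and not (rule.has_port or rule.has_source or rule.has_state or rule.iface):
            caught.setdefault(rule.chain, set()).add(rule.protocol or "all")
    return findings


if __name__ == "__main__":
    for text, problem in lint(SAMPLE_SCRIPT):
        print("%-12s %s" % (problem.split(":")[0], text))
```

Run against a script file with `lint(open(path).read())`; the checker deliberately ignores nat-table and policy commands, so it is a complement to reading the script, not a replacement for loading it on a test host and probing the result.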




[gentoo-user] iptables blocks ssh

2005-06-08 Thread Antonio Coralles
I've recently turned my workstation into a router for my laptop, using
the great gentoo home router guide. Everything is ok so far, with one
exception: I can't connect to my ssh server anymore from outside the
LAN, because iptables seems to prevent this, although I
# iptables -A INPUT -p TCP --dport ssh -i eth1 -j ACCEPT .

Any ideas ?


-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] iptables and servername

2005-06-09 Thread Patrick
Hi,

I'm having trouble with iptables and http.
Before I activated iptables I could access my server with a name in my 
local /etc/hosts; after activating iptables I can only connect with the 
IP address or its FQDN.
This local name is different or does not exist in the hosts file on the server.

For ssh or ping i can use the server name.
My rule:
ACCEPT tcp  --  anywhere rivendell.arda.org  tcp spts:1024:65535 dpt:http-alt state NEW
ACCEPT tcp  --  192.168.123.0/24 rivendell.arda.org  tcp spts:1024:65535 dpt:ssh state NEW


TIA
Patrick
-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] iptables on gentoo

2005-10-27 Thread James
Hello,

Well, after much reading and studying of iptables, I have written different
rules for different workstations and firewalls. It's time to begin testing.

Question 1:
I'm planning on using nmap and nessus to test from the outside (internet)
inward. On the inside I plan on using snort, and monitoring the various
log files. Any further suggestions on testing?

Although I have read quite a lot, including the most excellent, just
published book, "Linux Firewalls" third edition, I'm still not quite
clear about some iptables details on Gentoo:
Question 2:
/etc/init.d/iptables is the startup script. Take care not to change this 
script unless absolutely necessary.

/etc/conf.d/iptables is the configuration file for default file names and
options. Make my modifications here, if I want something different other than
the default
gentoo iptables setup.

/etc/init.d/firewall is the default file where you put the rules you 
have written or grabbed elsewhere and modified to meet your specific needs.

/var/lib/iptables/rules-save is the file that will save out from kernel memory
the actual rulesets being used. This file is also reloaded as necessary. Avoid
direct modifications to this. 

Is this explanation correct? Did I miss something or get something confused?
I could not really find any documentation on this, so much was inference
from various linux sites, some very old, and a few gentoo specific sites.

Assuming this is correct, I have seen many command line options and 
differing recommendations on how to modify the rules and when to save
them out and to what file. Any details one can provide, that are gentoo
specific, are most welcome.

James

-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] iptables init script

2005-12-02 Thread Allan Spagnol Comar
Hi gentoo list !!!

I am using iptables 1.2.11-r3 and the iptables init.d script doesn't do
its work; I had run '/etc/init.d/iptables save' and 'rc-update add
iptables default' but, when the system boots, it does not restore the
iptables rules. Could someone help me with that!!!

thanks, Allan

--
An application asked:
"Requeires Windows 9x, NT4 or better",
so I've installed Linux

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] iptables / ipp2p

2005-12-16 Thread ddup1
Try this :

emerge -s ipp2p 

emerge shows you your ipp2p module.

In fact iptables is just a command line utility to set rules; modules are
not part of iptables itself. Modules for iptables are extra modules, or
modules inside the kernel.


On Fri, Dec 16, 2005 at 12:09:58PM +0200, Uwe Thiem wrote:
> Hi folks,
> 
> uwix ~ # iptables -m ipp2p -help
> iptables v1.3.4: Couldn't load match `ipp2p':/lib/iptables/libipt_ipp2p.so: 
> cannot open shared object file: No such file or directory
> 
> 
> uwix ~ # emerge --pretend --verbose iptables
> 
> These are the packages that I would merge, in order:
> 
> Calculating dependencies ...done!
> [ebuild   R   ] net-firewall/iptables-1.3.4  -extensions +ipv6 -static 0 kB
> 
> How can I make it build libipt_ipp2p.so as well? Is it that "-extensions" 
> flag?
> 
> Uwe
> 
> -- 
> Unix is sexy:
> who | grep -i blonde | date
> cd ~; unzip; touch; strip; finger
> mount; gasp; yes; uptime; umount
> sleep
> -- 
> gentoo-user@gentoo.org mailing list
> 
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] iptables question

2006-01-20 Thread Trenton Adams
Under the *nat rule,

-A PREROUTING -i eth0 -p tcp -m tcp --dport 58443 -j DNAT --to 192.168.7.1:443

Under the *filter rules.

-A ADAMS-FW-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT


On 1/20/06, Dmitry S. Makovey <[EMAIL PROTECTED]> wrote:
>
> somewhat offtopic, but since I need any help I can get:
>
> how do I redirect traffic from outward facing interface
> (192.168.1.114:80) to loopback device (127.0.0.1:80) ?
>
> my most obvious trick:
> iptables -t nat -A PREROUTING -p tcp -d 192.168.1.114 --dport 80 \
> -j DNAT --to 127.0.0.1:80
> and
> echo 1 > /proc/sys/net/ipv4/ip_forward
> didn't help. Machine which is opening connection is hanging there
> indefinitely...
>
> what did I miss?
>
> --
> Dmitry Makovey
> Web Systems Administrator
> Athabasca University
> (780) 675-6245
>
>
>

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] iptables question

2006-01-20 Thread Dmitry S. Makovey
On Friday 20 January 2006 13:49, Trenton Adams wrote:
> Under the *nat rule,
>
> -A PREROUTING -i eth0 -p tcp -m tcp --dport 58443 -j DNAT --to
> 192.168.7.1:443
>
> Under the *filter rules.
>
> -A ADAMS-FW-INPUT -i eth0 -m state --state NEW -m tcp -p tcp
> --dport 443 -j ACCEPT

I tried a similar combination as well to no avail. :(

-- 
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245


pgpplhtQFKxWJ.pgp
Description: PGP signature


[gentoo-user] iptables: --state/--syn

2006-02-21 Thread Jarry
Hi,

I'm trying to configure some basic iptables rules, and came across
the "state" module. Could someone please explain to me what the main
difference is between using "--state ESTABLISHED" and "! --syn" options
in iptables?


I thought I would define rules for incoming ssh connections as:

iptables -A INPUT  -p tcp --sport 1024:65535 -d $MY_IP --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -s $MY_IP --sport 22 --dport 1024:65535 ! --syn -j ACCEPT

If I substitute the second rule with:

iptables -A OUTPUT -p tcp -s $MY_IP --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

would it be the same? Or should I combine --state ESTABLISHED with ! --syn ?

Jarry
-- 
gentoo-user@gentoo.org mailing list
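As an added example (not from Jarry's message or from any iptables documentation), here is a Python model of the difference he is asking about. It applies his two rule variants to a constructed packet sequence: a normal SSH handshake followed by two unsolicited packets. The stateful model goes one step beyond his second rule set in that its inbound rule accepts only NEW SYN packets to port 22, so that the inbound difference is visible as well as the outbound one. The addresses, the packet tuples and the ConnTracker class are constructed for the example; the tracker models netfilter's strict (non-loose) TCP tracking.

```python
from collections import namedtuple
from typing import Dict, List, Tuple

# Constructed for this example (RFC 5737 documentation addresses).
SERVER = "192.0.2.10"
CLIENT = "198.51.100.7"
STRANGER = "203.0.113.99"

Packet = namedtuple("Packet", "src sport dst dport flags")


def syn_only(pkt: Packet) -> bool:
    """What iptables' --syn tests: SYN set and ACK, RST, FIN all clear."""
    return "SYN" in pkt.flags and not ({"ACK", "RST", "FIN"} & set(pkt.flags))


def stateless_verdict(pkt: Packet) -> str:
    """Jarry's first pair of rules, which use no connection tracking:
         INPUT  -p tcp --sport 1024:65535 -d $MY_IP --dport 22 -j ACCEPT
         OUTPUT -p tcp -s $MY_IP --sport 22 --dport 1024:65535 ! --syn -j ACCEPT
    Everything else falls through to an assumed DROP policy."""
    if pkt.dst == SERVER and pkt.dport == 22 and 1024 <= pkt.sport <= 65535:
        return "ACCEPT"
    if (pkt.src == SERVER and pkt.sport == 22 and 1024 <= pkt.dport <= 65535
            and not syn_only(pkt)):
        return "ACCEPT"
    return "DROP"


class ConnTracker:
    """Minimal model of netfilter TCP connection tracking in strict mode
    (nf_conntrack_tcp_loose=0): a flow exists only once a SYN has been seen,
    becomes ESTABLISHED once the other side has answered, and disappears on RST."""

    def __init__(self) -> None:
        self.flows: Dict[frozenset, dict] = {}

    @staticmethod
    def key(pkt: Packet) -> frozenset:
        # Direction-independent flow identifier.
        return frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])

    def state(self, pkt: Packet) -> str:
        k = self.key(pkt)
        flow = self.flows.get(k)
        if flow is None:
            if syn_only(pkt):
                self.flows[k] = {"originator": (pkt.src, pkt.sport), "replied": False}
                return "NEW"
            return "INVALID"          # no handshake ever seen for this 4-tuple
        if "RST" in pkt.flags:
            del self.flows[k]
            return "ESTABLISHED"      # the reset itself still belongs to the flow
        if (pkt.src, pkt.sport) != flow["originator"]:
            flow["replied"] = True    # first reply makes the flow bidirectional
        return "ESTABLISHED" if flow["replied"] else "NEW"


def stateful_verdict(pkt: Packet, ct: ConnTracker) -> str:
    """The -m state version (inbound restricted to NEW SYNs, which goes one
    step beyond Jarry's second rule set):
         INPUT  -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
         INPUT/OUTPUT -p tcp -m state --state ESTABLISHED -j ACCEPT"""
    st = ct.state(pkt)
    if st == "ESTABLISHED":
        return "ACCEPT"
    if st == "NEW" and syn_only(pkt) and pkt.dst == SERVER and pkt.dport == 22:
        return "ACCEPT"
    return "DROP"


def run_scenario() -> List[Tuple[str, str, str]]:
    """Push a constructed packet sequence through both rule sets; returns
    (description, stateless verdict, stateful verdict) per packet."""
    ct = ConnTracker()
    sequence = [
        ("client SYN to 22", Packet(CLIENT, 40000, SERVER, 22, ("SYN",))),
        ("server SYN/ACK", Packet(SERVER, 22, CLIENT, 40000, ("SYN", "ACK"))),
        ("client ACK, handshake done", Packet(CLIENT, 40000, SERVER, 22, ("ACK",))),
        ("server data", Packet(SERVER, 22, CLIENT, 40000, ("PSH", "ACK"))),
        ("unsolicited ACK to 22 from a stranger", Packet(STRANGER, 55555, SERVER, 22, ("ACK",))),
        ("packet from port 22 to a host that never connected", Packet(SERVER, 22, STRANGER, 44444, ("ACK",))),
    ]
    return [(desc, stateless_verdict(p), stateful_verdict(p, ct)) for desc, p in sequence]


if __name__ == "__main__":
    for desc, stateless, stateful in run_scenario():
        print("%-52s ! --syn: %-6s  --state ESTABLISHED: %s" % (desc, stateless, stateful))
```

The two answers differ only for the last two packets. `! --syn` is a test on the flag bits of a single packet, so any packet carrying ACK passes it whether or not a connection exists; `-m state --state ESTABLISHED` asks the connection tracker whether a flow with a seen handshake exists in both directions. One caveat for real kernels: with the default nf_conntrack_tcp_loose=1, a non-SYN packet for an unknown flow is classified NEW rather than INVALID (mid-stream pickup), which is why NEW rules are normally combined with --syn, as the model's inbound rule does.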



Re: [gentoo-user] Iptables Tarpit

2006-03-06 Thread Ryan Tandy

Erik Westenbroek wrote:

> iptables: No chain/target/match by that name
I don't see a chain or other target named TARPIT - it's not defined 
anywhere on the page you referenced as far as I see, so you may have to 
dig it up elsewhere.

--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Iptables Tarpit

2006-03-07 Thread Erik Westenbroek
I guess TARPIT is not in the default installation of iptables, I'll
just use labrea.

On 3/6/06, Ryan Tandy <[EMAIL PROTECTED]> wrote:
> Erik Westenbroek wrote:
> > iptables: No chain/target/match by that name
> I don't see a chain or other target named TARPIT - it's not defined
> anywhere on the page you referenced as far as I see, so you may have to
> dig it up elsewhere.
> --
> gentoo-user@gentoo.org mailing list
>
>


--
Erik
http://erikstotle.homelinux.org/

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Iptables Tarpit

2006-03-07 Thread Dave Jones
Erik Westenbroek wrote on 03/07/06 04:18:
> I am attempting create a tarpit to protect against SSH Brute force
> attempts.  I tried this:
 --snip--
> iptables -A SSH_Brute_Force -p tcp -j TARPIT
> After I type the last command typed I got this error message:
> iptables: No chain/target/match by that name

> What am I doing wrong?

Hi Erik

The standard Gentoo-sources kernel does not include the TARPIT target.
You need to pick up an updated kernel iptables source from
netfilter.org, and install it as follows:

I assume you have a subversion client already installed on your machine.

  cd /usr/src

Pick up patch-o-matic-ng:

  svn co https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng

Pick up iptables source code:

  svn co https://svn.netfilter.org/netfilter/trunk/iptables

Install kernel patches to iptables extra code

  cd patch-o-matic-ng
  ./runme extra

Here you can select the targets/filters (e.g. TARPIT) you want patching
into the kernel iptables modules.

After installing patches you must regenerate your kernel and modules to
activate the patches, and then re-emerge iptables to pick up the kernel
patches.

make menuconfig
make && make modules_install && make install

Make sure that you have USE="extensions" in your /etc/make.conf before
you emerge iptables, or it will ignore the new non-standard extensions.

 emerge iptables

This worked for me.

Cheers, Dave
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Iptables Tarpit

2006-03-08 Thread Andrew Frink
You could also just add the "extensions" USE flag to iptables and that should give you tarpit support

On 3/7/06, Dave Jones <[EMAIL PROTECTED]> wrote:
> Erik Westenbroek wrote on 03/07/06 04:18:
> > I am attempting create a tarpit to protect against SSH Brute force
> > attempts.  I tried this:
>  --snip--
> > iptables -A SSH_Brute_Force -p tcp -j TARPIT
> > After I type the last command typed I got this error message:
> > iptables: No chain/target/match by that name
>
> > What am I doing wrong?
>
> Hi Erik
>
> The standard Gentoo-sources kernel does not include the TARPIT target.
> You need to pick up an updated kernel iptables source from
> netfilter.org, and install it as follows:
>
> I assume you have a subversion client already installed on your machine.
>
>   cd /usr/src
>
> Pick up patch-o-matic-ng:
>
>   svn co https://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng
>
> Pick up iptables source code:
>
>   svn co https://svn.netfilter.org/netfilter/trunk/iptables
>
> Install kernel patches to iptables extra code
>
>   cd patch-o-matic-ng
>   ./runme extra
>
> Here you can select the targets/filters (e.g. TARPIT) you want patching
> into the kernel iptables modules.
>
> After installing patches you must regenerate your kernel and modules to
> activate the patches, and then re-emerge iptables to pick up the kernel
> patches.
>
> make menuconfig
> make && make modules_install && make install
>
> Make sure that you have USE="extensions" in your /etc/make.conf before
> you emerge iptables, or it will ignore the new non-standard extensions.
>
>  emerge iptables
>
> This worked for me.
>
> Cheers, Dave
> --
> gentoo-user@gentoo.org mailing list


Re: [gentoo-user] Iptables Tarpit

2006-03-08 Thread Dave Jones
Hi Andrew,

Andrew Frink wrote on 03/08/06 14:57:
> You could also just add the "extensions" USE flag to iptables and that
> should give you tarpit support

> On 3/7/06, *Dave Jones* < [EMAIL PROTECTED]
> > wrote:

> Erik Westenbroek wrote on 03/07/06 04:18:
> > I am attempting create a tarpit to protect against SSH Brute force
> > attempts.  I tried this:
> --snip--
> > iptables -A SSH_Brute_Force -p tcp -j TARPIT
> > After I type the last command typed I got this error message:
> > iptables: No chain/target/match by that name

> The standard Gentoo-sources kernel does not include the TARPIT target.
> You need to pick up an updated kernel iptables source from
> netfilter.org 

   --- snip---

Simply adding "extensions" to your /etc/make.conf USE is not enough.

Without the iptables kernel source updates you still won't have the
TARPIT target, even though the iptables package will have support for
it in its library routines.

Cheers, Dave
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Iptables Tarpit

2006-03-08 Thread Andrew Frink
ahh haven't really played that much with tarpit, thanks for clearing that up :-)

On 3/8/06, Dave Jones <[EMAIL PROTECTED]> wrote:
> Hi Andrew,
>
> Andrew Frink wrote on 03/08/06 14:57:
> > You could also just add the "extensions" USE flag to iptables and that
> > should give you tarpit support
>
> > On 3/7/06, *Dave Jones* < [EMAIL PROTECTED]> wrote:
>
> > Erik Westenbroek wrote on 03/07/06 04:18:
> > > I am attempting create a tarpit to protect against SSH Brute force
> > > attempts.  I tried this:
> > --snip--
> > > iptables -A SSH_Brute_Force -p tcp -j TARPIT
> > > After I type the last command typed I got this error message:
> > > iptables: No chain/target/match by that name
>
> > The standard Gentoo-sources kernel does not include the TARPIT target.
> > You need to pick up an updated kernel iptables source from
> > netfilter.org
>
>    --- snip---
>
> Simply adding "extensions" to your /etc/make.conf USE is not enough.
>
> Without the iptables kernel source updates you still won't have the
> TARPIT target, even though the iptables package will have support for
> it in its library routines.
>
> Cheers, Dave
> --
> gentoo-user@gentoo.org mailing list


Re: [gentoo-user] iptables question

2006-03-28 Thread Boyd Stephen Smith Jr.
On Tuesday 28 March 2006 07:38, "Hiren Dave" <[EMAIL PROTECTED]> wrote 
about '[gentoo-user] iptables question':
> #service iptables stop
> #iptables -P INPUT DROP
> #iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT
>
> But this command sends error that "Unknown arg: --dport"
> HOW CAN I ACHIEVE THIS?

Raw IP doesn't have port numbers; you'll have to match on the TCP or UDP 
protocol to be able to match ports.

> ALSO IS THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY LEARNING OF
> IPTABLES?

TLDP is a good resource.

-- 
"If there's one thing we've established over the years,
it's that the vast majority of our users don't have the slightest
clue what's best for them in terms of package stability."
-- Gentoo Developer Ciaran McCreesh


pgp93bYhxqc76.pgp
Description: PGP signature


Re: [gentoo-user] iptables question

2006-03-28 Thread Uwe Thiem
On 28 March 2006 15:38, Hiren Dave wrote:
> Hi,
>
> I want to configure firewall such that network 192.168.1.0/24 can
> only access http server from server1(192.168.0.2/24) and
> network 192.168.0.0/24 can not access http server. So I tried this:
>
> #service iptables stop
> #iptables -P INPUT DROP
> #iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT
>
> But this command sends error that "Unknown arg: --dport"
> HOW CAN I ACHIEVE THIS?

Iptables is right, that line is nonsense.

>
> ALSO IS THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY LEARNING OF
> IPTABLES?

I don't have the URL handy right now, but google for "Iptables Tutorial 
1.2.0".

Uwe

-- 
Why do consumers keep buying products they will live to curse?
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] iptables question

2006-03-28 Thread JimD
On Tue, 28 Mar 2006 19:08:38 +0530
"Hiren Dave" <[EMAIL PROTECTED]> wrote:

> Hi,
> 
> I want to configure firewall such that network 192.168.1.0/24 can
> only access http server from server1(192.168.0.2/24) and
> network 192.168.0.0/24 can not access http server. So I tried this:
> 
> #service iptables stop
> #iptables -P INPUT DROP
> #iptables -t filter -A INPUT -s 192.168.1.0/24 --dport 80 -j ACCEPT
>
> But this command sends error that "Unknown arg: --dport"
> HOW CAN I ACHIEVE THIS?

Because you need to put in a protocol like -p tcp.

> ALSO IS THERE ANY BOOKS OR ONLINE DOCUMENTS FOR PRACTICALLY LEARNING
> OF IPTABLES?

http://www.google.com/search?q=iptables+howto
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] IPtables question

2007-01-31 Thread Albert Hopkins
On Wed, 2007-01-31 at 15:36 -0500, James Colby wrote:
> List members -
> 
> I have a small home server that I have connected to the internet
> through a linksys router and cable modem.  The linksys router is
> currently forwarding all ssh traffic to my gentoo box.  What I would
> like to do is set up iptables to only allow ssh logins from a small
> number of internet hosts, and to reject and log all other ssh
> attempts.  Can someone please help me out with this.  All of the
> tutorials and documentation that I have found are setting up a fully
> functioning firewall / NAT / proxy, and I think that is a little
> overkill for my needs.s

If you don't want the whole iptables suite you might want to consider
good ole hosts.allow/hosts.deny as an alternative.  They work fine with
sshd if you have tcpwrappers enabled.


-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] IPtables question

2007-01-31 Thread Mick
On Wednesday 31 January 2007 20:56, Albert Hopkins wrote:
> On Wed, 2007-01-31 at 15:36 -0500, James Colby wrote:
> > List members -
> >
> > I have a small home server that I have connected to the internet
> > through a linksys router and cable modem.  The linksys router is
> > currently forwarding all ssh traffic to my gentoo box.  What I would
> > like to do is set up iptables to only allow ssh logins from a small
> > number of internet hosts, and to reject and log all other ssh
> > attempts.  Can someone please help me out with this.  All of the
> > tutorials and documentation that I have found are setting up a fully
> > functioning firewall / NAT / proxy, and I think that is a little
> > overkill for my needs.s
>
> If you don't want the whole iptables suite you might want to consider
> good ole hosts.allow/hosts.deny as an alternative.  They work fine with
> sshd if you have tcpwrappers enabled.

It depends how secure you want your set up to be.  I always suggest to disable 
passwd authentication and enable public key authentication, after you copy & 
paste each client's public key in the file ~/.ssh/authorized_keys.  Any 
passwd cracking attacks will simply fail.  I would also suggest that you move 
your sshd port from 22 to a higher number.  All/most of these bots scanning 
port 22 will now leave you alone.  Finally, you can set up additional layers 
like allow/deny users, MAC addresses, etc.  While you're at it, don't forget 
disabling root logins.

If you want to introduce diverse protection then iptables (and as previously 
suggested hosts.allow/hosts.deny) is an option.  In your iptables script (or 
saved set of iptables rules) add something like:

iptables -A INPUT -i eth0 -p tcp -s  -m tcp --dport 22 -d  -j ACCEPT

Of course, I suggest that you change port 22 in the line above to a higher 
number 'free' port.  Your final catch-all rule at the bottom of your iptables 
will drop any packets (on any port) from hosts other than the clients you 
specified in my line above.

Finally, you can repeat this in your router's firewall rules, assuming that 
you can specify WAN ip addresses (I know that you can in my hardware router, 
but don't know in yours).

If any one manages to break in to the server through such a sshd setup, then 
they bl**dy well deserve it!

HTH.
-- 
Regards,
Mick


pgpABfgXYkFTf.pgp
Description: PGP signature


Re: [gentoo-user] IPtables question

2007-01-31 Thread Norberto Bensa
James Colby wrote:
> currently forwarding all ssh traffic to my gentoo box.  What I would
> like to do is set up iptables to only allow ssh logins from a small
> number of internet hosts, 

iptables -A INPUT -p tcp -s ip-address-of-known-host --dport 22 -j ACCEPT


> and to reject and log all other ssh 
> attempts.  

iptables -A INPUT -p tcp --dport 22 -j LOG
iptables -A INPUT -p tcp --dport 22 -j REJECT

Regards,
Norberto



pgp1bYpX8fXSL.pgp
Description: PGP signature


Re: [gentoo-user] IPtables question

2007-02-02 Thread Pawel Kraszewski
On Wednesday, 31 January 2007, James Colby wrote:

> I have a small home server that I have connected to the internet
> through a linksys router and cable modem.  The linksys router is
> currently forwarding all ssh traffic to my gentoo box.  What I would
 ^

Take note that forwarded traffic (it is DNAT-ed in the Linksys) would appear on 
your host as originating from your router. The original source address is 
stripped by the router's NAT.

Ergo, you need source address filtering in your router.


-- 
 Pawel Kraszewski
 www.kraszewscy.net

-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] IPtables question

2007-02-02 Thread Hans-Werner Hilse
Hi,

On Fri, 2 Feb 2007 09:45:53 +0100 Pawel Kraszewski
<[EMAIL PROTECTED]> wrote:

> On Wednesday, 31 January 2007, James Colby wrote:
> 
> > I have a small home server that I have connected to the internet
> > through a linksys router and cable modem.  The linksys router is
> > currently forwarding all ssh traffic to my gentoo box.  What I would
>  ^
> 
> Take note, that forwarded traffic (it is DNAT-ed in Linksys) would
> appear on your host as originating from your router. Original source
> address is stripped by router's NAT.

Nope, just the target Address is rewritten (by routing). DNAT is
Destination NAT! I.e. the target IP of the packet is rewritten. Since
the Linksys is the default gateway, packets can keep their source IP
address. Of course, the source MAC address will be rewritten to the
router's -- but that's got nothing to do with NAT but routing instead.

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] IPtables question

2007-02-02 Thread Pawel Kraszewski
On Friday, 2 February 2007, Hans-Werner Hilse wrote:
> Nope, just the target Adress is rewritten (by routing). DNAT is
> Destination NAT! I.e. the target IP of the packet is rewritten. Since
> the Linksys is the default gateway, packets can keep their source IP
> address. Of course, the source MAC address will be rewritten to the
> router's -- but that's got nothing to do with NAT but routing instead.

Jeee, I'm terribly sorry. My only excuse is that it was written without the 
morning coffee... Of course SNAT rewrites the source IP and DNAT the destination IP, 
and port forwarding uses DNAT. Once more, sorry for the confusion - my mind was 
somehow floating around proxying, not forwarding.

-- 
 Pawel Kraszewski
 www.kraszewscy.net

-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] iptables configuration problem

2007-05-13 Thread Chuanwen Wu

Hi, guys!
I use iptables to let the PCs in the subnet connect to the internet outside.

And I wrote a simple script, but it doesn't work:

#!/bin/sh
iptables -F
#Define packets from Internet server to Intranet
iptables -A FORWARD -d 198.168.1.0/24 -i eth0 -j ACCEPT
#Define packets from Intranet to Internet
iptables -A FORWARD -s 198.168.1.0/24 -i eth1 -j ACCEPT


Here is the result of iptables -L:

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy DROP)
target prot opt source   destination
ACCEPT all  --  anywhere 198.168.1.0/24
ACCEPT all  --  198.168.1.0/24   anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination


The eth0 here has the real IP, and the eth1 has a subnet IP: 192.168.1.21.
How do I fix this problem? All I need now is just to let my office
machine use the internet!
Thanks in advance!!
--
wcw
--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables error

2006-11-08 Thread Hans-Werner Hilse
Hi,

On Wed, 8 Nov 2006 16:29:45 +0100 Arnau Bria <[EMAIL PROTECTED]>
wrote:

> I've done a kernel upgrade, from 2.6.16 to 17-r8 and my iptables stopped
> working.

As iptables depends heavily on the kernel's API, did you
- change kernel configuration?
- try re-emerging iptables?

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] iptables error

2006-11-08 Thread Tim Garton
Perhaps try these modules as well?

gentoo sbin # lsmod
Module                  Size  Used by
xt_tcpudp               7936  1
iptable_nat            10756  1
ip_nat                 21292  1 iptable_nat
ip_conntrack           51332  2 iptable_nat,ip_nat
iptable_filter          7296  0
ip_tables              22760  2 iptable_nat,iptable_filter
x_tables               18568  3 xt_tcpudp,iptable_nat,ip_tables

Tim

On 11/8/06, Arnau Bria <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I've done a kernel upgrade, from 2.6.16 to 17-r8 and my iptables stopped
> working.
>
> I get this error:
>
> # iptables-restore < /etc/iptables.noviembre
> getsockopt failed strangely: No such file or directory
>
> I have those modules loaded:
>
> # lsmod
> Module                  Size  Used by
> iptable_filter          3968  0
> ip_tables              14436  1 iptable_filter
> x_tables               14980  1 ip_tables
>
> is there anything missing? It worked fine with old kernel...
>
> cheers!
> --
> Arnau Bria
> http://blog.emergetux.net
> Wiggum: Shoot at the wheels, Lou.
> Lou: Uh, it's a tank, chief.
> Wiggum: I'm fed up with all your excuses.
> --
> gentoo-user@gentoo.org mailing list


Re: [gentoo-user] iptables error

2006-11-08 Thread Arnau Bria
On Wed, 8 Nov 2006 17:16:20 +0100
Hans-Werner Hilse wrote:

> Hi,
> 
> On Wed, 8 Nov 2006 16:29:45 +0100 Arnau Bria <[EMAIL PROTECTED]>
> wrote:
> 
> > I've done a kernel upgrade, from 2.6.16 to 17-r8 and my iptables
> > stop working.
> 
> As iptables depends heavily on the kernel's API, did you
> - change kernel configuration?

nop. just make oldconfig with default values for new options.

> - try re-emerging iptables?
nop, gonna do it.
 
> -hwh
thanks!

-- 
Arnau Bria
http://blog.emergetux.net
Wiggum: Shoot at the wheels, Lou.
Lou: Uh, it's a tank, chief.
Wiggum: I'm fed up with all your excuses.
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] iptables error

2006-11-08 Thread Arnau Bria
On Wed, 8 Nov 2006 17:33:31 +0100
Arnau Bria wrote:

> > As iptables depends heavily on the kernel's API, did you
> > - change kernel configuration? 
> nop. just make oldconfig with default values for new options.

> > - try re-emerging iptables?
I've recompiled iptables and I still have same problem...

  
> > -hwh
thanks! 


-- 
Arnau Bria
http://blog.emergetux.net
Wiggum: Shoot at the wheels, Lou.
Lou: Uh, it's a tank, chief.
Wiggum: I'm fed up with all your excuses.
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] iptables error

2006-11-08 Thread Arnau Bria
On Wed, 8 Nov 2006 08:20:48 -0800
Tim Garton wrote:

> Perhaps try these modules as well?
> 
> gentoo sbin # lsmod
> Module  Size  Used by
> xt_tcpudp   7936  1
> iptable_nat10756  1
> ip_nat 21292  1 iptable_nat
> ip_conntrack   51332  2 iptable_nat,ip_nat
> iptable_filter  7296  0
> ip_tables  22760  2 iptable_nat,iptable_filter
> x_tables   18568  3 xt_tcpudp,iptable_nat,ip_tables

 # lsmod
Module  Size  Used by
ip_conntrack   46112  0
xt_tcpudp   4096  0
xt_MARK 3328  0
iptable_filter  3968  0
ip_tables  14436  1 iptable_filter
x_tables   14980  3 xt_tcpudp,xt_MARK,ip_tables

# iptables-restore < /etc/iptables.noviembre
getsockopt failed strangely: No such file or directory

(I don't use nat).

Thanks for your reply.

-- 
Arnau Bria
http://blog.emergetux.net
Wiggum: Shoot at the wheels, Lou.
Lou: Uh, it's a tank, chief.
Wiggum: I'm fed up with all your excuses.
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] iptables error

2006-11-08 Thread Mike Williams
On Wednesday 08 November 2006 15:29, Arnau Bria wrote:
> I get this error:
>
> # iptables-restore < /etc/iptables.noviembre
> getsockopt failed strangely: No such file or directory

Whenever I get errors like these my first step is to run the command under 
strace, then follow the reams of output backwards to find the file or 
directory it's looking for.

# emerge strace
# strace iptables-restore < /etc/iptables.noviembre

Not quite sure how it will react to the redirection.

-- 
Mike Williams
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] iptables error

2006-11-08 Thread Richard Fish

On 11/8/06, Arnau Bria <[EMAIL PROTECTED]> wrote:

Hi,

I've done a kernel upgrade, from 2.6.16 to 17-r8 and my iptables stop
working.

I get this error:

# iptables-restore < /etc/iptables.noviembre
getsockopt failed strangely: No such file or directory


I'd suggest you make a copy of this file and try to identify which
rule from this file is causing the error.  It is a plain text file, so
you can comment out (with '#' characters) various rules (lines that
start with '[') to figure out which rule is causing the error.

BTW, many of the filter options changed in recent kernels.  You should
double check your kernel configuration and make sure you have at least

CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m

You'll also need at least some CONFIG_NETFILTER_XT_* options under

Networking->
   Networking options ->
   Network packet filtering ->
   Core Netfilter Configuration ->

-Richard
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] iptables error

2006-11-08 Thread Hans-Werner Hilse
Hi,

On Wed, 8 Nov 2006 17:50:13 +0100
Arnau Bria <[EMAIL PROTECTED]> wrote:

> On Wed, 8 Nov 2006 17:33:31 +0100
> Arnau Bria wrote:
> 
> > > As iptables depends heavily on the kernel's API, did you
> > > - change kernel configuration? 
> > nop. just make oldconfig with default values for new options.
> 
> > > - try re-emerging iptables?
> I've recompiled iptables and I still have same problem...

Hrm. Rethinking this, it might be due to an older set of include files
in /usr/include/linux. But don't change that, it'll break various
things. It might also be an older interface used by glibc.

Do you have other things emerged that are netfilter related?

You can try to

$ strace iptables-restore < iptables.saved

and post the last 10-30 lines of output here. There'll probably be a
getsockopt call that fails.

Also have a look at your kernel's "make menuconfig", the module
architecture for iptables has changed -- maybe "oldconfig" didn't do
its job well... but I doubt that, since I've compiled everything as
modules, too, and there's only the modules you mentioned first loaded
for me.

Are you running with ACCEPT_KEYWORDS="~x86" ? Maybe you should try for
iptables, e.g.

$ ACCEPT_KEYWORDS="~x86" emerge iptables

that should give you iptables-1.3.6(-r1).

-hwh
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] iptables error

2006-11-09 Thread Arnau Bria
On Wed, 8 Nov 2006 10:19:10 -0700
Richard Fish wrote:

> On 11/8/06, Arnau Bria <[EMAIL PROTECTED]> wrote:

> I'd suggest you make a copy of this file and try to identify which
> rule from this file is causing the error.  It is a plain text file, so
> you can comment out (with '#' characters) various rules (lines that
> start with '[') to figure out which rule is causing the error.
Well, I found them:
 #-A INPUT -i eth0 -p tcp -m multiport --dports 4662,18491 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 

#-A INPUT -i eth0 -p udp -m multiport --dports 4666,18491 -j ACCEPT

Does anyone know what happens with both rules?


> -Richard
Thanks!

-- 
Arnau Bria
http://blog.emergetux.net
Wiggum: Shoot at the wheels, Lou.
Lou: Uh, it's a tank, chief.
Wiggum: I'm fed up with all your excuses.
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] iptables error

2006-11-09 Thread Tim Garton
perhaps the multiport module?  (xt_multiport)

On 11/9/06, Arnau Bria <[EMAIL PROTECTED]> wrote:
> On Wed, 8 Nov 2006 10:19:10 -0700
> Richard Fish wrote:
>
> > On 11/8/06, Arnau Bria <[EMAIL PROTECTED]> wrote:
>
> > I'd suggest you make a copy of this file and try to identify which
> > rule from this file is causing the error.  It is a plain text file, so
> > you can comment out (with '#' characters) various rules (lines that
> > start with '[') to figure out which rule is causing the error.
> Well, I found them:
>  #-A INPUT -i eth0 -p tcp -m multiport --dports 4662,18491 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
>
> #-A INPUT -i eth0 -p udp -m multiport --dports 4666,18491 -j ACCEPT
>
> Does anyone know what happens with both rules?
>
> > -Richard
> Thanks!
>
> --
> Arnau Bria
> http://blog.emergetux.net
> Wiggum: Shoot at the wheels, Lou.
> Lou: Uh, it's a tank, chief.
> Wiggum: I'm fed up with all your excuses.
> --
> gentoo-user@gentoo.org mailing list


Re: [gentoo-user] iptables error

2006-11-09 Thread Arnau Bria
On Thu, 9 Nov 2006 08:40:12 -0800
Tim Garton wrote:

> xt_multiport

Oh!
I've not looked for the solution yet :-(

Thanks a lot! That solved my problem!

-- 
Arnau Bria
http://blog.emergetux.net
Wiggum: Shoot the tires, Lou.
Lou: Uh, it's a tank, chief.
Wiggum: I'm fed up with all your excuses.



Re: [gentoo-user] iptables wiki

2006-07-05 Thread Daniel
james wrote:
> Hello,
> 
> I'm attempting to follow this wiki to build a test firewall running iptables:
> http://gentoo-wiki.com/HOWTO_Iptables_for_newbies#QuickStart
> 
> Kernel is 'hardened' with netfilter et al activated.
> 
> It looks reasonable and is supposed to be up to date.
> 
> My nics are set up in /etc/conf.d/net
> iface_eth0="192.168.2.20 broadcast 192.168.2.255 netmask 255.255.255.0"
> iface_eth1="192.168.3.11 broadcast 192.168.3.255 netmask 255.255.255.0"
> iface_eth2="  broadcast  netmask 255.255.255.252"
> routes_eth2=( "default gw " )
> 
> All work fine.
> 
> port forwarding is enabled:
> 
> Rulesets get saved to /var/lib/iptables/rules-save
> As specified in /etc/conf.d/iptables
> and 
> /etc/init.d/iptables is the script that launches iptables
> plus  rc-update add iptables default
> 
> I think all of this is correct(correct me if I'm wrong).
> 
> When I go to /etc/init to write my rules into firewall.sh
> as specified in the aforementioned wiki I automatically get
> this shoved into the script:
> 
> #!/sbin/runscript
> # Copyright 1999-2006 Gentoo Foundation
> # Distributed under the terms of the GNU General Public License v2
> # $Header: $
> depend() {
> }
> start() {
> }
> stop() {
> }
> restart() {
> }
> 
> 
> 
> curiously none of the examples talk about this.
> 
> Is this the correct place to put my script(/etc/init.d/, 
> which is somewhat similar to the one suggested in the
> wiki?
> 
> 
> None of the examples I found googling discuss the details of where to put
> the script, how to launch it and other such details. Any suggestion
> are welcome. I have found lots of  example scripts similar to my 3 nic
> net/lan/dmz setup though.
> 
> Any suggestions are very welcome.
> 
> James
> 
> 
> 
> 

Actually, IMHO Gentoo has an internal mechanism for dealing with iptables rules.

After you are ready and sure the rules work OK, you do:

1) /etc/init.d/iptables save

This records your rules in /var/lib/iptables/rules-save, as if you had
issued the command "iptables-save > /var/lib/iptables/rules-save".


Then you put iptables in the init sequence so the rules are restored at
every system start:

2) rc-update add iptables default

This does "iptables-restore < /var/lib/iptables/rules-save" at
every boot.


3) Additionally you can set some parameters in /etc/conf.d/iptables


Hope This Helps

--
Best regards
Daniel

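Step 1 above turns whatever is loaded at that moment into the rule set restored at every boot, so it is worth checking the dump before committing it. The script below is an added example, not from the thread: it applies a few sanity checks to an iptables-save file that a remote server's filter table should pass (intact `*table`/`COMMIT` framing, INPUT policy DROP, loopback accepted, and an accept for the admin SSH port that is not preceded by a catch-all DROP/REJECT in INPUT). The SSH port and the assumption that the rules live in the built-in INPUT chain are this example's; both sample rule sets are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check an iptables-save dump
# before "/etc/init.d/iptables save" makes it the boot-time rule set.
# Assumptions: filter rules sit in the built-in INPUT chain, and SSH_PORT
# is the port an administrator reaches the box on.

SSH_PORT=${SSH_PORT:-22}   # assumed admin port; override in the environment

# Return 0 when the rules in file $1 pass every check; otherwise print one
# line per failed check and return 1.
rules_sanity() {
    f=$1
    rc=0
    # Every *table must be closed by a COMMIT or iptables-restore rejects it.
    if [ "$(grep -c '^\*' "$f")" -ne "$(grep -c '^COMMIT$' "$f")" ]; then
        echo "unbalanced *table/COMMIT lines (restore would fail)"
        rc=1
    fi
    # Default policy on INPUT should not be ACCEPT on an exposed host.
    if ! grep -q '^:INPUT DROP' "$f"; then
        echo "INPUT policy is not DROP"
        rc=1
    fi
    # Local services break without a loopback accept.
    if ! grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f"; then
        echo "no loopback accept rule"
        rc=1
    fi
    # The SSH accept must exist and come before any catch-all DROP/REJECT.
    ssh_line=$(grep -n -- "-p tcp .*--dport $SSH_PORT .*-j ACCEPT" "$f" | head -n 1 | cut -d: -f1)
    drop_line=$(grep -n -E -- '^-A INPUT -j (DROP|REJECT)' "$f" | head -n 1 | cut -d: -f1)
    if [ -z "$ssh_line" ]; then
        echo "no accept rule for tcp/$SSH_PORT"
        rc=1
    elif [ -n "$drop_line" ] && [ "$drop_line" -lt "$ssh_line" ]; then
        echo "catch-all DROP/REJECT at line $drop_line precedes the tcp/$SSH_PORT accept"
        rc=1
    fi
    return $rc
}

# Constructed rule sets: one that passes, one that would lock an admin out.
GOOD_RULES=$(mktemp)
BAD_RULES=$(mktemp)
trap 'rm -f "$GOOD_RULES" "$BAD_RULES"' EXIT
cat >"$GOOD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
cat >"$BAD_RULES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF

# On a live box the candidate comes from the running kernel:
#   iptables-save > /tmp/candidate && rules_sanity /tmp/candidate && /etc/init.d/iptables save
rules_sanity "$GOOD_RULES" && echo "good rule set passes"
rules_sanity "$BAD_RULES" || echo "bad rule set rejected"
```

The checks are deliberately narrow text matches on the save format rather than a parser; extend the pattern list with whatever your own rule set must always contain (a management network, a monitoring host) before relying on it.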



Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 18:25:11 Jarry wrote:
> Hi Gentoo-users,
> 
> I noticed one thing on my server: during boot-up no message
> about firewall being started is printed on console. I always
> have to check manually if iptables-rules have been loaded.
> Strange thing, when doing shutdown, I see messages I expect:
> 
> * Saving iptables state ...  [ ok ]
> * Stopping firewall ...  [ ok ]
> 
> I checked also /etc/init.d/iptables and I think it should
> show some messages at start:
> 
> start() {
> checkconfig || return 1
> ebegin "Loading ${iptables_name} state and starting firewall"
> ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
> eend $?
> }
> 
> Can someone explain to me why this message is not printed?

Do you have some other script starting your iptables, rather than the vanilla 
/etc/init.d/iptables?

Does '/etc/init.d/iptables status' show that it is running?
-- 
Regards,
Mick




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Jarry

On 29-Mar-13 19:43, Mick wrote:
> On Friday 29 Mar 2013 18:25:11 Jarry wrote:
>> Hi Gentoo-users,
>>
>> I noticed one thing on my server: during boot-up no message
>> about firewall being started is printed on console. I always
>> have to check manually if iptables-rules have been loaded.
>> Strange thing, when doing shutdown, I see messages I expect:
>>
>> * Saving iptables state ...  [ ok ]
>> * Stopping firewall ...  [ ok ]
>>
>> I checked also /etc/init.d/iptables and I think it should
>> show some messages at start:
>>
>> start() {
>> checkconfig || return 1
>> ebegin "Loading ${iptables_name} state and starting firewall"
>> ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
>> eend $?
>> }
>>
>> Can someone explain to me why this message is not printed?
>
> Do you have some other script starting your iptables, rather than the vanilla
> /etc/init.d/iptables?

No.

> Does '/etc/init.d/iptables status' show that it is running?

* status: started

I recorded screen with my video-camera to be sure I did not miss
some message. But I found no trace about iptables being started...

Jarry
--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Pandu Poluan
On Mar 30, 2013 1:27 AM, "Jarry"  wrote:
>
> Hi Gentoo-users,
>
> I noticed one thing on my server: during boot-up no message
> about firewall being started is printed on console. I always
> have to check manually if iptables-rules have been loaded.
> Strange thing, when doing shutdown, I see messages I expect:
>
> * Saving iptables state ...  [ ok ]
> * Stopping firewall ...  [ ok ]

Slightly tangential to the subject, but related...

I personally prefer *not* to automatically save iptables rules on shutdown.

That way, if I made some stupid mistake, a reboot restores the system to
the "LKGC" (Last Known Good Configuration)...

Rgds,
--


Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 19:03:57 Jarry wrote:
> On 29-Mar-13 19:43, Mick wrote:
> > On Friday 29 Mar 2013 18:25:11 Jarry wrote:
> >> Hi Gentoo-users,
> >> 
> >> I noticed one thing on my server: during boot-up no message
> >> about firewall being started is printed on console. I always
> >> have to check manually if iptables-rules have been loaded.
> >> Strange thing, when doing shutdown, I see messages I expect:
> >> 
> >> * Saving iptables state ...  [ ok ]
> >> * Stopping firewall ...  [ ok ]
> >> 
> >> I checked also /etc/init.d/iptables and I think it should
> >> show some messages at start:
> >> 
> >> start() {
> >> checkconfig || return 1
> >> ebegin "Loading ${iptables_name} state and starting firewall"
> >> ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
> >> eend $?
> >> }
> >> 
> >> Can someone explain to me why this message is not printed?
> > 
> > Do you have some other script starting your iptables, rather than the
> > vanilla /etc/init.d/iptables?
> 
> No.
> 
> > Does '/etc/init.d/iptables status' show that it is running?
> 
> * status: started
> 
> I recorded screen with my video-camera to be sure I did not miss
> some message. But I found no trace about iptables being started...

I have not set rc_logger in /etc/conf.d/iptables to know if it would make a 
difference and can confirm that I can clearly see it on my boxen at boot time:

  * Loading iptables state and starting firewall ...[ ok ]


Another thing to check is that it is in the default level:

$ eselect rc list | grep iptables
  iptables  default

I'm not sure if it would show up, or the message be suppressed if you add it 
to the boot level.

-- 
Regards,
Mick




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 19:34:39 Mick wrote:
> On Friday 29 Mar 2013 19:03:57 Jarry wrote:
> > On 29-Mar-13 19:43, Mick wrote:
> > > On Friday 29 Mar 2013 18:25:11 Jarry wrote:
> > >> Hi Gentoo-users,
> > >> 
> > >> I noticed one thing on my server: during boot-up no message
> > >> about firewall being started is printed on console. I always
> > >> have to check manually if iptables-rules have been loaded.
> > >> Strange thing, when doing shutdown, I see messages I expect:
> > >> 
> > >> * Saving iptables state ...  [ ok ]
> > >> * Stopping firewall ...  [ ok ]
> > >> 
> > >> I checked also /etc/init.d/iptables and I think it should
> > >> show some messages at start:
> > >> 
> > >> start() {
> > >> checkconfig || return 1
> > >> ebegin "Loading ${iptables_name} state and starting firewall"
> > >> ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
> > >> eend $?
> > >> }
> > >> 
> > >> Can someone explain to me why this message is not printed?
> > > 
> > > Do you have some other script starting your iptables, rather than the
> > > vanilla /etc/init.d/iptables?
> > 
> > No.
> > 
> > > Does '/etc/init.d/iptables status' show that it is running?
> > 
> > * status: started
> > 
> > I recorded screen with my video-camera to be sure I did not miss
> > some message. But I found no trace about iptables being started...
> 
> I have not set rc_logger in /etc/conf.d/iptables to know if it would make a
> difference and can confirm that I can clearly see it on my boxen at boot
> time:
> 
>   * Loading iptables state and starting firewall ...  [ ok ]
> 
> 
> Another thing to check is that it is in the default level:
> 
> $ eselect rc list | grep iptables
>   iptablesdefault
> 
> I'm not sure if it would show up, or the message be suppressed if you add
> it to the boot level.

Just tested this - it does not suppress it in my machine if I set it to boot 
level.  Which makes me think ...

Why do wikis and the like suggest that iptables should be in default rather 
than boot runlevel?
-- 
Regards,
Mick




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 19:44:14 +, Mick wrote:

> Why do wikis and the like suggest that iptables should be in default
> rather than boot runlevel?

Why not? There's no need to start it especially early, as long as it is
running before the network comes up, and the init script takes care of
that.


-- 
Neil Bothwick

Vuja De: the feeling that you've never been here before.




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 20:37:20 Neil Bothwick wrote:
> On Fri, 29 Mar 2013 19:44:14 +, Mick wrote:
> > Why do wikis and the like suggest that iptables should be in default
> > rather than boot runlevel?
> 
> Why not? There's no need to start it especially early, as long as it is
> running before the network comes up, and the init script takes care of
> that.

I haven't seen anything in net.lo that waits for iptables and I seem to recall 
that the network interfaces are started before iptables is run, unless I start 
iptables at boot level.
-- 
Regards,
Mick




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 23:29:39 +, Mick wrote:

> > > Why do wikis and the like suggest that iptables should be in default
> > > rather than boot runlevel?  
> > 
> > Why not? There's no need to start it especially early, as long as it
> > is running before the network comes up, and the init script takes
> > care of that.  
> 
> I haven't seen anything in net.lo that waits for iptables and I seem to
> recall that the network interfaces are started before iptables is run,
> unless I start iptables at boot level.

The iptables init script contains "before net".


-- 
Neil Bothwick

Advanced: (adj.) doesn't work yet, but it's pretty close. See: bug,
glitch.




Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Alan McKinnon
On 21/05/2013 17:07, Nick Khamis wrote:
> Hello Everyone,
> 
> We recently moved our stateful firewall inside, and would like to
> strip down the firewall at our router connected to the outside world.
> The problem I am experiencing is getting things to work properly
> without connection tracking. 

Now why, oh why, do you want to do that? A world of pain awaits you.

Stateless firewalls are a colossal mindfuck that will drive you crazy.
So unless you have a very very good reason for doing this I recommend
you seriously revisit your choice. iptables really does not consume that
many resources (and if you truly are low on resources then you need to
get a bigger router, because after all it is a router and I assume in
production)


> I hope I am not in breach of mailing list
> rules however, a stripped down configuration is as follows:
> 
> #!/bin/bash
> IPTABLES='/sbin/iptables'
> 
> #Set interface values
> INTIF1='eth0'
> 
> #flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
> 
> #echo -e "   - Accepting input lo traffic"
> $IPTABLES -A INPUT -i lo -j ACCEPT
> 
> #echo -e "   - Accepting output lo traffic"
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
> 
> #echo -e "   - Defined Chains"
> $IPTABLES -N TCP
> $IPTABLES -N UDP
> 
> #echo -e "   - Accepting SSH Traffic"
> $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
> $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
> 
> #echo -e "   - Accepting input TCP and UDP traffic to open ports"
> $IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
> 
> #echo -e "   - Accepting output TCP and UDP traffic to open ports"
> $IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
> 
> #echo -e "   - Dropping input TCP and UDP traffic to closed ports"
> # $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
> 
> #echo -e "   - Dropping output TCP and UDP traffic to closed ports"
> # $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
> 
> #echo -e "   - Dropping input traffic to remaining protocols sent to closed ports"
> # $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
> 
> #echo -e "   - Dropping output traffic to remaining protocols sent to closed ports"
> # $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
> 
> 
> Everything works fine with the REJECT rules commented out, but when
> included SSH access is blocked out. Not sure why, isn't the sequence
> correct (i.e., the ACCEPT entries before the DROP and REJECT)?
> 
> Also, any pointers or heads up when going stateless would be greatly
> appreciated.
> 
> Kind Regards,
> 
> Nick
> 


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Jarry

On 21-May-13 17:07, Nick Khamis wrote:

> We recently moved our stateful firewall inside, and would like to
> strip down the firewall at our router connected to the outside world.
> The problem I am experiencing is getting things to work properly
> without connection tracking. I hope I am not in breach of mailing list
> rules however, a stripped down configuration is as follows:
> 
> #echo -e "   - Defined Chains"
> $IPTABLES -N TCP
> $IPTABLES -N UDP
> 
> #echo -e "   - Accepting SSH Traffic"
> $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
> $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
> 
> #echo -e "   - Accepting input TCP and UDP traffic to open ports"
> $IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
> 
> #echo -e "   - Accepting output TCP and UDP traffic to open ports"
> $IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
> 
> Everything works fine with the REJECT rules commented out, but when
> included SSH access is blocked out. Not sure why, isn't the sequence
> correct (i.e., the ACCEPT entries before the DROP and REJECT)?
> 
> Also, any pointers or heads up when going stateless would be greatly
> appreciated.


I do not understand why you *want* to omit statefulness,
but if you do, you have to take care of the corresponding part
of the IP traffic yourself.

First, you'd better learn something about "3-way handshaking".
That's the way a TCP/IP connection is opened. Shortly:

1. client sends to server a TCP/IP packet with the "syn" flag
2. server responds with "syn/ack" flags
3. client sends "ack"

Now look at your rules: you covered only the first part with:
$IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP

Where is the OUTPUT rule for "syn/ack", and INPUT for "ack"?
Nowhere, and because of that you can not open a TCP connection
if drop/reject rules are in effect.

But instead of playing with tcp-flags I strongly recommend
using a stateful firewall, which takes care of this with
one simple rule.

Jarry

--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Nick Khamis
Hello Everyone,

Thank you so much for your responses. I agree Alan, total pain in the
neck!!! But it's a ticket that was passed down to me. We moved the
stateful firewalls inside the network, broken down to each department.

But as a first on-site defense on our BGP router running Quagga, we
only require stateless for performance reasons. Jarry, thank you so
much! I might need some additional help with the three-way handshakes.
What I did to stay scalable was:

Define a chain:

-N TCP

Handle two way for a specific service:

-A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp -s 192.168.2.5 --sport 22 -d 192.168.2.0/24 -j ACCEPT
-A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

Accepting Input and output requests to services included in the chain:

#echo -e "   - Accepting input TCP traffic to open ports"
-A INPUT -i $INTIF1 -p tcp -j TCP

#echo -e "   - Accepting output TCP traffic to open ports"
-A OUTPUT -o $INTIF1 -p tcp -j TCP

Dropping Everything Else:


#echo -e "   - Dropping input TCP to closed ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst

#echo -e "   - Dropping output TCP traffic to closed ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst

#echo -e "   - Dropping input traffic to remaining protocols sent to closed ports"
$IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e "   - Dropping output traffic to remaining protocols sent to closed ports"
$IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

Hope this keeps me scalable enough to keep the world of pain at bay as
much as possible...

N.
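Jarry's point is that without conntrack the rule set itself has to admit every leg of the handshake, in both directions; the `--syn` match used in the OUTPUT direction above never fires for the server's SYN/ACK, so the connection dies at leg 2. The script below is an added example, not something from the thread: it writes the rules for one TCP service twice, once stateless with one rule per handshake leg (plus the ACK-bearing segments that follow), and once stateful, where conntrack does the same job with two generic rules. Commands are printed by default and only executed when APPLY=1 is set and the script runs as root; the interface, host and LAN values are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: stateless vs. stateful allow rules for
# one TCP service. Interface, host and network are assumed values.
IPT=${IPT:-/sbin/iptables}
IF=${IF:-eth0}
HOST=${HOST:-192.168.2.5}
LAN=${LAN:-192.168.2.0/24}

# Print the iptables command, or execute it when APPLY=1.
emit() {
    if [ "${APPLY:-0}" = 1 ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

# Stateless allow for tcp/$1: each flag combination the connection will
# legitimately carry needs its own rule, in each direction.
stateless_service() {
    port=$1
    # leg 1: client SYN (ACK clear) to the service port
    emit -A INPUT -i "$IF" -p tcp -s "$LAN" -d "$HOST" --dport "$port" --tcp-flags SYN,ACK,FIN,RST SYN -j ACCEPT
    # leg 2: server SYN/ACK back to the client; --syn would not match this
    emit -A OUTPUT -o "$IF" -p tcp -s "$HOST" --sport "$port" -d "$LAN" --tcp-flags SYN,ACK SYN,ACK -j ACCEPT
    # leg 3 and every later segment (data, FIN/ACK, RST/ACK): ACK set, SYN clear
    emit -A INPUT -i "$IF" -p tcp -s "$LAN" -d "$HOST" --dport "$port" --tcp-flags SYN,ACK ACK -j ACCEPT
    emit -A OUTPUT -o "$IF" -p tcp -s "$HOST" --sport "$port" -d "$LAN" --tcp-flags SYN,ACK ACK -j ACCEPT
}

# Stateful allow for tcp/$1: only the opening SYN needs a per-service rule;
# the reply and all later segments are admitted by connection state.
stateful_service() {
    port=$1
    emit -A INPUT -i "$IF" -p tcp -s "$LAN" -d "$HOST" --dport "$port" --syn -m conntrack --ctstate NEW -j ACCEPT
    emit -A INPUT -i "$IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    emit -A OUTPUT -o "$IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

echo "# stateless rules for tcp/22"
stateless_service 22
echo "# stateful equivalent"
stateful_service 22
```

The two ESTABLISHED,RELATED rules in the stateful version are shared by every service, which is why the stateless variant grows by four rules per port while the stateful one grows by one.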



Re: [gentoo-user] IPTABLES syntax change?

2012-12-26 Thread Michael Orlitzky
On 12/26/2012 07:47 PM, Walter Dnes wrote:
>   Many years ago, I understood IPCHAINS, and the first versions of
> IPTABLES.  However, IPTABLES has followed the example of Larry Wall's
> Practical Extraction and Reporting Language
> and turned into a pseudo-OS that I barely comprehend.  Some rules
> that I added many years ago were designed to reject unsolicited
> connection attempts (after whitelisting my small LAN)...
> 
> -A ICMP_IN -p icmp -m state -j UNSOLICITED
> -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED
> -A UDP_IN -p udp -m state -j UNSOLICITED
> 
>   Now these all give me the error message...
> 
> WARNING: The state match is obsolete. Use conntrack instead.
> iptables-restore v1.4.16.3: state: option "--state" must be specified
> 

The 'conntrack' module is supposed to be a superset of 'state', so most
things should be compatible. You really have two warnings there; the
first is for the state -> conntrack switch, and the second is because
you're missing the --state flag in your rules.

In your example, you turn on the state matching,

  iptables -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED

but you don't specify *which* state(s) you want to match. It wants you
to specify --state SOMETHING. I'd guess that it used to interpret "no
state" as "any state."

You said that you whitelisted your LAN prior to that rule, so you're
probably just rejecting every {ICMP, TCP, UDP} packet with those three
rules.

If so, the equivalent rules are just,

  iptables -A ICMP_IN -p icmp -j DROP
  iptables -A TCP_IN  -p tcp  -j DROP
  iptables -A UDP_IN  -p udp  -j DROP

In other words, you only really need the connection tracking to /accept/
related connections. You don't want to deny related or established
connections, usually. And once you have accepted those two types, you
can just reject the rest, because they're necessarily new (or in rare
cases, "invalid").

I would be wary of this:

  -A ICMP_IN -p icmp -m conntrack --ctstate INVALID -j UNSOLICITED

since if the old rule works like I think it does (reject everything) the
new one might allow some things that the old one didn't.



Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Graham Murray
Michael Orlitzky  writes:

> The 'conntrack' module is supposed to be a superset of 'state', so most
> things should be compatible. You really have two warnings there; the
> first is for the state -> conntrack switch, and the second is because
> you're missing the --state flag in your rules.
>
> In your example, you turn on the state matching,
>
>   iptables -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED
>
> but you don't specify *which* state(s) you want to match. It wants you
> to specify --state SOMETHING. I'd guess that it used to interpret "no
> state" as "any state."

The problem is not really the OP's fault. The problem is that if you
have tables with the form "-m state --state XXX" at the point you
upgrade, iptables-save (quite possibly called automatically by
/etc/init.d/iptables stop) will save it as "-m state --state" - ie
'forgetting' which state(s) the rule applies to. 

The solution is to either change all your rules to use "-m conntrack
--ctstate XXX" before upgrading, or edit /var/lib/iptables/rules-save
to globally replace '-m state' by '-m conntrack' and '--state' by
'--ctstate' prior to the upgrade and (at least temporarily) edit
/etc/conf.d/iptables to set SAVE_ON_STOP="no". The same will also need
to be done with ip6tables if you use that.

I think that this is a serious enough change in behaviour that an elog
warning should have been issued.
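The global replace Graham describes is safe only while the state lists are still present; once a save has produced a bare `--state`, no search-and-replace can recover which states the rule meant. The script below is an added example, not from the thread: it converts a saved rules file to the conntrack form and refuses to touch a file that already contains a truncated `--state`, listing the affected lines instead. It assumes iptables-save output, where `-m state` and its `--state` argument sit next to each other on one line; both sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: migrate "-m state --state X" to
# "-m conntrack --ctstate X" in a saved rules file, and detect rules whose
# state list was already lost. Assumes iptables-save formatting.

# Print "lineno:rule" for every rule whose --state has no argument (next
# token is an option or end of line); return 0 when there are none.
truncated_state_rules() {
    ! grep -n -E -- '--state( +-[A-Za-z]|$)' "$1"
}

# Rewrite "-m state --state LIST" to the conntrack form on stdout; rules
# with an empty list are left alone so they stay visible.
convert_state_to_conntrack() {
    sed -e 's/-m state --state \([A-Z,]\{1,\}\)/-m conntrack --ctstate \1/g' "$1"
}

# Convert rules file $1 into $2, or refuse (return 1) if $1 has truncated rules.
migrate_rules() {
    if ! truncated_state_rules "$1"; then
        echo "refusing to convert $1: the rules above need their state list restored by hand" >&2
        return 1
    fi
    convert_state_to_conntrack "$1" >"$2"
}

# Constructed inputs: an intact pre-upgrade file and one with the damage
# described in the thread (the state list saved away).
OLD_RULES=$(mktemp)
BROKEN_RULES=$(mktemp)
NEW_RULES=$(mktemp)
trap 'rm -f "$OLD_RULES" "$BROKEN_RULES" "$NEW_RULES"' EXIT
cat >"$OLD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:TCP_IN - [0:0]
:UNSOLICITED - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
COMMIT
EOF
cat >"$BROKEN_RULES" <<'EOF'
*filter
:TCP_IN - [0:0]
:UNSOLICITED - [0:0]
-A TCP_IN -p tcp -m state --state -m tcp -j UNSOLICITED
COMMIT
EOF

migrate_rules "$OLD_RULES" "$NEW_RULES" && cat "$NEW_RULES"
migrate_rules "$BROKEN_RULES" "$NEW_RULES" || echo "broken file was not converted"
```

Run it against a copy of `/var/lib/iptables/rules-save` (and the ip6tables file) with `SAVE_ON_STOP="no"` set first, as Graham suggests, so a stop during the upgrade cannot overwrite the converted file with a damaged one.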



