Re: [gentoo-user] iptables wiki page questions
Sat, 15 Aug 2020 at 01:34, tastytea wrote:
> Note that, if you set rc_depend_strict="NO" in /etc/rc.conf, the
> dependency “net” is satisfied if only one net.* service is started.

If I remember correctly, it happened sometimes that iptables loaded after the net.eth0 service even with rc_depend_strict="YES" in /etc/rc.conf (iptables in default runlevel), and I changed one line in /etc/init.d/net.eth0:

-after net.lo ...
+after net.lo ... iptables

I think it does not harm :)

...The option, important for saving iptables state, is:

SAVE_ON_STOP="yes"

in /etc/conf.d/iptables. It's so by default, AFAIK.

--
Best regards,
Alex
Re: [gentoo-user] iptables wiki page questions
On 2020-08-14 22:17- Grant Edwards wrote:
> […]
> ### "rc-service iptables" vs. "/etc/init.d/iptables"

rc-service runs the same service scripts that are in /etc/init.d/, so it's the same. However the manpage of rc-service(8) mentions that “Service scripts could be in different places on different systems”, so the most compatible way would be to use rc-service.

> […]
> At the top of the page, rules are loaded by adding 'iptables' to the
> runlevel 'default', while at the bottom of the page, the 'boot'
> runlevel is used instead.
>
> Is there some significance to these differences?

I would use the same runlevel I use for net.*. iptables will always be started before net.*, see depend() in /etc/init.d/iptables. Note that, if you set rc_depend_strict="NO" in /etc/rc.conf, the dependency “net” is satisfied if only one net.* service is started. In this case you may want to put iptables in ‘boot’ and net.* in ‘default’.

Kind regards,
tastytea
Re: [gentoo-user] iptables-1.8.1 build failure
On Wednesday, 24 October 2018 15:30:06 BST Peter Humphrey wrote: > On Wednesday, 24 October 2018 12:52:24 BST Neil Bothwick wrote: > > On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote: > > > Today's update of iptables to 1.8.1 failed here because I didn't have > > > USE=nftables set. After setting that in package.use it was fine. Before > > > I submit a bug report, though, I'd like to understand one thing: > > > > > > $ grep nftables $(equery w iptables) > > > IUSE="conntrack ipv6 netlink nftables pcap static-libs" > > > > > > nftables? ( > > > nftables? ( > > > nftables? ( net-misc/ethertypes ) > > > > > > $(use_enable nftables) > > > > > > use nftables && emake -C iptables xtables-config-parser.h > > > if use nftables; then > > > > > > Shouldn't that IUSE entry be enough to pull in nftables? > > > > No, IUSE simply lists the USE flags relevant to the ebuild. The > > dependencies are set in DEPEND, which contains > > > > nftables? ( > > > > sys-devel/flex > > virtual/yacc > > > > ) > > > > It sounds like nftables should be in there too. this is with 1.8.0-r1, > > which is the latest I have here after syncing at 0720 today. > > It's 1.8.1 here. All three DEPEND stanzas (DEPEND, RDEPEND and > COMMON_DEPEND) have nftables? conditions, but nowhere is nftables made a > requirement, even though the package won't compile without it. > > Bug report https://bugs.gentoo.org/669498 submitted. ... and marked as a duplicate of 669486, which didn't show up in my searches. -- Regards, Peter.
Re: [gentoo-user] iptables-1.8.1 build failure
On Wednesday, 24 October 2018 12:52:24 BST Neil Bothwick wrote: > On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote: > > Today's update of iptables to 1.8.1 failed here because I didn't have > > USE=nftables set. After setting that in package.use it was fine. Before > > I submit a bug report, though, I'd like to understand one thing: > > > > $ grep nftables $(equery w iptables) > > IUSE="conntrack ipv6 netlink nftables pcap static-libs" > > > > nftables? ( > > nftables? ( > > nftables? ( net-misc/ethertypes ) > > > > $(use_enable nftables) > > > > use nftables && emake -C iptables xtables-config-parser.h > > if use nftables; then > > > > Shouldn't that IUSE entry be enough to pull in nftables? > > No, IUSE simply lists the USE flags relevant to the ebuild. The > dependencies are set in DEPEND, which contains > > nftables? ( > sys-devel/flex > virtual/yacc > ) > > It sounds like nftables should be in there too. this is with 1.8.0-r1, > which is the latest I have here after syncing at 0720 today. It's 1.8.1 here. All three DEPEND stanzas (DEPEND, RDEPEND and COMMON_DEPEND) have nftables? conditions, but nowhere is nftables made a requirement, even though the package won't compile without it. Bug report https://bugs.gentoo.org/669498 submitted. -- Regards, Peter.
Re: [gentoo-user] iptables-1.8.1 build failure
On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote:

> Today's update of iptables to 1.8.1 failed here because I didn't have
> USE=nftables set. After setting that in package.use it was fine. Before
> I submit a bug report, though, I'd like to understand one thing:
>
> $ grep nftables $(equery w iptables)
> IUSE="conntrack ipv6 netlink nftables pcap static-libs"
> nftables? (
> nftables? (
> nftables? ( net-misc/ethertypes )
> $(use_enable nftables)
> use nftables && emake -C iptables xtables-config-parser.h
> if use nftables; then
>
> Shouldn't that IUSE entry be enough to pull in nftables?

No, IUSE simply lists the USE flags relevant to the ebuild. The dependencies are set in DEPEND, which contains

nftables? (
    sys-devel/flex
    virtual/yacc
)

It sounds like nftables should be in there too. This is with 1.8.0-r1, which is the latest I have here after syncing at 0720 today.

--
Neil Bothwick

Q: Why is top-posting evil?
A: backwards read don't humans because
Re: [gentoo-user] IPTABLES
"siefke_lis...@web.de" writes:

> Hello,
>
> i try to run iptables, block bad ips and close the system.
>
> I want run firewall which block all INPUT, only ALLOW services i defined.
> Ipset want to use to block spam ips, make it sure awesome as ever set rules
> manually.

After reading a good iptables tutorial, you may want to take a look at shorewall and its documentation.

If you're referring to IP addresses from which you receive emails that are spam, I'd recommend getting familiar with exim and perhaps spamassassin. For extreme cases, you might want to use something like fail2ban.
Re: [gentoo-user] IPTABLES
Hello,

On Thu, 24 Dec 2015 15:11:55 +0300 Andrew Savchenko wrote:
> ...
> It is a bit old and isn't an ultimate description of all
> iptables features (you have manuals for that), but will give you a
> good understanding of how packet flow works and how they should be
> processed.
> ...

thank you for your information, now i know more where i am.

Silvio

Silvio Siefke
Re: [gentoo-user] IPTABLES
Hi,

On Tue, 22 Dec 2015 22:45:12 +0100 siefke_lis...@web.de wrote:
> i try to run iptables, block bad ips and close the system.
>
> I want run firewall which block all INPUT, only ALLOW services i defined.
> Ipset want to use to block spam ips, make it sure awesome as ever set rules
> manually.
>
> Im not so sure is okay, i has try and read but at end often i kick me out
> from rootserver. So better ask what say profis of Gentoo.
>
> The Firewall Script
> http://pastebin.com/b3305i41

I recommend you to read a good tutorial first, e.g. this one:
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

It is a bit old and isn't an ultimate description of all iptables features (you have manuals for that), but will give you a good understanding of how packet flow works and how they should be processed.

I see three main problems with your current rules:

1. ESTABLISHED,RELATED packets are not accepted in the INPUT. You will have legitimate traffic blocked because of that.

2. Rules are vulnerable to SYN/ACK attack (see manual above on how to fix this). FORWARDed traffic is not protected at all (are tun+ interfaces completely trusted?).

3. Rules are far from being optimal, e.g. instead of having many entries for each accepted port, you can write just two rules using multiport target: one for tcp and another one for udp. This way your rules will be much faster. Also you should consider proper ordering of rules: those with higher hit rate should go first if this doesn't impact security scheme.

There are minor issues of course, like blacklist check late in the rules (it should come one of the first, otherwise blacklisted hosts will be allowed to connect to your open services).

For remote debugging I recommend a small script like:

./iptables-current; sleep 1m; iptables-good

where iptables-current is the script with your current rules you want to test and iptables-good are tested rules which work for you. This way if you'll screw up with current rules and remote control will be lost, in a minute good old rules will be applied. Of course, you should terminate this command with ^C if new rules are good, so that old ones will not be fired in a minute.

Best regards,
Andrew Savchenko
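Andrew's "apply, sleep, reapply the known-good rules" one-liner, written out as an added example (not code from the thread). It snapshots the live ruleset with iptables-save instead of relying on a hand-kept "good" script, refuses a new file that iptables-restore cannot parse, and cancels the rollback only when confirm_rules is run, so a lost SSH session cannot leave you locked out. The command names and the state directory are assumptions and overridable (that is also what lets the functions be exercised without root); the stand-alone entry point at the bottom is only taken when FW_APPLY=1.

```shell
#!/bin/sh
# Timed firewall apply with automatic rollback (added example, not from the thread).
# iptables-save / iptables-restore and the state directory are overridable so
# the functions can be exercised without root or a live netfilter.
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
STATE_DIR=${STATE_DIR:-/run/fw-rollback}

# apply_with_rollback NEW_RULES [SECONDS]
#  1. snapshot the live ruleset,
#  2. parse NEW_RULES without loading it (iptables-restore --test),
#  3. load it atomically,
#  4. start a background timer that reloads the snapshot unless
#     confirm_rules is run before it fires.
apply_with_rollback() {
    new=$1
    timeout=${2:-60}
    mkdir -p "$STATE_DIR" || return 1
    rm -f "$STATE_DIR/rolled-back"
    $IPT_SAVE > "$STATE_DIR/backup.rules" || return 1
    if ! $IPT_RESTORE --test < "$new"; then
        echo "refusing to load $new: it does not parse" >&2
        return 1
    fi
    $IPT_RESTORE < "$new" || return 1
    (
        sleep "$timeout"
        # confirm_rules deletes the snapshot; if it is still there, nobody confirmed.
        if [ -e "$STATE_DIR/backup.rules" ]; then
            $IPT_RESTORE < "$STATE_DIR/backup.rules"
            mv "$STATE_DIR/backup.rules" "$STATE_DIR/rolled-back"
            echo "no confirmation within ${timeout}s: previous rules restored" >&2
        fi
    ) &
    echo $! > "$STATE_DIR/timer.pid"
    echo "new rules loaded; run confirm_rules within ${timeout}s to keep them" >&2
}

# confirm_rules: cancel the pending rollback and keep the new ruleset.
confirm_rules() {
    if [ -r "$STATE_DIR/timer.pid" ]; then
        kill "$(cat "$STATE_DIR/timer.pid")" 2>/dev/null || true
    fi
    rm -f "$STATE_DIR/backup.rules" "$STATE_DIR/timer.pid"
}

# Stand-alone use as root, e.g.:
#   FW_APPLY=1 FW_RULES=/etc/iptables/new.rules FW_TIMEOUT=60 sh fw-rollback.sh
#   ... check that you can still log in, then: . ./fw-rollback.sh; confirm_rules
if [ "${FW_APPLY:-}" = 1 ]; then
    apply_with_rollback "${FW_RULES:-/etc/iptables/new.rules}" "${FW_TIMEOUT:-60}"
fi
```

The snapshot is taken from the kernel, not from a file, so it is always the ruleset that was actually working a moment ago; the `--test` pass catches the most common way a remote apply goes wrong (a typo that makes iptables-restore abort half way, leaving a partially loaded table).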
Re: [gentoo-user] iptables tunneling a chrooted Linux?
On Sat, Aug 15, 2015 at 2:53 AM, Andrew Savchenko birc...@gentoo.org wrote:
> On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote:
>> on my Android tablet I have installed a Gentoo rootfs. I can start
>> this by chrooting it after Android has booted. Via xvnc I can connect
>> from a running Android to the also running Gentoo Linux.
>>
>> If I set up a firewall as root (the Android is rooted) while I am in
>> the chrooted Linux this firewall setting have to be active also in the
>> Android environment, right? Or vice versa: I can track any network
>> traffic of the Android OS inside my chrooted Linux, right?
>> One kernel to rule them all...?
>
> If this is only chroot, you have to set all iptables rules (and other
> network configuration) in the host system environment (on Android).

A bit of clarification here: Chroots and their hosts share the same network configuration. So, if you configure an iptables rule in the chroot, it affects the host, and vice-versa. That means you can set things up on either side, as long as you're talking about kernel-space settings (iptables, iproute2, etc). If you're touching resolv.conf or /etc/hosts that of course needs to be done in both places.

> If you are using LXC or other container...then you have to set up
> network inside container and bridge/route it with the host system.

If you're using containers, the network namespace can be shared or not. If the namespace is shared, then it behaves the same as a chroot with regard to the network, iptables, etc. If the network namespace is not shared then the container gets its own interface, and there are a lot of options for how you go from there. Usually you just bridge a virtual ethernet interface to the host, but if you have multiple physical interfaces you could have each namespace have its own physical interface (I have no idea if the cell network vs wifi network interfaces are separated in android).

You could set iptables either on the bridge on the host (which MUST be done from the host), or on the virtual interface in the container, and each set of rules affects the packets that go through it. Also, if you're bridging your container will have a different IP, so you might need NAT on the host if your cell provider blocks multiple DHCP assignments to the same device.

I actually have openvpn running in a container and it acts as the gateway for my network (everything else just sees it as a standard router, including the host). That does need some iproute2 magic if your host ends up also servicing non-vpn traffic since it is multi-networked. It would be easier to set up on a phone.

--
Rich
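The "one kernel, one network namespace" point above can be verified rather than assumed. This added example (not from the thread) uses the /proc/PID/ns/net link that Linux exposes for every process: a chroot leaves it unchanged, so a shell inside the chroot and one on the host resolve to the same namespace identifier, while a container with a private network namespace resolves to a different one. The PID 1 comparison in the stand-alone part assumes you are root; reading another user's ns link otherwise fails.

```shell
#!/bin/sh
# Which network namespace is a process in? (added example, not from the thread)
# On Linux, /proc/PID/ns/net is a symlink whose target, e.g. "net:[4026531992]",
# names the namespace by inode. chroot does not change it; a container with
# its own network namespace does. iptables rules set by a process apply to
# the namespace that process is in, so this is the check to make before
# trusting rules set from inside a chroot to be host-wide.

# netns_of PID: print the namespace identifier of PID; fails if the link is
# unreadable (other users' processes are unreadable without CAP_SYS_PTRACE).
netns_of() {
    readlink "/proc/$1/ns/net"
}

# same_netns PID1 PID2: succeed only when both links are readable and equal,
# i.e. a firewall rule applied from one process is seen by the other.
same_netns() {
    a=$(netns_of "$1") || return 1
    b=$(netns_of "$2") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# netns_population: number of visible processes per namespace. Inside a plain
# chroot this shows the same picture as on the host; a host running containers
# with private namespaces shows more than one line.
netns_population() {
    for p in /proc/[0-9]*; do
        readlink "$p/ns/net" 2>/dev/null
    done | sort | uniq -c
}

# Stand-alone use (run as root inside the chroot): compare with init (PID 1).
if [ "${NETNS_DEMO:-}" = 1 ]; then
    if same_netns $$ 1; then
        echo "this shell shares init's network namespace: rules set here apply host-wide"
    else
        echo "different (or unreadable) namespace: rules set here are not host-wide"
    fi
    netns_population
fi
```

If the two identifiers differ, the rules you load are only filtering traffic inside that namespace; with a bridged veth, as in Rich's container setup, the host side of the bridge needs its own rules loaded from the host.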
Re: [gentoo-user] iptables tunneling a chrooted Linux?
Hi,

On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote:
> on my Android tablet I have installed a Gentoo rootfs. I can start
> this by chrooting it after Android has booted. Via xvnc I can connect
> from a running Android to the also running Gentoo Linux.
>
> If I set up a firewall as root (the Android is rooted) while I am in
> the chrooted Linux this firewall setting have to be active also in the
> Android environment, right? Or vice versa: I can track any network
> traffic of the Android OS inside my chrooted Linux, right?
> One kernel to rule them all...?

If this is only chroot, you have to set all iptables rules (and other network configuration) in the host system environment (on Android).

If you are using LXC or other container, involving network namespace separation (not sure this is doable on Android, kernel must support NET_NS as well as userspace tools should support this), then you have to set up network inside container and bridge/route it with the host system.

Best regards,
Andrew Savchenko
Re: [gentoo-user] iptables tunneling a chrooted Linux?
Rich Freeman ri...@gentoo.org [15-08-15 13:04]:
> On Sat, Aug 15, 2015 at 2:53 AM, Andrew Savchenko birc...@gentoo.org wrote:
>> On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote:
>>> on my Android tablet I have installed a Gentoo rootfs. I can start
>>> this by chrooting it after Android has booted. Via xvnc I can connect
>>> from a running Android to the also running Gentoo Linux.
>>>
>>> If I set up a firewall as root (the Android is rooted) while I am in
>>> the chrooted Linux this firewall setting have to be active also in the
>>> Android environment, right? Or vice versa: I can track any network
>>> traffic of the Android OS inside my chrooted Linux, right?
>>> One kernel to rule them all...?
>>
>> If this is only chroot, you have to set all iptables rules (and other
>> network configuration) in the host system environment (on Android).
>
> A bit of clarification here: Chroots and their hosts share the same
> network configuration. So, if you configure an iptables rule in the
> chroot, it affects the host, and vice-versa. That means you can set
> things up on either side, as long as you're talking about kernel-space
> settings (iptables, iproute2, etc). If you're touching resolv.conf or
> /etc/hosts that of course needs to be done in both places.
>
>> If you are using LXC or other container...then you have to set up
>> network inside container and bridge/route it with the host system.
>
> If you're using containers, the network namespace can be shared or not.
> If the namespace is shared, then it behaves the same as a chroot with
> regard to the network, iptables, etc. If the network namespace is not
> shared then the container gets its own interface, and there are a lot
> of options for how you go from there. Usually you just bridge a virtual
> ethernet interface to the host, but if you have multiple physical
> interfaces you could have each namespace have its own physical
> interface (I have no idea if the cell network vs wifi network
> interfaces are separated in android).
>
> You could set iptables either on the bridge on the host (which MUST be
> done from the host), or on the virtual interface in the container, and
> each set of rules affects the packets that go through it. Also, if
> you're bridging your container will have a different IP, so you might
> need NAT on the host if your cell provider blocks multiple DHCP
> assignments to the same device.
>
> I actually have openvpn running in a container and it acts as the
> gateway for my network (everything else just sees it as a standard
> router, including the host). That does need some iproute2 magic if
> your host ends up also servicing non-vpn traffic since it is
> multi-networked. It would be easier to set up on a phone.
>
> --
> Rich

Hi Andrew, hi Rich,

thanks for your replies! 8)

Android has a problem: Apps/Applications for the masses with advanced features broken down to a few colored buttons to press. Sounds a little pessimistic...it is not. It's only the sound of frustration.

I want to block out the man (goo...) in the middle while copying files from my PC to my tablet and vice versa via wifi. As soon as the wifi is switched on, my tablet starts talking to persons I had never known (goo...).

So I installed some Android firewalls and Android SFTP-servers. No go...all firewalls I tried block all incoming traffic and there is no switch to deactivate or define it better. Some SFTP-server applications even stop working if they could not phone home.

Last chance: Installing a fully functional chrooted Linux, setup some handcrafted iptables/ipset/sidmat stuff (which I still have to do) and...get a "Yes, network is shared on kernel level" as answer from this thread. :)

And I got this answer...YEAH! :))

Thanks a lot for your help!!!

Best regards and have a nice weekend!
Meino
Re: [gentoo-user] iptables tunneling a chrooted Linux?
On Sat, Aug 15, 2015 at 7:45 AM, meino.cra...@gmx.de wrote:
> Last chance: Installing a fully functional chrooted Linux, setup some
> handcrafted iptables/ipset/sidmat stuff (which I still have to do)
> and...get a "Yes, network is shared on kernel level" as answer from
> this thread. :)
>
> And I got this answer...YEAH! :))

Yup. If your goal is to block outgoing connections to selected IPs then you just need to have iptables/etc installed. Doing it from a chroot is probably as good a solution as any. You could also go the prefix route, though that is trickier. Neither is any better, so I'd stick with simple and use the chroot.

--
Rich
Re: [gentoo-user] IPTables question... simple as possible for starters
On Dec 30, 2013 7:31 PM, shawn wilson ag4ve...@gmail.com wrote:
> Minor additions to what Pandu said...
>
> On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan pa...@poluan.info wrote:
>> On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl tansta...@libertytrek.org wrote:
>>
>> The numbers within [brackets] are statistics/counters. Just replace
>> them with [0:0], unless you really really really have a good reason
>> to not start counting from 0...
>
> AFAIK, there's no reason this shouldn't always be set to 0. If you
> want to keep your counter do --noflush
>
>> NOTE: In that ServerFault posting, I suggested using the anti-attack
>> rules in -t raw -A PREROUTING. This saves a great deal of processing,
>> because the raw table is just that: raw, unadulterated, unanalyzed
>> packets. The CPU assumes nothing, it merely tries to match well-known
>> fields' values.
>
> And because nothing is assumed, you can't prepend a conntrack rule. I
> can't think of why you'd ever want those packets (and I should
> probably move at least those 4 masks to raw) but just an FYI - no
> processing means no processing.
>
> Also see nftables: http://netfilter.org/projects/nftables/

Very interesting... were they aiming for something similar to *BSD's pf firewall?

I personally prefer iptables-style firewall; no guessing about how a state machine will respond in strange situations. Especially since I greatly leverage ipset and '-m condition' (part of xtables-addons), which might or might not be fully supported by nftables.

Rgds,
--
Re: [gentoo-user] IPTables question... simple as possible for starters
On Tue, Dec 31, 2013 at 9:08 AM, Pandu Poluan pa...@poluan.info wrote:
> On Dec 30, 2013 7:31 PM, shawn wilson ag4ve...@gmail.com wrote:
>> Minor additions to what Pandu said...
>>
>> On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan pa...@poluan.info wrote:
>>> On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl tansta...@libertytrek.org wrote:
>>>
>>> The numbers within [brackets] are statistics/counters. Just replace
>>> them with [0:0], unless you really really really have a good reason
>>> to not start counting from 0...
>>
>> AFAIK, there's no reason this shouldn't always be set to 0. If you
>> want to keep your counter do --noflush
>>
>>> NOTE: In that ServerFault posting, I suggested using the anti-attack
>>> rules in -t raw -A PREROUTING. This saves a great deal of processing,
>>> because the raw table is just that: raw, unadulterated, unanalyzed
>>> packets. The CPU assumes nothing, it merely tries to match well-known
>>> fields' values.
>>
>> And because nothing is assumed, you can't prepend a conntrack rule. I
>> can't think of why you'd ever want those packets (and I should
>> probably move at least those 4 masks to raw) but just an FYI - no
>> processing means no processing.
>>
>> Also see nftables: http://netfilter.org/projects/nftables/
>
> Very interesting... were they aiming for something similar to *BSD's
> pf firewall?

IDK (I think I remember reading that, but maybe I was just dreaming as I can't recall where), but that's sorta what it's looking like at this point.

> I personally prefer iptables-style firewall; no guessing about how a
> state machine will respond in strange situations. Especially since I
> greatly leverage ipset and '-m condition' (part of xtables-addons),
> which might or might not be fully supported by nftables.

pf is easier to learn. I use iptables much more, but if I need to do something with pf, it wouldn't take me very long to re-learn what's going on so that's sorta a plus for pf.

IIRC, nftables is supposed to be backward compatible. But, will x module work? I hope they didn't go and break stuff too much :)
Re: [gentoo-user] IPTables question... simple as possible for starters
On 2013-12-29 1:39 PM, shawn wilson ag4ve...@gmail.com wrote:
> On Sun, Dec 29, 2013 at 1:07 PM, Tanstaafl tansta...@libertytrek.org wrote:
>> Hi all,
>>
>> Ok, I'm setting up a new server, and I'd like to rethink my iptables
>> rules. I'd like to start with something fairly simple:
>>
>> 1. Allow connections from anywhere ONLY to certain ports
>> ie, for encrypted IMAP/SMTP connections from users
>>
>> 2. Allow connections from only certain IP addresses to certain ports
>> ie, for limiting SSH access
>
> I'd reverse the order that #1 and #2 appear.

Well, I was just writing that as a general description. Looking in the rules

>> 3. DROP ALL other connection attempts
>> ie, I don't want to see these disallowed attempts in the logs
>>
>> In order to keep my rules more manageable, I have a commented text file
>> that I manually edit whenever modifying my rules, then I do an
>> 'iptables-restore /path/to/iptables-rules' to update them.
>>
>> My first question is about a trick I learned some time ago (but don't
>> remember where)...
>>
>> For the ports for which I want to allow only restricted access, I have
>> something like:
>>
>> ###
>> # bgn exceptions blocks
>> ###
>> :f_22_I - [0:0]
>> :f_25_I - [0:0]
>> :f_22_O - [0:0]
>> :f_25_O - [0:0]
>>
>> Am I correct that the above are what are called 'chains' in iptables speak?
>
> That defines non-kernel chains but you still need to jump to them from
> INPUT/OUTPUT or whatever. So, something like:
>
> -A -m tcp -p tcp --dport 22 --sport 1024:65535 -j f_22_I

Well, yeah... I didn't post my entire ruleset... ;)

> ^ I just

>> And am I also correct that the above adds each rule to the named chain
>> in order, and that the order is significant?
>
> Yep - like ACLs, rules are processed from top down. ACCEPT, REJECT, and
> DROP are end points when they match.

Good, thanks. Then...

>> assuming that I have all of the specific rules after these set up to
>> allow just the traffic I want, and I wanted to add a final rule that
>> just silently DROPped all other inbound connection attempts, it would be:
>>
>> -A INPUT -j DROP
>
> What you're looking for is the policy which are by default ACCEPT on
> all kernel rules and which you change in the save file with something
> like this:
>
> :INPUT DROP [0:0]
>
> And, just so that there's no confusion, you should state the policy of
> OUTPUT and FORWARD at the top of your save file along with INPUT - see
> the output of iptables-save as an example of what your file should look
> like.

Ok, well, maybe I should have posted my entire ruleset...

I have this above where I define my chains:

#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#

Does it matter where this goes?

And then above that, I have something else that I've never understood:

*mangle
:PREROUTING ACCEPT [1378800222:449528056411]
:INPUT ACCEPT [1363738727:447358082301]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1221121261:1103241097263]
:POSTROUTING ACCEPT [1221116979:1103240864155]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

> Also, if you're creating a chain just to do the same thing with
> different addresses, look at using ipset. Then you just:
>
> ipset create ssh_in iphash
> ipset add ssh_in 1.2.3.4
>
> and then this works:
>
> -A -m set --match-set ssh_in src -j ACCEPT
>
> ipset has the same save/load type things as ipt (minor differences with
> how you handle reload, but google or ask if you want to know). The set
> needs to be in place before the ipt rule is added, so ipset comes first
> in your boot sequence.

Thanks, looks interesting and useful...

So much to learn, so little time... ;)
Re: [gentoo-user] IPTables question... simple as possible for starters
On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl tansta...@libertytrek.org wrote:
> [-- LE SNIP --]
>
> Ok, well, maybe I should have posted my entire ruleset...
>
> I have this above where I define my chains:
>
> #
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> #
>
> Does it matter where this goes?

Yes. Chain declarations must come before the rules themselves.

> And then above that, I have something else that I've never understood:
>
> *mangle

Begin declaration of the mangle table.

> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]

The numbers within [brackets] are statistics/counters. Just replace them with [0:0], unless you really really really have a good reason to not start counting from 0...

The second word is the 'policy' of the chain, i.e., the default action taken if no rules match in the chain.

> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

Alright, the `--tcp-flags` option takes two parameters: flags_to_check and expected_flags

These 4 rules collectively block 'well-known TCP Attacks', which I've listed here: http://serverfault.com/a/245713/15440

NOTE: In that ServerFault posting, I suggested using the anti-attack rules in -t raw -A PREROUTING. This saves a great deal of processing, because the raw table is just that: raw, unadulterated, unanalyzed packets. The CPU assumes nothing, it merely tries to match well-known fields' values.

You *do* have to make sure that you don't forget to compile kernel support for RAW tables ;-)

> COMMIT

End of mangle table declaration. Commit all chain definitions and chain rules in one atomic operation.

>> ipset create ssh_in iphash
>> ipset add ssh_in 1.2.3.4
>>
>> and then this works:
>>
>> -A -m set --match-set ssh_in src -j ACCEPT
>>
>> ipset has the same save/load type things as ipt (minor differences
>> with how you handle reload, but google or ask if you want to know).
>> The set needs to be in place before the ipt rule is added, so ipset
>> comes first in your boot sequence.
>
> Thanks, looks interesting and useful...
>
> So much to learn, so little time... ;)

iptables is a powerful beast; learn it well, and you'll prosper :-)

Rgds,
--
FdS Pandu E Poluan
~ IT Optimizer ~
• LOPSA Member #15248
• Blog : http://pandu.poluan.info/blog/
• Linked-In : http://id.linkedin.com/in/pepoluan
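The rules of the save-file format spelled out in this thread (declare chains before using them, reset counters to [0:0], close every table with COMMIT, jump to your user chains from somewhere) are easy to get wrong in a hand-edited file, and iptables-restore only tells you about some of them, after it has already started loading. As an added example that is not from the thread, here is a small awk-based linter for iptables-save style files that enforces those points before the file is fed to iptables-restore. The "jump to an undeclared chain" check uses a heuristic: a target that is neither a declared chain nor an all-uppercase name (built-in and extension targets such as ACCEPT, DNAT or MASQUERADE are all-uppercase; user chains like f_22_I usually are not) is flagged.

```shell
#!/bin/sh
# Lint an iptables-save style file before iptables-restore sees it
# (added example, not from the thread). Findings are printed one per line
# as FILE:LINE: message; exit status 0 means clean, 1 means problems.
# Checks:
#   - every *table is closed by COMMIT,
#   - chain lines (:NAME POLICY [pkts:bytes]) carry [0:0] counters,
#   - -A/-I rules only touch chains declared earlier in the same table,
#   - a -j/-g target that is neither a declared chain nor an all-uppercase
#     target name is reported (heuristic for a misspelled user chain),
#   - user-defined chains (policy "-") are actually jumped to.
lint_ruleset() {
    awk '
    function report(msg) { print FILENAME ":" NR ": " msg; problems++ }
    function end_table(   c) {
        if (table == "") return
        if (!committed) report("table " table " not terminated by COMMIT")
        for (c in custom) if (!(c in jumped)) report("custom chain " c " is never jumped to")
    }
    /^#/ || /^[ \t]*$/ { next }
    /^\*/ {
        end_table()
        table = substr($1, 2); committed = 0
        split("", declared); split("", custom); split("", jumped)
        next
    }
    /^COMMIT/ { committed = 1; next }
    /^:/ {
        name = substr($1, 2); declared[name] = 1
        if ($2 == "-") custom[name] = 1
        if ($3 != "" && $3 != "[0:0]") report("chain " name " keeps counters " $3)
        next
    }
    /^-[AI] / {
        if (!($2 in declared)) report("rule appends to undeclared chain " $2)
        for (i = 3; i < NF; i++)
            if ($i == "-j" || $i == "-g") {
                t = $(i + 1)
                if (t in custom) jumped[t] = 1
                else if (!(t in declared) && t !~ /^[A-Z_]+$/)
                    report("jump to undeclared chain " t)
            }
        next
    }
    END { end_table(); exit problems ? 1 : 0 }
    ' "$1"
}

# Stand-alone use:  lint_ruleset /var/lib/iptables/rules-save && iptables-restore < ...
```

Run it in front of the restore in whatever script loads your rules; a non-zero exit is the cue not to touch the kernel at all, which is what the COMMIT-per-table atomicity above cannot give you across tables.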
Re: [gentoo-user] IPTables question... simple as possible for starters
Minor additions to what Pandu said...

On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan pa...@poluan.info wrote:
> On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl tansta...@libertytrek.org wrote:
>
> The numbers within [brackets] are statistics/counters. Just replace
> them with [0:0], unless you really really really have a good reason
> to not start counting from 0...

AFAIK, there's no reason this shouldn't always be set to 0. If you want to keep your counter do --noflush

> NOTE: In that ServerFault posting, I suggested using the anti-attack
> rules in -t raw -A PREROUTING. This saves a great deal of processing,
> because the raw table is just that: raw, unadulterated, unanalyzed
> packets. The CPU assumes nothing, it merely tries to match well-known
> fields' values.

And because nothing is assumed, you can't prepend a conntrack rule. I can't think of why you'd ever want those packets (and I should probably move at least those 4 masks to raw) but just an FYI - no processing means no processing.

Also see nftables: http://netfilter.org/projects/nftables/
Re: [gentoo-user] IPTables question... simple as possible for starters
On Sun, Dec 29, 2013 at 1:07 PM, Tanstaafl tansta...@libertytrek.org wrote:
> Hi all,
>
> Ok, I'm setting up a new server, and I'd like to rethink my iptables
> rules. I'd like to start with something fairly simple:
>
> 1. Allow connections from anywhere ONLY to certain ports
> ie, for encrypted IMAP/SMTP connections from users
>
> 2. Allow connections from only certain IP addresses to certain ports
> ie, for limiting SSH access

I'd reverse the order that #1 and #2 appear.

> 3. DROP ALL other connection attempts
> ie, I don't want to see these disallowed attempts in the logs
>
> In order to keep my rules more manageable, I have a commented text file
> that I manually edit whenever modifying my rules, then I do an
> 'iptables-restore /path/to/iptables-rules' to update them.
>
> My first question is about a trick I learned some time ago (but don't
> remember where)...
>
> For the ports for which I want to allow only restricted access, I have
> something like:
>
> ###
> # bgn exceptions blocks
> ###
> :f_22_I - [0:0]
> :f_25_I - [0:0]
> :f_22_O - [0:0]
> :f_25_O - [0:0]
>
> Am I correct that the above are what are called 'chains' in iptables speak?

That defines non-kernel chains but you still need to jump to them from INPUT/OUTPUT or whatever. So, something like:

-A -m tcp -p tcp --dport 22 --sport 1024:65535 -j f_22_I
                             ^ I just came up with something for the sport - it's possible there's a default more narrow for your client.

> #
> ### allow connections only from the following IP's
> #
> ## SSH
> #
> # my local admin hosts
> -A f_22_I -s ###.###.###.### -j ACCEPT
> -A f_22_I -s ###.###.###.### -j ACCEPT
> -A f_22_I -s ###.###.###.### -j ACCEPT
> -A f_22_I -s ###.###.###.### -j ACCEPT
> -A f_22_I -s ###.###.###.### -j ACCEPT
> #
> # external hosts
> -A f_22_I -s ###.###.###.### -j ACCEPT
> -A f_22_I -s ###.###.###.### -j ACCEPT
>
> And am I also correct that the above adds each rule to the named chain
> in order, and that the order is significant?

Yep - like ACLs, rules are processed from top down. ACCEPT, REJECT, and DROP are end points when they match.

> So, if I wanted to add a last rule to that chain that DROPs all other
> connection attempts, it would be just:
>
> -A f_22_I -j DROP

I would do this just because it simplifies my life when looking at stuff (and probably removes microseconds of processing from the kernel). Only do this if you limit what hits this jump though (with --dport or whatever). Otherwise, the default behavior is basically a -j RETURN.

> ?
>
> Then... assuming that I have all of the specific rules after these set
> up to allow just the traffic I want, and I wanted to add a final rule
> that just silently DROPped all other inbound connection attempts, it
> would be:
>
> -A INPUT -j DROP

What you're looking for is the policy which are by default ACCEPT on all kernel rules and which you change in the save file with something like this:

:INPUT DROP [0:0]

And, just so that there's no confusion, you should state the policy of OUTPUT and FORWARD at the top of your save file along with INPUT - see the output of iptables-save as an example of what your file should look like.

Also, if you're creating a chain just to do the same thing with different addresses, look at using ipset. Then you just:

ipset create ssh_in iphash
ipset add ssh_in 1.2.3.4

and then this works:

-A -m set --match-set ssh_in src -j ACCEPT

ipset has the same save/load type things as ipt (minor differences with how you handle reload, but google or ask if you want to know). The set needs to be in place before the ipt rule is added, so ipset comes first in your boot sequence.

> ?
>
> Thanks...
[gentoo-user] Re: [gentoo-user] IPTables - Going Stateless
Tuesday, 21 May 2013, 11:07 -04:00, from Nick Khamis sym...@gmail.com:
> Hello Everyone,
>
> We recently moved our stateful firewall inside, and would like to strip
> down the firewall at our router connected to the outside world. The
> problem I am experiencing is getting things to work properly without
> connection tracking. I hope I am not in breach of mailing list rules
> however, a stripped down configuration is as follows:
>
> #!/bin/bash
> IPTABLES='/sbin/iptables'
>
> #Set interface values
> INTIF1='eth0'
>
> #flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
>
> #echo -e- Accepting input lo traffic
> $IPTABLES -A INPUT -i lo -j ACCEPT
>
> #echo -e- Accepting output lo traffic
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
> #echo -e- Defined Chains
> $IPTABLES -N TCP
> $IPTABLES -N UDP
>
> #echo -e- Accepting SSH Traffic
> $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
> $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
>
> #echo -e- Accepting input TCP and UDP traffic to open ports
> $IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
>
> #echo -e- Accepting output TCP and UDP traffic to open ports
> $IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
>
> #echo -e- Dropping input TCP and UDP traffic to closed ports
> # $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
>
> #echo -e- Dropping output TCP and UDP traffic to closed ports
> # $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
>
> #echo -e- Dropping input traffic to remaining protocols sent to closed ports
> # $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
>
> #echo -e- Dropping output traffic to remaining protocols sent to closed ports
> # $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
>
> Everything works fine with the REJECT rules commented out, but when
> included SSH access is blocked out. Not sure why, isn't the sequence
> correct (i.e., the ACCEPT entries before the DROP and REJECT)? Also,
> any pointers or heads up when going stateless would be greatly
> appreciated.
>
> Kind Regards,
>
> Nick

Looks like the packet never gets to the tcp chain. what is --syn?
Re: [gentoo-user] Re: [gentoo-user] IPTables - Going Stateless
> Looks like the packet never gets to the tcp chain. What is --syn?

It seems that way. I am not sure what --syn is actually. But even if I comment it out it does not work. Also, for testing I changed the SSH rule to allow bidirectional traffic until this is fixed:

-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

As mentioned before everything works as expected until I try to close up the ports not included in the TCP and UDP chains:

#echo -e "- Dropping input TCP and UDP traffic to closed ports"
-A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e "- Dropping output TCP and UDP traffic to closed ports"
-A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e "- Dropping input traffic to remaining protocols sent to closed ports"
-A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e "- Dropping output traffic to remaining protocols sent to closed ports"
-A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

Thanks in Advance,

Nick.
Re: [gentoo-user] IPTables - Going Stateless
On 21/05/2013 17:07, Nick Khamis wrote:
> Hello Everyone,
>
> We recently moved our stateful firewall inside, and would like to strip down the firewall at our router connected to the outside world. The problem I am experiencing is getting things to work properly without connection tracking.

Now why, oh why, do you want to do that?

A world of pain awaits you. Stateless firewalls are a colossal mindfuck that will drive you crazy. So unless you have a very very good reason for doing this I recommend you seriously revisit your choice. iptables really does not consume that much resources (and if you truly are low on resources then you need to get a bigger router, because after all it is a router and I assume in production)

> I hope I am not in breach of mailing list rules; however, a stripped down configuration is as follows:
>
> #!/bin/bash
> IPTABLES='/sbin/iptables'
>
> #Set interface values
> INTIF1='eth0'
>
> #flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
>
> #echo -e "- Accepting input lo traffic"
> $IPTABLES -A INPUT -i lo -j ACCEPT
> #echo -e "- Accepting output lo traffic"
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
> #echo -e "- Defined Chains"
> $IPTABLES -N TCP
> $IPTABLES -N UDP
>
> #echo -e "- Accepting SSH Traffic"
> $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
> $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
>
> #echo -e "- Accepting input TCP and UDP traffic to open ports"
> $IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
>
> #echo -e "- Accepting output TCP and UDP traffic to open ports"
> $IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
> $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
>
> #echo -e "- Dropping input TCP and UDP traffic to closed ports"
> # $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
>
> #echo -e "- Dropping output TCP and UDP traffic to closed ports"
> # $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
> # $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
>
> #echo -e "- Dropping input traffic to remaining protocols sent to closed ports"
> # $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
>
> #echo -e "- Dropping output traffic to remaining protocols sent to closed ports"
> # $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
>
> Everything works fine with the REJECT rules commented out, but when included SSH access is blocked out. Not sure why, isn't the sequence correct (i.e., the ACCEPT entries before the DROP and REJECT)? Also, any pointers or heads up when going stateless would be greatly appreciated.
>
> Kind Regards,
>
> Nick

-- 
Alan McKinnon
alan.mckin...@gmail.com
Re: [gentoo-user] IPTables - Going Stateless
Hello Everyone,

Thank you so much for your responses. I agree Alan, total pain in the neck!!! But it's a ticket that was passed down to me. We moved the stateful firewalls inside the network, broken down to each department. But as a first on site defense on our BGP router running Quagga, we only require stateless for performance reasons.

Jerry, thank you so much! I might need some additional help with the three way handshakes. What I did to stay scalable was:

Define a chain:

-N TCP

Handle two way for a specific service:

-A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp -s 192.168.2.5 --sport 22 -d 192.168.2.0/24 -j ACCEPT
-A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

Accepting Input and output requests to services included in the chain:

#echo -e "- Accepting input TCP traffic to open ports"
-A INPUT -i $INTIF1 -p tcp -j TCP
#echo -e "- Accepting output TCP traffic to open ports"
-A OUTPUT -o $INTIF1 -p tcp -j TCP

Dropping Everything Else:

#echo -e "- Dropping input TCP to closed ports"
$IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
#echo -e "- Dropping output TCP traffic to closed ports"
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
#echo -e "- Dropping input traffic to remaining protocols sent to closed ports"
$IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
#echo -e "- Dropping output traffic to remaining protocols sent to closed ports"
$IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

Hope this keeps me scalable enough to keep the world of pain at bay as much as possible...

N.
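An added example, not Nick's script and not from this thread: a stateless ruleset for the same SSH case, printed in iptables-restore format so it can be syntax-checked with 'iptables-restore --test' before it is loaded. It spells out both halves a stateless filter has to describe by hand: the non-SYN packets of a session that was already admitted, and the replies that leave from source port 22 rather than to destination port 22. The interface and addresses (eth0, 192.168.2.5, 192.168.2.0/24) are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example, not Nick's script: a stateless ruleset for the SSH case in
# the thread, printed in iptables-restore format. Assumed (hypothetical,
# taken from the thread): eth0 is the outside interface, 192.168.2.5 is this
# host, 192.168.2.0/24 is the network that may open SSH sessions.
WAN_IF="${WAN_IF:-eth0}"
HOST_IP="${HOST_IP:-192.168.2.5}"
ADMIN_NET="${ADMIN_NET:-192.168.2.0/24}"

# Print the ruleset. Lines beginning with '#' are comments to iptables-restore.
stateless_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:TCP_IN - [0:0]
:TCP_OUT - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Without conntrack both directions of a session must be spelled out.
# Inbound, packet 1: the SYN that opens a session, only from $ADMIN_NET.
-A TCP_IN -p tcp --syn -s $ADMIN_NET -d $HOST_IP --dport 22 -j ACCEPT
# Inbound, every later packet of that session (handshake ACK, data, FIN)
# has no bare SYN; a chain entered only via --syn never sees these.
-A TCP_IN -p tcp ! --syn -s $ADMIN_NET -d $HOST_IP --dport 22 -j ACCEPT
# Outbound: replies leave FROM port 22, so they match --sport, not --dport.
# SYN-ACK and data both carry ACK, so "not a bare SYN" admits them while
# keeping the server from ever originating a connection from port 22.
-A TCP_OUT -p tcp ! --syn -s $HOST_IP --sport 22 -d $ADMIN_NET -j ACCEPT
# Dispatch, then refuse whatever the per-protocol chains did not accept.
-A INPUT -i $WAN_IF -p tcp -j TCP_IN
-A OUTPUT -o $WAN_IF -p tcp -j TCP_OUT
-A INPUT -i $WAN_IF -p tcp -j REJECT --reject-with tcp-rst
-A OUTPUT -o $WAN_IF -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -i $WAN_IF -p udp -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o $WAN_IF -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i $WAN_IF -j REJECT --reject-with icmp-proto-unreachable
-A OUTPUT -o $WAN_IF -j REJECT --reject-with icmp-proto-unreachable
COMMIT
EOF
}

# Count the rules (lines beginning with -A) matching a pattern, e.g. to
# confirm both the --dport and the --sport half of a service are present.
count_rules() {
    stateless_rules | grep -- '^-A' | grep -c -- "$1"
}

stateless_rules
```

Pipe the output through 'iptables-restore --test' to parse it without committing, and through 'iptables-restore' to load it.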
Re: [gentoo-user] iptables (not) started?
On Friday 29 Mar 2013 18:25:11 Jarry wrote:
> Hi Gentoo-users,
>
> I noticed one thing on my server: during boot-up no message about firewall being started is printed on console. I always have to check manually if iptables-rules have been loaded.
>
> Strange thing, when doing shutdown, I see messages I expect:
>
> * Saving iptables state ... [ ok ]
> * Stopping firewall ... [ ok ]
>
> I checked also /etc/init.d/iptables and I think it should show some messages at start:
>
> start() {
>     checkconfig || return 1
>     ebegin "Loading ${iptables_name} state and starting firewall"
>     ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < ${iptables_save}
>     eend $?
> }
>
> Can someone explain to me why this message is not printed?

Do you have some other script starting your iptables, rather than the vanilla /etc/init.d/iptables?

Does '/etc/init.d/iptables status' show that it is running?

-- 
Regards,
Mick
Re: [gentoo-user] iptables (not) started?
On 29-Mar-13 19:43, Mick wrote:
> On Friday 29 Mar 2013 18:25:11 Jarry wrote:
>> Hi Gentoo-users,
>>
>> I noticed one thing on my server: during boot-up no message about firewall being started is printed on console. I always have to check manually if iptables-rules have been loaded.
>>
>> Strange thing, when doing shutdown, I see messages I expect:
>>
>> * Saving iptables state ... [ ok ]
>> * Stopping firewall ... [ ok ]
>>
>> I checked also /etc/init.d/iptables and I think it should show some messages at start:
>>
>> start() {
>>     checkconfig || return 1
>>     ebegin "Loading ${iptables_name} state and starting firewall"
>>     ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < ${iptables_save}
>>     eend $?
>> }
>>
>> Can someone explain to me why this message is not printed?
>
> Do you have some other script starting your iptables, rather than the vanilla /etc/init.d/iptables?

No.

> Does '/etc/init.d/iptables status' show that it is running?

* status: started

I recorded screen with my video-camera to be sure I did not miss some message. But I found no trace about iptables being started...

Jarry

-- 
___
This mailbox accepts e-mails only from selected mailing-lists! Everything else is considered to be spam and therefore deleted.
Re: [gentoo-user] iptables (not) started?
On Mar 30, 2013 1:27 AM, Jarry mr.ja...@gmail.com wrote:
> Hi Gentoo-users,
>
> I noticed one thing on my server: during boot-up no message about firewall being started is printed on console. I always have to check manually if iptables-rules have been loaded.
>
> Strange thing, when doing shutdown, I see messages I expect:
>
> * Saving iptables state ... [ ok ]
> * Stopping firewall ... [ ok ]

Slightly tangential to the subject, but related...

I personally prefer *not* to automatically save iptables rules on shutdown. That way, if I made some stupid mistake, a reboot restores the system to the LKGC (Last Known Good Configuration)...

Rgds,
--
Re: [gentoo-user] iptables (not) started?
On Friday 29 Mar 2013 19:03:57 Jarry wrote:
> On 29-Mar-13 19:43, Mick wrote:
>> On Friday 29 Mar 2013 18:25:11 Jarry wrote:
>>> Hi Gentoo-users,
>>>
>>> I noticed one thing on my server: during boot-up no message about firewall being started is printed on console. I always have to check manually if iptables-rules have been loaded.
>>>
>>> Strange thing, when doing shutdown, I see messages I expect:
>>>
>>> * Saving iptables state ... [ ok ]
>>> * Stopping firewall ... [ ok ]
>>>
>>> I checked also /etc/init.d/iptables and I think it should show some messages at start:
>>>
>>> start() {
>>>     checkconfig || return 1
>>>     ebegin "Loading ${iptables_name} state and starting firewall"
>>>     ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < ${iptables_save}
>>>     eend $?
>>> }
>>>
>>> Can someone explain to me why this message is not printed?
>>
>> Do you have some other script starting your iptables, rather than the vanilla /etc/init.d/iptables?
>
> No.
>
>> Does '/etc/init.d/iptables status' show that it is running?
>
> * status: started
>
> I recorded screen with my video-camera to be sure I did not miss some message. But I found no trace about iptables being started...

I have not set rc_logger in /etc/conf.d/iptables to know if it would make a difference and can confirm that I can clearly see it on my boxen at boot time:

* Loading iptables state and starting firewall ... [ ok ]

Another thing to check is that it is in the default level:

$ eselect rc list | grep iptables
iptables    default

I'm not sure if it would show up, or the message be suppressed if you add it to the boot level.

-- 
Regards,
Mick
Re: [gentoo-user] iptables (not) started?
On Friday 29 Mar 2013 19:34:39 Mick wrote:
> On Friday 29 Mar 2013 19:03:57 Jarry wrote:
>> On 29-Mar-13 19:43, Mick wrote:
>>> On Friday 29 Mar 2013 18:25:11 Jarry wrote:
>>>> Hi Gentoo-users,
>>>>
>>>> I noticed one thing on my server: during boot-up no message about firewall being started is printed on console. I always have to check manually if iptables-rules have been loaded.
>>>>
>>>> Strange thing, when doing shutdown, I see messages I expect:
>>>>
>>>> * Saving iptables state ... [ ok ]
>>>> * Stopping firewall ... [ ok ]
>>>>
>>>> I checked also /etc/init.d/iptables and I think it should show some messages at start:
>>>>
>>>> start() {
>>>>     checkconfig || return 1
>>>>     ebegin "Loading ${iptables_name} state and starting firewall"
>>>>     ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < ${iptables_save}
>>>>     eend $?
>>>> }
>>>>
>>>> Can someone explain to me why this message is not printed?
>>>
>>> Do you have some other script starting your iptables, rather than the vanilla /etc/init.d/iptables?
>>
>> No.
>>
>>> Does '/etc/init.d/iptables status' show that it is running?
>>
>> * status: started
>>
>> I recorded screen with my video-camera to be sure I did not miss some message. But I found no trace about iptables being started...
>
> I have not set rc_logger in /etc/conf.d/iptables to know if it would make a difference and can confirm that I can clearly see it on my boxen at boot time:
>
> * Loading iptables state and starting firewall ... [ ok ]
>
> Another thing to check is that it is in the default level:
>
> $ eselect rc list | grep iptables
> iptables    default
>
> I'm not sure if it would show up, or the message be suppressed if you add it to the boot level.

Just tested this - it does not suppress it in my machine if I set it to boot level.

Which makes me think ... Why do wikis and the like suggest that iptables should be in default rather than boot runlevel?

-- 
Regards,
Mick
Re: [gentoo-user] iptables (not) started?
On Fri, 29 Mar 2013 19:44:14 +, Mick wrote:
> Why do wikis and the like suggest that iptables should be in default rather than boot runlevel?

Why not? There's no need to start it especially early, as long as it is running before the network comes up, and the init script takes care of that.

-- 
Neil Bothwick

Vuja De: the feeling that you've never been here before.
Re: [gentoo-user] iptables (not) started?
On Friday 29 Mar 2013 20:37:20 Neil Bothwick wrote:
> On Fri, 29 Mar 2013 19:44:14 +, Mick wrote:
>> Why do wikis and the like suggest that iptables should be in default rather than boot runlevel?
>
> Why not? There's no need to start it especially early, as long as it is running before the network comes up, and the init script takes care of that.

I haven't seen anything in net.lo that waits for iptables and I seem to recall that the network interfaces are started before iptables is run, unless I start iptables at boot level.

-- 
Regards,
Mick
Re: [gentoo-user] iptables (not) started?
On Fri, 29 Mar 2013 23:29:39 +, Mick wrote:
>>> Why do wikis and the like suggest that iptables should be in default rather than boot runlevel?
>>
>> Why not? There's no need to start it especially early, as long as it is running before the network comes up, and the init script takes care of that.
>
> I haven't seen anything in net.lo that waits for iptables and I seem to recall that the network interfaces are started before iptables is run, unless I start iptables at boot level.

The iptables init script contains "before net".

-- 
Neil Bothwick

Advanced: (adj.) doesn't work yet, but it's pretty close. See: bug, glitch.
Re: [gentoo-user] IPTABLES syntax change?
On Sat, Jan 05, 2013 at 11:57:10AM +, Mick wrote
> It will, but only partially. It seems that the list is long and it is getting longer and longer! Check this out:
>
> whois -h whois.radb.net -- '-i origin AS32934' | grep ^route
>
> (as advised by https://developers.facebook.com/docs/ApplicationSecurity/)

<ELVIS> Thank you, Thank you, Thank you verrry verrry much </ELVIS>

It's not as bad as it looks, because...

a) there's a lot of duplication
b) many of the blocks are subsets with a bigger Facebook block

A grand total of 9 IPV4 ranges, of which I already have 6. Time for a minor update. Thanks again for the whois lookup command.

> BTW, websites may break if you block all these ip ranges.

<LENNART> It's their fault that they're broken, not mine </LENNART>

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications
Re: [gentoo-user] IPTABLES syntax change?
On Wed, Jan 02, 2013 at 11:32:58PM -0500, Michael Orlitzky wrote
> On 12/30/2012 10:21 PM, Walter Dnes wrote:
>> [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK: " --log-level 6
>> [0:0] -A FECESBOOK -j DROP
>> [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
>> [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
>> [0:0] -A INPUT -i lo -j ACCEPT
>> [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
>
> In fact, since you're blocking all outgoing packets to facebook, the only state that a packet from facebook can have here is INVALID or NEW. So traffic from facebook will be sent to the UNSOLICITED chain and DROPped.
>
>> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
>> [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
>> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
>> [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
>> [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
>> [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
>
> ...making these pointless =)

I've run into at least one newspaper website (I forget which, it's occasionally used for links on Slashdot) which ends up trying to redirect me to a Facebook site even though the URL does not mention Facebook at all. There is other integration as well. See the first post in http://www.dslreports.com/forum/r26618459-Increasing-integration-of-facebook-into-many-web-sites

I believe this may have been straightened out since then, but 13 months ago that post was correct. And then there's the LIKE button which shows up all over the web. The mere fact that you haven't manually typed in...

http://www.facebook.com/blah_blah_blah

does not mean you're not connecting to it.

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications
Re: [gentoo-user] IPTABLES syntax change?
On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes waltd...@waltdnes.org wrote:
> On Wed, Jan 02, 2013 at 11:32:58PM -0500, Michael Orlitzky wrote
>> On 12/30/2012 10:21 PM, Walter Dnes wrote:
>>> [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK: " --log-level 6
>>> [0:0] -A FECESBOOK -j DROP
>>> [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
>>> [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
>>> [0:0] -A INPUT -i lo -j ACCEPT
>>> [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
>>
>> In fact, since you're blocking all outgoing packets to facebook, the only state that a packet from facebook can have here is INVALID or NEW. So traffic from facebook will be sent to the UNSOLICITED chain and DROPped.
>>
>>> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
>>> [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
>>> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
>>> [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
>>> [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
>>> [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
>>
>> ...making these pointless =)
>
> I've run into at least one newspaper website (I forget which, it's occasionally used for links on Slashdot) which ends up trying to redirect me to a Facebook site even though the URL does not mention Facebook at all. There is other integration as well. See the first post in http://www.dslreports.com/forum/r26618459-Increasing-integration-of-facebook-into-many-web-sites
>
> I believe this may have been straightened out since then, but 13 months ago that post was correct. And then there's the LIKE button which shows up all over the web. The mere fact that you haven't manually typed in...
>
> http://www.facebook.com/blah_blah_blah
>
> does not mean you're not connecting to it.

But all that's above layer 3, since it's an HTTP redirect, or a page transclusion which necessitates a new GET request. Michael's point stands.

-- 
:wq
Re: [gentoo-user] IPTABLES syntax change?
On Fri, Jan 04, 2013 at 03:27:59PM -0500, Michael Mol wrote
> On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes waltd...@waltdnes.org wrote:
>> The mere fact that you haven't manually typed in...
>>
>> http://www.facebook.com/blah_blah_blah
>>
>> does not mean you're not connecting to it.
>
> But all that's above layer 3, since it's an HTTP redirect, or a page transclusion which necessitates a new GET request. Michael's point stands.

And I want to make sure that new GET request is blocked coming and going.

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications
Re: [gentoo-user] IPTABLES syntax change?
On Jan 4, 2013 8:33 PM, Walter Dnes waltd...@waltdnes.org wrote:
> On Fri, Jan 04, 2013 at 03:27:59PM -0500, Michael Mol wrote
>> On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes waltd...@waltdnes.org wrote:
>>> The mere fact that you haven't manually typed in...
>>>
>>> http://www.facebook.com/blah_blah_blah
>>>
>>> does not mean you're not connecting to it.
>>
>> But all that's above layer 3, since it's an HTTP redirect, or a page transclusion which necessitates a new GET request. Michael's point stands.
>
> And I want to make sure that new GET request is blocked coming and going.
>
> -- 
> Walter Dnes waltd...@waltdnes.org
> I don't run desktop environments; I run useful applications

And it will, for the simple reason that outbound packets are dropped, so inbound packets are never valid. That was Michael's point.
Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
On 2013-01-02 7:14 PM, Mick michaelkintz...@gmail.com wrote:
> On Wednesday 02 Jan 2013 19:47:11 Tanstaafl wrote:
>> Oh, ok - so, if I don't have any rules that use the 'mangle' command, then I can safely remove mangle support from my kernel and lose the mangle table altogether?
>
> Yes, I would think so. You can build it as a module anyway and un/not load it to see if iptables starts up without errors.

This is a server, so no modules support at all...

But no worries, I always keep my previous kernel when upgrading, so if something doesn't work right, I just reboot back to the previous one... it has saved me more than a few times...

Thanks again
Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
On 01/02/13 08:38, Tanstaafl wrote:
> Hi all,
>
> This has been bugging me for a while... I've googled, and can't seem to find a definitive answer to this question... Lots of references to the Mangle table, but nothing that really explains what this table is or does, and when or why I would want/need it.

It allows you to mangle the low level bits of a packet. You only need it for routing gymnastics.

> Currently, I have this in my rules (since forever, honestly don't even remember where it came from):
>
> *mangle
> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
> # Completed on Sun Dec 11 14:11:01 2011

The PREROUTING table happens before the routing decision is made. So those rules happen before the network stack decides what to do with a packet. Suppose, for example, that you forward all packets from your LAN to wherever they're supposed to go. You might want to alter the source IP of VPN traffic (which a priori is not from the LAN interface) so that it appears to come from the LAN before you decide whether or not to forward it.

The POSTROUTING table is similar, only it happens after the packet's destination is set in stone. So you can, say, change the source IP address in the packet and still have it routed wherever it was going to go originally.

> This is on a mail/web server with a static IP, it does not do any NAT and does not act as a perimeter firewall, it only protects itself...
>
> Thanks for any pointers to tfm that explains this if there is one, or just for a simple explanation if not...

I don't know what you were trying to do there, but it doesn't sound like you need it. You might have been trying to block packets in an invalid state. If so, consider using conntrack's --ctstate INVALID to drop them instead.
Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
On Wednesday 02 Jan 2013 13:38:27 Tanstaafl wrote:
> Hi all,
>
> This has been bugging me for a while... I've googled, and can't seem to find a definitive answer to this question... Lots of references to the Mangle table, but nothing that really explains what this table is or does, and when or why I would want/need it.
>
> Currently, I have this in my rules (since forever, honestly don't even remember where it came from):
>
> *mangle
> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> COMMIT
> # Completed on Sun Dec 11 14:11:01 2011
>
> This is on a mail/web server with a static IP, it does not do any NAT and does not act as a perimeter firewall, it only protects itself...
>
> Thanks for any pointers to tfm that explains this if there is one, or just for a simple explanation if not...

The rules you show above do not do any mangling. They just filter out packets during prerouting with certain tcp flags.

You would mangle packets if you needed to change some headers, e.g. ToS field and TTL. You could also set a MARK value so that you can thereafter process the MARK'ed packet accordingly (e.g. limit bandwidth for such packets, or do some fancy routing for them)

If you have a look at 'man iptables-extensions' it gives some examples of using -t mangle. I haven't looked in Google recently, but there should be some examples there too.

-- 
Regards,
Mick
Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
On 2013-01-02 2:01 PM, Mick michaelkintz...@gmail.com wrote:
> If you have a look at 'man iptables-extensions' it gives some examples of using -t mangle. I haven't looked in Google recently, but there should be some examples there too.

Oh, ok - so, if I don't have any rules that use the 'mangle' command, then I can safely remove mangle support from my kernel and lose the mangle table altogether?

Thanks guys...
Re: [gentoo-user] IPTABLES syntax change?
On 12/30/12 22:21, Walter Dnes wrote:
> OK, here is version 2. I had an excellent adventure along the way.

I'm doing the upgrade on our servers right now, and there's another possible gotcha: the newer iptables (requiring conntrack) requires NETFILTER_XT_MATCH_CONNTRACK support in the kernel. This is in contrast to the state matches which used NETFILTER_XT_MATCH_STATE.

To minimize downtime during the switch, I'm doing,

1. Rebuild the kernel, enable conntrack and disable state.
2. Fix my iptables-config script to use the conntrack stuff
3. Create a dummy set of rules that allows me to SSH in (without state matching)
4. Run and save those rules
5. Reboot to new kernel
6. SSH in and run iptables-config
7. Save the rules

> [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
> [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
> [0:0] -A INPUT -i lo -j ACCEPT
> [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
> [0:0] -A INPUT -p tcp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
> [0:0] -A INPUT -p udp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
> [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
> [0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG
> [0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG
> [0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG
> [0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG
> [0:0] -A INPUT -p icmp -j ICMP_IN
> [0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

These rules will be evaluated in order. I have no evidence for this, but I suspect you're better off accepting the ESTABLISHED,RELATED stuff earlier in the chain so you don't slow down the packets that you want.
Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
On Wednesday 02 Jan 2013 19:47:11 Tanstaafl wrote:
> On 2013-01-02 2:01 PM, Mick michaelkintz...@gmail.com wrote:
>> If you have a look at 'man iptables-extensions' it gives some examples of using -t mangle. I haven't looked in Google recently, but there should be some examples there too.
>
> Oh, ok - so, if I don't have any rules that use the 'mangle' command, then I can safely remove mangle support from my kernel and lose the mangle table altogether?
>
> Thanks guys...

Yes, I would think so. You can build it as a module anyway and un/not load it to see if iptables starts up without errors.

-- 
Regards,
Mick
Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?
On Jan 3, 2013 1:57 AM, Michael Orlitzky mich...@orlitzky.com wrote:
> On 01/02/13 08:38, Tanstaafl wrote:
>> Hi all,
>>
>> This has been bugging me for a while... I've googled, and can't seem to find a definitive answer to this question... Lots of references to the Mangle table, but nothing that really explains what this table is or does, and when or why I would want/need it.
>
> It allows you to mangle the low level bits of a packet. You only need it for routing gymnastics.
>
>> Currently, I have this in my rules (since forever, honestly don't even remember where it came from):
>>
>> *mangle
>> :PREROUTING ACCEPT [1378800222:449528056411]
>> :INPUT ACCEPT [1363738727:447358082301]
>> :FORWARD ACCEPT [0:0]
>> :OUTPUT ACCEPT [1221121261:1103241097263]
>> :POSTROUTING ACCEPT [1221116979:1103240864155]
>> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
>> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
>> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
>> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
>> COMMIT
>> # Completed on Sun Dec 11 14:11:01 2011
>
> The PREROUTING table happens before the routing decision is made. So those rules happen before the network stack decides what to do with a packet. Suppose, for example, that you forward all packets from your LAN to wherever they're supposed to go. You might want to alter the source IP of VPN traffic (which a priori is not from the LAN interface) so that it appears to come from the LAN before you decide whether or not to forward it.
>
> The POSTROUTING table is similar, only it happens after the packet's destination is set in stone. So you can, say, change the source IP address in the packet and still have it routed wherever it was going to go originally.
>
>> This is on a mail/web server with a static IP, it does not do any NAT and does not act as a perimeter firewall, it only protects itself...
>>
>> Thanks for any pointers to tfm that explains this if there is one, or just for a simple explanation if not...
>
> I don't know what you were trying to do there, but it doesn't sound like you need it. You might have been trying to block packets in an invalid state. If so, consider using conntrack's --ctstate INVALID to drop them instead.

Just to add some references...

When dealing with iptables (and its kissing cousin, ebtables), I always find these diagrams to be most helpful:

Definitive: http://www.wenzk.net/bbs/attachments/PacketFlow_BTgdX6im2Scu.png
Complementary: http://linux-ip.net/nf/nfk-traversal.png

Rgds,
--
Re: [gentoo-user] IPTABLES syntax change?
On Jan 3, 2013 4:40 AM, Michael Orlitzky mich...@orlitzky.com wrote: On 12/30/12 22:21, Walter Dnes wrote: OK, here is version 2. I had an excellent adventure along the way. I'm doing the upgrade on our servers right now, and there's another possible gotcha: the newer iptables (requiring conntrack) requires NETFILTER_XT_MATCH_CONNTRACK support in the kernel. This is in contrast to the state matches which used NETFILTER_XT_MATCH_STATE. To minimize downtime during the switch, I'm doing, 1. Rebuild the kernel, enable conntrack and disable state. 2. Fix my iptables-config script to use the conntrack stuff 3. Create a dummy set of rules that allows me to SSH in (without state matching) 4. Run and save those rules 5. Reboot to new kernel 6. SSH in and run iptables-config 7. Save the rules [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT [0:0] -A INPUT -i lo -j ACCEPT [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED [0:0] -A INPUT -p tcp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT [0:0] -A INPUT -p udp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK [0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG [0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG [0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG [0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG [0:0] -A INPUT -p icmp -j ICMP_IN [0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT These rules will be evaluated in order. I have no evidence for this, but I suspect you're better off accepting the ESTABLISHED,RELATED stuff earlier in the chain so you don't slow down the packets that you want. True. But you will want to filter out 'suspicious' packets beforehand. 
In my previous employment, I had a Gentoo-based firewall with more than 100 lines of rules. Plus I also employ 'ipset' to allow on-the-fly manipulation of blocking/routing. If you want to see the whole nine yards, I can try asking my replacement to send me the whole deal. Rgds, --
Re: [gentoo-user] IPTABLES syntax change?
On 12/30/2012 10:21 PM, Walter Dnes wrote: [0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6 [0:0] -A FECESBOOK -j DROP [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT [0:0] -A INPUT -i lo -j ACCEPT [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED In fact, since you're blocking all outgoing packets to facebook, the only state that a packet from facebook can have here is INVALID or NEW. So traffic from facebook will be sent to the UNSOLICITED chain and DROPped. [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK ...making these pointless =) [0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG [0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG [0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG [0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG I believe the same applies here, since you already accepted your legitimate LAN traffic above. For this to catch anything, you'd first have to send a packet to one of those subnets and something would have to respond to it. [0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT So it makes even more sense to move this above the rest. If you still want to log facebook and other private traffic, the INVALID,NEW rule should come after those, otherwise the facebook/private stuff will just be dropped as UNSOLICITED.
Re: [gentoo-user] IPTABLES syntax change?
On 12/29/2012 01:32 PM, Walter Dnes wrote: Two questions I'm not sure about. 1) I run a desktop, and use passive ftp. Is there any need for me to accept RELATED packets? Probably not, I think the server needs it though. 2) Does a -j LOG return to the chain it was called from, or does it do an implicit DROP? It returns to the spot where it was called from.
Re: [gentoo-user] IPTABLES syntax change?
2) Does a -j LOG return to the chain it was called from, or does it do an implicit DROP? It returns to the spot where it was called from.

Yep, so you could create a new chain to drop and log;

/sbin/iptables -N logdrop
/sbin/iptables -A logdrop -j LOG --log-prefix 'DROP '
/sbin/iptables -A logdrop -j DROP

Then call that one

/sbin/iptables -A tcp_packets -p TCP --dport 80 -j ACCEPT
/sbin/iptables -A tcp_packets -p TCP -j logdrop
Re: [gentoo-user] IPTABLES syntax change?
OK, here is version 2. I had an excellent adventure along the way.

* At the very last line (COMMIT), iptables-restore said it failed, but no clue whatsoever as to why.
* I copied the rules file to a scratch-file, and converted it to a bash script that called iptables each time.
* This method showed errors when using -m multiport
* multiport is apparently not part of the core of iptables. It's an extra kernel option that has to be invoked explicitly.
* cd /usr/src/linux
  make menuconfig
  [*] Networking support ---
    Networking options ---
      [*] Network packet filtering framework (Netfilter) ---
  Here's where it gets tricky. You *MUST* first enable...
      [*] Advanced netfilter configuration
  ...and then go into...
        Core Netfilter Configuration ---
  ...and select...
          * multiport Multiple port match support
  Rebuild kernel and reboot.

Now for the iptables rules, version 2

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BAD_DPORT - [0:0]
:BAD_SPORT - [0:0]
:DROP_LOG - [0:0]
:FECESBOOK - [0:0]
:ICMP_IN - [0:0]
:ICMP_OUT - [0:0]
:PRIVATE_LOG - [0:0]
:UNSOLICITED - [0:0]
[0:0] -A BAD_DPORT -j LOG --log-prefix BAD_DPORT: --log-level 6
[0:0] -A BAD_DPORT -j DROP
[0:0] -A BAD_SPORT -j LOG --log-prefix BAD_SPORT: --log-level 6
[0:0] -A BAD_SPORT -j DROP
[0:0] -A DROP_LOG -j LOG --log-level 6
[0:0] -A DROP_LOG -j DROP
[0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6
[0:0] -A FECESBOOK -j DROP
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 4 -j ACCEPT
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 12 -j ACCEPT
[0:0] -A ICMP_IN -j LOG --log-prefix IN_BAD_ICMP: --log-level 6
[0:0] -A ICMP_IN -j DROP
[0:0] -A ICMP_OUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ICMP_OUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A ICMP_OUT -p icmp -m icmp --icmp-type 30 -j ACCEPT
[0:0] -A ICMP_OUT -j LOG --log-prefix OUT_BAD_ICMP: --log-level 6
[0:0] -A ICMP_OUT -j DROP
[0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
[0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
[0:0] -A INPUT -p tcp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
[0:0] -A INPUT -p udp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
[0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
[0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
[0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG
[0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG
[0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG
[0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG
[0:0] -A INPUT -p icmp -j ICMP_IN
[0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[0:0] -A OUTPUT -d 192.168.123.248/29 -o eth0 -j ACCEPT
[0:0] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -p tcp -m multiport --sports 0:1023,6000:6063 -j BAD_SPORT
[0:0] -A OUTPUT -p udp -m multiport --sports 0:1023,6000:6063 -j BAD_SPORT
[0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 69.220.144.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
[0:0] -A OUTPUT -d 200.58.112.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 213.155.64.0/19 -j FECESBOOK
[0:0] -A PRIVATE_LOG -j LOG --log-prefix IN_BAD_ADDR: --log-level 6
[0:0] -A PRIVATE_LOG -j DROP
[0:0] -A UNSOLICITED -j LOG --log-prefix UNSOLICITED: --log-level 6
[0:0] -A UNSOLICITED -j DROP
COMMIT

-- Walter Dnes waltd...@waltdnes.org I don't run desktop environments; I run useful applications
Re: [gentoo-user] IPTABLES syntax change?
Two questions I'm not sure about. 1) I run a desktop, and use passive ftp. Is there any need for me to accept RELATED packets? 2) Does a -j LOG return to the chain it was called from, or does it do an implicit DROP? -- Walter Dnes waltd...@waltdnes.org I don't run desktop environments; I run useful applications
Re: [gentoo-user] IPTABLES syntax change?
On 29-Dec-12 19:32, Walter Dnes wrote: 1) I run a desktop, and use passive ftp. Is there any need for me to accept RELATED packets? No, but you must take care of related connections. Even passive ftp opens command (1023 - 21) and data (1023 - 1023) channel. BTW, icmp-error (i.e. host unreachable) can also be connection related to some other one... Jarry -- ___ This mailbox accepts e-mails only from selected mailing-lists! Everything else is considered to be spam and therefore deleted.
Re: [gentoo-user] IPTABLES syntax change?
On Fri, Dec 28, 2012 at 01:07:11AM -0500, Michael Orlitzky wrote On 12/27/2012 10:59 PM, Walter Dnes wrote: Here's my revised Paranoia Plus ruleset. Any comments? Because I'm behind a NAT-ing ADSL router/modem, many of my rules rarely see hits. However, I do have a backup dialup connection in case of problems, so most of my rules don't specify the network interface. A couple of notes... I did a bunch of inline comments below as I was trying to understand the rules. At the end I give the tl;dr, but maybe the inline comments are useful too. Thanks. My ruleset has accumulated years of cruft. I should really sit down and rewrite the thing from square 1. I have one comment. You show what appears to be a bash script for setting up the rules. I work with the contents of file /var/lib/iptables/rules-save instead. -- Walter Dnes waltd...@waltdnes.org I don't run desktop environments; I run useful applications
Re: [gentoo-user] IPTABLES syntax change?
Walter Dnes wrote: On Fri, Dec 28, 2012 at 01:07:11AM -0500, Michael Orlitzky wrote On 12/27/2012 10:59 PM, Walter Dnes wrote: Here's my revised Paranoia Plus ruleset. Any comments? Because I'm behind a NAT-ing ADSL router/modem, many of my rules rarely see hits. However, I do have a backup dialup connection in case of problems, so most of my rules don't specify the network interface. A couple of notes... I did a bunch of inline comments below as I was trying to understand the rules. At the end I give the tl;dr, but maybe the inline comments are useful too. Thanks. My ruleset has accumulated years of cruft. I should really sit down and rewrite the thing from square 1. I have one comment. You show what appears to be a bash script for setting up the rules. I work with the contents of file /var/lib/iptables/rules-save instead. Calling iptables repeatedly from a shell script is not advisable. A better approach is described by Jan Engelhardt in his Towards the perfect ruleset document: http://inai.de/documents/Perfect_Ruleset.pdf The method of working with /var/lib/iptables/rules-save is very similar to that which he describes. Cheers, --Kerin
Re: [gentoo-user] IPTABLES syntax change?
Michael Orlitzky mich...@orlitzky.com writes: The 'conntrack' module is supposed to be a superset of 'state', so most things should be compatible. You really have two warnings there; the first is for the state - conntrack switch, and the second is because you're missing the --state flag in your rules. In your example, you turn on the state matching, iptables -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED but you don't specify *which* state(s) you want to match. It wants you to specify --state SOMETHING. I'd guess that it used to interpret no state as any state. The problem is not really the OP's fault. The problem is that if you have tables with the form -m state --state XXX at the point you upgrade, iptables-save (quite possibly called automatically by /etc/init.d/iptables stop) will save it as -m state --state - ie 'forgetting' which state(s) the rule applies to. The solution is to either change all your rules to use -m conntrack --ctstate XXX before upgrading or editing /var/lib/iptables/rules-save to globally replace '-m state' by '-m conntrack' and '--state' by '--ctstate' prior to the upgrade and (at least temporarily) edit /etc/conf.d/iptables to set SAVE_ON_STOP=no. The same will also need to be done with ip6tables if you use that. I think that this is a serious enough change in behaviour that an elog warning should have been issued.
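As an added example (not from the thread), a small POSIX shell check and converter for a rules-save dump: it flags rules whose --state list has already been lost, the case Graham describes above, and rewrites intact '-m state --state X' rules to '-m conntrack --ctstate X'. The sample ruleset is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit and convert an
# iptables-save dump for the state -> conntrack upgrade hazard.

# Constructed sample rules-save content. The fourth -A INPUT rule is the
# mangled form the upgrade can produce: "-m state" with no "--state" list.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p ALL -m state -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate INVALID -j DROP
COMMIT'

# Print every rule that loads the state match without a "--state LIST".
# Such a rule matches every packet, so "-m state -j ACCEPT" accepts all
# traffic, which is the silent failure discussed in the thread.
find_stateless_rules() {
    printf '%s\n' "$1" \
        | grep -E -- '-m state( |$)' \
        | grep -v -E -- '--state [A-Z,]+'
}

# Rewrite intact state-module rules to the equivalent conntrack syntax.
# Only rules carrying a full "--state LIST" are touched; a mangled rule is
# left alone, because the lost state list cannot be recovered from the dump
# and must be restored by hand.
convert_state_to_conntrack() {
    printf '%s\n' "$1" \
        | sed -E 's/-m state --state ([A-Z,]+)/-m conntrack --ctstate \1/g'
}

# Stand-alone run: report the hazard, then show the converted ruleset.
echo "rules with a missing --state list (these match every packet):"
find_stateless_rules "$SAMPLE_RULES"
echo
echo "converted ruleset:"
convert_state_to_conntrack "$SAMPLE_RULES"
```

Run it against the real file with e.g. `find_stateless_rules "$(cat /var/lib/iptables/rules-save)"` before the upgrade, and remember to do the same for the ip6tables save file.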
Re: [gentoo-user] IPTABLES syntax change?
On 12/27/12 06:28, Graham Murray wrote: Michael Orlitzky mich...@orlitzky.com writes: The 'conntrack' module is supposed to be a superset of 'state', so most things should be compatible. You really have two warnings there; the first is for the state - conntrack switch, and the second is because you're missing the --state flag in your rules. In your example, you turn on the state matching, iptables -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED but you don't specify *which* state(s) you want to match. It wants you to specify --state SOMETHING. I'd guess that it used to interpret no state as any state. The problem is not really the OP's fault. The problem is that if you have tables with the form -m state --state XXX at the point you upgrade, iptables-save (quite possibly called automatically by /etc/init.d/iptables stop) will save it as -m state --state - ie 'forgetting' which state(s) the rule applies to. Youch, thanks, I'll keep an eye out for this when iptables wants a bump. I already keep the rules in a script, but it sounds like this will clobber the running rules after e.g. a reboot. My first -m state rule is, iptables -A INPUT -p ALL -m state \ --state ESTABLISHED,RELATED -j ACCEPT And if what you say is true, I'd be in deep shit if it reset to, iptables -A INPUT -p ALL -m state -j ACCEPT without a warning. I think that this is a serious enough change in behaviour that an elog warning should have been issued. It's not stable yet, right? File a bug (and CC me, please).
Re: [gentoo-user] IPTABLES syntax change?
Michael Orlitzky wrote: My first -m state rule is, iptables -A INPUT -p ALL -m state \ --state ESTABLISHED,RELATED -j ACCEPT That was mine, too (you can omit -p in this case, can't you?). And if what you say is true, I'd be in deep shit if it reset to, iptables -A INPUT -p ALL -m state -j ACCEPT without a warning. It *was* reset here. I just noticed it reading this discussion. Don't exactly know what the stateless rule did (perhaps just nothing?), but since I didn't notice it for a pretty long time, it can't have been all too bad?! At least, it didn't crash the whole system :-) But I would have appreciated at least an update notice, too! -Matt
Re: [gentoo-user] IPTABLES syntax change?
On 12/27/12 12:52, Matthias Hanft wrote: Michael Orlitzky wrote: My first -m state rule is, iptables -A INPUT -p ALL -m state \ --state ESTABLISHED,RELATED -j ACCEPT That was mine, too (you can omit -p in this case, can't you?). Yeah, it just makes the indentation line up in my case. And if what you say is true, I'd be in deep shit if it reset to, iptables -A INPUT -p ALL -m state -j ACCEPT without a warning. It *was* reset here. I just noticed it reading this discussion. Don't exactly know what the stateless rule did (perhaps just nothing?), but since I didn't notice it for a pretty long time, it can't have been all too bad?! At least, it didn't crash the whole system :-) But I would have appreciated at least an update notice, too! I confirmed and opened a bug: https://bugs.gentoo.org/show_bug.cgi?id=448906 Thanks again to Graham for pointing this out.
Re: [gentoo-user] IPTABLES syntax change?
On Thu, Dec 27, 2012 at 11:28:15AM +, Graham Murray wrote The problem is not really the OP's fault. The problem is that if you have tables with the form -m state --state XXX at the point you upgrade, iptables-save (quite possibly called automatically by /etc/init.d/iptables stop) will save it as -m state --state - ie 'forgetting' which state(s) the rule applies to. Thanks for pointing that out. I looked back at an archived version, and it had stuff like... -A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED -A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED -A UDP_IN -p udp -m state --state NEW -j UNSOLICITED I.e. new external connection attempts were rejected, except for my lan which bypasses this rule so I can scp/ssh etc between my machines. No wonder I was puzzled by what I saw. -- Walter Dnes waltd...@waltdnes.org I don't run desktop environments; I run useful applications
Re: [gentoo-user] IPTABLES syntax change?
On 12/27/2012 06:11 PM, Walter Dnes wrote: On Thu, Dec 27, 2012 at 11:28:15AM +, Graham Murray wrote The problem is not really the OP's fault. The problem is that if you have tables with the form -m state --state XXX at the point you upgrade, iptables-save (quite possibly called automatically by /etc/init.d/iptables stop) will save it as -m state --state - ie 'forgetting' which state(s) the rule applies to. Thanks for pointing that out. I looked back at an archived version, and it had stuff like... -A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED -A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED -A UDP_IN -p udp -m state --state NEW -j UNSOLICITED I.e. new external connection attempts were rejected, except for my lan which bypasses this rule so I can scp/ssh etc between my machines. No wonder I was puzzled by what I saw. Ah, yes, the original problem. Once you've upgraded, you should be able to add all of your old --state rules normally, albeit with a warning. The new iptables will translate them to conntrack rules, and you can `/etc/init.d/iptables save` the result. The upgrade just fails in a horrible way.
Re: [gentoo-user] IPTABLES syntax change?
On Thu, Dec 27, 2012 at 06:50:07PM -0500, Michael Orlitzky wrote Once you've upgraded, you should be able to add all of your old --state rules normally, albeit with a warning. The new iptables will translate them to conntrack rules, and you can `/etc/init.d/iptables save` the result. The upgrade just fails in a horrible way.

Here's my revised Paranoia Plus ruleset. Any comments? Because I'm behind a NAT-ing ADSL router/modem, many of my rules rarely see hits. However, I do have a backup dialup connection in case of problems, so most of my rules don't specify the network interface. A couple of notes...

* My little lan is 192.168.123.248/29
* I have a TV tuner box that comes up in the zero-config space, so I have to allow 169.254.0.0/16
* I dislike a certain button following me.

# Generated by iptables-save v1.4.16.3 on Thu Dec 27 22:43:12 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DROP_LOG - [0:0]
:FECESBOOK - [0:0]
:ICMP_IN - [0:0]
:PRIVATE - [0:0]
:PRIVATE_LOG - [0:0]
:TCP_IN - [0:0]
:UDP_IN - [0:0]
:UNSOLICITED - [0:0]
[0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
[0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
[0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
[0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
[0:0] -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --sport 53 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -f -j LOG --log-prefix FRAGMENTS: --log-level 6
[0:0] -A INPUT -f -j DROP
[0:0] -A INPUT -p tcp -j TCP_IN
[0:0] -A INPUT -p udp -j UDP_IN
[0:0] -A INPUT -p icmp -j ICMP_IN
[0:0] -A INPUT -j LOG --log-prefix BAD_PROTOCOL: --log-level 6
[0:0] -A INPUT -j DROP
[0:0] -A OUTPUT -d 192.168.123.248/29 -o eth0 -j ACCEPT
[0:0] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 30 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 0:1023 -j DROP_LOG
[0:0] -A OUTPUT -p udp -m udp --sport 0:1023 -j DROP_LOG
[0:0] -A OUTPUT -p tcp -m tcp --sport 6000:6063 -j DROP_LOG
[0:0] -A OUTPUT -p udp -m udp --sport 6000:6063 -j DROP_LOG
[0:0] -A OUTPUT -j ACCEPT
[0:0] -A DROP_LOG -j LOG --log-level 6
[0:0] -A DROP_LOG -j DROP
[0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6
[0:0] -A FECESBOOK -j DROP
[0:0] -A ICMP_IN -p icmp -m conntrack --ctstate NEW -j UNSOLICITED
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 0 -j PRIVATE
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 3 -j PRIVATE
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 4 -j PRIVATE
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 11 -j PRIVATE
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 12 -j PRIVATE
[0:0] -A ICMP_IN -j LOG --log-prefix IN_BAD_ICMP: --log-level 6
[0:0] -A ICMP_IN -j DROP
[0:0] -A PRIVATE -s 10.0.0.0/8 -j PRIVATE_LOG
[0:0] -A PRIVATE -s 127.0.0.0/8 -j PRIVATE_LOG
[0:0] -A PRIVATE -s 172.16.0.0/12 -j PRIVATE_LOG
[0:0] -A PRIVATE -s 192.168.0.0/16 -j PRIVATE_LOG
[0:0] -A PRIVATE -j ACCEPT
[0:0] -A PRIVATE_LOG -j LOG --log-prefix IN_BAD_ADDR: --log-level 6
[0:0] -A PRIVATE_LOG -j DROP
[0:0] -A TCP_IN -p tcp -m tcp --dport 0:1023 -j DROP_LOG
[0:0] -A TCP_IN -p tcp -m tcp --dport 6000:6063 -j DROP_LOG
[0:0] -A TCP_IN -p tcp -m tcp --sport 53 -j PRIVATE
[0:0] -A TCP_IN -p tcp -m tcp --sport 80 -j PRIVATE
[0:0] -A TCP_IN -p tcp -m conntrack --ctstate NEW -m tcp -j UNSOLICITED
[0:0] -A TCP_IN -p tcp -j PRIVATE
[0:0] -A UDP_IN -p udp -m udp --dport 0:1023 -j DROP_LOG
[0:0] -A UDP_IN -p udp -m udp --dport 6000:6063 -j DROP_LOG
[0:0] -A UDP_IN -p udp -m udp --sport 53 -j PRIVATE
[0:0] -A UDP_IN -p udp -m udp --sport 80 -j PRIVATE
[0:0] -A UDP_IN -p udp -m conntrack --ctstate NEW -j UNSOLICITED
[0:0] -A UDP_IN -p udp -j PRIVATE
[0:0] -A UNSOLICITED -j LOG --log-prefix UNSOLICITED: --log-level 6
[0:0] -A UNSOLICITED -j DROP
COMMIT
# Completed on Thu Dec 27 22:43:12 2012

-- Walter Dnes waltd...@waltdnes.org I don't run desktop environments; I run useful applications
Re: [gentoo-user] IPTABLES syntax change?
On 12/27/2012 10:59 PM, Walter Dnes wrote: Here's my revised Paranoia Plus ruleset. Any comments? Because I'm behind a NAT-ing ADSL router/modem, many of my rules rarely see hits. However, I do have a backup dialup connection in case of problems, so most of my rules don't specify the network interface. A couple of notes...

I did a bunch of inline comments below as I was trying to understand the rules. At the end I give the tl;dr, but maybe the inline comments are useful too.

* My little lan is 192.168.123.248/29
* I have a TV tuner box that comes up in the zero-config space, so I have to allow 169.254.0.0/16
* I dislike a certain button following me.

# Generated by iptables-save v1.4.16.3 on Thu Dec 27 22:43:12 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

You can save yourself some complexity by allowing outbound traffic by default. I see that your INPUT policy is set to DROP, but you override this in a few places: at the end of all the chains, you jump to the PRIVATE table, which ends with a -j ACCEPT. So you'll accept anything that isn't rejected by a previous rule. I'd suggest flipping that: get rid of the -j ACCEPT at the end of the private table, and allow unmatched traffic to be dropped.

:DROP_LOG - [0:0]
:FECESBOOK - [0:0]
:ICMP_IN - [0:0]
:PRIVATE - [0:0]
:PRIVATE_LOG - [0:0]
:TCP_IN - [0:0]
:UDP_IN - [0:0]
:UNSOLICITED - [0:0]
[0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT

Since you've self-proclaimed as paranoid, I don't feel bad suggesting that you choose which ports to allow incoming, even to the LAN. If somebody brings (or creates!) a compromised machine onto your LAN, they're going to be able to hit any ports that you've got open and available through the firewall. Not much you can do about that. But you might as well prevent them from reaching everything. If you expect to SSH from the LAN, sure, let that in. But if you're not serving e.g. web pages, you might as well block port 80 from the LAN. This allows you the freedom to play with apache without worrying about whether or not you've secured it.

[0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT

I don't know anything about zeroconf, not qualified to comment.

[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
[0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
[0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
[0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6
[0:0] -A FECESBOOK -j DROP

Cute =) That final DROP is only needed since you -j PRIVATE (which defaults to ACCEPT) at the end of everything.

[0:0] -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --sport 53 -j ACCEPT

Ok, in the INPUT chain you're accepting DNS traffic early. You do it again below, so I think the later one is redundant.

[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -f -j LOG --log-prefix FRAGMENTS: --log-level 6
[0:0] -A INPUT -f -j DROP
[0:0] -A INPUT -p tcp -j TCP_IN
[0:0] -A INPUT -p udp -j UDP_IN
[0:0] -A INPUT -p icmp -j ICMP_IN
[0:0] -A INPUT -j LOG --log-prefix BAD_PROTOCOL: --log-level 6
[0:0] -A INPUT -j DROP

DROP is redundant, since the INPUT policy is DROP.

[0:0] -A OUTPUT -d 192.168.123.248/29 -o eth0 -j ACCEPT
[0:0] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 30 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 0:1023 -j DROP_LOG
[0:0] -A OUTPUT -p udp -m udp --sport 0:1023 -j DROP_LOG
[0:0] -A OUTPUT -p tcp -m tcp --sport 6000:6063 -j DROP_LOG
[0:0] -A OUTPUT -p udp -m udp --sport 6000:6063 -j DROP_LOG
[0:0] -A OUTPUT -j ACCEPT

Aha, you're overriding the OUTPUT policy of DROP here with an ACCEPT. You might as well set the policy to ACCEPT, and get rid of the trailing -j ACCEPT. Anything that is explicitly ACCEPTed above but not otherwise DROPped is also redundant, since traffic will be accepted by default if not dropped. I see that you want to log-before-drop specific traffic; that would still work with a policy of ACCEPT. You would add only those rules to the OUTPUT chain.

[0:0] -A DROP_LOG -j LOG --log-level 6
[0:0] -A DROP_LOG -j DROP

DROP would be redundant without the -j ACCEPT at the end of the PRIVATE TABLE.

[0:0] -A ICMP_IN -p icmp -m conntrack --ctstate NEW -j UNSOLICITED
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 0 -j PRIVATE
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 3 -j PRIVATE
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 4 -j PRIVATE
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 11 -j PRIVATE
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 12 -j PRIVATE
[0:0] -A ICMP_IN -j LOG --log-prefix IN_BAD_ICMP: --log-level 6
[0:0] -A ICMP_IN -j DROP

DROP would be redundant without the -j ACCEPT at the end of the
Re: [gentoo-user] IPTABLES syntax change?
I'm sure I made more than one typo, but the ALLOWED_ICMP below definitely needs a dollar sign.

for ok_icmp in ALLOWED_ICMP; do
    iptables -A ICMP_IN -p icmp --icmp-type ${ok_icmp} -j ACCEPT
done
Re: [gentoo-user] IPTABLES syntax change?
On 12/26/2012 07:47 PM, Walter Dnes wrote: Many years ago, I understood IPCHAINS, and the first versions of IPTABLES. However, IPTABLES has followed the example of Larry Wall's Practical Extraction and Reporting Language and turned into a pseudo-OS that I barely comprehend. Some rules that I added many years ago were designed to reject unsolicited connection attempts (after whitelisting my small LAN)...

-A ICMP_IN -p icmp -m state -j UNSOLICITED
-A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m state -j UNSOLICITED

Now these all give me the error message...

WARNING: The state match is obsolete. Use conntrack instead.
iptables-restore v1.4.16.3: state: option --state must be specified

The 'conntrack' module is supposed to be a superset of 'state', so most things should be compatible. You really have two warnings there; the first is for the state - conntrack switch, and the second is because you're missing the --state flag in your rules. In your example, you turn on the state matching,

iptables -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED

but you don't specify *which* state(s) you want to match. It wants you to specify --state SOMETHING. I'd guess that it used to interpret no state as any state. You said that you whitelisted your LAN prior to that rule, so you're probably just rejecting every {ICMP, TCP, UDP} packet with those three rules. If so, the equivalent rules are just,

iptables -A ICMP_IN -p icmp -j DROP
iptables -A TCP_IN -p tcp -j DROP
iptables -A UDP_IN -p udp -j DROP

In other words, you only really need the connection tracking to /accept/ related connections. You don't want to deny related or established connections, usually. And once you have accepted those two types, you can just reject the rest, because they're necessarily new (or in rare cases, invalid).
I would be wary of this: -A ICMP_IN -p icmp -m conntrack --ctstate INVALID -j UNSOLICITED since if the old rule works like I think it does (reject everything) the new one might allow some things that the old one didn't.
Re: [gentoo-user] iptables question...
On 12/16/11 22:17, Tanstaafl wrote: Hi all, I was reading up on some iptables rules in the gentoo security handbook: http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1chap=12style=printable It mentions DROPing packets with an INVALID state. It sounded/sounds like a good idea, so I added the following rule: -A INPUT -i eth0 -m state --state INVALID -j LOG As suggested, I added this rule just ABOVE this one: -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT I also changed the DROP action to LOG so I could see what it did if anything. Right after adding this rule, I started seeing lines like this in the log: Dec 16 10:15:31 myhost kernel: IN=eth0 OUT= MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=208.87.137.233 DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=50113 DPT=25 WINDOW=0 RES=0x00 RST URGP=0 What I don't understand is why it isn't using my LOG prefix that is used for everything else: -A INPUT -j LOG --log-prefix (fw-drop): --log-level 7 Anyone? Did you put the log-prefix rule before or after the LOG rule? Or why didn't you put it in a 1liner, say: -A INPUT -i eth0 -m state --state INVALID -j LOG --log-level 7 --log-prefix (fw-drop): --log-ip-options --log-tcp-options -- Regards,
Re: [gentoo-user] iptables question...
On 2011-12-17 11:34 AM, Hari Purnama h...@mapits.com wrote: Did you put the log-prefix rule before or after the LOG rule? After - the log prefix rule is last... Or why didn't you put it in a 1liner, say: -A INPUT -i eth0 -m state --state INVALID -j LOG --log-level 7 --log-prefix (fw-drop): --log-ip-options --log-tcp-options Well, because I thought the log prefix rule applied to everything that comes before it...?
Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in -s and -d?
Hi, you can define a rule like that:

iptables -A FORWARD -s 192.168.235.43,192.168.235.46 -d 10.0.0.1,192.168.0.1 -j ACCEPT

it will create 4 rules. be sure to activate Networking support-Networking options-Network packet filtering framework-Core Netfilter Configuration-iprange address range match support

Now you can do something like

iptables -A FORWARD -m iprange --src-range '10.0.0.1-10.0.0.44' -j ACCEPT

hope it helps -Stefan

On Mon, Apr 05, 2010 at 07:32:17PM +0200, Jarry wrote: Hi I'd like to ask if there is some way to include multiple discrete hosts/IP's in --source and --destination options of iptables. I'm trying to write firewall rules for my server, but it has 12 IP's from different segments (and maybe it gets a few more later), and the script grows up as I have to write nearly identical rules with difference only in -s/-d IP's. What I'm looking for is a way to define some variable at the beginning of my script, like MY_IP=IP1 IP2 IP3 IP4... and later to use it in rules (iptables -A INPUT -s $MY_IP...). But I do not know how to use it. As far as I understand it, --source/--destination accepts only single IP's or continuous IP-segments... Jarry -- ___ This mailbox accepts e-mails only from selected mailing-lists! Everything else is considered to be spam and therefore deleted.
Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in -s and -d?
On Mon, 2010-04-05 at 19:32 +0200, Jarry wrote:
> Hi
>
> I'd like to ask if there is some way to include multiple discrete hosts/IP's in --source and --destination options of iptables. I'm trying to write firewall rules for my server, but it has 12 IP's from different segments (and maybe it gets a few more later), and the script grows as I have to write nearly identical rules with difference only in -s/-d IP's.
>
> What I'm looking for is a way to define some variable at the beginning of my script, like MY_IP=IP1 IP2 IP3 IP4... and later to use it in rules (iptables -A INPUT -s $MY_IP...). But I do not know how to use it. As far as I understand it, --source/--destination accepts only single IP's or continuous IP-segments...

You can do something like:

(100) iptables -N IP_SET_CHECK
(110) iptables -A IP_SET_CHECK -s $IP1 -j RETURN
(120) iptables -A IP_SET_CHECK -s $IP2 -j RETURN
(130) iptables -A IP_SET_CHECK -s $IP3/16 -j RETURN
(140) iptables -A IP_SET_CHECK -s $IP4 -j RETURN
(150) iptables -A IP_SET_CHECK -j DROP

(210) iptables -A INPUT -j IP_SET_CHECK
(220) iptables -A INPUT some other rules
(230) iptables -A INPUT some other rules

So, when it comes to line 210, it will start checking the newly created chain IP_SET_CHECK. If it doesn't find an appropriate rule, the packet will be dropped at line (150), but if it manages to find one, it will return to line 220 and continue looking for -j ACCEPT or -j DROP.

The same applies to the OUTPUT chain.

Jarry
Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in -s and -d?
Jarry writes:
> I'd like to ask if there is some way to include multiple discrete hosts/IP's in --source and --destination options of iptables. I'm trying to write firewall rules for my server, but it has 12 IP's from different segments (and maybe it gets a few more later), and the script grows as I have to write nearly identical rules with difference only in -s/-d IP's.
>
> What I'm looking for is a way to define some variable at the beginning of my script, like MY_IP=IP1 IP2 IP3 IP4... and later to use it in rules (iptables -A INPUT -s $MY_IP...). But I do not know how to use it. As far as I understand it, --source/--destination accepts only single IP's or continuous IP-segments...

Well, as your iptables script is probably written in bash, you can do loops as you like:

myIPs="IP1 IP2 IP3 IP4 ..."
for ip in $myIPs
do
    # use $ip here, not $myIPs!
    iptables -A INPUT -s $ip ...
done

Wonko
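The three answers above (comma lists, a dedicated chain, a shell loop) all expand a list of addresses into individual rules. What none of them does is check the list first, and a mistyped entry in a variable like MY_IP silently becomes a rule that matches the wrong hosts. The script below is an added example written for this page, not code posted in the thread: it validates every address, expands a list into one rule per address (Jarry's -d case), builds the RETURN/DROP allow-list chain from the previous answer for the -s case, and prints the result in iptables-restore syntax so it can be checked with `iptables-restore --test` before it is loaded. The chain name ADMIN_SRC, the service port 25 and the address lists are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code posted in the thread: build the per-address rules
# Jarry asked about from a list of hosts/networks, validating each entry so a
# typo in the list fails loudly instead of producing a rule that matches the
# wrong thing.  Output is iptables-restore syntax and nothing is loaded here;
# as root:  ./rules.sh "IP1 IP2" "ADMIN_NET" > rules.v4 &&
#           iptables-restore --test < rules.v4 && iptables-restore < rules.v4
# The chain name ADMIN_SRC, port 25 and the address lists are assumptions.

# valid_ipv4_cidr ADDR -> 0 if ADDR is a.b.c.d or a.b.c.d/N (octets 0-255, N 0-32)
valid_ipv4_cidr() {
    case $1 in
        */*) addr=${1%%/*}; pfx=${1#*/} ;;
        *)   addr=$1;       pfx=32 ;;
    esac
    case $pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    # digits and dots only, no empty octet (also keeps "10.0.0.*" from
    # being glob-expanded by the unquoted "set -- $addr" below)
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# expand_rules CHAIN FLAG "REST" ADDR...
# One rule per address: -A CHAIN FLAG ADDR REST.  Stops with status 2 at the
# first bad address, so nothing after it is emitted.
expand_rules() {
    chain=$1; flag=$2; rest=$3; shift 3
    for a in "$@"; do
        valid_ipv4_cidr "$a" || { printf 'expand_rules: bad address %s\n' "$a" >&2; return 2; }
        printf '%s\n' "-A $chain $flag $a $rest"
    done
}

# render_ruleset "SERVER_IPS" "ADMIN_SRCS"
# A complete filter table: Jarry's -d case (one rule per server address for
# the service) and the user-chain approach from the thread for the -s case
# (a chain that RETURNs for listed sources and DROPs every other one).
render_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':ADMIN_SRC - [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # $1 and $2 are deliberately unquoted: they are space-separated lists.
    expand_rules INPUT -d '-p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT' $1 || return $?
    expand_rules ADMIN_SRC -s '-j RETURN' $2 || return $?
    printf '%s\n' '-A ADMIN_SRC -j DROP' \
        '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ADMIN_SRC' \
        '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT' \
        'COMMIT'
}

if [ $# -eq 2 ]; then
    render_ruleset "$1" "$2"
fi
```

Because the script stops at the first bad address and exits non-zero, a broken list never reaches iptables-restore at all. For dozens of addresses that change often, an ipset (`ipset create`, then `-m set --match-set NAME src`) keeps the rule count constant; the expansion above is the right size for a handful of static addresses like Jarry's twelve.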
Re: [gentoo-user] iptables firewall script
2009/7/17 Dave dave.meh...@gmail.com:
> Hello,
>
> Can anyone good with iptables give this script a once over? It is working, but in a very inconsistent manner, sometimes it lets traffic in, other times not. Two things it does not have are dhcp rules as this box gets its address via dhcp and cifs rules, this machine mounts cifs shares, if anyone has those I'd appreciate them. This is a single nic box, not a router just an internal client I'd like to protect. Adapted from: http://www.novell.com/coolsolutions/feature/18139.html
>
> Thanks.
> Dave.
>
> #!/bin/bash
> #
> # Script for iptables firewall
>
> # define variables
> IF_PUB=eth0
> IP_PUB=192.168.0.106
> NET_PRV=192.168.0.0/24
> ANYWHERE=0.0.0.0/0
>
> # set up default policies
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # remove any existing rules
> iptables -F -t nat
> iptables -F -t mangle
> iptables -F -t filter
>
> # Removes any user-defined chains
> iptables -X
>
> # If the machine is a router enable the next line
> #echo 1 > /proc/sys/net/ipv4/ip_forward

If you don't want to forward then echo 0, instead of 1, or instead of just commenting it out.

> # forward from the public interface
> #iptables -A FORWARD -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # allow everything to and from the loopback
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> # allow communications on the local network
> # This allows unrestricted communications
> #iptables -A INPUT -i $IF_PUB -s $NET_PRV -j ACCEPT
> # This allows only established or forwarded connections
> iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -o $IF_PUB -d $NET_PRV -j ACCEPT

Not sure that this is necessary.

> # If you're doing nat
> #iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j SNAT --to $IP_PUB
>
> # allow various types of ICMP
> # 8 for echo request, echo response, destination unreachable, and time exceeded
> iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
>
> # allow ssh
> iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB -m limit --limit 1/minute --limit-burst 1 -j ACCEPT

This opens *all* tcp ports and throttles the connection (you'll be dropping packets and get an unreliable connection). I suggest that you only open the port you need; e.g. -m tcp --dport 10201, also if you only access this box via ssh from your LAN, then restrict access to it from your private subnet: -s $NET_PRV and remove the --limit match completely.

If you're worried about brute force attacks on your sshd, then perhaps use something like fail2ban, or better use public key authentication only (no passwd), or construct a set of rules to limit the amount of accepted attempts:

=====
Name it something:
blah-blah -m state --state NEW --dport 22 -m recent --name ssh_crackers --set

Log the persistent attacks:
blah-blah -m state --state NEW --dport 22 -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -j LOG -m limit --limit 3/minute --limit-burst 3 --log-level 4 --log-prefix 'SSH REJECT: '

Block them:
blah-blah -m state --state NEW --dport 22 -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset
=====

> # mail and web server on a different host
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.1.253
> #iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT
>
> # send a tcp reject
> iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
>
> # block irc
> #iptables -A INPUT -p tcp --dport irc -j DROP
> #iptables -A INPUT -p udp --dport irc -j DROP
> #iptables -A INPUT -p tcp --dport irc-serv -j DROP
> #iptables -A INPUT -p udp --dport irc-serv -j DROP
> #iptables -A INPUT -p tcp --dport ircs -j DROP
> #iptables -A INPUT -p udp --dport ircs -j DROP
>
> These discard TCP and UDP IRC, IRC server and Secure IRC traffic.
>
> # block a specific host
> #iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited
>
> # traffic from one port to another
> #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.1.254:443
> #iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT

Then block anything else:

iptables -A INPUT -p all -j DROP

Finally, run nmap from within/out your LAN on all ports and see what you get.

HTH.
--
Regards,
Mick
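The review above fixes the ssh rule and sketches an `-m recent` throttle with placeholder prefixes; the LOG-prefix thread further up shows what happens when a LOG rule is left without one. Both come together in the script below, an added example for this page and not code posted by Dave or Mick: it emits the INPUT policy for a single-NIC client in iptables-restore syntax so the whole thing can be checked with `iptables-restore --test` before it is loaded. Every LOG rule carries its own `--log-prefix` and is immediately followed by the terminating rule it belongs to, because `--log-prefix` is an option of that one rule and LOG does not stop traversal; INVALID is handled before ESTABLISHED,RELATED as the handbook suggests; ssh is open on one port, from the LAN only, with Mick's `recent` pattern completed. The interface eth0, the LAN 192.168.0.0/24 and the ssh port 10201 are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from either thread.  The INPUT policy for a
# single-NIC client like Dave's, emitted in iptables-restore syntax so it can
# be checked with "iptables-restore --test < file" before it is loaded.  It
# applies the review (ssh on one port, from the LAN only, brute force
# throttled with -m recent instead of a blanket -m limit that drops legitimate
# packets) and answers the LOG prefix question: --log-prefix is an option of
# the LOG rule it sits on and LOG is not terminating, so each LOG rule carries
# its own prefix and is followed by the DROP/REJECT it belongs to.
# eth0, 192.168.0.0/24 and the ssh port 10201 are assumptions for the example.

# log_then_drop CHAIN PREFIX MATCH...
# A rate-limited LOG rule with its own prefix, then the DROP for the same match.
log_then_drop() {
    chain=$1; prefix=$2; shift 2
    printf '%s\n' "-A $chain $* -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix \"$prefix\" --log-level 7"
    printf '%s\n' "-A $chain $* -j DROP"
}

# ssh_throttle CHAIN PORT LAN_CIDR
# Mick's -m recent pattern: remember each source that opens an ssh connection;
# a source with 4 or more new connections in 60 seconds is logged (itself
# rate-limited) and reset, everyone else on the LAN is accepted.
ssh_throttle() {
    chain=$1; port=$2; lan=$3
    m="-p tcp --dport $port -m conntrack --ctstate NEW"
    r="-m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4"
    printf '%s\n' \
        "-A $chain $m -m recent --name ssh_crackers --set" \
        "-A $chain $m $r -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix \"SSH REJECT: \" --log-level 4" \
        "-A $chain $m $r -j REJECT --reject-with tcp-reset" \
        "-A $chain $m -s $lan -j ACCEPT"
}

# render_input_policy IFACE LAN_CIDR SSH_PORT
render_input_policy() {
    ifc=$1; lan=$2; sshp=$3
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT'
    # INVALID is tested before ESTABLISHED,RELATED, as the handbook rule in the
    # LOG thread does, so out-of-state packets never reach the fast-path
    # ACCEPT.  The bare RST in that thread's log line is the typical INVALID
    # packet: a TCP segment that matches no tracked connection.
    log_then_drop INPUT 'fw-invalid: ' -i "$ifc" -m conntrack --ctstate INVALID
    printf '%s\n' "-A INPUT -i $ifc -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # With conntrack, echo replies to our own pings are already ESTABLISHED,
    # so the posted "--icmp-type 0" rule is not needed.
    printf '%s\n' \
        '-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT'
    ssh_throttle INPUT "$sshp" "$lan"
    # One logged, terminating catch-all instead of a bare tcp REJECT plus a
    # silent policy DROP, so the log says what was refused.
    log_then_drop INPUT 'fw-drop: ' -i "$ifc"
    printf '%s\n' 'COMMIT'
}

if [ $# -eq 3 ]; then
    render_input_policy "$1" "$2" "$3"
fi
```

`-m conntrack --ctstate` is the current spelling of the `-m state --state` used in both threads; the two are interchangeable here. The `--log-level 7` on the drop rules matches the prefix thread; syslog configurations that discard debug-level kernel messages will need a higher level to see them.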
Re: [gentoo-user] iptables
Hi Dave,

this one is rather informative:
http://www.novell.com/coolsolutions/feature/18139.html

Also, this one from gentoo (although for 2.4) is worth reading:
http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml

HTH!
--
Regards,
Marco

On Thu, Jul 16, 2009 at 5:32 AM, Dave dave.meh...@gmail.com wrote:
> Hello,
> I'm looking for a guide for iptables specifically for gentoo 2.6. I was also wondering if anyone was using apf Advanced Policy Firewall on a gentoo 2008.0 2.6 machine?
> Thanks.
> Dave.
Re: [gentoo-user] iptables
Maybe this thread could be helpful as well:
http://marc.info/?l=gentoo-user&m=124058693215810&w=2

--
Regards,
Marco

On Thu, Jul 16, 2009 at 10:41 AM, Marco listwo...@gmail.com wrote:
> Hi Dave,
>
> this one is rather informative:
> http://www.novell.com/coolsolutions/feature/18139.html
>
> Also, this one from gentoo (although for 2.4) is worth reading:
> http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml
>
> HTH!
> --
> Regards,
> Marco
>
> On Thu, Jul 16, 2009 at 5:32 AM, Dave dave.meh...@gmail.com wrote:
> > Hello,
> > I'm looking for a guide for iptables specifically for gentoo 2.6. I was also wondering if anyone was using apf Advanced Policy Firewall on a gentoo 2008.0 2.6 machine?
> > Thanks.
> > Dave.
Re: [gentoo-user] iptables
2009/7/16 Marco listwo...@gmail.com
> Maybe this thread could be helpful as well:
> http://marc.info/?l=gentoo-user&m=124058693215810&w=2
>
> --
> Regards,
> Marco
>
> On Thu, Jul 16, 2009 at 10:41 AM, Marco listwo...@gmail.com wrote:
> > Hi Dave,
> >
> > this one is rather informative:
> > http://www.novell.com/coolsolutions/feature/18139.html
> >
> > Also, this one from gentoo (although for 2.4) is worth reading:
> > http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml
> >
> > HTH!
> > --
> > Regards,
> > Marco
> >
> > On Thu, Jul 16, 2009 at 5:32 AM, Dave dave.meh...@gmail.com wrote:
> > > Hello,
> > > I'm looking for a guide for iptables specifically for gentoo 2.6. I was also wondering if anyone was using apf Advanced Policy Firewall on a gentoo 2008.0 2.6 machine?
> > > Thanks.
> > > Dave.

I use APF for all my desktops/servers with debian and gentoo, it is quite easy and works great. In 10' you have iptables running.
Re: [gentoo-user] iptables
Alejandro wrote:
> On Thu, Jul 16, 2009 at 5:32 AM, Dave dave.meh...@gmail.com wrote:
> > Hello,
> > I'm looking for a guide for iptables specifically for gentoo 2.6. I was also wondering if anyone was using apf Advanced Policy Firewall on a gentoo 2008.0 2.6 machine?
> > Thanks.
> > Dave.
>
> I use APF for all my desktops/servers with debian and gentoo, it is quite easy and works great. In 10' you have iptables running.

I tend to just use webmin. Emerge iptables, emerge webmin, and get a nice easy to follow GUI that sets up the iptables.
Re: [gentoo-user] iptables configuration problem
Chuanwen Wu wrote:
> I have tried setting all the gw in my subnet to 192.168.1.254 or 192.168.1.1. Isn't it all right?

I don't know, it depends on what your gw's IP is.

Let's say you have this setup:

GW: 192.168.1.1
Other PCs are: 192.168.1.2... 192.168.1.3... and so on.

On the GW you need:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE

(note: change ethX to the NIC your internet connection is on. If your cablemodem/adsl/whatever is on eth3 -for example- change ethX to eth3)

On the other PCs you need to set GW to 192.168.1.1

I hope this helps.

Best regards,
Norberto
--
[EMAIL PROTECTED] mailing list
Re: [gentoo-user] iptables configuration problem
2007/5/14, Norberto Bensa [EMAIL PROTECTED]:
> Chuanwen Wu wrote:
> > I have tried setting all the gw in my subnet to 192.168.1.254 or 192.168.1.1. Isn't it all right?
>
> I don't know, it depends on what your gw's IP is.
>
> Let's say you have this setup:
>
> GW: 192.168.1.1
> Other PCs are: 192.168.1.2... 192.168.1.3... and so on.
>
> On the GW you need:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE
>
> (note: change ethX to the NIC your internet connection is on. If your cablemodem/adsl/whatever is on eth3 -for example- change ethX to eth3)
>
> On the other PCs you need to set GW to 192.168.1.1
>
> I hope this helps.
>
> Best regards,
> Norberto

Thank you! I think I have done what you meant. Here is the information:

/etc/conf.d/net in the server

config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" )
routes_eth0=( "default gw 202.114.10.129" )
config_eth1=( "192.168.1.63 netmask 255.255.255.0 brd 192.168.1.255" )
routes_eth1=( "default gw 192.168.1.1" )

/etc/conf.d/net in one PC

config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255" )
routes_eth0=( "default gw 192.168.1.1" )

--
wcw
Re: [gentoo-user] iptables configuration problem
On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote:
> Thank you! I think I have done what you meant. Here is the information:
>
> /etc/conf.d/net in the server
>
> config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" )
> routes_eth0=( "default gw 202.114.10.129" )

OK

> config_eth1=( "192.168.1.63 netmask 255.255.255.0 brd 192.168.1.255" )
> routes_eth1=( "default gw 192.168.1.1" )

You don't need a route here.

> /etc/conf.d/net in one PC
>
> config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255" )
> routes_eth0=( "default gw 192.168.1.1" )

No. GW should be 192.168.1.63, which is the IP address of your gateway.

HTH,
Norberto
Re: [gentoo-user] iptables configuration problem
Greetings all. Hope the weather in Beijing is pleasant, Mr Wu.

On Mon, 14 May 2007 11:58:34 -0300 (ART) Norberto Bensa [EMAIL PROTECTED] wrote:
> On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote:
> > Thank you! I think I have done what you meant. Here is the information:
> >
> > /etc/conf.d/net in the server
> >
> > config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" )
> > routes_eth0=( "default gw 202.114.10.129" )
>
> OK
>
> > config_eth1=( "192.168.1.63 netmask 255.255.255.0 brd 192.168.1.255" )
> > routes_eth1=( "default gw 192.168.1.1" )
>
> You don't need a route here.

More exactly, a route to the subnet 192.168.1.0/24 will automatically be created through eth1. A _gateway_ in this case is not necessary because eth1 lives on that subnet.

> > /etc/conf.d/net in one PC
> >
> > config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255" )
> > routes_eth0=( "default gw 192.168.1.1" )
>
> No. GW should be 192.168.1.63, which is the IP address of your gateway.
>
> HTH,
> Norberto

First, the firewall configuration. Your first message said: "The eth0 here has the real ip, and the eth1 have a subnet ip: 192.168.1.21." But here you show that you set it to .63, as Norberto pointed out. I assume that was just a typographical error in the first email. Moving on, the default route for the firewall is probably to the outside world, and if you can ping google.com, it works.

Second, the client configuration. The route for the subnet it's on (192.168.1/24) is automatically created, as before. The default route is the IP of the firewall/gateway it's behind, namely 192.168.1.63 as Norberto said. The machine that's forwarding packets to the internet for these hosts now provides the route to the outside world for these hosts.

Third, you must tell your client PCs nameservers, so that they can resolve domain names. If you fail to do so, even though a ping of google.com, for example, fails, a ping of its ip address (64.233.167.99, in my case) will work.

Fourth, you must check your firewall (that is, iptables) configuration to be sure your iptables all refer to the correct subnet.

iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE

that wasn't right -- obviously the subnet should be your own.

Since the firewall you're building knows all the information the hosts need to know (subnet information, routes, etc) you may wish to set up a rudimentary DHCP server on it, so that additional hosts can be added without configuration by the user. You may also wish to implement a caching, recursive nameserver for enhanced efficiency. DNSMasq can do both.
Re: [gentoo-user] iptables configuration problem
Thanks Norberto and Dan Farrell! I think I had a misunderstanding and made some mistakes. I hope I have corrected them now.

/etc/conf.d/net in the server

config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" )
routes_eth0=( "default gw 202.114.10.129" )
config_eth1=( "192.168.1.1 netmask 255.255.255.0 brd 192.168.1.255" )

/etc/conf.d/net in a PC

config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255" )
routes_eth0=( "default gw 192.168.1.1" )

2007/5/15, Dan Farrell [EMAIL PROTECTED]:
> Greetings all. Hope the weather in Beijing is pleasant, Mr Wu.
>
> On Mon, 14 May 2007 11:58:34 -0300 (ART) Norberto Bensa [EMAIL PROTECTED] wrote:
> > On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote:
> > > Thank you! I think I have done what you meant. Here is the information:
> > >
> > > /etc/conf.d/net in the server
> > >
> > > config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" )
> > > routes_eth0=( "default gw 202.114.10.129" )
> >
> > OK
> >
> > > config_eth1=( "192.168.1.63 netmask 255.255.255.0 brd 192.168.1.255" )
> > > routes_eth1=( "default gw 192.168.1.1" )
> >
> > You don't need a route here.
>
> More exactly, a route to the subnet 192.168.1.0/24 will automatically be created through eth1. A _gateway_ in this case is not necessary because eth1 lives on that subnet.
>
> > > /etc/conf.d/net in one PC
> > >
> > > config_eth0=( "192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255" )
> > > routes_eth0=( "default gw 192.168.1.1" )
> >
> > No. GW should be 192.168.1.63, which is the IP address of your gateway.
> >
> > HTH,
> > Norberto
>
> First, the firewall configuration. Your first message said: "The eth0 here has the real ip, and the eth1 have a subnet ip: 192.168.1.21." But here you show that you set it to .63, as Norberto pointed out. I assume that was just a typographical error in the first email. Moving on, the default route for the firewall is probably to the outside world, and if you can ping google.com, it works.
>
> Second, the client configuration. The route for the subnet it's on (192.168.1/24) is automatically created, as before. The default route is the IP of the firewall/gateway it's behind, namely 192.168.1.63 as Norberto said. The machine that's forwarding packets to the internet for these hosts now provides the route to the outside world for these hosts.
>
> Third, you must tell your client PCs nameservers, so that they can resolve domain names. If you fail to do so, even though a ping of google.com, for example, fails, a ping of its ip address (64.233.167.99, in my case) will work.

All my PCs have the same /etc/resolv.conf file as the server. And now the PC can't ping through to 66.249.89.99 (of course, the server can).

> Fourth, you must check your firewall (that is, iptables) configuration to be sure your iptables all refer to the correct subnet.
>
> iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE
>
> that wasn't right -- obviously the subnet should be your own.

I have already corrected it to

iptables --table nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE

from the first time.

> Since the firewall you're building knows all the information the hosts need to know (subnet information, routes, etc) you may wish to set up a rudimentary DHCP server on it, so that additional hosts can be added without configuration by the user. You may also wish to implement a caching, recursive nameserver for enhanced efficiency. DNSMasq can do both.

Thanks for your advice!

When a PC pings 66.249.89.99, I get this information from the server:

# tcpdump -n -i eth1 net 192.168.1.0/24 and port not 22 and not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
10:01:08.214160 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 599, length 64
10:01:09.214014 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 600, length 64
10:01:10.213899 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 601, length 64
10:01:11.213792 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 602, length 64
10:01:12.213676 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 603, length 64

5 packets captured
5 packets received by filter
0 packets dropped by kernel

And

# tcpdump -n -i eth0 net 202.114.10.134 and port not 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

Does it mean that eth1 (the interface in my subnet) receives the request but doesn't forward it?

--
wcw
Re: [gentoo-user] iptables configuration problem
On Tue, 15 May 2007 10:35:38 +0800 Chuanwen Wu [EMAIL PROTECTED] wrote:
> Does it mean that eth1 (the interface in my subnet) receives the request but doesn't forward it?

Perhaps you should attach the output of

iptables -t nat -L -v; iptables -L -v;

so I can see the rules... while you're at it, edit /etc/sysctl.conf so that forwarding is enabled every time you reboot, and make sure it's still enabled now.
Re: [gentoo-user] iptables configuration problem
2007/5/15, Dan Farrell [EMAIL PROTECTED]:
> On Tue, 15 May 2007 10:35:38 +0800 Chuanwen Wu [EMAIL PROTECTED] wrote:
> > Does it mean that eth1 (the interface in my subnet) receives the request but doesn't forward it?
>
> Perhaps you should attach the output of
>
> iptables -t nat -L -v; iptables -L -v;
>
> so I can see the rules... while you're at it,

# iptables -L -v
Chain INPUT (policy ACCEPT 24414 packets, 3853K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 33323 packets, 7123K bytes)
 pkts bytes target     prot opt in     out     source               destination

# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 7546 packets, 1103K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 340 packets, 28034 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    any     192.168.1.0/24       anywhere

Chain OUTPUT (policy ACCEPT 350 packets, 28746 bytes)
 pkts bytes target     prot opt in     out     source               destination

> edit /etc/sysctl.conf so that forwarding is enabled every time you reboot, and make sure it's still enabled now.

Oh! God! I must have forgotten to enable forwarding after last night! Now the PCs in the subnet can connect to the internet!

By the way, do you mean to change

#net.ipv4.ip_forward = 0

(default in /etc/sysctl.conf) to

net.ipv4.ip_forward = 1

?

--
wcw
Re: [gentoo-user] iptables configuration problem
Hello Wu,

Instead of the commands you posted, you should use

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE

Long explanation:

The first command enables the kernel to _forward_ packets from eth0 to eth1 and vice versa. To do the actual forwarding, the second command is used:

--table nat : Network address translation table.

-A POSTROUTING for altering packets as they are about to go out, after it is determined that they are to be forwarded by means of the first instruction.

-j MASQUERADE Masquerade the addresses of computers in the subnet with the address of the routing computer. The kernel takes care of the subtle details of masquerading.

I hope this helps!!!

--
Fabio A. Correa D.
Physics Dept, Universidad Nacional, Bogota, Colombia
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
My webpage and OpenPGP key at http://facorread.150m.com
[EMAIL PROTECTED] is not working anymore!!!
Re: [gentoo-user] iptables configuration problem
2007/5/13, Fabio A Correa [EMAIL PROTECTED]:
> Hello Wu,
>
> Instead of the commands you posted, you should use
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE

I have tried, but it still doesn't work. Here is the information after executing your advice:

[EMAIL PROTECTED] ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[EMAIL PROTECTED] ~]# iptables --table nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
[EMAIL PROTECTED] ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

[EMAIL PROTECTED] ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/24       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Then in my other PCs, I still can't ping the website outside. Why?

> Long explanation:
>
> The first command enables the kernel to _forward_ packets from eth0 to eth1 and vice versa. To do the actual forwarding, the second command is used:
>
> --table nat : Network address translation table.
>
> -A POSTROUTING for altering packets as they are about to go out, after it is determined that they are to be forwarded by means of the first instruction.
>
> -j MASQUERADE Masquerade the addresses of computers in the subnet with the address of the routing computer. The kernel takes care of the subtle details of masquerading.
>
> I hope this helps!!!
>
> --
> Fabio A. Correa D.
> Physics Dept, Universidad Nacional, Bogota, Colombia
> My webpage and OpenPGP key at http://facorread.150m.com

Thank you for your details!!!

--
wcw
Re: [gentoo-user] iptables configuration problem
Chuanwen Wu wrote:
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE  all  --  192.168.1.0/24       anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Then in my other PCs, I still can't ping the website outside. Why?

Have you set up a default gateway on those boxes?
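This thread ends with two findings: forwarding had been switched off again (the `echo 1` is lost at reboot unless /etc/sysctl.conf carries it), and the gateway's FORWARD chain had policy ACCEPT, so once forwarding worked the box would relay anything arriving on either interface. The script below is an added example for this page, not code posted in the thread. It checks the ip_forward sysctl, rewrites the commented `#net.ipv4.ip_forward = 0` line Wu asked about, and prints a nat+filter ruleset in iptables-restore syntax that masquerades the LAN only on the way out of the uplink and forwards only LAN-initiated connections and their replies. eth0 (uplink), eth1 (LAN) and 192.168.1.0/24 follow the thread; nothing in it touches the kernel.

```shell
#!/bin/sh
# Added example, not code from the thread.  The gateway here failed on two
# things: ip_forward was off again after a reboot, and the FORWARD chain had
# policy ACCEPT.  ip_forward_enabled checks the sysctl (the path is a
# parameter so the check can be pointed at a copy), persist_ip_forward fixes
# the "#net.ipv4.ip_forward = 0" line from /etc/sysctl.conf, and
# render_nat_ruleset prints a nat+filter ruleset (iptables-restore syntax)
# that masquerades the LAN out of the uplink only and forwards LAN-initiated
# connections plus their replies.  eth0 (uplink), eth1 (LAN) and
# 192.168.1.0/24 follow the thread; nothing here touches the kernel.

# ip_forward_enabled [PATH] -> 0 if the sysctl file holds 1, 2 if unreadable
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] || return 2
    read -r v < "$f" || return 2
    [ "$v" = 1 ]
}

# persist_ip_forward SYSCTL_CONF
# Replace any existing (possibly commented-out) net.ipv4.ip_forward line with
# "= 1", or append one, so forwarding survives a reboot ("sysctl -p" applies it).
persist_ip_forward() {
    f=$1
    [ -f "$f" ] || : > "$f"
    if grep -q '^[# ]*net\.ipv4\.ip_forward' "$f"; then
        sed 's/^[# ]*net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf 'net.ipv4.ip_forward = 1\n' >> "$f"
    fi
    grep -qx 'net.ipv4.ip_forward = 1' "$f"
}

# render_nat_ruleset WAN_IF LAN_IF LAN_CIDR
render_nat_ruleset() {
    wan=$1; lan_if=$2; lan=$3
    # "-o $wan" is what the MASQUERADE rule in the thread lacked: without it
    # every packet from the LAN range is rewritten whichever interface it
    # leaves by.
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        "-A POSTROUTING -s $lan -o $wan -j MASQUERADE" 'COMMIT'
    # FORWARD defaults to DROP; only LAN -> uplink connections and the
    # replies to them pass.  INPUT is left at ACCEPT as in the thread.
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A FORWARD -m conntrack --ctstate INVALID -j DROP' \
        "-A FORWARD -i $lan_if -o $wan -s $lan -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT" \
        "-A FORWARD -i $wan -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
        'COMMIT'
}

# Usage (as root): ./gw.sh eth0 eth1 192.168.1.0/24 > /var/lib/iptables/rules-save
if [ $# -eq 3 ]; then
    ip_forward_enabled || printf 'note: ip_forward is not enabled; see persist_ip_forward\n' >&2
    render_nat_ruleset "$1" "$2" "$3"
fi
```

On Gentoo the iptables init script loads /var/lib/iptables/rules-save at boot, so writing the rendered output there (and running `iptables-restore --test` on it first) gives a ruleset that survives a reboot together with the sysctl setting.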
Re: [gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 - 2.6.20-r6) SOLVED
On Saturday 21 April 2007 20:34, Mark Shields wrote:
> On 4/21/07, Dan Johansson [EMAIL PROTECTED] wrote:
> > On Saturday 21 April 2007 15:53, Uwe Thiem wrote:
> > > On 21 April 2007, Dan Johansson wrote:
> > > > After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my firewall won't start (shorewall). Here's the error:
> > > >
> > > > iptables: Invalid argument
> > > > ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed
> > > >
> > > > I'm getting the same error message when I try it by hand.
> > >
> > > When you generated the kernel, did you build all modules necessary? In this particular case, ipt_state?
> >
> > If you mean CONFIG_NETFILTER_XT_MATCH_STATE=y then yes, it's compiled in (not a module). You know of any other part that NEEDS to be activated other than the following?
> >
> > CONFIG_NETFILTER=y
> > CONFIG_NF_CONNTRACK_ENABLED=y
> > CONFIG_NF_CONNTRACK_SUPPORT=y
> > CONFIG_NF_CONNTRACK=y
> > CONFIG_NETFILTER_XTABLES=y
> > CONFIG_NETFILTER_XT_MATCH_LIMIT=y
> > CONFIG_NETFILTER_XT_MATCH_STATE=y
> > CONFIG_IP_NF_QUEUE=y
> > CONFIG_IP_NF_IPTABLES=y
> > CONFIG_IP_NF_FILTER=y
> > CONFIG_IP_NF_TARGET_REJECT=y
> > CONFIG_IP_NF_TARGET_LOG=y
> > CONFIG_IP_NF_MANGLE=y
>
> You found your problem, then. When you use iptables -m state, it loads the state module. Since it's not compiled as a module, it won't load. Either change it to module in the kernel or remove the -m state (I think I tried once compiling into the kernel and dropping the -m state, but it didn't work).

I found the problem, CONFIG_NF_CONNTRACK_IPV4=y has to be set as well (no need to compile anything as modules).

--
Dan Johansson, http://www.dmj.nu
*** This message is printed on 100% recycled electrons! ***
Re: [gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 - 2.6.20-r6)
On 21 April 2007, Dan Johansson wrote:
> After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my firewall won't start (shorewall). Here's the error:
>
> iptables: Invalid argument
> ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed
>
> I'm getting the same error message when I try it by hand.

When you generated the kernel, did you build all modules necessary? In this particular case, ipt_state?

Uwe
--
The Informal Linux Group Namibia: http://www.linux.org.na
SysEx (Pty) Ltd.: http://www.SysEx.com.na
Re: [gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 - 2.6.20-r6)
On Saturday 21 April 2007 15:53, Uwe Thiem wrote:
> On 21 April 2007, Dan Johansson wrote:
> > After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my firewall won't start (shorewall). Here's the error:
> >
> > iptables: Invalid argument
> > ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed
> >
> > I'm getting the same error message when I try it by hand.
>
> When you generated the kernel, did you build all modules necessary? In this particular case, ipt_state?

If you mean CONFIG_NETFILTER_XT_MATCH_STATE=y then yes, it's compiled in (not a module). You know of any other part that NEEDS to be activated other than the following?

CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK_ENABLED=y
CONFIG_NF_CONNTRACK_SUPPORT=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_IP_NF_QUEUE=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_MANGLE=y

--
Dan Johansson, http://www.dmj.nu
*** This message is printed on 100% recycled electrons! ***
Re: [gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 - 2.6.20-r6)
On 4/21/07, Dan Johansson [EMAIL PROTECTED] wrote:
> On Saturday 21 April 2007 15:53, Uwe Thiem wrote:
> > On 21 April 2007, Dan Johansson wrote:
> > > After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my firewall won't start (shorewall). Here's the error:
> > >
> > > iptables: Invalid argument
> > > ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed
> > >
> > > I'm getting the same error message when I try it by hand.
> >
> > When you generated the kernel, did you build all modules necessary? In this particular case, ipt_state?
>
> If you mean CONFIG_NETFILTER_XT_MATCH_STATE=y then yes, it's compiled in (not a module). You know of any other part that NEEDS to be activated other than the following?
>
> CONFIG_NETFILTER=y
> CONFIG_NF_CONNTRACK_ENABLED=y
> CONFIG_NF_CONNTRACK_SUPPORT=y
> CONFIG_NF_CONNTRACK=y
> CONFIG_NETFILTER_XTABLES=y
> CONFIG_NETFILTER_XT_MATCH_LIMIT=y
> CONFIG_NETFILTER_XT_MATCH_STATE=y
> CONFIG_IP_NF_QUEUE=y
> CONFIG_IP_NF_IPTABLES=y
> CONFIG_IP_NF_FILTER=y
> CONFIG_IP_NF_TARGET_REJECT=y
> CONFIG_IP_NF_TARGET_LOG=y
> CONFIG_IP_NF_MANGLE=y
>
> --
> Dan Johansson, http://www.dmj.nu
> *** This message is printed on 100% recycled electrons! ***

You found your problem, then. When you use iptables -m state, it loads the state module. Since it's not compiled as a module, it won't load. Either change it to module in the kernel or remove the -m state (I think I tried once compiling into the kernel and dropping the -m state, but it didn't work).

--
- Mark Shields
Re: [gentoo-user] IPtables question
On Wednesday, 31 January 2007, James Colby wrote:
> I have a small home server that I have connected to the internet through a linksys router and cable modem. The linksys router is currently forwarding all ssh traffic to my gentoo box. What I would

Take note, that forwarded traffic (it is DNAT-ed in Linksys) would appear on your host as originating from your router. Original source address is stripped by router's NAT. Ergo, you need source address filtering in your router.

--
Pawel Kraszewski
www.kraszewscy.net
--
gentoo-user@gentoo.org mailing list
Re: [gentoo-user] IPtables question
Hi,

On Fri, 2 Feb 2007 09:45:53 +0100 Pawel Kraszewski [EMAIL PROTECTED] wrote:
> On Wednesday, 31 January 2007, James Colby wrote:
> > I have a small home server that I have connected to the internet through a linksys router and cable modem. The linksys router is currently forwarding all ssh traffic to my gentoo box. What I would
>
> Take note, that forwarded traffic (it is DNAT-ed in Linksys) would appear on your host as originating from your router. Original source address is stripped by router's NAT.

Nope, just the target address is rewritten (by routing). DNAT is Destination NAT! I.e. the target IP of the packet is rewritten. Since the Linksys is the default gateway, packets can keep their source IP address. Of course, the source MAC address will be rewritten to the router's -- but that's got nothing to do with NAT but routing instead.

-hwh
Re: [gentoo-user] IPtables question
On Friday, 2 February 2007, Hans-Werner Hilse wrote:
> Nope, just the target address is rewritten (by routing). DNAT is
> Destination NAT! I.e. the target IP of the packet is rewritten. Since the
> Linksys is the default gateway, packets can keep their source IP address.
> Of course, the source MAC address will be rewritten to the router's -- but
> that's got nothing to do with NAT but routing instead.

Jeee, I'm terribly sorry. My only excuse is that it was written without the
morning coffee... Of course SNAT rewrites the source IP and DNAT the
destination IP, and port forwarding uses DNAT. Once more, sorry for the
confusion - my mind was somehow floating around proxying, not forwarding.

-- 
Pawel Kraszewski
www.kraszewscy.net
Re: [gentoo-user] IPtables question
On Wednesday 31 January 2007 20:56, Albert Hopkins wrote:
> On Wed, 2007-01-31 at 15:36 -0500, James Colby wrote:
> > List members -
> > I have a small home server that I have connected to the internet through
> > a linksys router and cable modem. The linksys router is currently
> > forwarding all ssh traffic to my gentoo box. What I would like to do is
> > set up iptables to only allow ssh logins from a small number of internet
> > hosts, and to reject and log all other ssh attempts. Can someone please
> > help me out with this. All of the tutorials and documentation that I have
> > found are setting up a fully functioning firewall / NAT / proxy, and I
> > think that is a little overkill for my needs.
>
> If you don't want the whole iptables suite you might want to consider good
> ole hosts.allow/hosts.deny as an alternative. They work fine with sshd if
> you have tcpwrappers enabled.

It depends how secure you want your set up to be. I always suggest disabling
password authentication and enabling public key authentication, after you
copy and paste each client's public key into the file ~/.ssh/authorized_keys.
Any password cracking attacks will simply fail.

I would also suggest that you move your sshd port from 22 to a higher number.
All/most of these bots scanning port 22 will now leave you alone.

Finally, you can set up additional layers like allow/deny users, MAC
addresses, etc. While you're at it, don't forget disabling root logins.

If you want to introduce diverse protection then iptables (and as previously
suggested hosts.allow/hosts.deny) is an option. In your iptables script (or
saved set of iptables rules) add something like:

iptables -A INPUT -i eth0 -p tcp -s client_ip_address -m tcp --dport 22 -d server_LAN_ip_address -j ACCEPT

Of course, I suggest that you change port 22 in the line above to a higher
number 'free' port. Your final catch-all rule at the bottom of your iptables
will drop any packets (on any port) from hosts other than the clients you
specified in my line above.

Finally, you can repeat this in your router's firewall rules, assuming that
you can specify WAN ip addresses (I know that you can in my hardware router,
but don't know in yours). If any one manages to break in to the server
through such a sshd setup, then they bl**dy well deserve it!

HTH.
-- 
Regards,
Mick
Re: [gentoo-user] IPtables question
James Colby wrote:
> currently forwarding all ssh traffic to my gentoo box. What I would
> like to do is set up iptables to only allow ssh logins from a small
> number of internet hosts,

iptables -A INPUT -p tcp -s ip-address-of-known-host --dport 22 -j ACCEPT

> and to reject and log all other ssh attempts.

iptables -A INPUT -p tcp --dport 22 -j LOG
iptables -A INPUT -p tcp --dport 22 -j REJECT

Regards,
Norberto
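Putting Mick's and Norberto's answers together, as an added example that is not code from any poster: a POSIX sh function that emits an iptables-restore ruleset admitting SSH only from listed sources, logging other attempts at a bounded rate and rejecting them, with the conntrack rule that the rest of the thread needs. The interface name (eth0), port (22) and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): emit an iptables-restore ruleset
# that admits SSH only from listed source addresses, logs other attempts at a
# bounded rate and rejects them, and keeps already-tracked connections.
# Assumptions: eth0 is the internet-facing interface, sshd listens on port 22,
# and the kernel has conntrack plus the state, limit, LOG and REJECT pieces.

# build_ssh_ruleset IFACE PORT HOST [HOST...]  -> ruleset on stdout
build_ssh_ruleset() {
    iface=$1; port=$2; shift 2
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback, then replies/related packets of connections conntrack knows.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # One ACCEPT per trusted client. --dport is a tcp match option, so -p tcp
    # is required; a bare "--dport 22" rule without it fails to load.
    for host in "$@"; do
        printf '%s\n' "-A INPUT -i $iface -p tcp -s $host --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everyone else on the SSH port: log at most 3 lines a minute, then reject
    # with a TCP reset so the client fails fast instead of waiting on a DROP.
    printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -m limit --limit 3/min -j LOG --log-prefix \"ssh-denied: \""
    printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    printf '%s\n' 'COMMIT'
}

# Constructed sample: two trusted sources taken from the documentation ranges.
build_ssh_ruleset eth0 22 192.0.2.10 198.51.100.0/24
```

Review the output before piping it into iptables-restore: the INPUT policy is DROP, so any other service the box exposes needs its own ACCEPT rule added first.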
Re: [gentoo-user] Iptables
On Thursday 18 January 2007 17:58, Fabrício L. Ribeiro wrote:
> How can I install and run iptables (with conntrack and all other modules)
> in a Gentoo 2006.1 box with kernel generated by genkernel? I tried emerge
> iptables, but when I type iptables -F I get something like this:
>
> FATAL: Module ip_tables not found.
> iptables v1.3.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.

genkernel uses a standard .config the first time you use it on a kernel
version. In the kernel sources, all the netfilter options are disabled by
default, and you MUST enable them via menuconfig. Did you perhaps omit this
step?

alan
Re: [gentoo-user] Iptables
Alan

IPTables support must be compiled into the kernel. I am not in front of my
gentoo system so cannot help you find the location in make menuconfig but if
you poke around you should be able to locate it.

Pete

On 1/19/07, Alan McKinnon [EMAIL PROTECTED] wrote:
> On Thursday 18 January 2007 17:58, Fabrício L. Ribeiro wrote:
> > How can I install and run iptables (with conntrack and all other modules)
> > in a Gentoo 2006.1 box with kernel generated by genkernel? I tried emerge
> > iptables, but when I type iptables -F I get something like this:
> >
> > FATAL: Module ip_tables not found.
> > iptables v1.3.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
> > Perhaps iptables or your kernel needs to be upgraded.
>
> genkernel uses a standard .config the first time you use it on a kernel
> version. In the kernel sources, all the netfilter options are disabled by
> default, and you MUST enable them via menuconfig. Did you perhaps omit this
> step?
>
> alan

-- 
Pete Pardoe
Re: [gentoo-user] Iptables
People,

The response is in Nelson's mail. Thanks Nelson and thanks to all.

On 1/19/07, Pete Pardoe [EMAIL PROTECTED] wrote:
> Alan
>
> IPTables support must be compiled into the kernel. I am not in front of my
> gentoo system so cannot help you find the location in make menuconfig but
> if you poke around you should be able to locate it.
>
> Pete
>
> On 1/19/07, Alan McKinnon [EMAIL PROTECTED] wrote:
> > On Thursday 18 January 2007 17:58, Fabrício L. Ribeiro wrote:
> > > How can I install and run iptables (with conntrack and all other
> > > modules) in a Gentoo 2006.1 box with kernel generated by genkernel? I
> > > tried emerge iptables, but when I type iptables -F I get something like
> > > this:
> > >
> > > FATAL: Module ip_tables not found.
> > > iptables v1.3.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
> > > Perhaps iptables or your kernel needs to be upgraded.
> >
> > genkernel uses a standard .config the first time you use it on a kernel
> > version. In the kernel sources, all the netfilter options are disabled by
> > default, and you MUST enable them via menuconfig. Did you perhaps omit
> > this step?
> >
> > alan
>
> -- 
> Pete Pardoe

-- 
FABRÍCIO L. RIBEIRO
===
[icq: 66770900]
[e-mail, gtalk and msn: [EMAIL PROTECTED]
[blog: http://opalavrorio.blogspot.com]
Re: [gentoo-user] Iptables
> How can I install and run iptables (with conntrack and all other modules)
> in a Gentoo 2006.1 box with kernel generated by genkernel? I tried emerge
> iptables, but when I type iptables -F I get something like this:
>
> FATAL: Module ip_tables not found.
> iptables v1.3.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.

Hm, did you start the iptables init script? I think it loads the necessary
modules!
RE: [gentoo-user] Iptables
> -----Original Message-----
> From: Fabrício L. Ribeiro [mailto:[EMAIL PROTECTED]
> Sent: 18 January 2007 15:59
> To: gentoo-user@lists.gentoo.org
> Subject: [gentoo-user] Iptables
>
> How can I install and run iptables (with conntrack and all other modules)
> in a Gentoo 2006.1 box with kernel generated by genkernel? I tried emerge
> iptables, but when I type iptables -F I get something like this:
>
> FATAL: Module ip_tables not found.
> iptables v1.3.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
> Perhaps iptables or your kernel needs to be upgraded.
>
> Thanks!

http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

That is the *first* result if you google for 'Gentoo Iptables'.
http://www.google.co.uk/search?q=gentoo+iptables&ie=utf-8&oe=utf-8&rls=org.mozilla:en-GB:official&client=firefox-a

djn
Re: [gentoo-user] iptables error
On Wed, 8 Nov 2006 10:19:10 -0700 Richard Fish wrote:
> On 11/8/06, Arnau Bria [EMAIL PROTECTED] wrote:
>
> I'd suggest you make a copy of this file and try to identify which rule
> from this file is causing the error. It is a plain text file, so you can
> comment out (with '#' characters) various rules (lines that start with
> '[') to figure out which rule is causing the error.

Well, I found them:

#-A INPUT -i eth0 -p tcp -m multiport --dports 4662,18491 -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
#-A INPUT -i eth0 -p udp -m multiport --dports 4666,18491 -j ACCEPT

Does anyone know what happens with both rules?

> -Richard

Thanks!
-- 
Arnau Bria
http://blog.emergetux.net
Wiggum: Shoot at the tires, Lou.
Lou: Uh, it's a tank, chief.
Wiggum: I'm fed up with all your excuses.
Re: [gentoo-user] iptables error
On Thu, 9 Nov 2006 08:40:12 -0800 Tim Garton wrote:
> xt_multiport

Oh! I've not looked for the solution yet :-(

Thanks a lot! That solved my problem!
-- 
Arnau Bria
http://blog.emergetux.net
Re: [gentoo-user] iptables error
Hi,

On Wed, 8 Nov 2006 16:29:45 +0100 Arnau Bria [EMAIL PROTECTED] wrote:
> I've done a kernel upgrade, from 2.6.16 to 17-r8 and my iptables stop
> working.

As iptables is very dependent on the kernel's API, did you
- change kernel configuration?
- try re-emerging iptables?

-hwh
Re: [gentoo-user] iptables error
Perhaps try these modules as well?

gentoo sbin # lsmod
Module                  Size  Used by
xt_tcpudp               7936  1
iptable_nat            10756  1
ip_nat                 21292  1 iptable_nat
ip_conntrack           51332  2 iptable_nat,ip_nat
iptable_filter          7296  0
ip_tables              22760  2 iptable_nat,iptable_filter
x_tables               18568  3 xt_tcpudp,iptable_nat,ip_tables

Tim

On 11/8/06, Arnau Bria [EMAIL PROTECTED] wrote:
> Hi,
> I've done a kernel upgrade, from 2.6.16 to 17-r8 and my iptables stop
> working.
> I get this error:
>
> # iptables-restore /etc/iptables.noviembre
> getsockopt failed strangely: No such file or directory
>
> I have those modules loaded:
>
> # lsmod
> Module                  Size  Used by
> iptable_filter          3968  0
> ip_tables              14436  1 iptable_filter
> x_tables               14980  1 ip_tables
>
> is there anything missing? It worked fine with old kernel...
> cheers!
> -- 
> Arnau Bria
> http://blog.emergetux.net
Re: [gentoo-user] iptables error
On Wed, 8 Nov 2006 17:16:20 +0100 Hans-Werner Hilse wrote:
> Hi,
>
> On Wed, 8 Nov 2006 16:29:45 +0100 Arnau Bria [EMAIL PROTECTED] wrote:
> > I've done a kernel upgrade, from 2.6.16 to 17-r8 and my iptables stop
> > working.
>
> As iptables is very dependent on the kernel's API, did you
> - change kernel configuration?

Nope, just make oldconfig with default values for new options.

> - try re-emerging iptables?

Nope, gonna do it.

> -hwh

thanks!
-- 
Arnau Bria
http://blog.emergetux.net
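Dan's CONFIG_* list, Alan's note that genkernel leaves netfilter disabled, and the xt_multiport module that fixed Arnau's "getsockopt failed strangely" all come down to the same check. As an added example that is not from any of the posters: a POSIX sh function that reads a kernel .config (or zcat /proc/config.gz) on stdin and reports each netfilter option as builtin (=y, no module load needed), module (=m, the .ko must be loaded, which iptables normally triggers automatically) or missing. The option list is taken from the thread plus CONFIG_NETFILTER_XT_MATCH_MULTIPORT; the sample config is constructed.

```shell
#!/bin/sh
# Added example (not code from the thread): classify the netfilter options a
# working iptables setup needs as builtin / module / missing, reading a kernel
# .config from stdin. Option names come from the thread plus the multiport
# match; anything not listed as =y or =m counts as missing.

NF_OPTIONS="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NETFILTER_XTABLES
CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_NETFILTER_XT_MATCH_LIMIT
CONFIG_NETFILTER_XT_MATCH_MULTIPORT CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER
CONFIG_IP_NF_TARGET_REJECT CONFIG_IP_NF_TARGET_LOG"

# check_netfilter_config < kernel.config
# Prints "OPTION builtin|module|missing" per option; returns 1 if any missing.
check_netfilter_config() {
    config=$(cat)        # whole config text from stdin
    rc=0
    for opt in $NF_OPTIONS; do
        # Extract the y/m value of exactly this option (not a longer name).
        case $(printf '%s\n' "$config" | sed -n "s/^$opt=\([ym]\)\$/\1/p") in
            y) state=builtin ;;
            m) state=module ;;   # needs the .ko loaded at rule-load time
            *) state=missing; rc=1 ;;
        esac
        printf '%s %s\n' "$opt" "$state"
    done
    return $rc
}

# Constructed sample resembling the thread: state match built in, multiport
# left as a module, LOG target never enabled (the genkernel default).
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_STATE=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
# CONFIG_IP_NF_TARGET_LOG is not set'

printf '%s\n' "$SAMPLE_CONFIG" | check_netfilter_config \
    || echo "some netfilter options are missing; enable them in menuconfig"
```

On a live box run `zcat /proc/config.gz | check_netfilter_config` (or feed /usr/src/linux/.config) and confirm each `module` entry with lsmod before blaming the ruleset.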