[gentoo-user] iptables broken

2022-02-11 Thread flzdjhmtax
Something recent (perhaps this update to libnftnl) broke iptables. Re-emerging it fixed the problem. Fri Feb 11 07:45:54 2022 >>> net-libs/libnftnl-1.2.1 iptables started giving errors such as this: /sbin/iptables -A BASE_INPUT_CHAIN -m conntrack --ctstate ESTABLISHED -j ACCEPT ERROR (2):

Re: [gentoo-user] iptables wiki page questions

2020-08-14 Thread Alexey Mishustin
Sat, 15 Aug 2020 at 01:34, tastytea : > Note that, if you set rc_depend_strict="NO" in /etc/rc.conf, the > dependency “net” is satisfied if only one net.* service is started. If I remember correctly, it happened sometimes that iptables loaded after net.eth0 service even with

Re: [gentoo-user] iptables wiki page questions

2020-08-14 Thread tastytea
On 2020-08-14 22:17- Grant Edwards wrote: > […] > ### "rc-service iptables" vs. "/etc/init.d/iptables" rc-service runs the same service scripts that are in /etc/init.d/, so it's the same. However the manpage of rc-service(8) mentions that “Service scripts could be in different places on

[gentoo-user] iptables wiki page questions

2020-08-14 Thread Grant Edwards
I read through the iptables wiki page this afternoon to refresh my memory on how you save rules so they get loaded on startup. https://wiki.gentoo.org/wiki/Iptables There are some inconsistencies which I'm curious about. ### "rc-service iptables" vs. "/etc/init.d/iptables" Most of the page's

Re: [gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Peter Humphrey
On Wednesday, 24 October 2018 15:30:06 BST Peter Humphrey wrote: > On Wednesday, 24 October 2018 12:52:24 BST Neil Bothwick wrote: > > On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote: > > > Today's update of iptables to 1.8.1 failed here because I didn't have > > > USE=nftables set. After

Re: [gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Peter Humphrey
On Wednesday, 24 October 2018 12:52:24 BST Neil Bothwick wrote: > On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote: > > Today's update of iptables to 1.8.1 failed here because I didn't have > > USE=nftables set. After setting that in package.use it was fine. Before > > I submit a bug

Re: [gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Neil Bothwick
On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote: > Today's update of iptables to 1.8.1 failed here because I didn't have > USE=nftables set. After setting that in package.use it was fine. Before > I submit a bug report, though, I'd like to understand one thing: > > $ grep nftables

[gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Peter Humphrey
Hello list, Today's update of iptables to 1.8.1 failed here because I didn't have USE=nftables set. After setting that in package.use it was fine. Before I submit a bug report, though, I'd like to understand one thing: $ grep nftables $(equery w iptables) IUSE="conntrack ipv6 netlink nftables

Re: [gentoo-user] IPTABLES

2015-12-29 Thread lee
"siefke_lis...@web.de" writes: > Hello, > > I try to run iptables, block bad IPs and close the system. > > I want to run a firewall which blocks all INPUT, only ALLOW services I defined. > Ipset I want to use to block spam IPs, make it sure awesome as ever set rules > manually.

Re: [gentoo-user] IPTABLES

2015-12-24 Thread siefke_lis...@web.de
Hello, On Thu, 24 Dec 2015 15:11:55 +0300 Andrew Savchenko wrote: > ... > It is a bit old and isn't an ultimate description of all > iptables features (you have manuals for that), but will give you a > good understanding of how packet flow works and how they should be >

Re: [gentoo-user] IPTABLES

2015-12-24 Thread Andrew Savchenko
Hi, On Tue, 22 Dec 2015 22:45:12 +0100 siefke_lis...@web.de wrote: > I try to run iptables, block bad IPs and close the system. > > I want to run a firewall which blocks all INPUT, only ALLOW services I defined. > Ipset I want to use to block spam IPs, make it sure awesome as ever set rules > manually.

[gentoo-user] IPTABLES

2015-12-22 Thread siefke_lis...@web.de
Hello, I try to run iptables, block bad IPs and close the system. I want to run a firewall which blocks all INPUT, only ALLOW services I defined. Ipset I want to use to block spam IPs, make it sure awesome as ever set rules manually. I'm not so sure it is okay, I have tried and read but at the end often I kick

Re: [gentoo-user] iptables tunneling a chrooted Linux?

2015-08-15 Thread Rich Freeman
On Sat, Aug 15, 2015 at 2:53 AM, Andrew Savchenko birc...@gentoo.org wrote: On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote: on my Android tablet I have installed a Gentoo rootfs. I can start this by chrooting it after Android has booted. Via xvnc I can connect from a running

Re: [gentoo-user] iptables tunneling a chrooted Linux?

2015-08-15 Thread Andrew Savchenko
Hi, On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote: on my Android tablet I have installed a Gentoo rootfs. I can start this by chrooting it after Android has booted. Via xvnc I can connect from a running Android to the also running Gentoo Linux. If I set up a firewall as root

Re: [gentoo-user] iptables tunneling a chrooted Linux?

2015-08-15 Thread Meino . Cramer
Rich Freeman ri...@gentoo.org [15-08-15 13:04]: On Sat, Aug 15, 2015 at 2:53 AM, Andrew Savchenko birc...@gentoo.org wrote: On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote: on my Android tablet I have installed a Gentoo rootfs. I can start this by chrooting it after Android

Re: [gentoo-user] iptables tunneling a chrooted Linux?

2015-08-15 Thread Rich Freeman
On Sat, Aug 15, 2015 at 7:45 AM, meino.cra...@gmx.de wrote: Last chance: Installing a fully functional chrooted Linux, setup some handcrafted iptables/ipset/sidmat stuff (which I still have to do) and...get a Yes, network is shared on kernel level as answer from this thread. :) And I got

[gentoo-user] iptables tunneling a chrooted Linux?

2015-08-14 Thread Meino . Cramer
Hi, on my Android tablet I have installed a Gentoo rootfs. I can start this by chrooting it after Android has booted. Via xvnc I can connect from a running Android to the also running Gentoo Linux. If I set up a firewall as root (the Android is rooted) while I am in the chrooted Linux this

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-31 Thread Pandu Poluan
On Dec 30, 2013 7:31 PM, shawn wilson ag4ve...@gmail.com wrote: Minor additions to what Pandu said... On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan pa...@poluan.info wrote: On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl tansta...@libertytrek.org wrote: The numbers within [brackets] are

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-31 Thread shawn wilson
On Tue, Dec 31, 2013 at 9:08 AM, Pandu Poluan pa...@poluan.info wrote: On Dec 30, 2013 7:31 PM, shawn wilson ag4ve...@gmail.com wrote: Minor additions to what Pandu said... On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan pa...@poluan.info wrote: On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-30 Thread Tanstaafl
On 2013-12-29 1:39 PM, shawn wilson ag4ve...@gmail.com wrote: On Sun, Dec 29, 2013 at 1:07 PM, Tanstaafl tansta...@libertytrek.org wrote: Hi all, Ok, I'm setting up a new server, and I'd like to rethink my iptables rules. I'd like to start with something fairly simple: 1. Allow connections

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-30 Thread Pandu Poluan
On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl tansta...@libertytrek.org wrote: [-- LE SNIP --] Ok, well, maybe I should have posted my entire ruleset... I have this above where I define my chains: # *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] # Does it matter where

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-30 Thread shawn wilson
Minor additions to what Pandu said... On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan pa...@poluan.info wrote: On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl tansta...@libertytrek.org wrote: The numbers within [brackets] are statistics/counters. Just replace them with [0:0], unless you really really

[gentoo-user] IPTables question... simple as possible for starters

2013-12-29 Thread Tanstaafl
Hi all, Ok, I'm setting up a new server, and I'd like to rethink my iptables rules. I'd like to start with something fairly simple: 1. Allow connections from anywhere ONLY to certain ports, i.e., for encrypted IMAP/SMTP connections from users 2. Allow connections from only certain IP addresses

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-29 Thread shawn wilson
On Sun, Dec 29, 2013 at 1:07 PM, Tanstaafl tansta...@libertytrek.org wrote: Hi all, Ok, I'm setting up a new server, and I'd like to rethink my iptables rules. I'd like to start with something fairly simple: 1. Allow connections from anywhere ONLY to certain ports, i.e., for encrypted

[gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Nick Khamis
Hello Everyone, We recently moved our stateful firewall inside, and would like to strip down the firewall at our router connected to the outside world. The problem I am experiencing is getting things to work properly without connection tracking. I hope I am not in breach of mailing list rules

[gentoo-user] Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread the guard
Tuesday, 21 May 2013, 11:07 -04:00 from Nick Khamis sym...@gmail.com: Hello Everyone, We recently moved our stateful firewall inside, and would like to strip down the firewall at our router connected to the outside world. The problem I am experiencing is getting things to work properly

Re: [gentoo-user] Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Nick Khamis
Looks like the packet never gets to the tcp chain. what is --syn? It seems that way I am not sure what --syn is actually. But even if I comment it out it does not work. Also, for testing I changed the SSH rule to allow bidirectional traffic until this is fixed: -A TCP -p tcp -m tcp --dport

Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Alan McKinnon
On 21/05/2013 17:07, Nick Khamis wrote: Hello Everyone, We recently moved our stateful firewall inside, and would like to strip down the firewall at our router connected to the outside world. The problem I am experiencing is getting things to work properly without connection tracking. Now

Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Nick Khamis
Hello Everyone, Thank you so much for your responses. I agree Alan, total pain in the neck!!! But it's a ticket that was passed down to me. We moved the stateful firewalls inside the network, broken down to each department. But as a first on site defense on our BGP router running Quagga, we only

[gentoo-user] iptables (not) started?

2013-03-29 Thread Jarry
Hi Gentoo-users, I noticed one thing on my server: during boot-up no message about firewall being started is printed on console. I always have to check manually if iptables-rules have been loaded. Strange thing, when doing shutdown, I see messages I expect: * Saving iptables state ...

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 18:25:11 Jarry wrote: Hi Gentoo-users, I noticed one thing on my server: during boot-up no message about firewall being started is printed on console. I always have to check manually if iptables-rules have been loaded. Strange thing, when doing shutdown, I see messages

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Jarry
On 29-Mar-13 19:43, Mick wrote: On Friday 29 Mar 2013 18:25:11 Jarry wrote: Hi Gentoo-users, I noticed one thing on my server: during boot-up no message about firewall being started is printed on console. I always have to check manually if iptables-rules have been loaded. Strange thing, when

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Pandu Poluan
On Mar 30, 2013 1:27 AM, Jarry mr.ja...@gmail.com wrote: Hi Gentoo-users, I noticed one thing on my server: during boot-up no message about firewall being started is printed on console. I always have to check manually if iptables-rules have been loaded. Strange thing, when doing shutdown, I

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 19:03:57 Jarry wrote: On 29-Mar-13 19:43, Mick wrote: On Friday 29 Mar 2013 18:25:11 Jarry wrote: Hi Gentoo-users, I noticed one thing on my server: during boot-up no message about firewall being started is printed on console. I always have to check manually if

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 19:34:39 Mick wrote: On Friday 29 Mar 2013 19:03:57 Jarry wrote: On 29-Mar-13 19:43, Mick wrote: On Friday 29 Mar 2013 18:25:11 Jarry wrote: Hi Gentoo-users, I noticed one thing on my server: during boot-up no message about firewall being started is printed

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 19:44:14 +, Mick wrote: Why do wikis and the like suggest that iptables should be in default rather than boot runlevel? Why not? There's no need to start it especially early, as long as it is running before the network comes up, and the init script takes care of that.

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 20:37:20 Neil Bothwick wrote: On Fri, 29 Mar 2013 19:44:14 +, Mick wrote: Why do wikis and the like suggest that iptables should be in default rather than boot runlevel? Why not? There's no need to start it especially early, as long as it is running before the

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 23:29:39 +, Mick wrote: Why do wikis and the like suggest that iptables should be in default rather than boot runlevel? Why not? There's no need to start it especially early, as long as it is running before the network comes up, and the init script takes

Re: [gentoo-user] IPTABLES syntax change?

2013-01-06 Thread Walter Dnes
On Sat, Jan 05, 2013 at 11:57:10AM +, Mick wrote It will, but only partially. It seems that the list is long and it is getting longer and longer! Check this out: whois -h whois.radb.net -- '-i origin AS32934' | grep ^route (as advised by

Re: [gentoo-user] IPTABLES syntax change?

2013-01-04 Thread Walter Dnes
On Wed, Jan 02, 2013 at 11:32:58PM -0500, Michael Orlitzky wrote On 12/30/2012 10:21 PM, Walter Dnes wrote: [0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6 [0:0] -A FECESBOOK -j DROP [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT [0:0] -A INPUT -s 169.254.0.0/16 -i

Re: [gentoo-user] IPTABLES syntax change?

2013-01-04 Thread Michael Mol
On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes waltd...@waltdnes.org wrote: On Wed, Jan 02, 2013 at 11:32:58PM -0500, Michael Orlitzky wrote On 12/30/2012 10:21 PM, Walter Dnes wrote: [0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6 [0:0] -A FECESBOOK -j DROP [0:0] -A INPUT -s

Re: [gentoo-user] IPTABLES syntax change?

2013-01-04 Thread Walter Dnes
On Fri, Jan 04, 2013 at 03:27:59PM -0500, Michael Mol wrote On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes waltd...@waltdnes.org wrote: The mere fact that you haven't manually typed in... http://www.facebook.com/blah_blah_blah does not mean you're not connecting to it. But all that's

Re: [gentoo-user] IPTABLES syntax change?

2013-01-04 Thread Michael Mol
On Jan 4, 2013 8:33 PM, Walter Dnes waltd...@waltdnes.org wrote: On Fri, Jan 04, 2013 at 03:27:59PM -0500, Michael Mol wrote On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes waltd...@waltdnes.org wrote: The mere fact that you haven't manually typed in...

Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-03 Thread Tanstaafl
On 2013-01-02 7:14 PM, Mick michaelkintz...@gmail.com wrote: On Wednesday 02 Jan 2013 19:47:11 Tanstaafl wrote: Oh, ok - so, if I don't have any rules that use the 'mangle' command, then I can safely remove mangle support from my kernel and lose the mangle table altogether? Yes, I would

[gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Tanstaafl
Hi all, This has been bugging me for a while... I've googled, and can't seem to find a definitive answer to this question... Lots of references to the Mangle table, but nothing that really explains what this table is or does, and when or why I would want/need it. Currently, I have this in

Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Michael Orlitzky
On 01/02/13 08:38, Tanstaafl wrote: Hi all, This has been bugging me for a while... I've googled, and can't seem to find a definitive answer to this question... Lots of references to the Mangle table, but nothing that really explains what this table is or does, and when or why I would

Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Mick
On Wednesday 02 Jan 2013 13:38:27 Tanstaafl wrote: Hi all, This has been bugging me for a while... I've googled, and can't seem to find a definitive answer to this question... Lots of references to the Mangle table, but nothing that really explains what this table is or does, and when

Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Tanstaafl
On 2013-01-02 2:01 PM, Mick michaelkintz...@gmail.com wrote: If you have a look at 'man iptables-extensions' it gives some examples of using -t mangle. I haven't looked in Google recently, but there should be some examples there too. Oh, ok - so, if I don't have any rules that use the

Re: [gentoo-user] IPTABLES syntax change?

2013-01-02 Thread Michael Orlitzky
On 12/30/12 22:21, Walter Dnes wrote: OK, here is version 2. I had an excellent adventure along the way. I'm doing the upgrade on our servers right now, and there's another possible gotcha: the newer iptables (requiring conntrack) requires NETFILTER_XT_MATCH_CONNTRACK support in the kernel.

Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Mick
On Wednesday 02 Jan 2013 19:47:11 Tanstaafl wrote: On 2013-01-02 2:01 PM, Mick michaelkintz...@gmail.com wrote: If you have a look at 'man iptables-extensions' it gives some examples of using -t mangle. I haven't looked in Google recently, but there should be some examples there too.

Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Pandu Poluan
On Jan 3, 2013 1:57 AM, Michael Orlitzky mich...@orlitzky.com wrote: On 01/02/13 08:38, Tanstaafl wrote: Hi all, This has been bugging me for a while... I've googled, and can't seem to find a definitive answer to this question... Lots of references to the Mangle table, but

Re: [gentoo-user] IPTABLES syntax change?

2013-01-02 Thread Pandu Poluan
On Jan 3, 2013 4:40 AM, Michael Orlitzky mich...@orlitzky.com wrote: On 12/30/12 22:21, Walter Dnes wrote: OK, here is version 2. I had an excellent adventure along the way. I'm doing the upgrade on our servers right now, and there's another possible gotcha: the newer iptables

Re: [gentoo-user] IPTABLES syntax change?

2013-01-02 Thread Michael Orlitzky
On 12/30/2012 10:21 PM, Walter Dnes wrote: [0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6 [0:0] -A FECESBOOK -j DROP [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT [0:0] -A INPUT -i lo -j ACCEPT [0:0] -A INPUT -m

Re: [gentoo-user] IPTABLES syntax change?

2012-12-30 Thread Michael Orlitzky
On 12/29/2012 01:32 PM, Walter Dnes wrote: Two questions I'm not sure about. 1) I run a desktop, and use passive ftp. Is there any need for me to accept RELATED packets? Probably not, I think the server needs it though. 2) Does a -j LOG return to the chain it was called from, or does

Re: [gentoo-user] IPTABLES syntax change?

2012-12-30 Thread Adam Carter
2) Does a -j LOG return to the chain it was called from, or does it do an implicit DROP? It returns to the spot where it was called from. Yep, so you could create a new chain to drop and log; /sbin/iptables -N logdrop /sbin/iptables -A logdrop -j LOG --log-prefix 'DROP ' /sbin/iptables -A

Re: [gentoo-user] IPTABLES syntax change?

2012-12-30 Thread Walter Dnes
OK, here is version 2. I had an excellent adventure along the way. * At the very last line (COMMIT), iptables-restore said it failed, but no clue whatsoever as to why. * I copied the rules file to a scratch-file, and converted it to a bash script that called iptables each time. * This

Re: [gentoo-user] IPTABLES syntax change?

2012-12-29 Thread Walter Dnes
Two questions I'm not sure about. 1) I run a desktop, and use passive ftp. Is there any need for me to accept RELATED packets? 2) Does a -j LOG return to the chain it was called from, or does it do an implicit DROP? -- Walter Dnes waltd...@waltdnes.org I don't run desktop environments; I

Re: [gentoo-user] IPTABLES syntax change?

2012-12-29 Thread Jarry
On 29-Dec-12 19:32, Walter Dnes wrote: 1) I run a desktop, and use passive ftp. Is there any need for me to accept RELATED packets? No, but you must take care of related connections. Even passive ftp opens command (1023 - 21) and data (1023 - 1023) channel. BTW, icmp-error (i.e. host

Re: [gentoo-user] IPTABLES syntax change?

2012-12-28 Thread Walter Dnes
On Fri, Dec 28, 2012 at 01:07:11AM -0500, Michael Orlitzky wrote On 12/27/2012 10:59 PM, Walter Dnes wrote: Here's my revised Paranoia Plus ruleset. Any comments? Because I'm behind a NAT-ing ADSL router/modem, many of my rules rarely see hits. However, I do have a backup dialup

Re: [gentoo-user] IPTABLES syntax change?

2012-12-28 Thread Kerin Millar
Walter Dnes wrote: On Fri, Dec 28, 2012 at 01:07:11AM -0500, Michael Orlitzky wrote On 12/27/2012 10:59 PM, Walter Dnes wrote: Here's my revised Paranoia Plus ruleset. Any comments? Because I'm behind a NAT-ing ADSL router/modem, many of my rules rarely see hits. However, I do have a

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Graham Murray
Michael Orlitzky mich...@orlitzky.com writes: The 'conntrack' module is supposed to be a superset of 'state', so most things should be compatible. You really have two warnings there; the first is for the state - conntrack switch, and the second is because you're missing the --state flag in

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
On 12/27/12 06:28, Graham Murray wrote: Michael Orlitzky mich...@orlitzky.com writes: The 'conntrack' module is supposed to be a superset of 'state', so most things should be compatible. You really have two warnings there; the first is for the state - conntrack switch, and the second is

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Matthias Hanft
Michael Orlitzky wrote: My first -m state rule is, iptables -A INPUT -p ALL -m state \ --state ESTABLISHED,RELATED -j ACCEPT That was mine, too (you can omit -p in this case, can't you?). And if what you say is true, I'd be in deep shit if it reset to, iptables -A INPUT -p ALL -m

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
On 12/27/12 12:52, Matthias Hanft wrote: Michael Orlitzky wrote: My first -m state rule is, iptables -A INPUT -p ALL -m state \ --state ESTABLISHED,RELATED -j ACCEPT That was mine, too (you can omit -p in this case, can't you?). Yeah, it just makes the indentation line up in my

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Walter Dnes
On Thu, Dec 27, 2012 at 11:28:15AM +, Graham Murray wrote The problem is not really the OP's fault. The problem is that if you have tables with the form -m state --state XXX at the point you upgrade, iptables-save (quite possibly called automatically by /etc/init.d/iptables stop) will

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
On 12/27/2012 06:11 PM, Walter Dnes wrote: On Thu, Dec 27, 2012 at 11:28:15AM +, Graham Murray wrote The problem is not really the OP's fault. The problem is that if you have tables with the form -m state --state XXX at the point you upgrade, iptables-save (quite possibly called

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Walter Dnes
On Thu, Dec 27, 2012 at 06:50:07PM -0500, Michael Orlitzky wrote Once you've upgraded, you should be able to add all of your old --state rules normally, albeit with a warning. The new iptables will translate them to conntrack rules, and you can `/etc/init.d/iptables save` the result. The

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
On 12/27/2012 10:59 PM, Walter Dnes wrote: Here's my revised Paranoia Plus ruleset. Any comments? Because I'm behind a NAT-ing ADSL router/modem, many of my rules rarely see hits. However, I do have a backup dialup connection in case of problems, so most of my rules don't specify the

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
I'm sure I made more than one typo, but the ALLOWED_ICMP below definitely needs a dollar sign. for ok_icmp in ALLOWED_ICMP; do iptables -A ICMP_IN -p icmp --icmp-type ${ok_icmp} -j ACCEPT done

[gentoo-user] IPTABLES syntax change?

2012-12-26 Thread Walter Dnes
Many years ago, I understood IPCHAINS, and the first versions of IPTABLES. However, IPTABLES has followed the example of Larry Wall's Practical Extraction and Reporting Language and turned into a pseudo-OS that I barely comprehend. Some rules that I added many years ago were designed to reject

Re: [gentoo-user] IPTABLES syntax change?

2012-12-26 Thread Michael Orlitzky
On 12/26/2012 07:47 PM, Walter Dnes wrote: Many years ago, I understood IPCHAINS, and the first versions of IPTABLES. However, IPTABLES has followed the example of Larry Wall's Practical Extraction and Reporting Language and turned into a pseudo-OS that I barely comprehend. Some rules

Re: [gentoo-user] iptables question...

2011-12-17 Thread Hari Purnama
On 12/16/11 22:17, Tanstaafl wrote: Hi all, I was reading up on some iptables rules in the gentoo security handbook: http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1chap=12style=printable It mentions DROPing packets with an INVALID state. It sounded/sounds like a good

Re: [gentoo-user] iptables question...

2011-12-17 Thread Tanstaafl
On 2011-12-17 11:34 AM, Hari Purnama h...@mapits.com wrote: Did you put the log-prefix rule before or after the LOG rule? After - the log prefix rule is last... Or why didn't you put it in a one-liner, say: -A INPUT -i eth0 -m state --state INVALID -j LOG --log-level 7 --log-prefix (fw-drop):

[gentoo-user] iptables question...

2011-12-16 Thread Tanstaafl
Hi all, I was reading up on some iptables rules in the gentoo security handbook: http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1chap=12style=printable It mentions DROPing packets with an INVALID state. It sounded/sounds like a good idea, so I added the following rule: -A

[gentoo-user] iptables - do I need the nat table?

2010-04-10 Thread Tanstaafl
Hello, This is on a server box, and I am *not* doing NAT on it... Do I even need the nat table? If not, I'd like to build the kernel without NAT support, but if there's a good reason not to do that, I won't... Thanks -- Charles

Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in -s and -d?

2010-04-09 Thread Stefan Schulte
Hi, you can define a rule like that: iptables -A FORWARD -s 192.168.235.43,192.168.235.46 -d 10.0.0.1,192.168.0.1 -j ACCEPT It will create 4 rules. Be sure to activate Networking support-Networking options-Network packet filtering framework-Core Netfilter Configuration-iprange address range

Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in -s and -d?

2010-04-06 Thread Kostyantyn
On Mon, 2010-04-05 at 19:32 +0200, Jarry wrote: Hi I'd like to ask if there is some way to include multiple discrete hosts/IP's in --source and --destination options of iptables. I'm trying to write firewall rules for my server, but it has 12 IP's from different segments (and maybe it

Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in -s and -d?

2010-04-06 Thread Alex Schuster
Jarry writes: I'd like to ask if there is some way to include multiple discrete hosts/IP's in --source and --destination options of iptables. I'm trying to write firewall rules for my server, but it has 12 IP's from different segments (and maybe it gets a few more later), and the script

[gentoo-user] iptables: how can I include multiple hosts/IPs in -s and -d?

2010-04-05 Thread Jarry
Hi, I'd like to ask if there is some way to include multiple discrete hosts/IPs in the --source and --destination options of iptables. I'm trying to write firewall rules for my server, but it has 12 IPs from different segments (and maybe it gets a few more later), and the script grows as I have

[gentoo-user] iptables firewall script

2009-07-17 Thread Dave
Hello, Can anyone good with iptables give this script a once over? It is working, but in a very inconsistent manner, sometimes it lets traffic in, other times not. Two things it does not have are dhcp rules, as this box gets its address via dhcp, and cifs rules, as this machine mounts cifs

Re: [gentoo-user] iptables firewall script

2009-07-17 Thread Mick
2009/7/17 Dave dave.meh...@gmail.com: Hello, Can anyone good with iptables give this script a once over? It is working, but in a very inconsistent manner, sometimes it lets traffic in, other times not. Two things it does not have are dhcp rules, as this box gets its address via dhcp

Re: [gentoo-user] iptables

2009-07-16 Thread Marco
Hi Dave, this one is rather informative: http://www.novell.com/coolsolutions/feature/18139.html Also, this one from gentoo (although for 2.4) is worth reading: http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml HTH! -- Regards, Marco On Thu, Jul 16, 2009 at 5:32 AM,

Re: [gentoo-user] iptables

2009-07-16 Thread Marco
Maybe this thread could be helpful as well: http://marc.info/?l=gentoo-userm=124058693215810w=2 -- Regards, Marco On Thu, Jul 16, 2009 at 10:41 AM, Marcolistwo...@gmail.com wrote: Hi Dave, this one is rather informative: http://www.novell.com/coolsolutions/feature/18139.html Also, this

Re: [gentoo-user] iptables

2009-07-16 Thread Alejandro
2009/7/16 Marco listwo...@gmail.com Maybe this thread could be helpful as well: http://marc.info/?l=gentoo-userm=124058693215810w=2 -- Regards, Marco On Thu, Jul 16, 2009 at 10:41 AM, Marcolistwo...@gmail.com wrote: Hi Dave, this one is rather informative:

Re: [gentoo-user] iptables

2009-07-16 Thread Nevynxxx
Alejandro wrote: On Thu, Jul 16, 2009 at 5:32 AM, Davedave.meh...@gmail.com mailto:dave.meh...@gmail.com wrote: Hello, I'm looking for a guide for iptables specifically for gentoo 2.6. I was also wondering if anyone was using apf Advanced

[gentoo-user] iptables

2009-07-15 Thread Dave
Hello, I'm looking for a guide for iptables specifically for gentoo 2.6. I was also wondering if anyone was using apf Advanced Policy Firewall on a gentoo 2008.0 2.6 machine? Thanks. Dave.

[gentoo-user] iptables + dansguardian + squid

2009-04-09 Thread Joseph
I was following this guide to set up a home filter: iptables, DansGuardian, and Squid. http://www.linux.com/articles/113733 In the past it worked, but when I try it now, e.g.: iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT iptables: No chain/target/match by that

Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Norberto Bensa
Chuanwen Wu wrote: I have tried setting all the gw in my subnet to 192.168.1.254 or 192.168.1.1. Isn't it all right? I don't know, it depends on what your gw's IP is. Let's say you have this setup: GW: 192.168.1.1 Other PCs are: 192.168.1.2... 192.168.1.3... and so on. On the GW you need:

Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Chuanwen Wu
2007/5/14, Norberto Bensa [EMAIL PROTECTED]: Chuanwen Wu wrote: I have tried setting all the gw in my subnet to 192.168.1.254 or 192.168.1.1. Is it all right? I don't know, it depends on what your gw's IP is. Let's say you have this setup: GW: 192.168.1.1 Other PCs are: 192.168.1.2...

Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Norberto Bensa
On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote: Thank you! I think I have done what you meant. Here is the information: /etc/conf.d/net in the server config_eth0=( 202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255 ) routes_eth0=( default gw 202.114.10.129 ) OK config_eth1=(

Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Dan Farrell
Greetings all. Hope the weather in Beijing is pleasant, Mr Wu. On Mon, 14 May 2007 11:58:34 -0300 (ART) Norberto Bensa [EMAIL PROTECTED] wrote: On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote: Thank you! I think I have done what you meant. Here is the information: /etc/conf.d/net in

Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Chuanwen Wu
Thanks Norberto and Dan Farrell! I think I had a misunderstanding and made some mistakes. I hope I have corrected it now. /etc/conf.d/net in the server config_eth0=( 202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255 ) routes_eth0=( default gw 202.114.10.129 ) config_eth1=( 192.168.1.1 netmask

Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Dan Farrell
On Tue, 15 May 2007 10:35:38 +0800 Chuanwen Wu [EMAIL PROTECTED] wrote: Does it mean that eth1 (the interface in my subnet) receives the request but doesn't forward it? Perhaps you should attach the output of iptables -t nat -L -v; iptables -L -v; so I can see the rules... while you're at it,

Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Chuanwen Wu
2007/5/15, Dan Farrell [EMAIL PROTECTED]: On Tue, 15 May 2007 10:35:38 +0800 Chuanwen Wu [EMAIL PROTECTED] wrote: Does it mean that eth1 (the interface in my subnet) receives the request but doesn't forward it? Perhaps you should attach the output of iptables -t nat -L -v; iptables -L -v;

[gentoo-user] iptables configuration problem

2007-05-13 Thread Chuanwen Wu
Hi, guys! I use iptables to let the PCs in the subnet connect to the internet outside. And I wrote a simple script, but it doesn't work: #!/bin/sh iptables -F #Define packets from Internet server to Intranet iptables -A FORWARD -d 198.168.1.0/24 -i eth0 -j ACCEPT #Define packets from Intranet to

Re: [gentoo-user] iptables configuration problem

2007-05-13 Thread Fabio A Correa
Hello Wu, Instead of the commands you posted, you should use echo 1 > /proc/sys/net/ipv4/ip_forward iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE Long explanation: The first command enables the kernel to _forward_ packets from

Re: [gentoo-user] iptables configuration problem

2007-05-13 Thread Chuanwen Wu
2007/5/13, Fabio A Correa [EMAIL PROTECTED]: Hello Wu, Instead of the commands you posted, you should use echo 1 > /proc/sys/net/ipv4/ip_forward iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE I have tried. But it still does not work.

Re: [gentoo-user] iptables configuration problem

2007-05-13 Thread Norberto Bensa
Chuanwen Wu wrote: Chain POSTROUTING (policy ACCEPT) target prot opt source destination MASQUERADE all -- 192.168.1.0/24 anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination

Re: [gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 - 2.6.20-r6) SOLVED

2007-04-22 Thread Dan Johansson
On Saturday 21 April 2007 20:34, Mark Shields wrote: On 4/21/07, Dan Johansson [EMAIL PROTECTED] wrote: On Saturday 21 April 2007 15:53, Uwe Thiem wrote: On 21 April 2007, Dan Johansson wrote: After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my firewall won't start

[gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 - 2.6.20-r6)

2007-04-21 Thread Dan Johansson
After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my firewall (shorewall) won't start. Here's the error: iptables: Invalid argument ERROR: Command /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Failed I'm getting the same error message when I try
