[gentoo-user] iptables broken

2022-02-11 Thread flzdjhmtax


Something recent (perhaps this update to libnftnl) broke iptables.
Re-emerging it fixed the problem.

Fri Feb 11 07:45:54 2022 >>> net-libs/libnftnl-1.2.1

iptables started giving errors such as this:

/sbin/iptables -A BASE_INPUT_CHAIN -m conntrack --ctstate ESTABLISHED -j ACCEPT
ERROR (2): iptables v1.8.7 (legacy): Couldn't load match `conntrack':No such file or directory

Don't reboot (or restart the firewall on) any servers, in particular
remote ones, before ensuring that your install of iptables is working.


-- 
Alan J. Wylie  https://www.wylie.me.uk/

Dance like no-one's watching. / Encrypt like everyone is.
Security is inversely proportional to convenience



Re: [gentoo-user] iptables wiki page questions

2020-08-14 Thread Alexey Mishustin
Sat, 15 Aug 2020 at 01:34, tastytea :

> Note that, if you set rc_depend_strict="NO" in /etc/rc.conf, the
> dependency “net” is satisfied if only one net.* service is started.

If I remember correctly, it happened sometimes that iptables loaded
after net.eth0 service even with rc_depend_strict="YES" in
/etc/rc.conf (iptables in default runlevel), and I changed one line in
/etc/init.d/net.eth0:
-after net.lo ...
+after net.lo ... iptables
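Review bot: the ordering fix works, but it is made by hand-editing /etc/init.d/net.eth0, a file owned by the package, so it is lost or produces a conflict the next time that package is updated. OpenRC reads per-service dependency overrides from the service's conf.d file, so `rc_after="iptables"` in /etc/conf.d/net.eth0 gives the same `after net.lo ... iptables` ordering without touching the init script.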
I think it does not harm :)

...The option, important for saving iptables state, is:
SAVE_ON_STOP="yes" in /etc/conf.d/iptables.
It's so by default, AFAIK.

-- 
Best regards,
Alex



Re: [gentoo-user] iptables wiki page questions

2020-08-14 Thread tastytea
On 2020-08-14 22:17- Grant Edwards wrote:

> […]
> ### "rc-service iptables" vs. "/etc/init.d/iptables"

rc-service runs the same service scripts that are in /etc/init.d/, so
it's the same. However the manpage of rc-service(8) mentions that
“Service scripts could be in different places on different systems”, so
the most compatible way would be to use rc-service.

> […]
> At the top of the page, rules are loaded by adding 'iptables' to the
> runlevel 'default', while at the bottom of the page, the 'boot'
> runlevel is used instead.
> 
> Is there some significance to these differences?

I would use the same runlevel I use for net.*. iptables will always be
started before net.*, see depend() in /etc/init.d/iptables.
Note that, if you set rc_depend_strict="NO" in /etc/rc.conf, the
dependency “net” is satisfied if only one net.* service is started. In
this case you may want to put iptables in ‘boot’ and net.* in ‘default’.

Kind regards, tastytea





[gentoo-user] iptables wiki page questions

2020-08-14 Thread Grant Edwards
I read through the iptables wiki page this afternoon to refresh my
memory on how you save rules so they get load on startup.

  https://wiki.gentoo.org/wiki/Iptables

There are some inconsistencies which I'm curious about.

### "rc-service iptables" vs. "/etc/init.d/iptables"

Most of the page's examples use "rc-service iptables " but in a
few spots it is "/etc/init.d/iptables ".

### boot vs. default runlevel

At the top of the page, rules are loaded by adding 'iptables' to the
runlevel 'default', while at the bottom of the page, the 'boot'
runlevel is used instead.

Is there some significance to these differences?

--
Grant








Re: [gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Peter Humphrey
On Wednesday, 24 October 2018 15:30:06 BST Peter Humphrey wrote:
> On Wednesday, 24 October 2018 12:52:24 BST Neil Bothwick wrote:
> > On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote:
> > > Today's update of iptables to 1.8.1 failed here because I didn't have
> > > USE=nftables set. After setting that in package.use it was fine. Before
> > > I submit a bug report, though, I'd like to understand one thing:
> > > 
> > > $ grep nftables $(equery w iptables)
> > > IUSE="conntrack ipv6 netlink nftables pcap static-libs"
> > > 
> > > nftables? (
> > > nftables? (
> > > nftables? ( net-misc/ethertypes )
> > > 
> > > $(use_enable nftables)
> > > 
> > > use nftables && emake -C iptables xtables-config-parser.h
> > > if use nftables; then
> > > 
> > > Shouldn't that IUSE entry be enough to pull in nftables?
> > 
> > No, IUSE simply lists the USE flags relevant to the ebuild. The
> > dependencies are set in DEPEND, which contains
> > 
> > nftables? (
> > 
> > sys-devel/flex
> > virtual/yacc
> > 
> > )
> > 
> > It sounds like nftables should be in there too. This is with 1.8.0-r1,
> > which is the latest I have here after syncing at 0720 today.
> 
> It's 1.8.1 here. All three DEPEND stanzas (DEPEND, RDEPEND and
> COMMON_DEPEND) have nftables? conditions, but nowhere is nftables made a
> requirement, even though the package won't compile without it.
> 
> Bug report https://bugs.gentoo.org/669498 submitted.

... and marked as a duplicate of 669486, which didn't show up in my searches.

-- 
Regards,
Peter.






Re: [gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Peter Humphrey
On Wednesday, 24 October 2018 12:52:24 BST Neil Bothwick wrote:
> On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote:
> > Today's update of iptables to 1.8.1 failed here because I didn't have
> > USE=nftables set. After setting that in package.use it was fine. Before
> > I submit a bug report, though, I'd like to understand one thing:
> > 
> > $ grep nftables $(equery w iptables)
> > IUSE="conntrack ipv6 netlink nftables pcap static-libs"
> > 
> > nftables? (
> > nftables? (
> > nftables? ( net-misc/ethertypes )
> > 
> > $(use_enable nftables)
> > 
> > use nftables && emake -C iptables xtables-config-parser.h
> > if use nftables; then
> > 
> > Shouldn't that IUSE entry be enough to pull in nftables?
> 
> No, IUSE simply lists the USE flags relevant to the ebuild. The
> dependencies are set in DEPEND, which contains
> 
> nftables? (
> sys-devel/flex
> virtual/yacc
> )
> 
> It sounds like nftables should be in there too. This is with 1.8.0-r1,
> which is the latest I have here after syncing at 0720 today.

It's 1.8.1 here. All three DEPEND stanzas (DEPEND, RDEPEND and COMMON_DEPEND) 
have nftables? conditions, but nowhere is nftables made a requirement, even 
though the package won't compile without it.

Bug report https://bugs.gentoo.org/669498 submitted.

-- 
Regards,
Peter.






Re: [gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Neil Bothwick
On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote:

> Today's update of iptables to 1.8.1 failed here because I didn't have 
> USE=nftables set. After setting that in package.use it was fine. Before
> I submit a bug report, though, I'd like to understand one thing:
> 
> $ grep nftables $(equery w iptables)
> IUSE="conntrack ipv6 netlink nftables pcap static-libs"
> nftables? (
> nftables? (
> nftables? ( net-misc/ethertypes )
> $(use_enable nftables)
> use nftables && emake -C iptables xtables-config-parser.h
> if use nftables; then
> 
> Shouldn't that IUSE entry be enough to pull in nftables?

No, IUSE simply lists the USE flags relevant to the ebuild. The
dependencies are set in DEPEND, which contains

nftables? (
sys-devel/flex
virtual/yacc
)

It sounds like nftables should be in there too. This is with 1.8.0-r1,
which is the latest I have here after syncing at 0720 today.


-- 
Neil Bothwick

Q:  Why is top-posting evil?
A: backwards read don't humans because




[gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Peter Humphrey
Hello list,

Today's update of iptables to 1.8.1 failed here because I didn't have 
USE=nftables set. After setting that in package.use it was fine. Before I 
submit a bug report, though, I'd like to understand one thing:

$ grep nftables $(equery w iptables)
IUSE="conntrack ipv6 netlink nftables pcap static-libs"
nftables? (
nftables? (
nftables? ( net-misc/ethertypes )
$(use_enable nftables)
use nftables && emake -C iptables xtables-config-parser.h
if use nftables; then

Shouldn't that IUSE entry be enough to pull in nftables?

-- 
Regards,
Peter.






Re: [gentoo-user] IPTABLES

2015-12-29 Thread lee
"siefke_lis...@web.de"  writes:

> Hello,
>
> I try to run iptables, block bad IPs and close off the system.
>
> I want to run a firewall which blocks all INPUT and only ALLOWs the services I defined.
> I want to use ipset to block spam IPs; that is surely nicer than ever setting rules
> manually.

After reading a good iptables tutorial, you may want to take a look at
shorewall and its documentation.

If you're referring to IP addresses from which you receive emails that
are spam, I'd recommend getting familiar with exim and perhaps
spamassassin.  For extreme cases, you might want to use something like
fail2ban.



Re: [gentoo-user] IPTABLES

2015-12-24 Thread siefke_lis...@web.de
Hello,

On Thu, 24 Dec 2015 15:11:55 +0300 Andrew Savchenko
 wrote:

> ...
> It is a bit old and isn't an ultimate description of all
> iptables features (you have manuals for that), but will give you a
> good understanding of how packet flow works and how they should be
> processed.
> ...

Thank you for your information; now I know more about where I am.


Silvio

Silvio Siefke




Re: [gentoo-user] IPTABLES

2015-12-24 Thread Andrew Savchenko
Hi,

On Tue, 22 Dec 2015 22:45:12 +0100 siefke_lis...@web.de wrote:
> I try to run iptables, block bad IPs and close off the system.
>
> I want to run a firewall which blocks all INPUT and only ALLOWs the services I defined.
> I want to use ipset to block spam IPs; that is surely nicer than ever setting rules
> manually.
>
> I'm not so sure it is okay; I have tried and read, but in the end I often kick myself out
> of the root server. So better to ask what the Gentoo pros say.
> 
> The Firewall Script > http://pastebin.com/b3305i41

I recommend you read a good tutorial first, e.g. this one:
https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

It is a bit old and isn't an ultimate description of all
iptables features (you have manuals for that), but will give you a
good understanding of how packet flow works and how they should be
processed.

I see three main problems with your current rules:

1. ESTABLISHED,RELATED packets are not accepted in the INPUT. You
will have legitimate traffic blocked because of that.

2. Rules are vulnerable to SYN/ACK attack (see manual above on how
to fix this). FORWARDed traffic is not protected at all (are tun+
interfaces completely trusted?).

3. Rules are far from being optimal, e.g. instead of having many
entries for each accepted port, you can write just two rules
using the multiport target: one for tcp and another one for udp. This
way your rules will be much faster. Also you should consider proper
ordering of rules: those with higher hit rate should go first if
this doesn't impact the security scheme.

There are minor issues of course, like the blacklist check coming late in the
rules (it should be one of the first, otherwise blacklisted hosts
will be allowed to connect to your open services).

For remote debugging I recommend a small script like:
./iptables-current; sleep 1m; iptables-good

where iptables-current is the script with your current rules you
want to test and iptables-good are tested rules which work for you.
This way, if you screw up the current rules and remote control
is lost, in a minute the good old rules will be applied. Of
course, you should terminate this command with ^C if the new rules are
good, so that the old ones will not be fired in a minute.

Best regards,
Andrew Savchenko
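A fail-safe version of the `./iptables-current; sleep 1m; iptables-good` idea above, as an added example (not Andrew's code and not part of any project). It assumes both rulesets are iptables-save format files loaded with iptables-restore (whose --test option parses without committing) and that it is run as root on the host whose firewall is being changed; the `load` and `confirm` parameters are hypothetical hooks so the decision logic can be exercised without a real firewall.

```python
"""Fail-safe loader for iptables-restore files: a generalisation of the
`./iptables-current; sleep 1m; iptables-good` idea above.  Added example, not
from the thread.  The candidate ruleset is parsed with `iptables-restore --test`,
applied, and then rolled back to the known-good file unless the operator
confirms within a timeout.  Run as root: python3 safe_apply.py NEW GOOD [SECS]"""
import select
import subprocess
import sys


def load_ruleset(path, test_only=False, runner=subprocess.run):
    """Feed PATH to iptables-restore; with test_only, parse but do not commit.
    A broken iptables install (e.g. "Couldn't load match `conntrack'") fails
    here, before any rule is touched on the remote box."""
    cmd = ["iptables-restore"] + (["--test"] if test_only else [])
    with open(path, "rb") as fh:
        return runner(cmd, stdin=fh).returncode == 0


def wait_for_confirmation(timeout, stream=sys.stdin):
    """True if the operator types 'y' within TIMEOUT seconds (POSIX select).
    A dropped SSH session closes stdin, reads '', and therefore rolls back."""
    print(f"Rules applied; type 'y' within {timeout}s to keep them, else rollback.")
    ready, _, _ = select.select([stream], [], [], timeout)
    return bool(ready) and stream.readline().strip().lower() in ("y", "yes")


def apply_with_rollback(candidate, good, timeout=60,
                        load=load_ruleset, confirm=wait_for_confirmation):
    """Returns 'rejected', 'failed', 'kept' or 'rolled-back'.  `load` and
    `confirm` are injectable (hypothetical hooks) so the decision logic can be
    exercised without touching a real firewall."""
    if not load(candidate, test_only=True):
        return "rejected"          # parse/extension error; nothing was changed
    if not load(candidate):
        load(good)                 # make the firewall state explicit again
        return "failed"
    if confirm(timeout):
        return "kept"
    load(good)                     # no answer: assume we are locked out
    return "rolled-back"


if __name__ == "__main__":
    secs = int(sys.argv[3]) if len(sys.argv) > 3 else 60
    outcome = apply_with_rollback(sys.argv[1], sys.argv[2], secs)
    print(outcome)
    sys.exit(0 if outcome == "kept" else 1)
```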




[gentoo-user] IPTABLES

2015-12-22 Thread siefke_lis...@web.de
Hello,

I try to run iptables, block bad IPs and close off the system.

I want to run a firewall which blocks all INPUT and only ALLOWs the services I defined.
I want to use ipset to block spam IPs; that is surely nicer than ever setting rules
manually.

I'm not so sure it is okay; I have tried and read, but in the end I often kick myself out
of the root server. So better to ask what the Gentoo pros say.

The Firewall Script > http://pastebin.com/b3305i41


Thank you for help & Nice Day

Silvio Siefke




Re: [gentoo-user] iptables tunneling a chrooted Linux?

2015-08-15 Thread Rich Freeman
On Sat, Aug 15, 2015 at 2:53 AM, Andrew Savchenko birc...@gentoo.org wrote:

> On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote:
> > on my Android tablet I have installed a Gentoo rootfs.
> > I can start this by chrooting it after Android has booted.
> > Via xvnc I can connect from a running Android to the also
> > running Gentoo Linux.
> > If I set up a firewall as root (the Android is rooted) while
> > I am in the chrooted Linux, these firewall settings have to be
> > active also in the Android environment, right?
> > Or vice versa: I can track any network traffic of the Android
> > OS inside my chrooted Linux, right?
> >
> > One kernel to rule them all...?
>
> If this is only chroot, you have to set all iptables rules (and
> other network configuration) in the host system environment (on
> Android).

A bit of clarification here:  Chroots and their hosts share the same
network configuration.  So, if you configure an iptables rule in the
chroot, it affects the host, and vice-versa.  That means you can set
things up on either side, as long as you're talking about kernel-space
settings (iptables, iproute2, etc).  If you're touching resolv.conf or
/etc/hosts that of course needs to be done in both places.

> If you are using LXC or other container...then you have to set up network
> inside container and
> bridge/route it with the host system.

If you're using containers, the network namespace can be shared or
not.  If the namespace is shared, then it behaves the same as a chroot
with regard to the network, iptables, etc.  If the network namespace
is not shared then the container gets its own interface, and there are
a lot of options for how you go from there.  Usually you just bridge a
virtual ethernet interface to the host, but if you have multiple
physical interfaces you could have each namespace have its own
physical interface (I have no idea if the cell network vs wifi network
interfaces are separated in android).  You could set iptables either
on the bridge on the host (which MUST be done from the host), or on
the virtual interface in the container, and each set of rules affects
the packets that go through it.  Also, if you're bridging your
container will have a different IP, so you might need NAT on the host
if your cell provider blocks multiple DHCP assignments to the same
device.

I actually have openvpn running in a container and it acts as the
gateway for my network (everything else just sees it as a standard
router, including the host).  That does need some iproute2 magic if
your host ends up also servicing non-vpn traffic since it is
multi-networked.  It would be easier to set up on a phone.

-- 
Rich



Re: [gentoo-user] iptables tunneling a chrooted Linux?

2015-08-15 Thread Andrew Savchenko
Hi,

On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote:
> on my Android tablet I have installed a Gentoo rootfs.
> I can start this by chrooting it after Android has booted.
> Via xvnc I can connect from a running Android to the also
> running Gentoo Linux.
> If I set up a firewall as root (the Android is rooted) while
> I am in the chrooted Linux, these firewall settings have to be
> active also in the Android environment, right?
> Or vice versa: I can track any network traffic of the Android
> OS inside my chrooted Linux, right?
>
> One kernel to rule them all...?

If this is only chroot, you have to set all iptables rules (and
other network configuration) in the host system environment (on
Android). If you are using LXC or other container, involving
network namespace separation (not sure this is doable on Android,
kernel must support NET_NS as well as userspace tools should
support this), then you have to set up network inside container and
bridge/route it with the host system.

Best regards,
Andrew Savchenko




Re: [gentoo-user] iptables tunneling a chrooted Linux?

2015-08-15 Thread Meino . Cramer
Rich Freeman ri...@gentoo.org [15-08-15 13:04]:
> On Sat, Aug 15, 2015 at 2:53 AM, Andrew Savchenko birc...@gentoo.org wrote:
>
> > On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote:
> > > on my Android tablet I have installed a Gentoo rootfs.
> > > I can start this by chrooting it after Android has booted.
> > > Via xvnc I can connect from a running Android to the also
> > > running Gentoo Linux.
> > > If I set up a firewall as root (the Android is rooted) while
> > > I am in the chrooted Linux, these firewall settings have to be
> > > active also in the Android environment, right?
> > > Or vice versa: I can track any network traffic of the Android
> > > OS inside my chrooted Linux, right?
> > >
> > > One kernel to rule them all...?
> >
> > If this is only chroot, you have to set all iptables rules (and
> > other network configuration) in the host system environment (on
> > Android).
>
> A bit of clarification here:  Chroots and their hosts share the same
> network configuration.  So, if you configure an iptables rule in the
> chroot, it affects the host, and vice-versa.  That means you can set
> things up on either side, as long as you're talking about kernel-space
> settings (iptables, iproute2, etc).  If you're touching resolv.conf or
> /etc/hosts that of course needs to be done in both places.
>
> > If you are using LXC or other container...then you have to set up network
> > inside container and
> > bridge/route it with the host system.
>
> If you're using containers, the network namespace can be shared or
> not.  If the namespace is shared, then it behaves the same as a chroot
> with regard to the network, iptables, etc.  If the network namespace
> is not shared then the container gets its own interface, and there are
> a lot of options for how you go from there.  Usually you just bridge a
> virtual ethernet interface to the host, but if you have multiple
> physical interfaces you could have each namespace have its own
> physical interface (I have no idea if the cell network vs wifi network
> interfaces are separated in android).  You could set iptables either
> on the bridge on the host (which MUST be done from the host), or on
> the virtual interface in the container, and each set of rules affects
> the packets that go through it.  Also, if you're bridging your
> container will have a different IP, so you might need NAT on the host
> if your cell provider blocks multiple DHCP assignments to the same
> device.
>
> I actually have openvpn running in a container and it acts as the
> gateway for my network (everything else just sees it as a standard
> router, including the host).  That does need some iproute2 magic if
> your host ends up also servicing non-vpn traffic since it is
> multi-networked.  It would be easier to set up on a phone.
>
> --
> Rich

Hi Andrew, hi Rich,

thanks for your replies! 8)

Android has a problem: apps/applications for the masses, with
advanced features broken down to a few coloured buttons to press.
Sounds a little pessimistic... it is not. It's only the sound of
frustration.

I want to block out the man (goo...) in the middle while copying
files from my PC to my tablet and vice versa via wifi. As soon as the
wifi is switched on, my tablet starts talking to persons I have never
known (goo...).

So I installed some Android firewalls and an Android SFTP server.
No go... all firewalls I tried block all incoming traffic and there
is no switch to deactivate or define it better.
Some SFTP server applications even stop working if they cannot
phone home.

Last chance: install a fully functional chrooted Linux, set up
some handcrafted iptables/ipset/sidmat stuff (which I still have
to do) and... get a "Yes, network is shared on kernel level" as the answer
from this thread. :)
And I got this answer... YEAH! :))

Thanks a lot for your help!!!
Best regards and have a nice weekend!
Meino





Re: [gentoo-user] iptables tunneling a chrooted Linux?

2015-08-15 Thread Rich Freeman
On Sat, Aug 15, 2015 at 7:45 AM,  meino.cra...@gmx.de wrote:
> Last chance: install a fully functional chrooted Linux, set up
> some handcrafted iptables/ipset/sidmat stuff (which I still have
> to do) and... get a "Yes, network is shared on kernel level" as the answer
> from this thread. :)
> And I got this answer... YEAH! :))


Yup.  If your goal is to block outgoing connections to selected IPs
then you just need to have iptables/etc installed.  Doing it from a
chroot is probably as good a solution as any.  You could also go the
prefix route, though that is trickier.  Neither is any better, so I'd
stick with simple and use the chroot.

-- 
Rich



[gentoo-user] iptables tunneling a chrooted Linux?

2015-08-14 Thread Meino . Cramer
Hi,

on my Android tablet I have installed a Gentoo rootfs.
I can start this by chrooting it after Android has booted.
Via xvnc I can connect from a running Android to the also
running Gentoo Linux.
If I set up a firewall as root (the Android is rooted) while
I am in the chrooted Linux, these firewall settings have to be
active also in the Android environment, right?
Or vice versa: I can track any network traffic of the Android
OS inside my chrooted Linux, right?

One kernel to rule them all...?

(I am asking beforehand, because I don't want to screw up the
Android side of the system... I am not yet that familiar
with this...)

What do you think?

Best regards,
Meino





Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-31 Thread Pandu Poluan
On Dec 30, 2013 7:31 PM, shawn wilson ag4ve...@gmail.com wrote:

> Minor additions to what Pandu said...
>
> On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan pa...@poluan.info wrote:
> > On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl tansta...@libertytrek.org
> > wrote:
> >
> > The numbers within [brackets] are statistics/counters. Just replace
> > them with [0:0], unless you really really really have a good reason to
> > not start counting from 0...
>
> AFAIK, there's no reason this shouldn't always be set to 0. If you want
> to keep your counter do --noflush
>
> > NOTE: In that ServerFault posting, I suggested using the anti-attack
> > rules in -t raw -A PREROUTING. This saves a great deal of processing,
> > because the raw table is just that: raw, unadulterated, unanalyzed
> > packets. The CPU assumes nothing, it merely tries to match well-known
> > fields' values.
>
> And because nothing is assumed, you can't prepend a conntrack rule. I
> can't think of why you'd ever want those packets (and I should
> probably move at least those 4 masks to raw) but just an FYI - no
> processing means no processing.
>
> Also see nftables: http://netfilter.org/projects/nftables/


Very interesting... were they aiming for something similar to *BSD's pf
firewall?

I personally prefer iptables-style firewall; no guessing about how a state
machine will respond in strange situations. Especially since I greatly
leverage ipset and '-m condition' (part of xtables-addons), which might or
might not be fully supported by nftables.

Rgds,
--


Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-31 Thread shawn wilson
On Tue, Dec 31, 2013 at 9:08 AM, Pandu Poluan pa...@poluan.info wrote:

> On Dec 30, 2013 7:31 PM, shawn wilson ag4ve...@gmail.com wrote:
>
> > Minor additions to what Pandu said...
> >
> > On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan pa...@poluan.info wrote:
> > > On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl tansta...@libertytrek.org
> > > wrote:
> > >
> > > The numbers within [brackets] are statistics/counters. Just replace
> > > them with [0:0], unless you really really really have a good reason to
> > > not start counting from 0...
> >
> > AFAIK, there's no reason this shouldn't always be set to 0. If you want
> > to keep your counter do --noflush
> >
> > > NOTE: In that ServerFault posting, I suggested using the anti-attack
> > > rules in -t raw -A PREROUTING. This saves a great deal of processing,
> > > because the raw table is just that: raw, unadulterated, unanalyzed
> > > packets. The CPU assumes nothing, it merely tries to match well-known
> > > fields' values.
> >
> > And because nothing is assumed, you can't prepend a conntrack rule. I
> > can't think of why you'd ever want those packets (and I should
> > probably move at least those 4 masks to raw) but just an FYI - no
> > processing means no processing.
> >
> > Also see nftables: http://netfilter.org/projects/nftables/
>
> Very interesting... were they aiming for something similar to *BSD's pf
> firewall?


IDK (I think I remember reading that, but maybe I was just dreaming as
I can't recall where), but that's sorta what it's looking like at this
point.

> I personally prefer iptables-style firewall; no guessing about how a state
> machine will respond in strange situations. Especially since I greatly
> leverage ipset and '-m condition' (part of xtables-addons), which might or
> might not be fully supported by nftables.


pf is easier to learn. I use iptables much more, but if I need to do
something with pf, it wouldn't take me very long to re-learn what's
going on, so that's sorta a plus for pf. IIRC, nftables is supposed to
be backward compatible. But will module x work? I hope they didn't
go and break stuff too much :)



Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-30 Thread Tanstaafl

On 2013-12-29 1:39 PM, shawn wilson ag4ve...@gmail.com wrote:

> On Sun, Dec 29, 2013 at 1:07 PM, Tanstaafl tansta...@libertytrek.org wrote:
> > Hi all,
> >
> > Ok, I'm setting up a new server, and I'd like to rethink my iptables rules.
> >
> > I'd like to start with something fairly simple:
> >
> > 1. Allow connections from anywhere ONLY to certain ports
> >
> > ie, for encrypted IMAP/SMTP connections from users
> >
> > 2. Allow connections from only certain IP addresses to certain ports
> >
> > ie, for limiting SSH access
>
> I'd reverse the order that #1 and #2 appear.

Well, I was just writing that as a general description. Looking in the rules

> > 3. DROP ALL other connection attempts
> >
> > ie, I don't want to see these disallowed attempts in the logs
> >
> > In order to keep my rules more manageable, I have a commented text file that
> > I manually edit whenever modifying my rules, then I do an 'iptables-restore
> >  /path/to/iptables-rules' to update them.
> >
> > My first question is about a trick I learned some time ago (but don't
> > remember where)...
> >
> > For the ports for which I want to allow only restricted access, I have
> > something like:
> >
> > ###
> > # bgn exceptions blocks
> > ###
> > :f_22_I - [0:0]
> > :f_25_I - [0:0]
> > :f_22_O - [0:0]
> > :f_25_O - [0:0]
> >
> > Am I correct that the above are what are called 'chains' in iptables speak?
>
> That defines non-kernel chains but you still need to jump to them from
> INPUT/OUTPUT or whatever. So, something like:
> -A -m tcp -p tcp --dport 22 --sport 1024:65535 -j f_22_I

Well, yeah... I didn't post my entire ruleset... ;)
^ I just

> > And am I also correct that the above adds each rule to the named chain in
> > order, and that the order is significant?
>
> Yep - like ACLs, rules are processed from top down. ACCEPT, REJECT,
> and DROP are end points when they match.

Good, thanks.

> > Then... assuming that I have all of the specific rules after these set up to
> > allow just the traffic I want, and I wanted to add a final rule that just
> > silently DROPped all other inbound connection attempts, it would be:
> >
> > -A INPUT -j DROP
>
> What you're looking for is the policy which are by default ACCEPT on
> all kernel rules and which you change in the save file with something
> like this:
> :INPUT DROP [0:0]
>
> And, just so that there's no confusion, you should state the policy of
> OUTPUT and FORWARD at the top of your save file along with INPUT - see
> the output of iptables-save as an example of what your file should
> look like.

Ok, well, maybe I should have posted my entire ruleset...

I have this above where I define my chains:

#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#

Does it matter where this goes?

And then above that, I have something else that I've never understood:

*mangle
:PREROUTING ACCEPT [1378800222:449528056411]
:INPUT ACCEPT [1363738727:447358082301]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1221121261:1103241097263]
:POSTROUTING ACCEPT [1221116979:1103240864155]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

> Also, if you're creating a chain just to do the same thing with
> different addresses, look at using ipset. Then you just:
> ipset create ssh_in iphash
> ipset add ssh_in 1.2.3.4
>
> and then this works:
> -A -m set --match-set ssh_in src -j ACCEPT
>
> ipset has the same save/load type things as ipt (minor differences
> with how you handle reload, but google or ask if you want to know).
> The set needs to be in place before the ipt rule is added, so ipset
> comes first in your boot sequence.

Thanks, looks interesting and useful...

So much to learn, so little time... ;)
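A small linter for the iptables-save format being walked through in this exchange (the `*table` header, `:CHAIN POLICY [pkts:bytes]` declarations, the rules, and `COMMIT`), as an added example that is not code from the thread or from the iptables project. The lint rules encode the points made here: declarations before rules, zero counters, user chains must be jumped to from a built-in chain, built-in chains carry the policy; plus the ESTABLISHED,RELATED check raised in the 2015 thread on this page. The sample ruleset is constructed (192.0.2.10 is a documentation address) and the target list is my own, not exhaustive.

```python
"""Lint an iptables-save style file before feeding it to iptables-restore.
Added example, not from the thread.  Checks: declarations precede rules, built-in
chains take ACCEPT/DROP and user chains '-', every -A/-j names a declared chain (or
known target), user chains are jumped to, counters are [0:0], every table has
COMMIT, and a DROP-policy INPUT still accepts ESTABLISHED,RELATED."""
import re
import shlex

BUILTIN_CHAINS = {"filter": {"INPUT", "FORWARD", "OUTPUT"}, "raw": {"PREROUTING", "OUTPUT"},
                  "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
                  "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}}
KNOWN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "NFLOG", "MASQUERADE",
                 "SNAT", "DNAT", "REDIRECT", "MARK", "NFQUEUE"}   # not exhaustive
CHAIN_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|-)\s+\[(\d+):(\d+)\]$")


def _opt(argv, *names):
    """Value following the first option in *names, or None."""
    for i, tok in enumerate(argv[:-1]):
        if tok in names:
            return argv[i + 1]
    return None


def parse_ruleset(text):
    """Split the file into tables: {name, chains, rules, committed}."""
    tables, cur = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # *filter, *mangle, ...
            cur = {"name": line[1:], "chains": {}, "rules": [], "committed": False}
            tables.append(cur)
        elif cur is None:
            raise ValueError(f"line {lineno}: {line!r} is outside any *table block")
        elif line == "COMMIT":                         # atomic end of the table
            cur["committed"], cur = True, None
        elif (m := CHAIN_RE.match(line)):              # :NAME POLICY [pkts:bytes]
            name, policy, pkts, byts = m.groups()
            cur["chains"][name] = {"policy": policy, "pkts": int(pkts), "bytes": int(byts),
                                   "line": lineno, "after_rule": bool(cur["rules"])}
        else:                                          # -A CHAIN ... -j TARGET
            cur["rules"].append((lineno, shlex.split(line)))
    return tables


def lint(text):
    """Return a list of human-readable problems (empty list means clean)."""
    problems = []
    for t in parse_ruleset(text):
        tname, chains, rules = t["name"], t["chains"], t["rules"]
        builtin = BUILTIN_CHAINS.get(tname, set())
        if not t["committed"]:
            problems.append(f"table {tname}: no COMMIT, nothing would be applied")
        for cname, c in chains.items():
            want = "ACCEPT/DROP" if cname in builtin else "-"
            if c["after_rule"]:
                problems.append(f"line {c['line']}: chain {cname} declared after a rule")
            if (cname in builtin) != (c["policy"] != "-"):
                problems.append(f"line {c['line']}: chain {cname} must use policy {want}")
            if c["pkts"] or c["bytes"]:
                problems.append(f"line {c['line']}: chain {cname} keeps counters, use [0:0]")
        jumped, accepts_established = set(), False
        for lineno, argv in rules:
            chain = _opt(argv, "-A", "--append", "-I", "--insert")
            if chain not in chains:
                problems.append(f"line {lineno}: rule for undeclared chain {chain!r}")
            target = _opt(argv, "-j", "--jump", "-g", "--goto")
            if target is not None:
                jumped.add(target)
                if target not in chains and target not in KNOWN_TARGETS:
                    problems.append(f"line {lineno}: jump to unknown target {target!r}")
            state = _opt(argv, "--ctstate", "--state") or ""
            accepts_established |= target == "ACCEPT" and "ESTABLISHED" in state.split(",")
        for cname in chains:                           # declared but never reached
            if cname not in builtin and cname not in jumped:
                problems.append(f"table {tname}: user chain {cname} is never jumped to")
        if (tname == "filter" and not accepts_established
                and chains.get("INPUT", {}).get("policy") == "DROP"):
            problems.append("table filter: INPUT drops by default but nothing accepts ESTABLISHED,RELATED")
    return problems


def reset_counters(text):
    """Zero every [pkts:bytes] counter so restored chains start from 0."""
    return re.sub(r"\[\d+:\d+\]", "[0:0]", text)


# Constructed sample modelled on this thread.  Expect three findings: stale
# PREROUTING counters, f_25_I never used, INPUT dropping replies to its own traffic.
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [1378800222:449528056411]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:f_22_I - [0:0]
:f_25_I - [0:0]
-A f_22_I -s 192.0.2.10 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j f_22_I
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
COMMIT
"""
```

Run `lint(open("/path/to/iptables-rules").read())` on your own file before the reboot; an empty list is the goal.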



Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-30 Thread Pandu Poluan
On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl tansta...@libertytrek.org wrote:


[-- LE SNIP --]

> Ok, well, maybe I should have posted my entire ruleset...
>
> I have this above where I define my chains:
>
> #
> *filter
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> #
>
> Does it matter where this goes?


Yes. Chain declarations must come before the rules themselves.

> And then above that, I have something else that I've never understood:

> *mangle

Begin declaration of the mangle table.

> :PREROUTING ACCEPT [1378800222:449528056411]
> :INPUT ACCEPT [1363738727:447358082301]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [1221121261:1103241097263]
> :POSTROUTING ACCEPT [1221116979:1103240864155]

The numbers within [brackets] are statistics/counters. Just replace
them with [0:0], unless you really really really have a good reason to
not start counting from 0...

The second word is the 'policy' of the chain, i.e., the default action
taken if no rules match in the chain

> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
> -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

Alright, the `--tcp-flags` option takes two parameters:
flags_to_check and expected_flags

These 4 rules collectively block 'well-known TCP Attacks', which I've
listed here:

http://serverfault.com/a/245713/15440

NOTE: In that ServerFault posting, I suggested using the anti-attack
rules in -t raw -A PREROUTING. This saves a great deal of processing,
because the raw table is just that: raw, unadulterated, unanalyzed
packets. The CPU assumes nothing, it merely tries to match well-known
fields' values.

You *do* have to make sure that you don't forget to compile kernel
support for RAW tables ;-)

> COMMIT

End of mangle table declaration. Commit all chain definitions and
chain rules in one atomic operation.

> > ipset create ssh_in iphash
> > ipset add ssh_in 1.2.3.4
> >
> > and then this works:
> > -A -m set --match-set ssh_in src -j ACCEPT
> >
> > ipset has the same save/load type things as ipt (minor differences
> > with how you handle reload, but google or ask if you want to know).
> > The set needs to be in place before the ipt rule is added, so ipset
> > comes first in your boot sequence.
>
> Thanks, looks interesting and useful...
>
> So much to learn, so little time... ;)


iptables is a powerful beast; learn it well, and you'll prosper :-)


Rgds,
-- 
FdS Pandu E Poluan
~ IT Optimizer ~

 • LOPSA Member #15248
 • Blog : http://pandu.poluan.info/blog/
 • Linked-In : http://id.linkedin.com/in/pepoluan
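The `--tcp-flags MASK COMP` semantics described above, worked through in code as an added example (not Pandu's code and not from the iptables project): the four rule tuples are the PREROUTING rules quoted in this thread, while the labels, the `dead_rule` check and the sample flag words are my own.

```python
"""How `--tcp-flags MASK COMP` decides a match, applied to the four anti-scan
PREROUTING rules quoted in this thread.  Added example, not from the thread."""

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = sum(FLAG_BITS.values())


def parse_flags(spec):
    """Turn 'FIN,SYN', 'ALL' or 'NONE' (case-insensitive) into a bit word."""
    spec = spec.upper()
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    bits = 0
    for name in spec.split(","):
        bits |= FLAG_BITS[name]            # KeyError means a typo in the rule
    return bits


def tcp_flags_match(mask_spec, comp_spec, packet_flags):
    """xt_tcp semantics: look only at the bits named in MASK and require that,
    among those, exactly the bits named in COMP are set.  Bits outside MASK are
    ignored, so '--tcp-flags FIN,SYN FIN,SYN' also hits a SYN+FIN+ACK packet."""
    mask, comp = parse_flags(mask_spec), parse_flags(comp_spec)
    return (packet_flags & mask) == comp


def dead_rule(mask_spec, comp_spec):
    """True if COMP names bits outside MASK: such a rule can never match."""
    return bool(parse_flags(comp_spec) & ~parse_flags(mask_spec))


# The four rules from the thread as (mask, comp, label); the labels are mine.
ANTISCAN_RULES = [
    ("FIN,SYN,RST,PSH,ACK,URG", "FIN,PSH,URG", "FIN+PSH+URG only (xmas)"),
    ("FIN,SYN,RST,PSH,ACK,URG", "NONE", "no flags at all (null)"),
    ("SYN,RST", "SYN,RST", "SYN+RST together"),
    ("FIN,SYN", "FIN,SYN", "SYN+FIN together"),
]


def flags(*names):
    """Build a packet's flag word from names, e.g. flags('SYN', 'ACK')."""
    return parse_flags(",".join(names)) if names else 0


def classify(packet_flags):
    """Label of the first rule that would DROP the packet, else 'pass'."""
    for mask, comp, label in ANTISCAN_RULES:
        if tcp_flags_match(mask, comp, packet_flags):
            return label
    return "pass"
```

Note that `--syn` is shorthand for `--tcp-flags SYN,RST,ACK,FIN SYN`, which the same function evaluates.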



Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-30 Thread shawn wilson
Minor additions to what Pandu said...

On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan pa...@poluan.info wrote:
> On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl tansta...@libertytrek.org wrote:

> The numbers within [brackets] are statistics/counters. Just replace
> them with [0:0], unless you really really really have a good reason to
> not start counting from 0...


AFAIK, there's no reason this shouldn't always be set to 0. If you want
to keep your counter do --noflush

 NOTE: In that ServerFault posting, I suggested using the anti-attack
 rules in -t raw -A PREROUTING. This saves a great deal of processing,
 because the raw table is just that: raw, unadulterated, unanalyzed
 packets. The CPU assumes nothing, it merely tries to match well-known
 fields' values.


And because nothing is assumed, you can't prepend a conntrack rule. I
can't think of why you'd ever want those packets (and I should
probably move at least those 4 masks to raw) but just an FYI - no
processing means no processing.

Also see nftables: http://netfilter.org/projects/nftables/



[gentoo-user] IPTables question... simple as possible for starters

2013-12-29 Thread Tanstaafl

Hi all,

Ok, I'm setting up a new server, and I'd like to rethink my iptables rules.

I'd like to start with something fairly simple:

1. Allow connections from anywhere ONLY to certain ports

ie, for encrypted IMAP/SMTP connections from users

2. Allow connections from only certain IP addresses to certain ports

ie, for limiting SSH access

3. DROP ALL other connection attempts

ie, I don't want to see these disallowed attempts in the logs

In order to keep my rules more manageable, I have a commented text file 
that I manually edit whenever modifying my rules, then I do an 
'iptables-restore < /path/to/iptables-rules' to update them.


My first question is about a trick I learned some time ago (but don't 
remember where)...


For the ports for which I want to allow only restricted access, I have 
something like:


###
# bgn exceptions blocks
###
:f_22_I - [0:0]
:f_25_I - [0:0]
:f_22_O - [0:0]
:f_25_O - [0:0]

Am I correct that the above are what are called 'chains' in iptables speak?

#
### allow connections only from the following IP's
#
## SSH
#
# my local admin hosts
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT
#
# external hosts
-A f_22_I -s ###.###.###.### -j ACCEPT
-A f_22_I -s ###.###.###.### -j ACCEPT

And am I also correct that the above adds each rule to the named chain 
in order, and that the order is significant?


So, if I wanted to add a last rule to that chain that DROPs all other 
connection attempts, it would be just:


-A f_22_I -j DROP

?

Then... assuming that I have all of the specific rules after these set 
up to allow just the traffic I want, and I wanted to add a final rule 
that just silently DROPped all other inbound connection attempts, it 
would be:


-A INPUT -j DROP

?

Thanks...



Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-29 Thread shawn wilson
On Sun, Dec 29, 2013 at 1:07 PM, Tanstaafl tansta...@libertytrek.org wrote:
 Hi all,

 Ok, I'm setting up a new server, and I'd like to rethink my iptables rules.

 I'd like to start with something fairly simple:

 1. Allow connections from anywhere ONLY to certain ports

 ie, for encrypted IMAP/SMTP connections from users

 2. Allow connections from only certain IP addresses to certain ports

 ie, for limiting SSH access


I'd reverse the order that #1 and #2 appear.

 3. DROP ALL other connection attempts

 ie, I don't want to see these disallowed attempts in the logs

 In order to keep my rules more manageable, I have a commented text file that
 I manually edit whenever modifying my rules, then I do an 'iptables-restore
  < /path/to/iptables-rules' to update them.

 My first question is about a trick I learned some time ago (but don't
 remember where)...

 For the ports for which I want to allow only restricted access, I have
 something like:

 ###
 # bgn exceptions blocks
 ###
 :f_22_I - [0:0]
 :f_25_I - [0:0]
 :f_22_O - [0:0]
 :f_25_O - [0:0]

 Am I correct that the above are what are called 'chains' in iptables speak?


That defines non-kernel chains but you still need to jump to them from
INPUT/OUTPUT or whatever. So, something like:
-A -m tcp -p tcp --dport 22 --sport 1024:65535 -j f_22_I
  ^ I just came up with something for the sport - it's possible there's a
default more narrow for your client.

 #
 ### allow connections only from the following IP's
 #
 ## SSH
 #
 # my local admin hosts
 -A f_22_I -s ###.###.###.### -j ACCEPT
 -A f_22_I -s ###.###.###.### -j ACCEPT
 -A f_22_I -s ###.###.###.### -j ACCEPT
 -A f_22_I -s ###.###.###.### -j ACCEPT
 -A f_22_I -s ###.###.###.### -j ACCEPT
 #
 # external hosts
 -A f_22_I -s ###.###.###.### -j ACCEPT
 -A f_22_I -s ###.###.###.### -j ACCEPT

 And am I also correct that the above adds each rule to the named chain in
 order, and that the order is significant?

Yep - like ACLs, rules are processed from top down. ACCEPT, REJECT,
and DROP are end points when they match.


 So, if I wanted to add a last rule to that chain that DROPs all other
 connection attempts, it would be just:

 -A f_22_I -j DROP

I would do this just because it simplifies my life when looking at
stuff (and probably removes microseconds of processing from the
kernel). Only do this if you limit what hits this jump though (with
--dport or whatever). Otherwise, the default behavior is basically a
-j RETURN.


 ?

 Then... assuming that I have all of the specific rules after these set up to
 allow just the traffic I want, and I wanted to add a final rule that just
 silently DROPped all other inbound connection attempts, it would be:

 -A INPUT -j DROP


What you're looking for is the policy which are by default ACCEPT on
all kernel rules and which you change in the save file with something
like this:
:INPUT DROP [0:0]

And, just so that there's no confusion, you should state the policy of
OUTPUT and FORWARD at the top of your save file along with INPUT - see
the output of iptables-save as an example of what your file should
look like.

Also, if you're creating a chain just to do the same thing with
different addresses, look at using ipset. Then you just:
ipset create ssh_in iphash
ipset add ssh_in 1.2.3.4

and then this works:
-A -m set --match-set ssh_in src -j ACCEPT

ipset has the same save/load type things as ipt (minor differences
with how you handle reload, but google or ask if you want to know).
The set needs to be in place before the ipt rule is added, so ipset
comes first in your boot sequence.

 ?

 Thanks...
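To make shawn's points concrete (policies for every built-in chain at the top, user chains declared with `:name - [0:0]`, a jump from INPUT into the chain, an ipset that has to exist before the rules are loaded, and a COMMIT), here is an added example that is not code from the thread. It builds a `filter` table in iptables-restore format from Tanstaafl's `f_22_I` chain and shawn's `ssh_in` set, then checks it for the mistakes that make `iptables-restore` bail out half-way or leave the box more open than intended. `render_filter_table()` and `check_restore_file()` are my own helpers; the rule lines are constructed.

```python
"""Compose an iptables-restore file with the layout shawn describes and check
it before feeding it to iptables-restore. Added example, not from the thread:
chain and set names come from the thread, the rules are constructed."""
import re

BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")          # filter table
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}
JUMP_RE = re.compile(r"(?:^|\s)-j (\S+)")
SET_RE = re.compile(r"--match-set (\S+)")


def render_filter_table(policies, user_chains, rules):
    """Policies first, then ':chain - [0:0]' declarations, then the rules,
    then COMMIT. Packet/byte counters are always reset to [0:0]."""
    lines = ["*filter"]
    lines += [f":{c} {policies.get(c, 'ACCEPT')} [0:0]" for c in BUILTIN_CHAINS]
    lines += [f":{c} - [0:0]" for c in user_chains]
    lines += rules
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def check_restore_file(text, existing_sets=()):
    """Return a list of problems: things that make iptables-restore fail
    (jumping to a chain or matching a set that does not exist) and things
    that quietly leave the ruleset weaker than intended."""
    problems, declared, rules = [], set(), []
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            declared.add(name)
            # An ACCEPT policy on INPUT/FORWARD means unmatched packets get in.
            if name in ("INPUT", "FORWARD") and policy == "ACCEPT":
                problems.append(f"{name} policy is ACCEPT: unmatched packets are let through")
        elif line.startswith("-A "):
            rules.append(line)
    jumped = set()
    for rule in rules:
        chain = rule.split()[1]
        if chain not in declared:
            problems.append(f"rule appends to undeclared chain {chain!r}")
        m = JUMP_RE.search(rule)
        if m:
            target = m.group(1)
            jumped.add(target)
            if target not in BUILTIN_TARGETS and target not in declared:
                problems.append(f"jump to undeclared chain {target!r}")
        s = SET_RE.search(rule)
        if s and s.group(1) not in set(existing_sets):
            problems.append(f"ipset {s.group(1)!r} must exist before the restore runs")
    for chain in sorted(declared - set(BUILTIN_CHAINS) - jumped):
        problems.append(f"user chain {chain!r} is never jumped to")
    return problems


# Tanstaafl's f_22_I chain, fed from INPUT and ending in an explicit DROP,
# with the admin hosts held in shawn's ssh_in set (constructed rules).
SSH_RULES = [
    "-A INPUT -i lo -j ACCEPT",
    "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "-A INPUT -p tcp -m tcp --dport 22 -j f_22_I",
    "-A f_22_I -m set --match-set ssh_in src -j ACCEPT",
    "-A f_22_I -j DROP",
]
GOOD = render_filter_table({"INPUT": "DROP", "FORWARD": "DROP"}, ["f_22_I"], SSH_RULES)

# Same rules, but the jump uses a chain name that was never declared and the
# policies were left at their default ACCEPT.
BAD = render_filter_table({}, ["f_22_I"],
                          [r.replace("-j f_22_I", "-j f_22_in") for r in SSH_RULES])

if __name__ == "__main__":
    print(GOOD)
    for problem in check_restore_file(BAD, existing_sets={"ssh_in"}):
        print("BAD:", problem)
```

Run the check before `iptables-restore`: a jump to an undeclared chain or a missing set aborts the restore, and whether the old rules survive that depends on how far the restore got, which is exactly the situation shawn's "ipset comes first in your boot sequence" warning is about.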




[gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Nick Khamis
Hello Everyone,

We recently moved our stateful firewall inside, and would like to
strip down the firewall at our router connected to the outside world.
The problem I am experiencing is getting things to work properly
without connection tracking. I hope I am not in breach of mailing list
rules however, a stripped down configuration is as follows:

#!/bin/bash
IPTABLES='/sbin/iptables'

#Set interface values
INTIF1='eth0'

#flush rules and delete chains
$IPTABLES -F
$IPTABLES -X

#echo -e- Accepting input lo traffic
$IPTABLES -A INPUT -i lo -j ACCEPT

#echo -e- Accepting output lo traffic
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#echo -e- Defined Chains
$IPTABLES -N TCP
$IPTABLES -N UDP

#echo -e- Accepting SSH Traffic
$IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
$IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

#echo -e- Accepting input TCP and UDP traffic to open ports
$IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP

#echo -e- Accepting output TCP and UDP traffic to open ports
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
$IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP

#echo -e- Dropping input TCP and UDP traffic to closed ports
# $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e- Dropping output TCP and UDP traffic to closed ports
# $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
# $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e- Dropping input traffic to remaining protocols sent to closed ports
# $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e- Dropping output traffic to remaining protocols sent to closed ports
# $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable


Everything works fine with the REJECT rules commented out, but when
included SSH access is blocked out. Not sure why, isn't the sequence
correct (i.e., the ACCEPT entries before the DROP and REJECT)?

Also, any pointers or heads up when going stateless would be greatly
appreciated.

Kind Regards,

Nick



[gentoo-user] Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread the guard



Tuesday, 21 May 2013, 11:07 -04:00 from Nick Khamis sym...@gmail.com:
 Hello Everyone,
 
 We recently moved our stateful firewall inside, and would like to
 strip down the firewall at our router connected to the outside world.
 The problem I am experiencing is getting things to work properly
 without connection tracking. I hope I am not in breach of mailing list
 rules however, a stripped down configuration is as follows:
 
 #!/bin/bash
 IPTABLES='/sbin/iptables'
 
 #Set interface values
 INTIF1='eth0'
 
 #flush rules and delete chains
 $IPTABLES -F
 $IPTABLES -X
 
 #echo -e- Accepting input lo traffic
 $IPTABLES -A INPUT -i lo -j ACCEPT
 
 #echo -e- Accepting output lo traffic
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
 
 #echo -e- Defined Chains
 $IPTABLES -N TCP
 $IPTABLES -N UDP
 
 #echo -e- Accepting SSH Traffic
 $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
 $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
 
 #echo -e- Accepting input TCP and UDP traffic to open ports
 $IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
 $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
 
 #echo -e- Accepting output TCP and UDP traffic to open ports
 $IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
 $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
 
 #echo -e- Dropping input TCP and UDP traffic to closed ports
 # $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
 # $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
 
 #echo -e- Dropping output TCP and UDP traffic to closed ports
 # $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
 # $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
 
 #echo -e- Dropping input traffic to remaining protocols sent to closed ports
 # $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
 
 #echo -e- Dropping output traffic to remaining protocols sent to closed ports
 # $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
 
 
 Everything works fine with the REJECT rules commented out, but when
 included SSH access is blocked out. Not sure why, isn't the sequence
 correct (i.e., the ACCEPT entries before the DROP and REJECT)?
 
 Also, any pointers or heads up when going stateless would be greatly
 appreciated.
 
 Kind Regards,
 
 Nick

Looks like the packet never gets to the tcp chain. What is --syn?

Re: [gentoo-user] Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Nick Khamis
 Looks like the packet never gets to the tcp chain. what is --syn?

It seems that way. I am not sure what --syn is, actually. But even
if I comment it out it does not work. Also, for testing I changed the
SSH rule to allow bidirectional traffic until this is fixed:

-A TCP -p tcp -m tcp --dport 22 -j ACCEPT

As mentioned before everything works as expected until when I try to
close up the ports not included in the TCP and UDP chains:

#echo -e- Dropping input TCP and UDP traffic to closed ports
-A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e- Dropping output TCP and UDP traffic to closed ports
-A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
-A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable

#echo -e- Dropping input traffic to remaining protocols sent to closed ports
-A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e- Dropping output traffic to remaining protocols sent to closed ports
-A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable


Thanks in Advance,

Nick.



Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Alan McKinnon
On 21/05/2013 17:07, Nick Khamis wrote:
 Hello Everyone,
 
 We recently moved our stateful firewall inside, and would like to
 strip down the firewall at our router connected to the outside world.
 The problem I am experiencing is getting things to work properly
 without connection tracking. 

Now why, oh why, do you want to do that? A world of pain awaits you.

Stateless firewalls are a colossal mindfuck that will drive you crazy.
So unless you have a very very good reason for doing this I recommend
you seriously revisit your choice. iptables really does not consume that
many resources (and if you truly are low on resources then you need to
get a bigger router, because after all it is a router and I assume in
production)


I hope I am not in breach of mailing list
 rules however, a stripped down configuration is as follows:
 
 #!/bin/bash
 IPTABLES='/sbin/iptables'
 
 #Set interface values
 INTIF1='eth0'
 
 #flush rules and delete chains
 $IPTABLES -F
 $IPTABLES -X
 
 #echo -e- Accepting input lo traffic
 $IPTABLES -A INPUT -i lo -j ACCEPT
 
 #echo -e- Accepting output lo traffic
 $IPTABLES -A OUTPUT -o lo -j ACCEPT
 
 #echo -e- Defined Chains
 $IPTABLES -N TCP
 $IPTABLES -N UDP
 
 #echo -e- Accepting SSH Traffic
 $IPTABLES -A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
 $IPTABLES -A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP
 
 #echo -e- Accepting input TCP and UDP traffic to open ports
 $IPTABLES -A INPUT -i $INTIF1 -p tcp --syn -j TCP
 $IPTABLES -A INPUT -i $INTIF1 -p udp -j UDP
 
 #echo -e- Accepting output TCP and UDP traffic to open ports
 $IPTABLES -A OUTPUT -o $INTIF1 -p tcp --syn -j TCP
 $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j UDP
 
 #echo -e- Dropping input TCP and UDP traffic to closed ports
 # $IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
 # $IPTABLES -A INPUT -i $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
 
 #echo -e- Dropping output TCP and UDP traffic to closed ports
 # $IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst
 # $IPTABLES -A OUTPUT -o $INTIF1 -p udp -j REJECT --reject-with icmp-port-unreachable
 
 #echo -e- Dropping input traffic to remaining protocols sent to closed ports
 # $IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
 
 #echo -e- Dropping output traffic to remaining protocols sent to closed ports
 # $IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable
 
 
 Everything works fine with the REJECT rules commented out, but when
 included SSH access is blocked out. Not sure why, isn't the sequence
 correct (i.e., the ACCEPT entries before the DROP and REJECT)?
 
 Also, any pointers or heads up when going stateless would be greatly
 appreciated.
 
 Kind Regards,
 
 Nick
 


-- 
Alan McKinnon
alan.mckin...@gmail.com




Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Nick Khamis
Hello Everyone,

Thank you so much for your responses. I agree Alan, total pain in the
neck!!! But it's a ticket that was passed down to me. We moved the
stateful firewalls inside the network, broken down to each department.

But as a first on site defense on our BGP router running Quagga, we
only require stateless for performance reasons. Jerry, thank you so
much! I might need some additional help with the three way handshakes.
What I did to stay scalable was:

Define a chain:

-N TCP

Handle two way for a specific service:

-A TCP -p tcp -m tcp -s 192.168.2.0/24 -d 192.168.2.5 --dport 22 -j ACCEPT
-A TCP -p tcp -m tcp -s 192.168.2.5 --sport 22 -d 192.168.2.0/24 -j ACCEPT
-A TCP -p tcp -m tcp -s 0.0.0.0/0 -d 192.168.2.5 --dport 22 -j DROP

Accepting Input and output requests to services included in the chain:

#echo -e- Accepting input TCP traffic to open ports
-A INPUT -i $INTIF1 -p tcp -j TCP

#echo -e- Accepting output TCP traffic to open ports
-A OUTPUT -o $INTIF1 -p tcp -j TCP

Dropping Everything Else:


#echo -e- Dropping input TCP to closed ports
$IPTABLES -A INPUT -i $INTIF1 -p tcp -j REJECT --reject-with tcp-rst

#echo -e- Dropping output TCP traffic to closed ports
$IPTABLES -A OUTPUT -o $INTIF1 -p tcp -j REJECT --reject-with tcp-rst

#echo -e- Dropping input traffic to remaining protocols sent to closed ports
$IPTABLES -A INPUT -i $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

#echo -e- Dropping output traffic to remaining protocols sent to closed ports
$IPTABLES -A OUTPUT -o $INTIF1 -j REJECT --reject-with icmp-proto-unreachable

Hope this keeps me scalable enough to keep the world of pain at bay as
much as possible...

N.
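Two things in these threads are easier to see with a small model than with prose: what `--tcp-flags MASK COMP` (and its shorthand `--syn`) actually matches, which is what Pandu's four mangle/PREROUTING rules further up rely on, and why Nick's first stateless ruleset broke SSH while the revised one with the reverse-direction rule works. The following is an added example, not code from any of the posts. It is a toy rule walker covering only `-s`/`-d`, `--sport`/`--dport`, `--syn`, `--tcp-flags`, user chains and the ACCEPT/DROP/REJECT verdicts; `Packet`, `Rule`, `walk()`, `bogus_flags()` and `handshake()` are my own names, the chain name `TCP` and the server address 192.168.2.5 are from the thread, and the client address 192.168.2.10 is constructed.

```python
"""Tiny model of how iptables walks a stateless ruleset, with and without --syn.
Added example, not code from the list posts; it models only -s/-d, --sport/--dport,
--syn, --tcp-flags, user chains (which RETURN when they run off the end) and verdicts."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

def tcp_flags_match(mask, comp, flags):
    """'--tcp-flags MASK COMP': of the bits named in MASK, exactly those named
    in COMP must be set; bits outside MASK are ignored."""
    mask = set(TCP_FLAGS) if mask == "ALL" else set(mask.split(","))
    comp = set() if comp == "NONE" else set(TCP_FLAGS) if comp == "ALL" else set(comp.split(","))
    return set(flags) & mask == comp

# Pandu's four mangle/PREROUTING rules as (MASK, COMP) pairs, in his order.
BOGUS_FLAG_RULES = {
    "xmas":    ("FIN,SYN,RST,PSH,ACK,URG", "FIN,PSH,URG"),
    "null":    ("FIN,SYN,RST,PSH,ACK,URG", "NONE"),
    "syn-rst": ("SYN,RST", "SYN,RST"),
    "syn-fin": ("FIN,SYN", "FIN,SYN"),
}

def bogus_flags(flags):
    """Name of the first anti-attack rule a flag combination hits, or None."""
    for name, (mask, comp) in BOGUS_FLAG_RULES.items():
        if tcp_flags_match(mask, comp, flags):
            return name
    return None

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: FrozenSet[str] = frozenset()  # TCP flags that are set

@dataclass
class Rule:
    target: str                # ACCEPT, DROP, REJECT or a user chain
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    syn: bool = False          # --syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (not self.syn or tcp_flags_match("SYN,RST,ACK,FIN", "SYN", p.flags)))

def walk(chains, chain, p, policy="ACCEPT"):
    """First matching terminating rule wins. A user chain that runs off its
    end yields None, i.e. RETURN, and the calling chain carries on."""
    for rule in chains[chain]:
        if not rule.matches(p):
            continue
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target
        verdict = walk(chains, rule.target, p, policy=None)
        if verdict is not None:
            return verdict
    return policy

SERVER, CLIENT = "192.168.2.5", "192.168.2.10"  # client address is constructed

# Nick's first ruleset: only pure SYNs reach the TCP chain, and that chain has no
# rule for the server's own replies, so everything after the first SYN is REJECTed.
ORIGINAL = {
    "INPUT":  [Rule("TCP", syn=True), Rule("REJECT")],
    "OUTPUT": [Rule("TCP", syn=True), Rule("REJECT")],
    "TCP":    [Rule("ACCEPT", src="192.168.2.0/24", dst=SERVER, dport=22),
               Rule("DROP", dst=SERVER, dport=22)],
}

# Nick's revised ruleset: --syn dropped, reverse-direction rule added.
REVISED = {
    "INPUT":  [Rule("TCP"), Rule("REJECT")],
    "OUTPUT": [Rule("TCP"), Rule("REJECT")],
    "TCP":    [Rule("ACCEPT", src="192.168.2.0/24", dst=SERVER, dport=22),
               Rule("ACCEPT", src=SERVER, sport=22, dst="192.168.2.0/24"),
               Rule("DROP", dst=SERVER, dport=22)],
}

def handshake(ruleset):
    """Verdicts for a three-way handshake plus one data segment, seen from the server."""
    steps = [
        ("INPUT",  Packet(CLIENT, SERVER, 40000, 22, frozenset({"SYN"}))),
        ("OUTPUT", Packet(SERVER, CLIENT, 22, 40000, frozenset({"SYN", "ACK"}))),
        ("INPUT",  Packet(CLIENT, SERVER, 40000, 22, frozenset({"ACK"}))),
        ("INPUT",  Packet(CLIENT, SERVER, 40000, 22, frozenset({"PSH", "ACK"}))),
    ]
    return [walk(ruleset, chain, p) for chain, p in steps]

if __name__ == "__main__":
    print("original:", handshake(ORIGINAL))  # the SYN/ACK reply is the first casualty
    print("revised: ", handshake(REVISED))
    print("xmas flags hit rule:", bogus_flags({"FIN", "PSH", "URG"}))
```

The walk shows what the guard was hinting at: with `--syn` on the jump, the server's SYN/ACK has ACK set, so it never enters the `TCP` chain and falls through to the `REJECT --reject-with tcp-rst` in OUTPUT. The revised ruleset fixes that by matching the reply direction explicitly on `--sport 22`, which is also the price of going stateless: without conntrack the firewall cannot tell a reply from unsolicited traffic that merely carries source port 22, so every accepted service needs both directions spelled out.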



[gentoo-user] iptables (not) started?

2013-03-29 Thread Jarry

Hi Gentoo-users,

I noticed one thing on my server: during boot-up no message
about firewall being started is printed on console. I always
have to check manually if iptables-rules have been loaded.
Strange thing, when doing shutdown, I see messages I expect:

* Saving iptables state ...  [ ok ]
* Stopping firewall ...  [ ok ]

I checked also /etc/init.d/iptables and I think it should
show some messages at start:

start() {
checkconfig || return 1
ebegin "Loading ${iptables_name} state and starting firewall"
${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
eend $?
}

Can someone explain to me why this message is not printed?

Jarry
--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 18:25:11 Jarry wrote:
 Hi Gentoo-users,
 
 I noticed one thing on my server: during boot-up no message
 about firewall being started is printed on console. I always
 have to check manually if iptables-rules have been loaded.
 Strange thing, when doing shutdown, I see messages I expect:
 
 * Saving iptables state ...  [ ok ]
 * Stopping firewall ...  [ ok ]
 
 I checked also /etc/init.d/iptables and I think it should
 show some messages at start:
 
 start() {
 checkconfig || return 1
 ebegin "Loading ${iptables_name} state and starting firewall"
 ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
 eend $?
 }
 
 Can someone explain to me why this message is not printed?

Do you have some other script starting your iptables, rather than the vanilla 
/etc/init.d/iptables?

Does '/etc/init.d/iptables status' show that it is running?
-- 
Regards,
Mick




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Jarry

On 29-Mar-13 19:43, Mick wrote:

On Friday 29 Mar 2013 18:25:11 Jarry wrote:

Hi Gentoo-users,

I noticed one thing on my server: during boot-up no message
about firewall being started is printed on console. I always
have to check manually if iptables-rules have been loaded.
Strange thing, when doing shutdown, I see messages I expect:

* Saving iptables state ...  [ ok ]
* Stopping firewall ...  [ ok ]

I checked also /etc/init.d/iptables and I think it should
show some messages at start:

start() {
checkconfig || return 1
ebegin "Loading ${iptables_name} state and starting firewall"
${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
eend $?
}

Can someone explain to me why this message is not printed?


Do you have some other script starting your iptables, rather than the vanilla
/etc/init.d/iptables?


No.


Does '/etc/init.d/iptables status' show that it is running?


* status: started

I recorded screen with my video-camera to be sure I did not miss
some message. But I found no trace about iptables being started...

Jarry
--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Pandu Poluan
On Mar 30, 2013 1:27 AM, Jarry mr.ja...@gmail.com wrote:

 Hi Gentoo-users,

 I noticed one thing on my server: during boot-up no message
 about firewall being started is printed on console. I always
 have to check manually if iptables-rules have been loaded.
 Strange thing, when doing shutdown, I see messages I expect:

 * Saving iptables state ...  [ ok ]
 * Stopping firewall ...  [ ok ]

Slightly tangential to the subject, but related...

I personally prefer *not* to automatically save iptables rules on shutdown.

That way, if I made some stupid mistake, a reboot restores the system to
the LKGC (Last Known Good Configuration)...

Rgds,
--


Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 19:03:57 Jarry wrote:
 On 29-Mar-13 19:43, Mick wrote:
  On Friday 29 Mar 2013 18:25:11 Jarry wrote:
  Hi Gentoo-users,
  
  I noticed one thing on my server: during boot-up no message
  about firewall being started is printed on console. I always
  have to check manually if iptables-rules have been loaded.
  Strange thing, when doing shutdown, I see messages I expect:
  
  * Saving iptables state ...  [ ok ]
  * Stopping firewall ...  [ ok ]
  
  I checked also /etc/init.d/iptables and I think it should
  show some messages at start:
  
  start() {
  checkconfig || return 1
  ebegin "Loading ${iptables_name} state and starting firewall"
  ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
  eend $?
  }
  
  Can someone explain to me why this message is not printed?
  
  Do you have some other script starting your iptables, rather than the
  vanilla /etc/init.d/iptables?
 
 No.
 
  Does '/etc/init.d/iptables status' show that it is running?
 
 * status: started
 
 I recorded screen with my video-camera to be sure I did not miss
 some message. But I found no trace about iptables being started...

I have not set rc_logger in /etc/conf.d/iptables to know if it would make a 
difference and can confirm that I can clearly see it on my boxen at boot time:

  * Loading iptables state and starting firewall ...[ ok ]


Another thing to check is that it is in the default level:

$ eselect rc list | grep iptables
  iptables  default

I'm not sure if it would show up, or the message be suppressed if you add it 
to the boot level.

-- 
Regards,
Mick




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 19:34:39 Mick wrote:
 On Friday 29 Mar 2013 19:03:57 Jarry wrote:
  On 29-Mar-13 19:43, Mick wrote:
   On Friday 29 Mar 2013 18:25:11 Jarry wrote:
   Hi Gentoo-users,
   
   I noticed one thing on my server: during boot-up no message
   about firewall being started is printed on console. I always
   have to check manually if iptables-rules have been loaded.
   Strange thing, when doing shutdown, I see messages I expect:
   
   * Saving iptables state ...  [ ok ]
   * Stopping firewall ...  [ ok ]
   
   I checked also /etc/init.d/iptables and I think it should
   show some messages at start:
   
   start() {
   checkconfig || return 1
   ebegin "Loading ${iptables_name} state and starting firewall"
   ${iptables_bin}-restore ${SAVE_RESTORE_OPTIONS} < "${iptables_save}"
   eend $?
   }
   
   Can someone explain to me why this message is not printed?
   
   Do you have some other script starting your iptables, rather than the
   vanilla /etc/init.d/iptables?
  
  No.
  
   Does '/etc/init.d/iptables status' show that it is running?
  
  * status: started
  
  I recorded screen with my video-camera to be sure I did not miss
  some message. But I found no trace about iptables being started...
 
 I have not set rc_logger in /etc/conf.d/iptables to know if it would make a
 difference and can confirm that I can clearly see it on my boxen at boot
 time:
 
   * Loading iptables state and starting firewall ...  [ ok ]
 
 
 Another thing to check is that it is in the default level:
 
 $ eselect rc list | grep iptables
   iptables  default
 
 I'm not sure if it would show up, or the message be suppressed if you add
 it to the boot level.

Just tested this - it does not suppress it in my machine if I set it to boot 
level.  Which makes me think ...

Why do wikis and the like suggest that iptables should be in default rather 
than boot runlevel?
-- 
Regards,
Mick




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 19:44:14 +, Mick wrote:

 Why do wikis and the like suggest that iptables should be in default
 rather than boot runlevel?

Why not? There's no need to start it especially early, as long as it is
running before the network comes up, and the init script takes care of
that.


-- 
Neil Bothwick

Vuja De: the feeling that you've never been here before.




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 20:37:20 Neil Bothwick wrote:
 On Fri, 29 Mar 2013 19:44:14 +, Mick wrote:
  Why do wikis and the like suggest that iptables should be in default
  rather than boot runlevel?
 
 Why not? There's no need to start it especially early, as long as it is
 running before the network comes up, and the init script takes care of
 that.

I haven't seen anything in net.lo that waits for iptables and I seem to recall 
that the network interfaces are started before iptables is run, unless I start 
iptables at boot level.
-- 
Regards,
Mick




Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 23:29:39 +, Mick wrote:

   Why do wikis and the like suggest that iptables should be in default
   rather than boot runlevel?  
  
  Why not? There's no need to start it especially early, as long as it
  is running before the network comes up, and the init script takes
  care of that.  
 
 I haven't seen anything in net.lo that waits for iptables and I seem to
 recall that the network interfaces are started before iptables is run,
 unless I start iptables at boot level.

The iptables init script contains "before net".


-- 
Neil Bothwick

Advanced: (adj.) doesn't work yet, but it's pretty close. See: bug,
glitch.




Re: [gentoo-user] IPTABLES syntax change?

2013-01-06 Thread Walter Dnes
On Sat, Jan 05, 2013 at 11:57:10AM +, Mick wrote
 
 It will, but only partially.  It seems that the list is long and it
 is getting longer and longer!  Check this out:
 
 whois -h whois.radb.net -- '-i origin AS32934' | grep ^route
 
 (as advised by https://developers.facebook.com/docs/ApplicationSecurity/)

<ELVIS> Thank you, Thank you, Thank you verrry verrry much </ELVIS>

  It's not as bad as it looks, because...
a) there's a lot of duplication
b) many of the blocks are subsets of a bigger Facebook block

31.13.24.0/21
inetnum:31.13.24.0 - 31.13.31.255
netname:IE-FACEBOOK-20110418
descr:  Facebook Ireland Ltd
country:IE

31.13.64.0/18
31.13.64.0/19
31.13.64.0/24
31.13.65.0/24
31.13.66.0/24
31.13.67.0/24
31.13.68.0/24
31.13.69.0/24
31.13.70.0/24
31.13.71.0/24
31.13.72.0/24
31.13.73.0/24
31.13.74.0/24
31.13.75.0/24
31.13.76.0/24
31.13.77.0/24
31.13.78.0/24
31.13.79.0/24
31.13.80.0/24
31.13.82.0/24
31.13.83.0/24
31.13.84.0/24
31.13.85.0/24
31.13.86.0/24
31.13.87.0/24
31.13.88.0/24
31.13.89.0/24
31.13.90.0/24
31.13.91.0/24
31.13.92.0/24
31.13.93.0/24
31.13.94.0/24
31.13.95.0/24
31.13.96.0/19
inetnum:31.13.64.0 - 31.13.127.255
netname:IE-FACEBOOK-20110418
descr:  Facebook Ireland Ltd
country:IE

66.220.144.0/20
66.220.144.0/20
66.220.144.0/21
66.220.152.0/21
66.220.159.0/24
NetRange:   66.220.144.0 - 66.220.159.255
CIDR:   66.220.144.0/20
OrgName:Facebook, Inc.
OrgId:  THEFA-3

69.63.176.0/20
69.63.176.0/20
69.63.176.0/20
69.63.176.0/21
69.63.176.0/21
69.63.176.0/24
69.63.178.0/24
69.63.184.0/21
69.63.184.0/21
69.63.186.0/24
NetRange:   69.63.176.0 - 69.63.191.255
CIDR:   69.63.176.0/20
OrgName:Facebook, Inc.
OrgId:  THEFA-3

69.171.224.0/19
69.171.224.0/20
69.171.239.0/24
69.171.240.0/20
69.171.253.0/24
69.171.255.0/24
NetRange:   69.171.224.0 - 69.171.255.255
CIDR:   69.171.224.0/19
OrgName:Facebook, Inc.
OrgId:  THEFA-3

74.119.76.0/22
NetRange:   74.119.76.0 - 74.119.79.255
CIDR:   74.119.76.0/22
OrgName:Facebook, Inc.
OrgId:  THEFA-3

103.4.96.0/22
inetnum:103.4.96.0 - 103.4.99.255
netname:FACEBOOK-SG

173.252.64.0/18
173.252.64.0/19
173.252.70.0/24
173.252.96.0/19
NetRange:   173.252.64.0 - 173.252.127.255
CIDR:   173.252.64.0/18
OriginAS:   AS32934
NetName:FACEBOOK-INC

204.15.20.0/22
204.15.20.0/22
NetRange:   204.15.20.0 - 204.15.23.255
CIDR:   204.15.20.0/22
OrgName:Facebook, Inc.
OrgId:  THEFA-3

  A grand total of 9 IPV4 ranges, of which I already have 6.  Time for a
minor update.  Thanks again for the whois lookup command.

 BTW, websites may break if you block all these ip ranges.

<LENNART> It's their fault that they're broken, not mine </LENNART>

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications
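Walter's two observations (lots of duplicates, many prefixes that are subsets of a bigger one) are exactly what prefix aggregation removes, and doing it mechanically means the firewall gets the minimal rule set instead of a hand-pruned one. The following is an added example, not Walter's script: it parses `route:` lines in the layout the `whois -h whois.radb.net -- '-i origin AS32934' | grep ^route` command prints, collapses them with the standard library, checks nothing was lost, and renders rules in the `[0:0] -A INPUT -s ... -j FECESBOOK` form his save file uses. The embedded route lines are a constructed subset of the prefixes quoted in the thread; `parse_routes()`, `collapse()`, `covers()` and `to_rules()` are my own helpers.

```python
"""Collapse an AS's RADB route list into the minimal prefix set before turning it
into firewall rules. Added example, not Walter's script; the route lines are a
constructed subset of those quoted in the thread."""
import ipaddress

# Constructed input in the layout `whois ... | grep ^route` prints.
WHOIS_ROUTE_LINES = """\
route:      31.13.24.0/21
route:      31.13.64.0/18
route:      31.13.64.0/19
route:      31.13.64.0/24
route:      31.13.65.0/24
route:      31.13.96.0/19
route:      66.220.144.0/20
route:      66.220.144.0/20
route:      66.220.152.0/21
route:      66.220.159.0/24
route:      69.63.176.0/20
route:      69.63.176.0/21
route:      69.63.186.0/24
route:      69.171.224.0/19
route:      69.171.240.0/20
route:      69.171.255.0/24
route:      74.119.76.0/22
route:      103.4.96.0/22
route:      173.252.64.0/18
route:      173.252.70.0/24
route:      204.15.20.0/22
route:      204.15.20.0/22
"""


def parse_routes(text):
    """Pull the prefixes out of 'route:' / 'route6:' lines; anything else is ignored."""
    prefixes = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("route", "route6"):
            prefixes.append(ipaddress.ip_network(value.strip(), strict=False))
    return prefixes


def collapse(prefixes):
    """Drop duplicates, drop prefixes already inside a larger one, merge adjacent
    ones. IPv4 and IPv6 must be collapsed separately; the result is sorted."""
    v4 = [p for p in prefixes if p.version == 4]
    v6 = [p for p in prefixes if p.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def covers(collapsed, prefixes):
    """Sanity check: every original prefix lies inside some collapsed prefix."""
    return all(any(p.version == c.version and p.subnet_of(c) for c in collapsed)
               for p in prefixes)


def to_rules(collapsed, chain="FECESBOOK"):
    """One iptables-restore line per prefix, in the form Walter's save file uses."""
    return [f"[0:0] -A INPUT -s {p} -j {chain}" for p in collapsed]


if __name__ == "__main__":
    routes = parse_routes(WHOIS_ROUTE_LINES)
    minimal = collapse(routes)
    assert covers(minimal, routes)
    print(f"{len(routes)} route objects -> {len(minimal)} prefixes")
    print("\n".join(to_rules(minimal)))
```

Fed the full `whois` output instead of the constructed subset, the same code gives the nine ranges Walter counted by hand; the `covers()` check is there so that a re-run against a changed route list cannot silently shrink the block list.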



Re: [gentoo-user] IPTABLES syntax change?

2013-01-04 Thread Walter Dnes
On Wed, Jan 02, 2013 at 11:32:58PM -0500, Michael Orlitzky wrote
 On 12/30/2012 10:21 PM, Walter Dnes wrote:
  [0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6
  [0:0] -A FECESBOOK -j DROP
  [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
  [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
  [0:0] -A INPUT -i lo -j ACCEPT
  [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
 
 In fact, since you're blocking all outgoing packets to facebook, the
 only state that a packet from facebook can have here is INVALID or NEW.
 So traffic from facebook will be sent to the UNSOLICITED chain and DROPped.
 
 
  [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
  [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
  [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
  [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
  [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
  [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
 
 ...making these pointless =)


  I've run into at least one newspaper website (I forget which,
it's occasionally used for links on Slashdot) which ends up trying to
redirect me to a Facebook site even though the URL does not mention
Facebook at all.  There is other integration as well.  See the first
post in
http://www.dslreports.com/forum/r26618459-Increasing-integration-of-facebook-into-many-web-sites
I believe this may have been straightened out since then, but 13 months
ago that post was correct.  And then there's the LIKE button which
shows up all over the web.

  The mere fact that you haven't manually typed in...
http://www.facebook.com/blah_blah_blah does not mean you're not
connecting to it.

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications



Re: [gentoo-user] IPTABLES syntax change?

2013-01-04 Thread Michael Mol
On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes waltd...@waltdnes.org wrote:
 On Wed, Jan 02, 2013 at 11:32:58PM -0500, Michael Orlitzky wrote
 On 12/30/2012 10:21 PM, Walter Dnes wrote:
  [0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6
  [0:0] -A FECESBOOK -j DROP
  [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
  [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
  [0:0] -A INPUT -i lo -j ACCEPT
  [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED

 In fact, since you're blocking all outgoing packets to facebook, the
 only state that a packet from facebook can have here is INVALID or NEW.
 So traffic from facebook will be sent to the UNSOLICITED chain and DROPped.


  [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
  [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
  [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
  [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
  [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
  [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK

 ...making these pointless =)


   I've run into at least one newspaper website (I forget which,
 it's occasionally used for links on Slashdot) which ends up trying to
 redirect me to a Facebook site even though the URL does not mention
 Facebook at all.  There is other integration as well.  See the first
 post in
 http://www.dslreports.com/forum/r26618459-Increasing-integration-of-facebook-into-many-web-sites
 I believe this may have been straightened out since then, but 13 months
 ago that post was correct.  And then there's the LIKE button which
 shows up all over the web.

   The mere fact that you haven't manually typed in...
 http://www.facebook.com/blah_blah_blah does not mean you're not
 connecting to it.

But all that's above layer 3, since it's an HTTP redirect, or a page
transclusion which necessitates a new GET request. Michael's point
stands.

--
:wq



Re: [gentoo-user] IPTABLES syntax change?

2013-01-04 Thread Walter Dnes
On Fri, Jan 04, 2013 at 03:27:59PM -0500, Michael Mol wrote
 On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes waltd...@waltdnes.org wrote:
 
The mere fact that you haven't manually typed in...
  http://www.facebook.com/blah_blah_blah does not mean you're not
  connecting to it.
 
 But all that's above layer 3, since it's an HTTP redirect, or a page
 transclusion which necessitates a new GET request. Michael's point
 stands.

  And I want to make sure that new GET request is blocked coming and
going.

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications



Re: [gentoo-user] IPTABLES syntax change?

2013-01-04 Thread Michael Mol
On Jan 4, 2013 8:33 PM, Walter Dnes waltd...@waltdnes.org wrote:

 On Fri, Jan 04, 2013 at 03:27:59PM -0500, Michael Mol wrote
  On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes waltd...@waltdnes.org
wrote:
  
 The mere fact that you haven't manually typed in...
   http://www.facebook.com/blah_blah_blah does not mean you're not
   connecting to it.
 
  But all that's above layer 3, since it's an HTTP redirect, or a page
  transclusion which necessitates a new GET request. Michael's point
  stands.

   And I want to make sure that new GET request is blocked coming and
 going.

 --
 Walter Dnes waltd...@waltdnes.org
 I don't run desktop environments; I run useful applications


And it will, for the simple reason that outbound packets are dropped, so
inbound packets are never valid. That was Michael's point.


Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-03 Thread Tanstaafl

On 2013-01-02 7:14 PM, Mick michaelkintz...@gmail.com wrote:

On Wednesday 02 Jan 2013 19:47:11 Tanstaafl wrote:

Oh, ok - so, if I don't have any rules that use the 'mangle' command,
then I can safely remove mangle support from my kernel and lose the
mangle table altogether?



Yes, I would think so.  You can build it as a module anyway and un/not load it
to see if iptables starts up without errors.


This is a server, so no modules support at all...

But no worries, I always keep my previous kernel when upgrading, so if 
something doesn't work right, I just reboot back to the previous one... 
it has saved me more than a few times...


Thanks again



[gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Tanstaafl

Hi all,

This has been bugging me for a while...

I've googled, and can't seem to find a definitive answer to this question...

Lots of references to the Mangle table, but nothing that really explains 
what this table is or does, and when or why I would want/need it.


Currently, I have this in my rules (since forever, honestly don't even 
remember where it came from):


*mangle
:PREROUTING ACCEPT [1378800222:449528056411]
:INPUT ACCEPT [1363738727:447358082301]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1221121261:1103241097263]
:POSTROUTING ACCEPT [1221116979:1103240864155]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
# Completed on Sun Dec 11 14:11:01 2011

This is on a mail/web server with a static IP, it does not do any NAT 
and does not act as a perimeter firewall, it only protects itself...


Thanks for any pointers to tfm that explains this if there is one, or 
just for a simple explanation if not...




Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Michael Orlitzky
On 01/02/13 08:38, Tanstaafl wrote:
 Hi all,
 
 This has been bugging me for a while...
 
 I've googled, and can't seem to find a definitive answer to this
 question...
 
 Lots of references to the Mangle table, but nothing that really explains
 what this table is or does, and when or why I would want/need it.
 

It allows you to mangle the low level bits of a packet. You only need it
for routing gymnastics.


 Currently, I have this in my rules (since forever, honestly don't even
 remember where it came from):
 
 *mangle
 :PREROUTING ACCEPT [1378800222:449528056411]
 :INPUT ACCEPT [1363738727:447358082301]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [1221121261:1103241097263]
 :POSTROUTING ACCEPT [1221116979:1103240864155]
 -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
 -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
 -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
 -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
 COMMIT
 # Completed on Sun Dec 11 14:11:01 2011
 

The PREROUTING table happens before the routing decision is made. So
those rules happen before the network stack decides what to do with a
packet.

Suppose, for example, that you forward all packets from your LAN to
wherever they're supposed to go. You might want to alter the source IP
of VPN traffic (which a priori is not from the LAN interface) so that it
appears to come from the LAN before you decide whether or not to forward it.

The POSTROUTING table is similar, only it happens after the packet's
destination is set in stone. So you can, say, change the source IP
address in the packet and still have it routed wherever it was going to
go originally.


 This is on a mail/web server with a static IP, it does not do any NAT
 and does not act as a perimeter firewall, it only protects itself...
 
 Thanks for any pointers to tfm that explains this if there is one, or
 just for a simple explanation if not...
 

I don't know what you were trying to do there, but it doesn't sound like
you need it. You might have been trying to block packets in an invalid
state. If so, consider using conntrack's --ctstate INVALID to drop them
instead.



Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Mick
On Wednesday 02 Jan 2013 13:38:27 Tanstaafl wrote:
 Hi all,
 
 This has been bugging me for a while...
 
 I've googled, and can't seem to find a definitive answer to this
 question...
 
 Lots of references to the Mangle table, but nothing that really explains
 what this table is or does, and when or why I would want/need it.
 
 Currently, I have this in my rules (since forever, honestly don't even
 remember where it came from):
 
 *mangle
 
 :PREROUTING ACCEPT [1378800222:449528056411]
 :INPUT ACCEPT [1363738727:447358082301]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [1221121261:1103241097263]
 :POSTROUTING ACCEPT [1221116979:1103240864155]
 
 -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
 -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
 -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
 -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
 COMMIT
 # Completed on Sun Dec 11 14:11:01 2011
 
 This is on a mail/web server with a static IP, it does not do any NAT
 and does not act as a perimeter firewall, it only protects itself...
 
 Thanks for any pointers to tfm that explains this if there is one, or
 just for a simple explanation if not...

The rules you show above do not do any mangling.  They just filter out packets 
during prerouting with certain tcp flags.  You would mangle packets if you 
needed to change some headers, e.g. ToS field and TTL.  You could also set a 
MARK value so that you can thereafter process the MARK'ed packet accordingly 
(e.g. limit bandwidth for such packets, or do some fancy routing for them)

If you have a look at 'man iptables-extensions' it gives some examples of 
using -t mangle.

I haven't looked in Google recently, but there should be some examples there 
too.
-- 
Regards,
Mick




Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Tanstaafl

On 2013-01-02 2:01 PM, Mick michaelkintz...@gmail.com wrote:

If you have a look at 'man iptables-extensions' it gives some examples of
using -t mangle.

I haven't looked in Google recently, but there should be some examples there
too.


Oh, ok - so, if I don't have any rules that use the 'mangle' command, 
then I can safely remove mangle support from my kernel and lose the 
mangle table altogether?


Thanks guys...



Re: [gentoo-user] IPTABLES syntax change?

2013-01-02 Thread Michael Orlitzky
On 12/30/12 22:21, Walter Dnes wrote:
   OK, here is version 2.  I had an excellent adventure along the way.
 

I'm doing the upgrade on our servers right now, and there's another
possible gotcha: the newer iptables (requiring conntrack) requires
NETFILTER_XT_MATCH_CONNTRACK support in the kernel. This is in contrast
to the state matches which used NETFILTER_XT_MATCH_STATE.

To minimize downtime during the switch, I'm doing,

  1. Rebuild the kernel, enable conntrack and disable state.

  2. Fix my iptables-config script to use the conntrack stuff

  3. Create a dummy set of rules that allows me to SSH in (without
 state matching)

  4. Run and save those rules

  5. Reboot to new kernel

  6. SSH in and run iptables-config

  7. Save the rules


 [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
 [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
 [0:0] -A INPUT -i lo -j ACCEPT
 [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
 [0:0] -A INPUT -p tcp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
 [0:0] -A INPUT -p udp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
 [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
 [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
 [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
 [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
 [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
 [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
 [0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG
 [0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG
 [0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG
 [0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG
 [0:0] -A INPUT -p icmp -j ICMP_IN
 [0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

These rules will be evaluated in order. I have no evidence for this, but
I suspect you're better off accepting the ESTABLISHED,RELATED stuff
earlier in the chain so you don't slow down the packets that you want.




Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Mick
On Wednesday 02 Jan 2013 19:47:11 Tanstaafl wrote:
 On 2013-01-02 2:01 PM, Mick michaelkintz...@gmail.com wrote:
  If you have a look at 'man iptables-extensions' it gives some examples of
  using -t mangle.
  
  I haven't looked in Google recently, but there should be some examples
  there too.
 
 Oh, ok - so, if I don't have any rules that use the 'mangle' command,
 then I can safely remove mangle support from my kernel and lose the
 mangle table altogether?
 
 Thanks guys...

Yes, I would think so.  You can build it as a module anyway and un/not load it 
to see if iptables starts up without errors.
-- 
Regards,
Mick




Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Pandu Poluan
On Jan 3, 2013 1:57 AM, Michael Orlitzky mich...@orlitzky.com wrote:

 On 01/02/13 08:38, Tanstaafl wrote:
  Hi all,
 
  This has been bugging me for a while...
 
  I've googled, and can't seem to find a definitive answer to this
  question...
 
  Lots of references to the Mangle table, but nothing that really explains
  what this table is or does, and when or why I would want/need it.
 

 It allows you to mangle the low level bits of a packet. You only need it
 for routing gymnastics.


  Currently, I have this in my rules (since forever, honestly don't even
  remember where it came from):
 
  *mangle
  :PREROUTING ACCEPT [1378800222:449528056411]
  :INPUT ACCEPT [1363738727:447358082301]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [1221121261:1103241097263]
  :POSTROUTING ACCEPT [1221116979:1103240864155]
  -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
  -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
  -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
  -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
  COMMIT
  # Completed on Sun Dec 11 14:11:01 2011
 

 The PREROUTING table happens before the routing decision is made. So
 those rules happen before the network stack decides what to do with a
 packet.

 Suppose, for example, that you forward all packets from your LAN to
 wherever they're supposed to go. You might want to alter the source IP
 of VPN traffic (which a priori is not from the LAN interface) so that it
 appears to come from the LAN before you decide whether or not to forward
it.

 The POSTROUTING table is similar, only it happens after the packet's
 destination is set in stone. So you can, say, change the source IP
 address in the packet and still have it routed wherever it was going to
 go originally.


  This is on a mail/web server with a static IP, it does not do any NAT
  and does not act as a perimeter firewall, it only protects itself...
 
  Thanks for any pointers to tfm that explains this if there is one, or
  just for a simple explanation if not...
 

 I don't know what you were trying to do there, but it doesn't sound like
 you need it. You might have been trying to block packets in an invalid
 state. If so, consider using conntrack's --ctstate INVALID to drop them
 instead.


Just to add some references...

When dealing with iptables (and its kissing cousin, ebtables), I always
find these diagrams to be most helpful:

Definitive: http://www.wenzk.net/bbs/attachments/PacketFlow_BTgdX6im2Scu.png

Complementary: http://linux-ip.net/nf/nfk-traversal.png

Rgds,
--


Re: [gentoo-user] IPTABLES syntax change?

2013-01-02 Thread Pandu Poluan
On Jan 3, 2013 4:40 AM, Michael Orlitzky mich...@orlitzky.com wrote:

 On 12/30/12 22:21, Walter Dnes wrote:
OK, here is version 2.  I had an excellent adventure along the way.
 

 I'm doing the upgrade on our servers right now, and there's another
 possible gotcha: the newer iptables (requiring conntrack) requires
 NETFILTER_XT_MATCH_CONNTRACK support in the kernel. This is in contrast
 to the state matches which used NETFILTER_XT_MATCH_STATE.

 To minimize downtime during the switch, I'm doing,

   1. Rebuild the kernel, enable conntrack and disable state.

   2. Fix my iptables-config script to use the conntrack stuff

   3. Create a dummy set of rules that allows me to SSH in (without
  state matching)

   4. Run and save those rules

   5. Reboot to new kernel

   6. SSH in and run iptables-config

   7. Save the rules


  [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
  [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
  [0:0] -A INPUT -i lo -j ACCEPT
  [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
  [0:0] -A INPUT -p tcp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
  [0:0] -A INPUT -p udp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
  [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
  [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
  [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
  [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
  [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
  [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
  [0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG
  [0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG
  [0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG
  [0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG
  [0:0] -A INPUT -p icmp -j ICMP_IN
  [0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

 These rules will be evaluated in order. I have no evidence for this, but
 I suspect you're better off accepting the ESTABLISHED,RELATED stuff
 earlier in the chain so you don't slow down the packets that you want.


True. But you will want to filter out 'suspicious' packets beforehand.

In my previous employment, I had a Gentoo-based firewall with more than 100
lines of rules. Plus I also employ 'ipset' to allow on-the-fly manipulation
of blocking/routing.

If you want to see the whole nine yards, I can try asking my replacement to
send me the whole deal.

Rgds,
--


Re: [gentoo-user] IPTABLES syntax change?

2013-01-02 Thread Michael Orlitzky
On 12/30/2012 10:21 PM, Walter Dnes wrote:
 [0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6
 [0:0] -A FECESBOOK -j DROP
 [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
 [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
 [0:0] -A INPUT -i lo -j ACCEPT
 [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED

In fact, since you're blocking all outgoing packets to facebook, the
only state that a packet from facebook can have here is INVALID or NEW.
So traffic from facebook will be sent to the UNSOLICITED chain and DROPped.


 [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
 [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
 [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
 [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
 [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
 [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK

...making these pointless =)


 [0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG
 [0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG
 [0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG
 [0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG

I believe the same applies here, since you already accepted your
legitimate LAN traffic above. For this to catch anything, you'd first
have to send a packet to one of those subnets and something would have
to respond to it.


 [0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

So it makes even more sense to move this above the rest. If you still
want to log facebook and other private traffic, the INVALID,NEW rule
should come after those, otherwise the facebook/private stuff will just
be dropped as UNSOLICITED.
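To make the ordering argument concrete, here is a small chain-traversal simulator, added as an illustration and not code from anyone in the thread. It runs constructed packets through an excerpt of the INPUT chain in the poster's original order and in the order suggested above, reporting which target fires and how many rules had to be evaluated; user chains are not expanded and the rule excerpt and packet addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed excerpt of the INPUT chain discussed in this thread
# (iptables-save syntax, counters stripped), in the poster's original order.
ORIGINAL_INPUT = """\
-A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
-A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
-A INPUT -s 69.63.176.0/20 -j FECESBOOK
-A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"""

# The same rules reordered as suggested: accept ESTABLISHED,RELATED first, and
# move the INVALID,NEW catch-all below the logging rules so they can still fire.
REORDERED_INPUT = """\
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
-A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 69.63.176.0/20 -j FECESBOOK
-A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG
-A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
"""


@dataclass
class Packet:
    src: str       # source IPv4 address (constructed sample values)
    iface: str     # ingress interface
    ctstate: str   # conntrack state: NEW, ESTABLISHED, RELATED or INVALID


def parse_rule(line):
    """Parse the subset of iptables-save syntax used above into match criteria."""
    tokens = line.split()
    rule = {"src": None, "iface": None, "ctstate": None, "target": None}
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if opt == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "-i":
            rule["iface"] = arg
        elif opt == "--ctstate":
            rule["ctstate"] = set(arg.split(","))
        elif opt == "-j":
            rule["target"] = arg
        # "-A INPUT" and "-m conntrack" carry no match criteria of their own;
        # every option in this subset takes exactly one argument.
        i += 2
    return rule


def matches(rule, pkt):
    """True if every criterion the rule specifies matches the packet."""
    if rule["src"] is not None and ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if rule["iface"] is not None and rule["iface"] != pkt.iface:
        return False
    if rule["ctstate"] is not None and pkt.ctstate not in rule["ctstate"]:
        return False
    return True


def first_match(chain_text, pkt, policy="DROP"):
    """Walk the chain in order; return (target, rules evaluated) for the first hit.

    User-defined chains (FECESBOOK, PRIVATE_LOG, UNSOLICITED) are not expanded:
    the jump target is reported, since all of them end in DROP anyway. If no
    rule matches, the chain policy applies.
    """
    rules = [parse_rule(l) for l in chain_text.splitlines() if l.strip()]
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["target"], n
    return policy, len(rules)


def compare_orderings(pkt):
    """Show where the same packet ends up under each ordering."""
    return {"original": first_match(ORIGINAL_INPUT, pkt),
            "reordered": first_match(REORDERED_INPUT, pkt)}


if __name__ == "__main__":
    for pkt in (Packet("69.63.176.1", "eth0", "NEW"),       # facebook range
                Packet("10.0.0.5", "eth0", "NEW"),          # private range
                Packet("203.0.113.9", "eth0", "ESTABLISHED")):  # reply traffic
        print(pkt, compare_orderings(pkt))
```

Under the original order a NEW packet from the facebook range never reaches FECESBOOK (UNSOLICITED wins at rule 4), and every reply packet walks all seven rules before being accepted; reordered, replies are accepted at rule 1 and the logging chains see their traffic.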




Re: [gentoo-user] IPTABLES syntax change?

2012-12-30 Thread Michael Orlitzky
On 12/29/2012 01:32 PM, Walter Dnes wrote:
   Two questions I'm not sure about.
 
 1) I run a desktop, and use passive ftp.  Is there any need for me to
 accept RELATED packets?
 

Probably not, I think the server needs it though.


 2) Does a -j LOG return to the chain it was called from, or does it do
 an implicit DROP?
 

It returns to spot where it was called from.



Re: [gentoo-user] IPTABLES syntax change?

2012-12-30 Thread Adam Carter
  2) Does a -j LOG return to the chain it was called from, or does it do
  an implicit DROP?
 

 It returns to spot where it was called from.


Yep, so you could create a new chain to drop and log;
/sbin/iptables -N logdrop
/sbin/iptables -A logdrop -j LOG --log-prefix 'DROP '
/sbin/iptables -A logdrop -j DROP

Then call that one
/sbin/iptables -A tcp_packets -p TCP --dport 80 -j ACCEPT
/sbin/iptables -A tcp_packets -p TCP -j logdrop


Re: [gentoo-user] IPTABLES syntax change?

2012-12-30 Thread Walter Dnes
  OK, here is version 2.  I had an excellent adventure along the way.

* At the very last line (COMMIT), iptables-restore said it failed, but
  no clue whatsoever as to why.

* I copied the rules file to a scratch-file, and converted it to a bash
  script that called iptables each time.

* This method showed errors when using -m multiport

* multiport is apparently not part of the core of iptables.  It's an
  extra kernel option that has to be invoked explicitly.

* cd /usr/src/linux
  make menuconfig
  [*] Networking support  ---
  Networking options  ---
  [*] Network packet filtering framework (Netfilter)  ---

  Here's where it gets tricky.  You *MUST* first enable...

  [*]   Advanced netfilter configuration

...and then go into...

Core Netfilter Configuration  ---
...and select...

*   multiport Multiple port match support

  Rebuild kernel and reboot.  Now for the iptables rules, version 2

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BAD_DPORT - [0:0]
:BAD_SPORT - [0:0]
:DROP_LOG - [0:0]
:FECESBOOK - [0:0]
:ICMP_IN - [0:0]
:ICMP_OUT - [0:0]
:PRIVATE_LOG - [0:0]
:UNSOLICITED - [0:0]
[0:0] -A BAD_DPORT -j LOG --log-prefix BAD_DPORT: --log-level 6
[0:0] -A BAD_DPORT -j DROP
[0:0] -A BAD_SPORT -j LOG --log-prefix BAD_SPORT: --log-level 6
[0:0] -A BAD_SPORT -j DROP
[0:0] -A DROP_LOG -j LOG --log-level 6
[0:0] -A DROP_LOG -j DROP
[0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6
[0:0] -A FECESBOOK -j DROP
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 4 -j ACCEPT
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 12 -j ACCEPT
[0:0] -A ICMP_IN -j LOG --log-prefix IN_BAD_ICMP: --log-level 6
[0:0] -A ICMP_IN -j DROP
[0:0] -A ICMP_OUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A ICMP_OUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A ICMP_OUT -p icmp -m icmp --icmp-type 30 -j ACCEPT
[0:0] -A ICMP_OUT -j LOG --log-prefix OUT_BAD_ICMP: --log-level 6
[0:0] -A ICMP_OUT -j DROP
[0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
[0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
[0:0] -A INPUT -p tcp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
[0:0] -A INPUT -p udp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
[0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
[0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
[0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG
[0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG
[0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG
[0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG
[0:0] -A INPUT -p icmp -j ICMP_IN
[0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[0:0] -A OUTPUT -d 192.168.123.248/29 -o eth0 -j ACCEPT
[0:0] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -p tcp -m multiport --sports 0:1023,6000:6063 -j BAD_SPORT
[0:0] -A OUTPUT -p udp -m multiport --sports 0:1023,6000:6063 -j BAD_SPORT
[0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 69.220.144.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
[0:0] -A OUTPUT -d 200.58.112.0/20 -j FECESBOOK
[0:0] -A OUTPUT -d 213.155.64.0/19 -j FECESBOOK
[0:0] -A PRIVATE_LOG -j LOG --log-prefix IN_BAD_ADDR: --log-level 6
[0:0] -A PRIVATE_LOG -j DROP
[0:0] -A UNSOLICITED -j LOG --log-prefix UNSOLICITED: --log-level 6
[0:0] -A UNSOLICITED -j DROP
COMMIT

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications



Re: [gentoo-user] IPTABLES syntax change?

2012-12-29 Thread Walter Dnes
  Two questions I'm not sure about.

1) I run a desktop, and use passive ftp.  Is there any need for me to
accept RELATED packets?

2) Does a -j LOG return to the chain it was called from, or does it do
an implicit DROP?

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications



Re: [gentoo-user] IPTABLES syntax change?

2012-12-29 Thread Jarry

On 29-Dec-12 19:32, Walter Dnes wrote:


1) I run a desktop, and use passive ftp.  Is there any need for me to
accept RELATED packets?


No, but you must take care of related connections. Even passive
ftp opens command (>1023 -> 21) and data (>1023 -> >1023) channel.
BTW, icmp-error (i.e. host unreachable) can also be connection
related to some other one...

Jarry

--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



Re: [gentoo-user] IPTABLES syntax change?

2012-12-28 Thread Walter Dnes
On Fri, Dec 28, 2012 at 01:07:11AM -0500, Michael Orlitzky wrote
 On 12/27/2012 10:59 PM, Walter Dnes wrote:
  
Here's my revised Paranoia Plus ruleset.  Any comments?  Because I'm
  behind a NAT-ing ADSL router/modem, many of my rules rarely see hits.
  However, I do have a backup dialup connection in case of problems, so
  most of my rules don't specify the network interface.  A couple of
  notes...
  
 
 I did a bunch of inline comments below as I was trying to understand the
 rules. At the end I give the tl;dr, but maybe the inline comments are
 useful too.

  Thanks.  My ruleset has accumulated years of cruft.  I should really
sit down and rewrite the thing from square 1.  I have one comment.  You
show what appears to be a bash script for setting up the rules.  I work
with the contents of file /var/lib/iptables/rules-save instead.  

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications



Re: [gentoo-user] IPTABLES syntax change?

2012-12-28 Thread Kerin Millar

Walter Dnes wrote:

On Fri, Dec 28, 2012 at 01:07:11AM -0500, Michael Orlitzky wrote

On 12/27/2012 10:59 PM, Walter Dnes wrote:

   Here's my revised Paranoia Plus ruleset.  Any comments?  Because I'm
behind a NAT-ing ADSL router/modem, many of my rules rarely see hits.
However, I do have a backup dialup connection in case of problems, so
most of my rules don't specify the network interface.  A couple of
notes...


I did a bunch of inline comments below as I was trying to understand the
rules. At the end I give the tl;dr, but maybe the inline comments are
useful too.


   Thanks.  My ruleset has accumulated years of cruft.  I should really
sit down and rewrite the thing from square 1.  I have one comment.  You
show what appears to be a bash script for setting up the rules.  I work
with the contents of file /var/lib/iptables/rules-save instead.



Calling iptables repeatedly from a shell script is not advisable. A 
better approach is described by Jan Engelhardt in his Towards the 
perfect ruleset document:


http://inai.de/documents/Perfect_Ruleset.pdf

The method of working with /var/lib/iptables/rules-save is very similar 
to that which he describes.


Cheers,

--Kerin



Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Graham Murray
Michael Orlitzky mich...@orlitzky.com writes:

 The 'conntrack' module is supposed to be a superset of 'state', so most
 things should be compatible. You really have two warnings there; the
 first is for the state -> conntrack switch, and the second is because
 you're missing the --state flag in your rules.

 In your example, you turn on the state matching,

   iptables -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED

 but you don't specify *which* state(s) you want to match. It wants you
 to specify --state SOMETHING. I'd guess that it used to interpret no
 state as any state.

The problem is not really the OP's fault. The problem is that if you
have tables with the form -m state --state XXX at the point you
upgrade, iptables-save (quite possibly called automatically by
/etc/init.d/iptables stop) will save it as -m state --state - ie
'forgetting' which state(s) the rule applies to. 

The solution is to either change all your rules to use -m conntrack
--ctstate XXX before upgrading or editing /var/lib/iptables/rules-save
to globally replace '-m state' by '-m conntrack' and '--state' by
'--ctstate' prior to the upgrade and (at least temporarily) edit
/etc/conf.d/iptables to set SAVE_ON_STOP=no. The same will also need
to be done with ip6tables if you use that.

I think that this is a serious enough change in behaviour that an elog
warning should have been issued.
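The before-upgrade rewrite described above, as an added example that is not code from the thread: it converts well-formed `-m state --state X` rules in a constructed rules-save excerpt to `-m conntrack --ctstate X` and reports any line whose state list has already been lost, so that line can be repaired by hand instead of being loaded as a match-anything rule.

```python
import re

# Constructed sample of /var/lib/iptables/rules-save contents (counters stripped).
# Lines 2 and 4 show the clobbered form the thread describes: "-m state" with
# no state list left after iptables-save rewrote the rules.
SAMPLE_RULES_SAVE = """\
-A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ALL -m state -j ACCEPT
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
-A ICMP_IN -p icmp -m state --state -j UNSOLICITED
-A INPUT -i lo -j ACCEPT
"""

# The states the old "state" match accepts; anything else after --state is
# treated as damage rather than converted.
STATE_NAMES = r"(?:INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED)"
GOOD_STATE_RE = re.compile(
    rf"-m state --state ({STATE_NAMES}(?:,{STATE_NAMES})*)\b"
)
# Any "-m state" still present after the well-formed ones were converted has
# lost its --state list (or never had one).
ANY_STATE_RE = re.compile(r"(^|\s)-m state(\s|$)")


def migrate_state_to_conntrack(text):
    """Return (converted rules text, 1-based line numbers left unconverted).

    Well-formed rules become "-m conntrack --ctstate X"; lines whose state
    list is missing are left exactly as they were and reported so they are
    fixed by hand before the next restore.
    """
    converted = []
    clobbered = []
    for lineno, line in enumerate(text.splitlines(), 1):
        new_line = GOOD_STATE_RE.sub(r"-m conntrack --ctstate \1", line)
        if ANY_STATE_RE.search(new_line):
            clobbered.append(lineno)
            converted.append(line)
        else:
            converted.append(new_line)
    return "\n".join(converted) + "\n", clobbered


if __name__ == "__main__":
    migrated, bad = migrate_state_to_conntrack(SAMPLE_RULES_SAVE)
    print(migrated)
    if bad:
        print("lines with a lost --state list, fix by hand:", bad)
```

Run against the real file with SAVE_ON_STOP=no set in /etc/conf.d/iptables, as the post above recommends, so that the service stop does not overwrite the repaired file.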




Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
On 12/27/12 06:28, Graham Murray wrote:
 Michael Orlitzky mich...@orlitzky.com writes:
 
 The 'conntrack' module is supposed to be a superset of 'state', so most
 things should be compatible. You really have two warnings there; the
 first is for the state -> conntrack switch, and the second is because
 you're missing the --state flag in your rules.

 In your example, you turn on the state matching,

   iptables -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED

 but you don't specify *which* state(s) you want to match. It wants you
 to specify --state SOMETHING. I'd guess that it used to interpret no
 state as any state.
 
 The problem is not really the OP's fault. The problem is that if you
 have tables with the form -m state --state XXX at the point you
 upgrade, iptables-save (quite possibly called automatically by
 /etc/init.d/iptables stop) will save it as -m state --state - ie
 'forgetting' which state(s) the rule applies to. 
 

Youch, thanks, I'll keep an eye out for this when iptables wants a bump.
I already keep the rules in a script, but it sounds like this will
clobber the running rules after e.g. a reboot.

My first -m state rule is,

  iptables -A INPUT -p ALL -m state \
--state ESTABLISHED,RELATED -j ACCEPT

And if what you say is true, I'd be in deep shit if it reset to,

  iptables -A INPUT -p ALL -m state -j ACCEPT

without a warning.


 
 I think that this is a serious enough change in behaviour that an elog
 warning should have been issued.

It's not stable yet, right? File a bug (and CC me, please).



Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Matthias Hanft

Michael Orlitzky wrote:


My first -m state rule is,
   iptables -A INPUT -p ALL -m state \
 --state ESTABLISHED,RELATED -j ACCEPT


That was mine, too (you can omit -p in this case, can't you?).


And if what you say is true, I'd be in deep shit if it reset to,
   iptables -A INPUT -p ALL -m state -j ACCEPT
without a warning.


It *was* reset here.  I just noticed it reading this discussion.

Don't exactly know what the stateless rule did (perhaps just
nothing?), but since I didn't notice it for a pretty long time,
it can't have been all too bad?!  At least, it didn't crash the
whole system :-)

But I would have appreciated at least an update notice, too!

-Matt




Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
On 12/27/12 12:52, Matthias Hanft wrote:
 Michael Orlitzky wrote:

 My first -m state rule is,
iptables -A INPUT -p ALL -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
 
 That was mine, too (you can omit -p in this case, can't you?).

Yeah, it just makes the indentation line up in my case.


 
 And if what you say is true, I'd be in deep shit if it reset to,
iptables -A INPUT -p ALL -m state -j ACCEPT
 without a warning.
 
 It *was* reset here.  I just noticed it reading this discussion.
 
 Don't exactly know what the stateless rule did (perhaps just
 nothing?), but since I didn't notice it for a pretty long time,
 it can't have been all too bad?!  At least, it didn't crash the
 whole system :-)
 
 But I would have appreciated at least an update notice, too!
 

I confirmed and opened a bug:

  https://bugs.gentoo.org/show_bug.cgi?id=448906

Thanks again to Graham for pointing this out.



Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Walter Dnes
On Thu, Dec 27, 2012 at 11:28:15AM +0000, Graham Murray wrote

 The problem is not really the OP's fault. The problem is that if you
 have tables with the form -m state --state XXX at the point you
 upgrade, iptables-save (quite possibly called automatically by
 /etc/init.d/iptables stop) will save it as -m state --state - ie
 'forgetting' which state(s) the rule applies to.

  Thanks for pointing that out.  I looked back at an archived version,
and it had stuff like...

-A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
-A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m state --state NEW -j UNSOLICITED

  I.e. new external connection attempts were rejected, except for my
lan which bypasses this rule so I can scp/ssh etc between my machines.
No wonder I was puzzled by what I saw.

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications



Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
On 12/27/2012 06:11 PM, Walter Dnes wrote:
 On Thu, Dec 27, 2012 at 11:28:15AM +0000, Graham Murray wrote
 
 The problem is not really the OP's fault. The problem is that if you
 have tables with the form -m state --state XXX at the point you
 upgrade, iptables-save (quite possibly called automatically by
 /etc/init.d/iptables stop) will save it as -m state --state - ie
 'forgetting' which state(s) the rule applies to.
 
   Thanks for pointing that out.  I looked back at an archived version,
 and it had stuff like...
 
 -A ICMP_IN -p icmp -m state --state NEW -j UNSOLICITED
 -A TCP_IN -p tcp -m state --state NEW -m tcp -j UNSOLICITED
 -A UDP_IN -p udp -m state --state NEW -j UNSOLICITED
 
   I.e. new external connection attempts were rejected, except for my
 lan which bypasses this rule so I can scp/ssh etc between my machines.
 No wonder I was puzzled by what I saw.
 

Ah, yes, the original problem.

Once you've upgraded, you should be able to add all of your old --state
rules normally, albeit with a warning. The new iptables will translate
them to conntrack rules, and you can `/etc/init.d/iptables save` the result.

The upgrade just fails in a horrible way.



Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Walter Dnes
On Thu, Dec 27, 2012 at 06:50:07PM -0500, Michael Orlitzky wrote

 Once you've upgraded, you should be able to add all of your old --state
 rules normally, albeit with a warning. The new iptables will translate
 them to conntrack rules, and you can `/etc/init.d/iptables save` the result.
 
 The upgrade just fails in a horrible way.

  Here's my revised Paranoia Plus ruleset.  Any comments?  Because I'm
behind a NAT-ing ADSL router/modem, many of my rules rarely see hits.
However, I do have a backup dialup connection in case of problems, so
most of my rules don't specify the network interface.  A couple of
notes...

* My little lan is 192.168.123.248/29
* I have a TV tuner box that comes up in the zero-config space, so I
  have to allow 169.254.0.0/16 
* I dislike a certain button following me.

# Generated by iptables-save v1.4.16.3 on Thu Dec 27 22:43:12 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DROP_LOG - [0:0]
:FECESBOOK - [0:0]
:ICMP_IN - [0:0]
:PRIVATE - [0:0]
:PRIVATE_LOG - [0:0]
:TCP_IN - [0:0]
:UDP_IN - [0:0]
:UNSOLICITED - [0:0]
[0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
[0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
[0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
[0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
[0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
[0:0] -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
[0:0] -A INPUT -p udp -m udp --sport 53 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -f -j LOG --log-prefix FRAGMENTS: --log-level 6
[0:0] -A INPUT -f -j DROP
[0:0] -A INPUT -p tcp -j TCP_IN
[0:0] -A INPUT -p udp -j UDP_IN
[0:0] -A INPUT -p icmp -j ICMP_IN
[0:0] -A INPUT -j LOG --log-prefix BAD_PROTOCOL: --log-level 6
[0:0] -A INPUT -j DROP
[0:0] -A OUTPUT -d 192.168.123.248/29 -o eth0 -j ACCEPT
[0:0] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
[0:0] -A OUTPUT -p icmp -m icmp --icmp-type 30 -j ACCEPT
[0:0] -A OUTPUT -p tcp -m tcp --sport 0:1023 -j DROP_LOG
[0:0] -A OUTPUT -p udp -m udp --sport 0:1023 -j DROP_LOG
[0:0] -A OUTPUT -p tcp -m tcp --sport 6000:6063 -j DROP_LOG
[0:0] -A OUTPUT -p udp -m udp --sport 6000:6063 -j DROP_LOG
[0:0] -A OUTPUT -j ACCEPT
[0:0] -A DROP_LOG -j LOG --log-level 6
[0:0] -A DROP_LOG -j DROP
[0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6
[0:0] -A FECESBOOK -j DROP
[0:0] -A ICMP_IN -p icmp -m conntrack --ctstate NEW -j UNSOLICITED
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 0 -j PRIVATE
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 3 -j PRIVATE
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 4 -j PRIVATE
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 11 -j PRIVATE
[0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 12 -j PRIVATE
[0:0] -A ICMP_IN -j LOG --log-prefix IN_BAD_ICMP: --log-level 6
[0:0] -A ICMP_IN -j DROP
[0:0] -A PRIVATE -s 10.0.0.0/8 -j PRIVATE_LOG
[0:0] -A PRIVATE -s 127.0.0.0/8 -j PRIVATE_LOG
[0:0] -A PRIVATE -s 172.16.0.0/12 -j PRIVATE_LOG
[0:0] -A PRIVATE -s 192.168.0.0/16 -j PRIVATE_LOG
[0:0] -A PRIVATE -j ACCEPT
[0:0] -A PRIVATE_LOG -j LOG --log-prefix IN_BAD_ADDR: --log-level 6
[0:0] -A PRIVATE_LOG -j DROP
[0:0] -A TCP_IN -p tcp -m tcp --dport 0:1023 -j DROP_LOG
[0:0] -A TCP_IN -p tcp -m tcp --dport 6000:6063 -j DROP_LOG
[0:0] -A TCP_IN -p tcp -m tcp --sport 53 -j PRIVATE
[0:0] -A TCP_IN -p tcp -m tcp --sport 80 -j PRIVATE
[0:0] -A TCP_IN -p tcp -m conntrack --ctstate NEW -m tcp -j UNSOLICITED
[0:0] -A TCP_IN -p tcp -j PRIVATE
[0:0] -A UDP_IN -p udp -m udp --dport 0:1023 -j DROP_LOG
[0:0] -A UDP_IN -p udp -m udp --dport 6000:6063 -j DROP_LOG
[0:0] -A UDP_IN -p udp -m udp --sport 53 -j PRIVATE
[0:0] -A UDP_IN -p udp -m udp --sport 80 -j PRIVATE
[0:0] -A UDP_IN -p udp -m conntrack --ctstate NEW -j UNSOLICITED
[0:0] -A UDP_IN -p udp -j PRIVATE
[0:0] -A UNSOLICITED -j LOG --log-prefix UNSOLICITED: --log-level 6
[0:0] -A UNSOLICITED -j DROP
COMMIT
# Completed on Thu Dec 27 22:43:12 2012

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications



Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
On 12/27/2012 10:59 PM, Walter Dnes wrote:
 
   Here's my revised Paranoia Plus ruleset.  Any comments?  Because I'm
 behind a NAT-ing ADSL router/modem, many of my rules rarely see hits.
 However, I do have a backup dialup connection in case of problems, so
 most of my rules don't specify the network interface.  A couple of
 notes...
 

I did a bunch of inline comments below as I was trying to understand the
rules. At the end I give the tl;dr, but maybe the inline comments are
useful too.


 * My little lan is 192.168.123.248/29
 * I have a TV tuner box that comes up in the zero-config space, so I
   have to allow 169.254.0.0/16 
 * I dislike a certain button following me.
 
 # Generated by iptables-save v1.4.16.3 on Thu Dec 27 22:43:12 2012
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT DROP [0:0]

You can save yourself some complexity by allowing outbound traffic by
default. I see that your INPUT policy is set to DROP, but you override
this in a few places: at the end of all the chains, you jump to the
PRIVATE table, which ends with a -j ACCEPT. So you'll accept anything
that isn't rejected by a previous rule.

I'd suggest flipping that: get rid of the -j ACCEPT at the end of the
private table, and allow unmatched traffic to be dropped.



 :DROP_LOG - [0:0]
 :FECESBOOK - [0:0]
 :ICMP_IN - [0:0]
 :PRIVATE - [0:0]
 :PRIVATE_LOG - [0:0]
 :TCP_IN - [0:0]
 :UDP_IN - [0:0]
 :UNSOLICITED - [0:0]

 [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT

Since you've self-proclaimed as paranoid, I don't feel bad suggesting
that you choose which ports to allow incoming, even to the LAN. If
somebody brings (or creates!) a compromised machine onto your LAN,
they're going to be able to hit any ports that you've got open and
available through the firewall. Not much you can do about that.

But you might as well prevent them from reaching everything. If you
expect to SSH from the LAN, sure, let that in. But if you're not serving
e.g. web pages, you might as well block port 80 from the LAN. This
allows you the freedom to play with apache without worrying about
whether or not you've secured it.


 [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT

I don't know anything about zeroconf, not qualified to comment.


 [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
 [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
 [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
 [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
 [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
 [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
 [0:0] -A FECESBOOK -j LOG --log-prefix FECESBOOK: --log-level 6
 [0:0] -A FECESBOOK -j DROP

Cute =) That final DROP is only needed since you -j PRIVATE (which
defaults to ACCEPT) at the end of everything.


 [0:0] -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
 [0:0] -A INPUT -p udp -m udp --sport 53 -j ACCEPT

Ok, in the INPUT chain you're accepting DNS traffic early. You do it
again below, so I think the later one is redundant.


 [0:0] -A INPUT -i lo -j ACCEPT
 [0:0] -A INPUT -f -j LOG --log-prefix FRAGMENTS: --log-level 6
 [0:0] -A INPUT -f -j DROP
 [0:0] -A INPUT -p tcp -j TCP_IN
 [0:0] -A INPUT -p udp -j UDP_IN
 [0:0] -A INPUT -p icmp -j ICMP_IN
 [0:0] -A INPUT -j LOG --log-prefix BAD_PROTOCOL: --log-level 6
 [0:0] -A INPUT -j DROP

DROP is redundant, since the INPUT policy is DROP.


 [0:0] -A OUTPUT -d 192.168.123.248/29 -o eth0 -j ACCEPT
 [0:0] -A OUTPUT -o lo -j ACCEPT
 [0:0] -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
 [0:0] -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 [0:0] -A OUTPUT -p icmp -m icmp --icmp-type 30 -j ACCEPT
 [0:0] -A OUTPUT -p tcp -m tcp --sport 0:1023 -j DROP_LOG
 [0:0] -A OUTPUT -p udp -m udp --sport 0:1023 -j DROP_LOG
 [0:0] -A OUTPUT -p tcp -m tcp --sport 6000:6063 -j DROP_LOG
 [0:0] -A OUTPUT -p udp -m udp --sport 6000:6063 -j DROP_LOG
 [0:0] -A OUTPUT -j ACCEPT

Aha, you're overriding the OUTPUT policy of DROP here with an ACCEPT.
You might as well set the policy to ACCEPT, and get rid of the trailing
-j ACCEPT. Anything that is explicitly ACCEPTed above but not otherwise
DROPped is also redundant, since traffic will be accepted by default if
not dropped. I see that you want to log-before-drop specific traffic;
that would still work with a policy of ACCEPT. You would add only those
rules to the OUTPUT chain.


 [0:0] -A DROP_LOG -j LOG --log-level 6
 [0:0] -A DROP_LOG -j DROP

DROP would be redundant without the -j ACCEPT at the end of the PRIVATE
TABLE.


 [0:0] -A ICMP_IN -p icmp -m conntrack --ctstate NEW -j UNSOLICITED
 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 0 -j PRIVATE
 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 3 -j PRIVATE
 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 4 -j PRIVATE
 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 11 -j PRIVATE
 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 12 -j PRIVATE
 [0:0] -A ICMP_IN -j LOG --log-prefix IN_BAD_ICMP: --log-level 6
 [0:0] -A ICMP_IN -j DROP

DROP would be redundant without the -j ACCEPT at the end of the 

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
I'm sure I made more than one typo, but the ALLOWED_ICMP below
definitely needs a dollar sign.


 
 for ok_icmp in ALLOWED_ICMP; do
   iptables -A ICMP_IN -p icmp --icmp-type ${ok_icmp} -j ACCEPT
 done
 



[gentoo-user] IPTABLES syntax change?

2012-12-26 Thread Walter Dnes
  Many years ago, I understood IPCHAINS, and the first versions of
IPTABLES.  However, IPTABLES has followed the example of Larry Wall's
Practical Extraction and Reporting Language
and turned into a pseudo-OS that I barely comprehend.  Some rules
that I added many years ago were designed to reject unsolicited
connection attempts (after whitelisting my small LAN)...

-A ICMP_IN -p icmp -m state -j UNSOLICITED
-A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m state -j UNSOLICITED

  Now these all give me the error message...

WARNING: The state match is obsolete. Use conntrack instead.
iptables-restore v1.4.16.3: state: option --state must be specified

  man iptables suggested man iptables-extensions.  As near as I can
tell, the new and improved way is...

-A ICMP_IN -p icmp -m conntrack --ctstate INVALID -j UNSOLICITED
-A TCP_IN -p tcp -m conntrack --ctstate INVALID -m tcp -j UNSOLICITED
-A UDP_IN -p udp -m conntrack --ctstate INVALID -j UNSOLICITED

  This appears to work, i.e. it doesn't cause iptables to fail.  Does
this do what I think it does (reject unsolicited connections)?  The
reason that I'm asking is because I'm simply not sure.

-- 
Walter Dnes waltd...@waltdnes.org
I don't run desktop environments; I run useful applications



Re: [gentoo-user] IPTABLES syntax change?

2012-12-26 Thread Michael Orlitzky
On 12/26/2012 07:47 PM, Walter Dnes wrote:
   Many years ago, I understood IPCHAINS, and the first versions of
 IPTABLES.  However, IPTABLES has followed the example of Larry Wall's
 Practical Extraction and Reporting Language
 and turned into a pseudo-OS that I barely comprehend.  Some rules
 that I added many years ago were designed to reject unsolicited
 connection attempts (after whitelisting my small LAN)...
 
 -A ICMP_IN -p icmp -m state -j UNSOLICITED
 -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED
 -A UDP_IN -p udp -m state -j UNSOLICITED
 
   Now these all give me the error message...
 
 WARNING: The state match is obsolete. Use conntrack instead.
 iptables-restore v1.4.16.3: state: option --state must be specified
 

The 'conntrack' module is supposed to be a superset of 'state', so most
things should be compatible. You really have two warnings there; the
first is for the state -> conntrack switch, and the second is because
you're missing the --state flag in your rules.

In your example, you turn on the state matching,

  iptables -A TCP_IN -p tcp -m state -m tcp -j UNSOLICITED

but you don't specify *which* state(s) you want to match. It wants you
to specify --state SOMETHING. I'd guess that it used to interpret no
state as any state.

You said that you whitelisted your LAN prior to that rule, so you're
probably just rejecting every {ICMP, TCP, UDP} packet with those three
rules.

If so, the equivalent rules are just,

  iptables -A ICMP_IN -p icmp -j DROP
  iptables -A TCP_IN  -p tcp  -j DROP
  iptables -A UDP_IN  -p udp  -j DROP

In other words, you only really need the connection tracking to /accept/
related connections. You don't want to deny related or established
connections, usually. And once you have accepted those two types, you
can just reject the rest, because they're necessarily new (or in rare
cases, invalid).

I would be wary of this:

  -A ICMP_IN -p icmp -m conntrack --ctstate INVALID -j UNSOLICITED

since if the old rule works like I think it does (reject everything) the
new one might allow some things that the old one didn't.
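As an added example (not from any post in this thread): the failure described above, iptables-save writing `-m state` with no `--state` argument so that the next restore aborts, is easy to catch on the file before it is fed to iptables-restore. The script below lints a saved rules file for that exact defect and rewrites intact `-m state --state X` rules to the `-m conntrack --ctstate X` form that Michael says the new iptables produces. The sample rules file is constructed here; the function names are my own, and the script only touches text, so it runs without iptables installed.

```shell
#!/bin/sh
# Added example (not from the thread): check a saved iptables rules file for
# "-m state" rules that lost their --state argument, and convert the intact
# ones to the conntrack form, before anything is handed to iptables-restore.
# Works on plain text, so it runs without iptables installed.

# Constructed sample of a rules file as the thread describes it after the
# upgrade: the first "-m state" rule has lost its --state argument.
make_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Return 0 if every "-m state" in the file carries a --state argument;
# otherwise print the offending rules and return 1. iptables-restore would
# refuse such a file ("option --state must be specified"), but on a remote
# box you want to know that before the old rules are flushed.
lint_state_rules() {
    if grep -- '-m state' "$1" | grep -v -- '--state '; then
        return 1
    fi
    return 0
}

# Rewrite "-m state --state X" to "-m conntrack --ctstate X" (conntrack is a
# superset of state, so the semantics are unchanged). Rules that already lost
# their --state argument are left alone for the lint step to catch.
migrate_state_rules() {
    sed -E 's/-m state --state ([A-Z,]+)/-m conntrack --ctstate \1/g' "$1"
}

# Number of rules still using the obsolete state match.
count_state_matches() {
    grep -c -- '-m state' "$1" || true
}

# Demo run on the constructed sample.
demo=$(mktemp)
make_sample_rules "$demo"
if lint_state_rules "$demo"; then
    echo "rules file is restorable"
else
    echo "refusing to restore: the rules above have no --state argument" >&2
fi
migrate_state_rules "$demo"
rm -f "$demo"
```

Run the lint against /var/lib/iptables/rules-save (or wherever your init script saves to) before `/etc/init.d/iptables start`; a rule that has already lost its states has no safe automatic fix, so the script only reports it and leaves the decision to you.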



Re: [gentoo-user] iptables question...

2011-12-17 Thread Hari Purnama
On 12/16/11 22:17, Tanstaafl wrote:
 Hi all,

 I was reading up on some iptables rules in the gentoo security handbook:

 http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12&style=printable


 It mentions DROPing packets with an INVALID state.

 It sounded/sounds like a good idea, so I added the following rule:

 -A INPUT -i eth0 -m state --state INVALID -j LOG

 As suggested, I added this rule just ABOVE this one:

 -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

 I also changed the DROP action to LOG so I could see what it did if
 anything.

 Right after adding this rule, I started seeing lines like this in the
 log:

 Dec 16 10:15:31 myhost kernel: IN=eth0 OUT=
 MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=208.87.137.233
 DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP
 SPT=50113 DPT=25 WINDOW=0 RES=0x00 RST URGP=0

 What I don't understand is why it isn't using my LOG prefix that is
 used for everything else:

 -A INPUT -j LOG --log-prefix "(fw-drop): " --log-level 7

 Anyone?

Did you put the log-prefix rule before or after the LOG rule?
Or why didn't you put it in a one-liner, say:

-A INPUT -i eth0 -m state --state INVALID -j LOG --log-level 7 --log-prefix "(fw-drop): " --log-ip-options --log-tcp-options


-- 
Regards,




Re: [gentoo-user] iptables question...

2011-12-17 Thread Tanstaafl

On 2011-12-17 11:34 AM, Hari Purnama h...@mapits.com wrote:

Did you put the log-prefix rule before or after the LOG rule?


After - the log prefix rule is last...


Or why didn't you put it in a one-liner, say:

-A INPUT -i eth0 -m state --state INVALID -j LOG --log-level 7 --log-prefix "(fw-drop): " --log-ip-options --log-tcp-options


Well, because I thought the log prefix rule applied to everything that 
comes before it...?




[gentoo-user] iptables question...

2011-12-16 Thread Tanstaafl

Hi all,

I was reading up on some iptables rules in the gentoo security handbook:

http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12&style=printable

It mentions DROPing packets with an INVALID state.

It sounded/sounds like a good idea, so I added the following rule:

-A INPUT -i eth0 -m state --state INVALID -j LOG

As suggested, I added this rule just ABOVE this one:

-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

I also changed the DROP action to LOG so I could see what it did if 
anything.


Right after adding this rule, I started seeing lines like this in the log:

Dec 16 10:15:31 myhost kernel: IN=eth0 OUT= 
MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=208.87.137.233 
DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP 
SPT=50113 DPT=25 WINDOW=0 RES=0x00 RST URGP=0


What I don't understand is why it isn't using my LOG prefix that is used 
for everything else:


-A INPUT -j LOG --log-prefix "(fw-drop): " --log-level 7

Anyone?
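As an added example (not part of this thread): the log line in the question carries no prefix because the prefix belongs to the LOG rule that fired, not to the chain, so output from a LOG rule without --log-prefix is indistinguishable from the "(fw-drop): " lines only by its absence. The script below summarises netfilter LOG lines in a syslog file by prefix, putting prefix-less lines in their own bucket, and pulls individual KEY=value fields out of a line. The sample log lines are constructed (one copies the line from the question); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise iptables LOG output from a
# syslog file by --log-prefix, so lines from a LOG rule that has no prefix
# (like the INVALID rule in the question) show up as their own bucket
# instead of being mistaken for "(fw-drop):" entries.

# Constructed sample log: two lines from the prefix-less INVALID rule, two
# from the "(fw-drop): " rule and one ordinary kernel message to be ignored.
make_sample_log() {
    cat > "$1" <<'EOF'
Dec 16 10:15:31 myhost kernel: IN=eth0 OUT= MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=208.87.137.233 DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=50113 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Dec 16 10:15:40 myhost kernel: IN=eth0 OUT= MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=198.51.100.9 DST=192.168.1.252 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=0 RES=0x00 RST URGP=0
Dec 16 10:16:02 myhost kernel: (fw-drop): IN=eth0 OUT= MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=203.0.113.77 DST=192.168.1.252 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12345 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 16 10:16:05 myhost kernel: (fw-drop): IN=eth0 OUT= MAC=00:e0:81:54:9c:8a:00:90:7f:86:a8:c0:08:00 SRC=203.0.113.77 DST=192.168.1.252 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=12346 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 16 10:16:30 myhost kernel: eth0: link up
EOF
}

# Print "count<TAB>prefix" for every --log-prefix seen, sorted. The prefix is
# whatever sits between "kernel: " and the first "IN=" field; lines from a
# LOG rule without a prefix are reported under "(no prefix)".
log_prefix_summary() {
    awk '
        /kernel: / {
            line = $0
            sub(/^.*kernel: /, "", line)
            idx = index(line, "IN=")
            if (idx == 0) next              # not a netfilter LOG line
            prefix = substr(line, 1, idx - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", prefix)
            if (prefix == "") prefix = "(no prefix)"
            count[prefix]++
        }
        END { for (p in count) printf "%d\t%s\n", count[p], p }
    ' "$1" | sort
}

# Extract one KEY=value field (e.g. DPT, SRC, PROTO) from a single log line.
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Demo on the constructed sample.
sample=$(mktemp)
make_sample_log "$sample"
log_prefix_summary "$sample"
first=$(grep 'DPT=25' "$sample" | head -n 1)
echo "first DPT=25 hit came from $(log_field "$first" SRC) ($(log_field "$first" PROTO))"
rm -f "$sample"
```

Point it at /var/log/messages (or wherever your syslog writes kernel output) and a "(no prefix)" bucket tells you at once that some LOG rule is missing its --log-prefix; the TCP RST to port 25 in the question, for instance, is a late reset for a connection conntrack no longer knows about, which is exactly what the INVALID match catches.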



[gentoo-user] iptables - do I need the nat table?

2010-04-10 Thread Tanstaafl
Hello,

This is on a server box, and I am *not* doing NAT on it...

Do I even need the nat table? If not, I'd like to build the kernel
without NAT support, but if there's a good reason not to do that, I won't...

Thanks

-- 

Charles



Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in -s and -d?

2010-04-09 Thread Stefan Schulte
Hi,


you can define a rule like that:

iptables -A FORWARD -s 192.168.235.43,192.168.235.46 -d
10.0.0.1,192.168.0.1 -j ACCEPT

it will create 4 rules.

be sure to activate Networking support -> Networking options -> Network
packet filtering framework -> Core Netfilter Configuration -> iprange
address range match support

Now you can do something like

iptables -A FORWARD -m iprange --src-range '10.0.0.1-10.0.0.44' -j
ACCEPT

hope it helps

-Stefan

On Mon, Apr 05, 2010 at 07:32:17PM +0200, Jarry wrote:
 Hi
 
 I'd like to ask if there is some way to include multiple discrete
 hosts/IP's in --source and --destination options of iptables.
 
 I'm trying to write firewall rules for my server, but it has
 12 IP's from different segments (and maybe it gets a few more
 later), and the script grows up as I have to write nearly
 identical rules with difference only in -s/-d IP's.
 
 What I'm looking for is a way to define some variable at the
 beginning of my script, like MY_IP=IP1 IP2 IP3 IP4... and
 later to use is in rules (iptables -A INPUT -s $MY_IP...).
 But I do not know how to use it. As far as I understand it,
 --source/--destination accepts only single IP's or continuous
 IP-segments...
 
 Jarry
 
 -- 
 ___
 This mailbox accepts e-mails only from selected mailing-lists!
 Everything else is considered to be spam and therefore deleted.
 




Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in -s and -d?

2010-04-06 Thread Kostyantyn
On Mon, 2010-04-05 at 19:32 +0200, Jarry wrote:
 Hi
 
 I'd like to ask if there is some way to include multiple discrete
 hosts/IP's in --source and --destination options of iptables.
 
 I'm trying to write firewall rules for my server, but it has
 12 IP's from different segments (and maybe it gets a few more
 later), and the script grows up as I have to write nearly
 identical rules with difference only in -s/-d IP's.
 
 What I'm looking for is a way to define some variable at the
 beginning of my script, like MY_IP=IP1 IP2 IP3 IP4... and
 later to use is in rules (iptables -A INPUT -s $MY_IP...).
 But I do not know how to use it. As far as I understand it,
 --source/--destination accepts only single IP's or continuous
 IP-segments...

You can do something like:
(100) iptables -N IP_SET_CHECK
(110) iptables -A IP_SET_CHECK -s $IP1 -j RETURN
(120) iptables -A IP_SET_CHECK -s $IP2 -j RETURN
(130) iptables -A IP_SET_CHECK -s $IP3/16 -j RETURN
(140) iptables -A IP_SET_CHECK -s $IP4 -j RETURN
(150) iptables -A IP_SET_CHECK -j DROP
 
(210) iptables -A INPUT -j IP_SET_CHECK
(220) iptables -A INPUT some other rules
(230) iptables -A INPUT some other rules

So, when it comes to line 210, it will start checking the newly
created chain IP_SET_CHECK. If it doesn't find an appropriate rule, the packet
will be dropped at line (150), but if it manages to find one, it will return to
line 220 and will continue looking for -j ACCEPT or -j DROP.

The same applies for the OUTPUT chain.

 Jarry
 





Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in -s and -d?

2010-04-06 Thread Alex Schuster
Jarry writes:

 I'd like to ask if there is some way to include multiple discrete
 hosts/IP's in --source and --destination options of iptables.
 
 I'm trying to write firewall rules for my server, but it has
 12 IP's from different segments (and maybe it gets a few more
 later), and the script grows up as I have to write nearly
 identical rules with difference only in -s/-d IP's.
 
 What I'm looking for is a way to define some variable at the
 beginning of my script, like MY_IP=IP1 IP2 IP3 IP4... and
 later to use is in rules (iptables -A INPUT -s $MY_IP...).
 But I do not know how to use it. As far as I understand it,
 --source/--destination accepts only single IP's or continuous
 IP-segments...

Well, as your iptables script is probably written in bash, you can do 
loops as you like:

myIPs="IP1 IP2 IP3 IP4 ..."
for ip in $myIPs; do   # use $myIPs here, not "$myIPs"!
    iptables -A INPUT -s $ip ...
done

Wonko
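As an added example (not from Alex's, Kostyantyn's or Stefan's posts): the two replies above combine naturally into a script that takes a whitespace-separated address list and emits an iptables-restore fragment with a dedicated check chain, the way Kostyantyn lays it out. The addition here is validation: an empty or mistyped entry in the list would otherwise expand to a rule like `-s -j RETURN` and abort the whole restore, so every entry is checked as an IPv4 host or CIDR block before any rule is printed. The address list is constructed; the chain and function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore fragment
# that whitelists a list of source addresses via a dedicated chain, with each
# address validated first so a typo in the list cannot silently produce a
# rule that matches nothing or aborts the restore.

# Constructed address list: single hosts and CIDR blocks, whitespace separated.
MY_IPS="192.168.0.10 192.168.0.11 10.0.0.0/8 203.0.113.7"

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32   # no slash: single host
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -f                               # no globbing while splitting
    set -- $addr
    set +f
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit a filter-table fragment: a chain that RETURNs for whitelisted sources
# and DROPs everything else, plus the INPUT hook. The whole list is refused
# (exit 1) if any entry fails validation, so nothing half-built is ever fed
# to iptables-restore.
emit_whitelist_rules() {
    chain=${2:-IP_SET_CHECK}
    for ip in $1; do          # unquoted on purpose: split the list on whitespace
        valid_ipv4_cidr "$ip" || { echo "refusing list: bad address '$ip'" >&2; return 1; }
    done
    echo '*filter'
    echo ":$chain - [0:0]"
    for ip in $1; do
        echo "-A $chain -s $ip -j RETURN"
    done
    echo "-A $chain -j DROP"
    echo "-A INPUT -j $chain"
    echo 'COMMIT'
}

# Number of per-address rules a list produces (handy as a sanity check).
count_whitelist_entries() {
    emit_whitelist_rules "$1" | grep -c -- '-j RETURN'
}

# Demo: print the fragment for the constructed list.
emit_whitelist_rules "$MY_IPS"
```

Feed the output to `iptables-restore --noflush` so the fragment is added to the running tables rather than replacing them; the chain name is passed as an optional second argument, which lets you build separate check chains for INPUT and OUTPUT from the same list.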



[gentoo-user] iptables: how can I include multiple hosts/IPs in -s and -d?

2010-04-05 Thread Jarry

Hi

I'd like to ask if there is some way to include multiple discrete
hosts/IP's in --source and --destination options of iptables.

I'm trying to write firewall rules for my server, but it has
12 IP's from different segments (and maybe it gets a few more
later), and the script grows up as I have to write nearly
identical rules with difference only in -s/-d IP's.

What I'm looking for is a way to define some variable at the
beginning of my script, like MY_IP=IP1 IP2 IP3 IP4... and
later to use is in rules (iptables -A INPUT -s $MY_IP...).
But I do not know how to use it. As far as I understand it,
--source/--destination accepts only single IP's or continuous
IP-segments...

Jarry

--
___
This mailbox accepts e-mails only from selected mailing-lists!
Everything else is considered to be spam and therefore deleted.



[gentoo-user] iptables firewall script

2009-07-17 Thread Dave
Hello,
Can anyone good with iptables give this script a once over? It is
working, but in a very inconsistent manner: sometimes it lets traffic in,
other times not. Two things it does not have are DHCP rules, as this box gets
its address via DHCP, and CIFS rules, as this machine mounts CIFS shares; if
anyone has those I'd appreciate them. This is a single-NIC box, not a router,
just an internal client I'd like to protect.
Adapted from:

http://www.novell.com/coolsolutions/feature/18139.html

Thanks.
Dave.

#!/bin/bash
#
# Script for iptables firewall

# define variables
IF_PUB=eth0
IP_PUB=192.168.0.106
NET_PRV=192.168.0.0/24
ANYWHERE=0.0.0.0/0

# set up default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# remove any existing rules
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# Removes any user-defined chains
iptables -X

# If the machine is a router enable the next line
#echo 1 > /proc/sys/net/ipv4/ip_forward

# forward from the public interface
#iptables -A FORWARD -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow everything to and from the loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow communications on the local network
# This allows unrestricted communications
#iptables -A INPUT -i $IF_PUB -s $NET_PRV -j ACCEPT
# This allows only established or forwarded connections
iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IF_PUB -d $NET_PRV -j ACCEPT

# If you're doing NAT (-o takes the interface, not the address)
#iptables -t nat -A POSTROUTING -s $NET_PRV -o $IF_PUB -j SNAT --to $IP_PUB

# allow various types of ICMP
# 8 for echo request, echo response, destination unreachable, and time exceeded
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

# allow ssh
iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB -m limit --limit 1/minute --limit-burst 1 -j ACCEPT

# mail and web server on a different host
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j DNAT --to 192.168.1.254
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j DNAT --to 192.168.1.253
#iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p tcp --dport http -j ACCEPT

# send a tcp reject
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

# block irc
# These discard TCP and UDP IRC, IRC server and Secure IRC traffic.
#iptables -A INPUT -p tcp --dport irc -j DROP
#iptables -A INPUT -p udp --dport irc -j DROP
#iptables -A INPUT -p tcp --dport irc-serv -j DROP
#iptables -A INPUT -p udp --dport irc-serv -j DROP
#iptables -A INPUT -p tcp --dport ircs -j DROP
#iptables -A INPUT -p udp --dport ircs -j DROP

# block a specific host
#iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with icmp-host-prohibited

# traffic from one port to another
#iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j DNAT --to 192.168.1.254:443
#iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p tcp --dport 443 -j ACCEPT




Re: [gentoo-user] iptables firewall script

2009-07-17 Thread Mick
2009/7/17 Dave dave.meh...@gmail.com:
 Hello,
         Can anyone good with iptables give this script a once over? It is
  working, but in a very inconsistent manner: sometimes it lets traffic in,
  other times not. Two things it does not have are DHCP rules, as this box gets
  its address via DHCP, and CIFS rules, as this machine mounts CIFS shares; if
  anyone has those I'd appreciate them. This is a single-NIC box, not a router,
  just an internal client I'd like to protect.
 Adapted from:

 http://www.novell.com/coolsolutions/feature/18139.html

 Thanks.
 Dave.

 #!/bin/bash
 #
 # Script for iptables firewall

 # define variables
 IF_PUB=eth0
 IP_PUB=192.168.0.106
 NET_PRV=192.168.0.0/24
 ANYWHERE=0.0.0.0/0

 # set up default policies
 iptables -P INPUT DROP
 iptables -P OUTPUT DROP
 iptables -P FORWARD DROP

 # remove any existing rules
 iptables -F -t nat
 iptables -F -t mangle
 iptables -F -t filter
 # Removes any user-defined chains
 iptables -X

 # If the machine is a router enable the next line
 #echo 1 > /proc/sys/net/ipv4/ip_forward

If you don't want to forward then echo 0, instead of 1, or instead of
just commenting it out.

 # forward from the public interface
 #iptables -A FORWARD -i $IF_PUB -m state --state ESTABLISHED,RELATED -j
 ACCEPT

 # allow everything to and from the loopback
 iptables -A INPUT -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT

 # allow communications on the local network
 # This allows unrestricted communications
 #iptables -A INPUT -i $IF_PUB -s $NET_PRV -j ACCEPT
 # This allows only established or forwarded connections
 iptables -A INPUT -i $IF_PUB -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -o $IF_PUB -d $NET_PRV -j ACCEPT

Not sure that this is necessary.

 # If your doing nat
 #iptables -t nat -A POSTROUTING -s $NET_PRV -o $IP_PUB -j SNAT --to $IP_PUB

 # allow various types of ICMP
 # 8 for echo request, echo response, destination unreachable, and time
 exceeded
 iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
 iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
 iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
 iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT

 # allow ssh
 iptables -A INPUT -i $IF_PUB -p tcp -d $IP_PUB -m limit --limit 1/minute --limit-burst 1 -j ACCEPT

This opens *all* tcp ports and throttles the connection (you'll be
dropping packets and get an unreliable connection).  I suggest that
you only open the port you need; e.g. -m tcp --dport 10201, also if
you only access this box via ssh from your LAN, then restrict access
to it from your private subnet: -s $NET_PRV and remove the --limit
match completely.  If you're worried about brute force attacks on your
sshd, then perhaps use something like fail2ban, or better use public
key authentication only (no passwd), or construct a set of rules to
limit the amount of accepted attempts:
=
Name it something:

blah-blah   -m state --state NEW --dport 22 -m recent --name ssh_crackers --set

Log the persistent attacks:

blah-blah   -m state --state NEW --dport 22 -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -j LOG -m limit --limit 3/minute --limit-burst 3 --log-level 4 --log-prefix 'SSH REJECT: '

Block them:

blah-blah  -m state --state NEW --dport 22 -m recent --name ssh_crackers --rcheck --seconds 60 --hitcount 4 -j REJECT --reject-with tcp-reset
=

 # mail and web server on a different host
 #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport smtp -j
 DNAT --to 192.168.1.254
 #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport http -j
 DNAT --to 192.168.1.253
 #iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -i $IF_PUB -p
 tcp --dport http -j ACCEPT

 # send a tcp reject
 iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset

 # block irc
 #iptables -A INPUT -p tcp --dport irc -j DROP
 #iptables -A INPUT -p udp --dport irc -j DROP
 #iptables -A INPUT -p tcp --dport irc-serv -j DROP
 #iptables -A INPUT -p udp --dport irc-serv -j DROP
 #iptables -A INPUT -p tcp --dport ircs -j DROP
 #iptables -A INPUT -p udp --dport ircs -j DROP
 # These discard TCP and UDP IRC, IRC server and Secure IRC traffic.

 # block a specific host
 #iptables -A INPUT -i $IF_PUB -s 10.220.231.236 -j REJECT --reject-with
 icmp-host-prohibited

 # traffic from one port to another
 #iptables -t nat -A PREROUTING -i $IF_PUB -d $IP_PUB -p tcp --dport 444 -j
 DNAT --to 192.168.1.254:443
 #iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -o $IF_PRV -p
 tcp --dport 443 -j ACCEPT

Then block anything else:

iptables -A INPUT -p all -j DROP


Finally, run nmap from within/out your LAN on all ports and see what you get.

HTH.
-- 
Regards,
Mick
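The three 'recent' rules above, as an added example that is not part of Mick's mail: a Python model of the xt_recent list (--set, --rcheck --seconds/--hitcount) and of the LOG rule's limit match, run over a constructed sequence of new SSH connections so the lock-out and recovery behaviour can be checked before such rules go on a remote box. All timestamps and addresses are constructed; the 20-stamp cap is the xt_recent default.

```python
from collections import defaultdict

# Parameters taken from the three rules in the mail above.
WINDOW_SECONDS = 60      # --seconds 60
HITCOUNT = 4             # --hitcount 4
LOG_LIMIT_PER_MIN = 3    # -m limit --limit 3/minute
LOG_BURST = 3            # --limit-burst 3
PKT_LIST_TOT = 20        # xt_recent default ip_pkt_list_tot (stamps kept per address)


class RecentList:
    """Model of one named xt_recent list, here 'ssh_crackers'."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def set(self, ip, now):
        """--set: record this packet's timestamp for the source address."""
        stamps = self.stamps[ip]
        stamps.append(now)
        del stamps[:-PKT_LIST_TOT]   # keep only the newest stamps, as the kernel does

    def rcheck(self, ip, now, seconds, hitcount):
        """--rcheck --seconds N --hitcount H: true when the address was seen
        at least H times in the last N seconds; the list is not updated."""
        hits = sum(1 for t in self.stamps.get(ip, ()) if now - t <= seconds)
        return hits >= hitcount


class LimitMatch:
    """Token bucket behind '-m limit --limit 3/minute --limit-burst 3'."""

    def __init__(self, per_minute, burst):
        self.rate, self.burst = per_minute / 60.0, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def run_rules(attempts):
    """Walk each new SSH connection through the three rules in posted order.
    Returns (time, ip, verdict, logged) per attempt; ACCEPT means the packet
    fell through to whatever accept rule follows in the real chain."""
    ssh_crackers = RecentList()
    log_limit = LimitMatch(LOG_LIMIT_PER_MIN, LOG_BURST)
    results = []
    for now, ip in attempts:
        ssh_crackers.set(ip, now)                              # rule 1: --set
        over = ssh_crackers.rcheck(ip, now, WINDOW_SECONDS, HITCOUNT)
        logged = over and log_limit.allow(now)                 # rule 2: LOG
        verdict = "REJECT" if over else "ACCEPT"               # rule 3: REJECT
        results.append((now, ip, verdict, logged))
    return results


# Constructed sample: (seconds since start, source address) of new SSH SYNs.
ATTEMPTS = [
    (0, "198.51.100.7"),
    (10, "198.51.100.7"),
    (15, "192.0.2.44"),      # unrelated client with a single attempt
    (20, "198.51.100.7"),
    (30, "198.51.100.7"),    # 4th hit inside 60 s: logged and rejected
    (35, "198.51.100.7"),    # still >= 4 hits in the window: rejected again
    (100, "198.51.100.7"),   # only this stamp is within 60 s: accepted again
]

if __name__ == "__main__":
    for now, ip, verdict, logged in run_rules(ATTEMPTS):
        print(f"t={now:3d} {ip:14} {verdict}{'  (logged)' if logged else ''}")
```

Note that a legitimate user who keeps retrying refreshes their own entry with every --set, so they stay locked out until they pause for the full window.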



Re: [gentoo-user] iptables

2009-07-16 Thread Marco
Hi Dave,

this one is rather informative:

http://www.novell.com/coolsolutions/feature/18139.html

Also, this one from gentoo (although for 2.4) is worth reading:

http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml

HTH!

--
Regards,
 Marco



On Thu, Jul 16, 2009 at 5:32 AM, Dave <dave.meh...@gmail.com> wrote:
> Hello,
>         I'm looking for a guide for iptables specifically for gentoo 2.6.
>         I was also wondering if anyone was using apf Advanced Policy
> Firewall on a gentoo 2008.0 2.6 machine?
> Thanks.
> Dave.






Re: [gentoo-user] iptables

2009-07-16 Thread Marco
Maybe this thread could be helpful as well:

http://marc.info/?l=gentoo-userm=124058693215810w=2

--
Regards,
 Marco


On Thu, Jul 16, 2009 at 10:41 AM, Marco <listwo...@gmail.com> wrote:
> Hi Dave,
>
> this one is rather informative:
>
> http://www.novell.com/coolsolutions/feature/18139.html
>
> Also, this one from gentoo (although for 2.4) is worth reading:
>
> http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml
>
> HTH!
>
> --
> Regards,
>  Marco
>
>
>
> On Thu, Jul 16, 2009 at 5:32 AM, Dave <dave.meh...@gmail.com> wrote:
> > Hello,
> >         I'm looking for a guide for iptables specifically for gentoo 2.6.
> >         I was also wondering if anyone was using apf Advanced Policy
> > Firewall on a gentoo 2008.0 2.6 machine?
> > Thanks.
> > Dave.







Re: [gentoo-user] iptables

2009-07-16 Thread Alejandro
2009/7/16 Marco <listwo...@gmail.com>

> Maybe this thread could be helpful as well:
>
> http://marc.info/?l=gentoo-userm=124058693215810w=2
>
> --
> Regards,
>  Marco
>
>
> On Thu, Jul 16, 2009 at 10:41 AM, Marco <listwo...@gmail.com> wrote:
> > Hi Dave,
> >
> > this one is rather informative:
> >
> > http://www.novell.com/coolsolutions/feature/18139.html
> >
> > Also, this one from gentoo (although for 2.4) is worth reading:
> >
> > http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml
> >
> > HTH!
> >
> > --
> > Regards,
> >  Marco
> >
> >
> >
> > On Thu, Jul 16, 2009 at 5:32 AM, Dave <dave.meh...@gmail.com> wrote:
> > > Hello,
> > > I'm looking for a guide for iptables specifically for gentoo 2.6.
> > > I was also wondering if anyone was using apf Advanced Policy
> > > Firewall on a gentoo 2008.0 2.6 machine?
> > > Thanks.
> > > Dave.

I use APF for all my desktops/servers with debian and gentoo; it is quite
easy and works great. In 10' you have iptables running.


Re: [gentoo-user] iptables

2009-07-16 Thread Nevynxxx
Alejandro wrote:
>
>  On Thu, Jul 16, 2009 at 5:32 AM, Dave <dave.meh...@gmail.com> wrote:
>  Hello,
> I'm looking for a guide for iptables specifically for
> gentoo 2.6.
> I was also wondering if anyone was using apf Advanced
> Policy
>  Firewall on a gentoo 2008.0 2.6 machine?
>  Thanks.
>  Dave.
>
>
>    I use APF, for all my desktop/servers with debian and gentoo, is
> quite easy and works great. In 10' you have iptables running.

I tend to just use webmin. Emerge iptables, emerge webmin, and get a
nice easy to follow GUI that sets up the iptables.





[gentoo-user] iptables

2009-07-15 Thread Dave
Hello,
I'm looking for a guide for iptables specifically for gentoo 2.6.
I was also wondering if anyone was using apf Advanced Policy
Firewall on a gentoo 2008.0 2.6 machine?
Thanks.
Dave.




[gentoo-user] iptables + dansguardian + squid

2009-04-09 Thread Joseph

I was following this guide to set up a home filter: iptables, DansGuardian,
and Squid.
http://www.linux.com/articles/113733
In the past it worked, but when I try it now, e.g.:

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables: No chain/target/match by that name

Apparently filtering in the nat table is no longer supported. But I'm not good
with iptables, so I need some help here.
Does anybody have a good link showing the basics of how to do it?

--
Joseph



Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Norberto Bensa
Chuanwen Wu wrote:
> I have tried set all the gw in my subnet to 192.168.1.254 or 192.168.1.1.
> Is't all right?

I don't know, it depends on what your gw's IP is.

Let's say you have this setup:


GW: 192.168.1.1

Other PCs are: 192.168.1.2... 192.168.1.3... and so on.


On the GW you need:

echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE
(note: change ethX by the NIC your internet connection is on. If your 
cablemodem/adsl/whatever is on eth3 -for example- change ethX to eth3)


On the others PC you need to set GW to 192.168.1.1


I hope this helps.

Best regards,
Norberto
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Chuanwen Wu

2007/5/14, Norberto Bensa [EMAIL PROTECTED]:
>
> Chuanwen Wu wrote:
> > I have tried set all the gw in my subnet to 192.168.1.254 or 192.168.1.1.
> > Is't all right?
>
> I don't know, it depends on what your gw's IP is.
>
> Let's say you have this setup:
>
>
> GW: 192.168.1.1
>
> Other PCs are: 192.168.1.2... 192.168.1.3... and so on.
>
>
> On the GW you need:
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> iptables -t nat -A POSTROUTING -o ethX -j MASQUERADE
> (note: change ethX by the NIC your internet connection is on. If your
> cablemodem/adsl/whatever is on eth3 -for example- change ethX to eth3)
>
>
> On the others PC you need to set GW to 192.168.1.1
>
>
> I hope this helps.
>
> Best regards,
> Norberto


Thank you! I think I have done what you meant.
Here is the information:

/etc/conf.d/net in the server
config_eth0=( 202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255 )
routes_eth0=( default gw 202.114.10.129 )

config_eth1=( 192.168.1.63 netmask 255.255.255.0 brd 192.168.1.255 )
routes_eth1=( default gw 192.168.1.1 )


/etc/conf.d/net in one PC
config_eth0=( 192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255 )
routes_eth0=( default gw 192.168.1.1 )

--
wcw
--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Norberto Bensa
On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote:
> Thank you! I think I have done what you meant.
> Here is the information:
>
>
> /etc/conf.d/net in the server
> config_eth0=( 202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255 )
> routes_eth0=( default gw 202.114.10.129 )

OK


> config_eth1=( 192.168.1.63 netmask 255.255.255.0 brd 192.168.1.255 )
> routes_eth1=( default gw 192.168.1.1 )

You don't need a route here.


> /etc/conf.d/net in one PC
> config_eth0=( 192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255 )
> routes_eth0=( default gw 192.168.1.1 )

No. GW should be 192.168.1.63, which is the IP address of your gateway.


HTH,
Norberto

-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Dan Farrell
Greetings all.  Hope the weather in bejing is pleasant, Mr Wu.  

On Mon, 14 May 2007 11:58:34 -0300 (ART)
Norberto Bensa [EMAIL PROTECTED] wrote:

> On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote:
> > Thank you! I think I have done what you meant.
> > Here is the information:
> >
> >
> > /etc/conf.d/net in the server
> > config_eth0=( 202.114.10.134 netmask 255.255.255.0 brd
> > 202.114.10.255 ) routes_eth0=( default gw 202.114.10.129 )
>
> OK
>
> >
> > config_eth1=( 192.168.1.63 netmask 255.255.255.0 brd
> > 192.168.1.255 ) routes_eth1=( default gw 192.168.1.1 )
>
> You don't need a route here.
More exactly, a route to the subnet 192.168.1.0/24 will automatically
be created through eth1.  A _gateway_ in this case is not necessary
because eth1 lives on that subnet.
>
> > /etc/conf.d/net in one PC
> > config_eth0=( 192.168.1.35 netmask 255.255.255.0 brd
> > 192.168.1.255 ) routes_eth0=( default gw 192.168.1.1 )
>
> No. GW should be 192.168.1.63, which is the IP address of your
> gateway.
> HTH,
> Norberto
>
First, the firewall configuration.  Your first message said:
> The eth0 here has the real ip,and the eth1 have a subnet
> ip:192.168.1.21.
But here you show that you set it to .63, as Norberto pointed out.  I
assume that was just a typographical error in the first email. Moving
on, the default route for the firewall is probably to the outside
world, and if you can ping google.com, it works.

Second, the client configuration.  The route for the subnet it's on
(192.168.1/24) is automatically created, as before.  The default route
is the IP of the firewall/gateway it's behind, namely 192.168.1.63 as
Norberto said.  The machine that's forwarding packets to the internet
for these hosts now provides the route to the outside world for these
hosts.

Third, you must tell your client PCs nameservers, so that they can
resolve domain names.  If you fail to do so, even though a ping of
google.com, for example, fails, a ping of its ip address
(64.233.167.99, in my case) will work.

Fourth, you must check your firewall (that is, iptables) configuration
to be sure your iptables all refer to the correct subnet.
> iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE
that wasn't right -- obviously the subnet should be your own.

Since the firewall you're building knows all the information the hosts
need to know (subnet information, routes, etc) you may wish to set up a
rudimentary DHCP server on it, so that additional hosts can be added
without configuration by the user.  You may also wish to implement a
caching, recursive nameserver for enhanced efficiency.  DNSMasq can do
both.

-- 
[EMAIL PROTECTED] mailing list
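The four checks Dan lists above, as an added example that is not part of the thread: a small Python lint that parses the /etc/conf.d/net lines quoted in the mails (gateway before and after Wu's correction, plus the client), the MASQUERADE subnet and the ip_forward value, and reports each inconsistency. The resolver address 192.0.2.53 is a constructed placeholder; everything else is taken from the thread.

```python
import ipaddress
import re

# baselayout-1 style lines: config_eth0=( IP netmask MASK brd BRD ) / routes_eth0=( default gw GW )
CONF_RE = re.compile(r"^(config|routes)_(\w+)=\(\s*(.*?)\s*\)$")


def parse_conf_net(text):
    """Return {iface: {"addr": IPv4Interface or None, "gw": default gateway or None}}."""
    ifaces = {}
    for line in text.splitlines():
        m = CONF_RE.match(line.strip())
        if not m:
            continue
        kind, iface, body = m.groups()
        entry = ifaces.setdefault(iface, {"addr": None, "gw": None})
        if kind == "config":
            addr, _, mask = body.split()[:3]            # "IP netmask MASK ..."
            entry["addr"] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif body.startswith("default gw "):
            entry["gw"] = body.split()[2]
    return ifaces


def lint_gateway(server_conf, client_conf, wan_if, lan_if,
                 masq_subnet, ip_forward, client_nameservers):
    """Return a list of findings; an empty list means the setup is consistent."""
    server, client = parse_conf_net(server_conf), parse_conf_net(client_conf)
    lan = server[lan_if]["addr"]
    lan_net = lan.network
    findings = []
    # 1. firewall: forwarding on, default route only on the WAN side
    if ip_forward != 1:
        findings.append("ip_forward is 0; enable it and persist it in /etc/sysctl.conf")
    if server[wan_if]["gw"] is None:
        findings.append(f"{wan_if}: no default gw, the gateway has no route out")
    if server[lan_if]["gw"] is not None:
        findings.append(f"{lan_if}: a default gw on the LAN side is unnecessary")
    # 2. clients: on the LAN subnet, default gw = the gateway's LAN address
    for iface, entry in client.items():
        if entry["addr"] is None or entry["addr"].network != lan_net:
            findings.append(f"client {iface}: not on LAN {lan_net}")
        if entry["gw"] != str(lan.ip):
            findings.append(f"client {iface}: gw {entry['gw']} should be {lan.ip}")
    # 3. clients need a resolver even once pinging by address works
    if not client_nameservers:
        findings.append("clients have no nameserver; names will not resolve")
    # 4. the MASQUERADE rule must name the LAN subnet itself
    if ipaddress.ip_network(masq_subnet) != lan_net:
        findings.append(f"MASQUERADE source {masq_subnet} != LAN {lan_net}")
    return findings


# Values as quoted in the thread: the gateway before and after Wu's fix.
SERVER_BEFORE = """\
config_eth0=( 202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255 )
routes_eth0=( default gw 202.114.10.129 )
config_eth1=( 192.168.1.63 netmask 255.255.255.0 brd 192.168.1.255 )
routes_eth1=( default gw 192.168.1.1 )
"""
SERVER_AFTER = """\
config_eth0=( 202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255 )
routes_eth0=( default gw 202.114.10.129 )
config_eth1=( 192.168.1.1 netmask 255.255.255.0 brd 192.168.1.255 )
"""
CLIENT = """\
config_eth0=( 192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255 )
routes_eth0=( default gw 192.168.1.1 )
"""

if __name__ == "__main__":
    # before: forwarding off, LAN-side gw, client gw .1 while the gateway is .63,
    # no resolver, and the 198.168 typo from the first mail in the MASQUERADE rule
    for f in lint_gateway(SERVER_BEFORE, CLIENT, "eth0", "eth1", "198.168.1.0/24", 0, []):
        print("before:", f)
    # after: 192.0.2.53 is a constructed placeholder resolver address
    print("after:", lint_gateway(SERVER_AFTER, CLIENT, "eth0", "eth1", "192.168.1.0/24", 1, ["192.0.2.53"]))
```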



Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Chuanwen Wu

Thanks Norberto and Dan Farrell! I think I had a misunderstanding and made
some mistakes. I hope I have corrected it now.

/etc/conf.d/net in the server
config_eth0=( 202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255 )
routes_eth0=( default gw 202.114.10.129 )

config_eth1=( 192.168.1.1 netmask 255.255.255.0 brd 192.168.1.255 )

/etc/conf.d/net in a PC
config_eth0=( 192.168.1.35 netmask 255.255.255.0 brd 192.168.1.255 )
routes_eth0=( default gw 192.168.1.1 )

2007/5/15, Dan Farrell [EMAIL PROTECTED]:
>
> Greetings all.  Hope the weather in bejing is pleasant, Mr Wu.
>
> On Mon, 14 May 2007 11:58:34 -0300 (ART)
> Norberto Bensa [EMAIL PROTECTED] wrote:
>
> > On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote:
> > > Thank you! I think I have done what you meant.
> > > Here is the information:
> > >
> > >
> > > /etc/conf.d/net in the server
> > > config_eth0=( 202.114.10.134 netmask 255.255.255.0 brd
> > > 202.114.10.255 ) routes_eth0=( default gw 202.114.10.129 )
> >
> > OK
> >
> > >
> > > config_eth1=( 192.168.1.63 netmask 255.255.255.0 brd
> > > 192.168.1.255 ) routes_eth1=( default gw 192.168.1.1 )
> >
> > You don't need a route here.
> More exactly, a route to the subnet 192.168.1.0/24 will automatically
> be created through eth1.  A _gateway_ in this case is not necessary
> because eth1 lives on that subnet.
>
> > > /etc/conf.d/net in one PC
> > > config_eth0=( 192.168.1.35 netmask 255.255.255.0 brd
> > > 192.168.1.255 ) routes_eth0=( default gw 192.168.1.1 )
> >
> > No. GW should be 192.168.1.63, which is the IP address of your
> > gateway.
> > HTH,
> > Norberto
>
> First, the firewall configuration.  Your first message said:
> > The eth0 here has the real ip,and the eth1 have a subnet
> > ip:192.168.1.21.
> But here you show that you set it to .63, as Norberto pointed out.  I
> assume that was just a typographical error in the first email. Moving
> on, the default route for the firewall is probably to the outside
> world, and if you can ping google.com, it works.
>
> Second, the client configuration.  The route for the subnet it's on
> (192.168.1/24) is automatically created, as before.  The default route
> is the IP of the firewall/gateway it's behind, namely 192.168.1.63 as
> Norberto said.  The machine that's forwarding packets to the internet
> for these hosts now provides the route to the outside world for these
> hosts.
>
> Third, you must tell your client PCs nameservers, so that they can
> resolve domain names.  If you fail to do so, even though a ping of
> google.com, for example, fails, a ping of its ip address
> (64.233.167.99, in my case) will work.

All my PCs have the same /etc/resolv.conf file as the server. And now
the PC can't ping through 66.249.89.99 (of course, the server can).

> Fourth, you must check your firewall (that is, iptables) configuration
> to be sure your iptables all refer to the correct subnet.
> > iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE
> that wasn't right -- obviously the subnet should be your own.

I have already corrected it to "iptables --table nat -A POSTROUTING -s
192.168.1.0/24 -j MASQUERADE" from the first time.

> Since the firewall you're building knows all the information the hosts
> need to know (subnet information, routes, etc) you may wish to set up a
> rudimentary DHCP server on it, so that additional hosts can be added
> without configuration by the user.  You may also wish to implement a
> caching, recursive nameserver for enhanced efficiency.  DNSMasq can do
> both.

Thanks for your advice!

> --
> [EMAIL PROTECTED] mailing list



When a PC pings 66.249.89.99, I get this information on the server:

# tcpdump -n -i eth1 net 192.168.1.0/24 and port not 22 and not arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
10:01:08.214160 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 599, length 64
10:01:09.214014 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 600, length 64
10:01:10.213899 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 601, length 64
10:01:11.213792 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 602, length 64
10:01:12.213676 IP 192.168.1.35 > 66.249.89.99: ICMP echo request, id 35391, seq 603, length 64

5 packets captured
5 packets received by filter
0 packets dropped by kernel


And

# tcpdump -n -i eth0 net 202.114.10.134 and port not 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes


Does it mean that eth1 (the interface in my subnet) receives the request
but doesn't forward it?
--
wcw
--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Dan Farrell
On Tue, 15 May 2007 10:35:38 +0800
Chuanwen Wu [EMAIL PROTECTED] wrote:

> Does it mean that eth1 (the interface in my subnet) receives the request
> but doesn't forward it?

Perhaps you should attach the output of iptables -t nat -L -v;
iptables -L -v; so I can see the rules... while you're at it,
edit /etc/sysctl.conf so that forwarding is enabled every time you
reboot, and make sure it's still enabled now.  
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Chuanwen Wu

2007/5/15, Dan Farrell [EMAIL PROTECTED]:
>
> On Tue, 15 May 2007 10:35:38 +0800
> Chuanwen Wu [EMAIL PROTECTED] wrote:
>
> > Does it mean that eth1 (the interface in my subnet) receives the request
> > but doesn't forward it?
>
> Perhaps you should attach the output of iptables -t nat -L -v;
> iptables -L -v; so I can see the rules... while you're at it,

# iptables -L -v
Chain INPUT (policy ACCEPT 24414 packets, 3853K bytes)
pkts bytes target prot opt in out source
destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination

Chain OUTPUT (policy ACCEPT 33323 packets, 7123K bytes)
pkts bytes target prot opt in out source
destination



# iptables -L -v -t nat
Chain PREROUTING (policy ACCEPT 7546 packets, 1103K bytes)
pkts bytes target prot opt in out source
destination

Chain POSTROUTING (policy ACCEPT 340 packets, 28034 bytes)
pkts bytes target prot opt in out source
destination
   0 0 MASQUERADE  all  --  any    any     192.168.1.0/24
anywhere

Chain OUTPUT (policy ACCEPT 350 packets, 28746 bytes)
pkts bytes target prot opt in out source
destination



> edit /etc/sysctl.conf so that forwarding is enabled every time you
> reboot, and make sure it's still enabled now.


Oh! God! I must have forgotten to enable forwarding after last night!
Now the PCs in the subnet can connect to the internet!

By the way, do you mean to change "#net.ipv4.ip_forward = 0" (the default
in /etc/sysctl.conf) to "net.ipv4.ip_forward = 1"?

> --
> [EMAIL PROTECTED] mailing list





--
wcw
--
[EMAIL PROTECTED] mailing list



[gentoo-user] iptables configuration problem

2007-05-13 Thread Chuanwen Wu

Hi, guys!
I use iptables to let the PCs in the subnet connect to the internet outside.

And I wrote a simple script, but it doesn't work:

#!/bin/sh
iptables -F
#Define packets from Internet server to Intranet
iptables -A FORWARD -d 198.168.1.0/24 -i eth0 -j ACCEPT
#Define packets from Intranet to Internet
iptables -A FORWARD -s 198.168.1.0/24 -i eth1 -j ACCEPT


Here is the result of iptables -L:

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy DROP)
target prot opt source   destination
ACCEPT all  --  anywhere 198.168.1.0/24
ACCEPT all  --  198.168.1.0/24   anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination


The eth0 here has the real IP, and the eth1 has a subnet IP: 192.168.1.21.
How do I fix this problem? All I need now is just to let my office
machine use the internet!
Thanks in advance!!
--
wcw
--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables configuration problem

2007-05-13 Thread Fabio A Correa
Hello Wu,

Instead of the commands you posted, you should use

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE

Long explanation:

The first command enables the kernel to _forward_ packets from eth0 to eth1 and
vice versa. To do the actual forwarding, the second command is used:

--table nat : Network address translation table.
-A POSTROUTING for altering packets as they are about to go out, after it is
determined that they are to be forwarded by means of the first instruction.
-j MASQUERADE Masquerade the addresses of computers in the subnet with the
address of the routing computer.

The kernel takes care of the subtle details on masquerading.

I hope this helps!!!

--
Fabio A. Correa D.

Physics Dept, Universidad Nacional, Bogota, Colombia
[EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
My webpage and OpenPGP key at http://facorread.150m.com
[EMAIL PROTECTED] is not working anymore!!!
-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables configuration problem

2007-05-13 Thread Chuanwen Wu

2007/5/13, Fabio A Correa [EMAIL PROTECTED]:

> Hello Wu,
>
> Instead of the commands you posted, you should use
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
> iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE


I have tried, but it still does not work.
Here is the information after executing your advice:
-
[EMAIL PROTECTED] ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[EMAIL PROTECTED] ~]# iptables --table nat -A POSTROUTING -s
192.168.1.0/24 -j MASQUERADE
[EMAIL PROTECTED] ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination
[EMAIL PROTECTED] ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source   destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source   destination
MASQUERADE  all  --  192.168.1.0/24   anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination

--
Then on my other PCs, I still can't ping websites outside.
Why?



> Long explanation:
>
> The first command enables the kernel to _forward_ packets from eth0 to eth1 and
> vice versa. To do the actual forwarding, the second command is used:
>
> --table nat : Network address translation table.
> -A POSTROUTING for altering packets as they are about to go out, after it is
> determined that they are to be forwarded by means of the first instruction.
> -j MASQUERADE Masquerade the addresses of computers in the subnet with the
> address of the routing computer.
>
> The kernel takes care of the subtle details on masquerading.
>
> I hope this helps!!!
>
> --
> Fabio A. Correa D.
>
> Physics Dept, Universidad Nacional, Bogota, Colombia
> [EMAIL PROTECTED]
> [EMAIL PROTECTED] [EMAIL PROTECTED]
> My webpage and OpenPGP key at http://facorread.150m.com
> [EMAIL PROTECTED] is not working anymore!!!
> --
> [EMAIL PROTECTED] mailing list



Thank you for your details!!!

--
wcw
--
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables configuration problem

2007-05-13 Thread Norberto Bensa
Chuanwen Wu wrote:
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source   destination
> MASQUERADE  all  --  192.168.1.0/24   anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source   destination
>
> --
> Then in my other PCs,I still can't ping the website outside.
> Why?

Have you set up a default gateway on those boxes?

-- 
[EMAIL PROTECTED] mailing list



Re: [gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 - 2.6.20-r6) SOLVED

2007-04-22 Thread Dan Johansson
On Saturday 21 April 2007 20:34, Mark Shields wrote:
> On 4/21/07, Dan Johansson [EMAIL PROTECTED] wrote:
> > On Saturday 21 April 2007 15:53, Uwe Thiem wrote:
> > > On 21 April 2007, Dan Johansson wrote:
> > > > After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my
> > > > firewall won't start (shorewall).
> > > >
> > > > Here's the error:
> > > > iptables: Invalid argument
> > > >    ERROR: Command /sbin/iptables -A FORWARD -m state --state
> > > > ESTABLISHED,RELATED -j ACCEPT Failed
> > > >
> > > > I'm getting the same error message when I try it by hand.
> > >
> > > When you generated the kernel, did you build all modules necessary. In
> > > this particular case, ipt_state?
> >
> > If you mean CONFIG_NETFILTER_XT_MATCH_STATE=y then yes it's compiled in
> > (not a module). You know of any other part that NEEDS to be activated other
> > than the following?
> >
> > CONFIG_NETFILTER=y
> > CONFIG_NF_CONNTRACK_ENABLED=y
> > CONFIG_NF_CONNTRACK_SUPPORT=y
> > CONFIG_NF_CONNTRACK=y
> > CONFIG_NETFILTER_XTABLES=y
> > CONFIG_NETFILTER_XT_MATCH_LIMIT=y
> > CONFIG_NETFILTER_XT_MATCH_STATE=y
> > CONFIG_IP_NF_QUEUE=y
> > CONFIG_IP_NF_IPTABLES=y
> > CONFIG_IP_NF_FILTER=y
> > CONFIG_IP_NF_TARGET_REJECT=y
> > CONFIG_IP_NF_TARGET_LOG=y
> > CONFIG_IP_NF_MANGLE=y
>
> You found your problem, then.  When you use iptables -m state, it loads the
> state module.  Since it's not compiled as a module, it won't load.  Either
> change it to module in the kernel or remove the -m state (I think I tried
> once compiling into the kernel and dropping the -m state, but it didn't
> work).

I found the problem, CONFIG_NF_CONNTRACK_IPV4=y has to be set as well (no need 
to compile anything as modules).

-- 
Dan Johansson, http://www.dmj.nu
***
This message is printed on 100% recycled electrons!
***




[gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 - 2.6.20-r6)

2007-04-21 Thread Dan Johansson
After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my firewall 
won't start (shorewall).

Here's the error:
iptables: Invalid argument
   ERROR: Command /sbin/iptables -A FORWARD -m state --state 
ESTABLISHED,RELATED -j ACCEPT Failed

I'm getting the same error message when I try it by hand. I've re-emerged my 
iptables (net-firewall/iptables-1.3.5-r4  
USE=-extensions -imq -ipv6 -l7filter -static) but that did not help.
Any suggestions?
-- 
Dan Johansson, http://www.dmj.nu
***
This message is printed on 100% recycled electrons!
***



