[gentoo-user] iptables broken

2022-02-11 Thread flzdjhmtax
Something recent (perhaps this update to libnftnl) broke iptables. Re-emerging it fixed the problem. Fri Feb 11 07:45:54 2022 >>> net-libs/libnftnl-1.2.1 iptables started giving errors such as this: /sbin/iptables -A BASE_INPUT_CHAIN -m conntrack --ctstate ESTABLISHED -j ACCEPT ERROR (2): ipta

Re: [gentoo-user] iptables wiki page questions

2020-08-14 Thread Alexey Mishustin
Sat, 15 Aug 2020 at 01:34, tastytea: > Note that, if you set rc_depend_strict="NO" in /etc/rc.conf, the > dependency “net” is satisfied if only one net.* service is started. If I remember correctly, it happened sometimes that iptables loaded after net.eth0 service even with rc_depend_strict="Y

Re: [gentoo-user] iptables wiki page questions

2020-08-14 Thread tastytea
On 2020-08-14 22:17- Grant Edwards wrote: > […] > ### "rc-service iptables" vs. "/etc/init.d/iptables" rc-service runs the same service scripts that are in /etc/init.d/, so it's the same. However the manpage of rc-service(8) mentions that “Service scripts could be in different places on diff

[gentoo-user] iptables wiki page questions

2020-08-14 Thread Grant Edwards
I read through the iptables wiki page this afternoon to refresh my memory on how you save rules so they get loaded on startup. https://wiki.gentoo.org/wiki/Iptables There are some inconsistencies which I'm curious about. ### "rc-service iptables" vs. "/etc/init.d/iptables" Most of the page's exa

Re: [gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Peter Humphrey
On Wednesday, 24 October 2018 15:30:06 BST Peter Humphrey wrote: > On Wednesday, 24 October 2018 12:52:24 BST Neil Bothwick wrote: > > On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote: > > > Today's update of iptables to 1.8.1 failed here because I didn't have > > > USE=nftables set. After

Re: [gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Peter Humphrey
On Wednesday, 24 October 2018 12:52:24 BST Neil Bothwick wrote: > On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote: > > Today's update of iptables to 1.8.1 failed here because I didn't have > > USE=nftables set. After setting that in package.use it was fine. Before > > I submit a bug report

Re: [gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Neil Bothwick
On Wed, 24 Oct 2018 10:29:03 +0100, Peter Humphrey wrote: > Today's update of iptables to 1.8.1 failed here because I didn't have > USE=nftables set. After setting that in package.use it was fine. Before > I submit a bug report, though, I'd like to understand one thing: > > $ grep nftables $(equ

[gentoo-user] iptables-1.8.1 build failure

2018-10-24 Thread Peter Humphrey
Hello list, Today's update of iptables to 1.8.1 failed here because I didn't have USE=nftables set. After setting that in package.use it was fine. Before I submit a bug report, though, I'd like to understand one thing: $ grep nftables $(equery w iptables) IUSE="conntrack ipv6 netlink nftables p

Re: [gentoo-user] IPTABLES

2015-12-29 Thread lee
"siefke_lis...@web.de" writes: > Hello, > > I try to run iptables, block bad IPs and close the system. > > I want to run a firewall which blocks all INPUT, only ALLOW services I defined. > Ipset I want to use to block spam IPs, make it sure awesome as ever set rules > manually. After reading a good ipt

Re: [gentoo-user] IPTABLES

2015-12-24 Thread siefke_lis...@web.de
Hello, On Thu, 24 Dec 2015 15:11:55 +0300 Andrew Savchenko wrote: > ... > It is a bit old and isn't an ultimate description of all > iptables features (you have manuals for that), but will give you a > good understanding of how packet flow works and how they should be > processed. > ... thank y

Re: [gentoo-user] IPTABLES

2015-12-24 Thread Andrew Savchenko
Hi, On Tue, 22 Dec 2015 22:45:12 +0100 siefke_lis...@web.de wrote: > I try to run iptables, block bad IPs and close the system. > > I want to run a firewall which blocks all INPUT, only ALLOW services I defined. > Ipset I want to use to block spam IPs, make it sure awesome as ever set rules > manually.

[gentoo-user] IPTABLES

2015-12-22 Thread siefke_lis...@web.de
Hello, I try to run iptables, block bad IPs and close the system. I want to run a firewall which blocks all INPUT, only ALLOW services I defined. Ipset I want to use to block spam IPs, make it sure awesome as ever set rules manually. I'm not so sure it is okay, I have tried and read but at the end often I kick me

Re: [gentoo-user] iptables tunneling a chrooted Linux?

2015-08-15 Thread Rich Freeman
On Sat, Aug 15, 2015 at 7:45 AM, wrote: > Last chance: Installing a fully functional chrooted Linux, setup > some handcrafted iptables/ipset/sidmat stuff (which I still have > to do) and...get a "Yes, network is shared on kernel level" as answer > from this thread. :) > And I got this answer...YE

Re: [gentoo-user] iptables tunneling a chrooted Linux?

2015-08-15 Thread Meino . Cramer
Rich Freeman [15-08-15 13:04]: > On Sat, Aug 15, 2015 at 2:53 AM, Andrew Savchenko wrote: > > > > On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote: > >> on my Android tablet I have installed a Gentoo rootfs. > >> I can start this by chrooting it after Android has booted. > >> Via xvn

Re: [gentoo-user] iptables tunneling a chrooted Linux?

2015-08-15 Thread Rich Freeman
On Sat, Aug 15, 2015 at 2:53 AM, Andrew Savchenko wrote: > > On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote: >> on my Android tablet I have installed a Gentoo rootfs. >> I can start this by chrooting it after Android has booted. >> Via xvnc I can connect from a running Android to th

Re: [gentoo-user] iptables tunneling a chrooted Linux?

2015-08-14 Thread Andrew Savchenko
Hi, On Sat, 15 Aug 2015 06:53:30 +0200 meino.cra...@gmx.de wrote: > on my Android tablet I have installed a Gentoo rootfs. > I can start this by chrooting it after Android has booted. > Via xvnc I can connect from a running Android to the also > running Gentoo Linux. > If I set up a firewall as r

[gentoo-user] iptables tunneling a chrooted Linux?

2015-08-14 Thread Meino . Cramer
Hi, on my Android tablet I have installed a Gentoo rootfs. I can start this by chrooting it after Android has booted. Via xvnc I can connect from a running Android to the also running Gentoo Linux. If I set up a firewall as root (the Android is rooted) while I am in the chrooted Linux this firewa

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-31 Thread shawn wilson
On Tue, Dec 31, 2013 at 9:08 AM, Pandu Poluan wrote: > > On Dec 30, 2013 7:31 PM, "shawn wilson" wrote: >> >> Minor additions to what Pandu said... >> >> On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan wrote: >> > On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl >> > wrote: >> >> > The numbers within [

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-31 Thread Pandu Poluan
On Dec 30, 2013 7:31 PM, "shawn wilson" wrote: > > Minor additions to what Pandu said... > > On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan wrote: > > On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl wrote: > > > The numbers within [brackets] are statistics/counters. Just replace > > them with [0:0], un

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-30 Thread shawn wilson
Minor additions to what Pandu said... On Mon, Dec 30, 2013 at 7:02 AM, Pandu Poluan wrote: > On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl wrote: > The numbers within [brackets] are statistics/counters. Just replace > them with [0:0], unless you really really really have a good reason to > not star

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-30 Thread Pandu Poluan
On Mon, Dec 30, 2013 at 6:07 PM, Tanstaafl wrote: > [-- LE SNIP --] > Ok, well, maybe I should have posted my entire ruleset... > > I have this above where I define my chains: > > # > *filter > :INPUT DROP [0:0] > :FORWARD DROP [0:0] > :OUTPUT DROP [0:0] > # > > Does it matter where this goes? >

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-30 Thread Tanstaafl
On 2013-12-29 1:39 PM, shawn wilson wrote: On Sun, Dec 29, 2013 at 1:07 PM, Tanstaafl wrote: Hi all, Ok, I'm setting up a new server, and I'd like to rethink my iptables rules. I'd like to start with something fairly simple: 1. Allow connections from anywhere ONLY to certain ports ie, for

Re: [gentoo-user] IPTables question... simple as possible for starters

2013-12-29 Thread shawn wilson
On Sun, Dec 29, 2013 at 1:07 PM, Tanstaafl wrote: > Hi all, > > Ok, I'm setting up a new server, and I'd like to rethink my iptables rules. > > I'd like to start with something fairly simple: > > 1. Allow connections from anywhere ONLY to certain ports > > ie, for encrypted IMAP/SMTP connections f

[gentoo-user] IPTables question... simple as possible for starters

2013-12-29 Thread Tanstaafl
Hi all, Ok, I'm setting up a new server, and I'd like to rethink my iptables rules. I'd like to start with something fairly simple: 1. Allow connections from anywhere ONLY to certain ports ie, for encrypted IMAP/SMTP connections from users 2. Allow connections from only certain IP addresses t

Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Nick Khamis
Hello Everyone, Thank you so much for your responses. I agree Alan, total pain in the neck!!! But it's a ticket that was passed down to me. We moved the stateful firewalls inside the network, broken down to each department. But as a first on site defense on our BGP router running Quagga, we only

Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Jarry
On 21-May-13 17:07, Nick Khamis wrote: We recently moved our stateful firewall inside, and would like to strip down the firewall at our router connected to the outside world. The problem I am experiencing is getting things to work properly without connection tracking. I hope I am not in breach of

Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Alan McKinnon
On 21/05/2013 17:07, Nick Khamis wrote: > Hello Everyone, > > We recently moved our stateful firewall inside, and would like to > strip down the firewall at our router connected to the outside world. > The problem I am experiencing is getting things to work properly > without connection tracking.

Re: [gentoo-user] Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Nick Khamis
>> Looks like the packet never gets to the tcp chain. what is --syn? It seems that way I am not sure what --syn is actually. But even if I comment it out it does not work. Also, for testing I changed the SSH rule to allow bidirectional traffic until this is fixed: -A TCP -p tcp -m tcp --dport

[gentoo-user] Re: [gentoo-user] IPTables - Going Stateless

2013-05-21 Thread the guard
Tuesday, 21 May 2013, 11:07 -04:00 from Nick Khamis: > Hello Everyone, > > We recently moved our stateful firewall inside, and would like to > strip down the firewall at our router connected to the outside world. > The problem I am experiencing is getting things to work properly > without connec

[gentoo-user] IPTables - Going Stateless

2013-05-21 Thread Nick Khamis
Hello Everyone, We recently moved our stateful firewall inside, and would like to strip down the firewall at our router connected to the outside world. The problem I am experiencing is getting things to work properly without connection tracking. I hope I am not in breach of mailing list rules howe

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 23:29:39 +, Mick wrote: > > > Why do wikis and the like suggest that iptables should be in default > > > rather than boot runlevel? > > > > Why not? There's no need to start it especially early, as long as it > > is running before the network comes up, and the init scrip

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 20:37:20 Neil Bothwick wrote: > On Fri, 29 Mar 2013 19:44:14 +, Mick wrote: > > Why do wikis and the like suggest that iptables should be in default > > rather than boot runlevel? > > Why not? There's no need to start it especially early, as long as it is > running before

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Neil Bothwick
On Fri, 29 Mar 2013 19:44:14 +, Mick wrote: > Why do wikis and the like suggest that iptables should be in default > rather than boot runlevel? Why not? There's no need to start it especially early, as long as it is running before the network comes up, and the init script takes care of that.

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 19:34:39 Mick wrote: > On Friday 29 Mar 2013 19:03:57 Jarry wrote: > > On 29-Mar-13 19:43, Mick wrote: > > > On Friday 29 Mar 2013 18:25:11 Jarry wrote: > > >> Hi Gentoo-users, > > >> > > >> I noticed one thing on my server: during boot-up no message > > >> about firewall bei

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 19:03:57 Jarry wrote: > On 29-Mar-13 19:43, Mick wrote: > > On Friday 29 Mar 2013 18:25:11 Jarry wrote: > >> Hi Gentoo-users, > >> > >> I noticed one thing on my server: during boot-up no message > >> about firewall being started is printed on console. I always > >> have to c

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Pandu Poluan
On Mar 30, 2013 1:27 AM, "Jarry" wrote: > > Hi Gentoo-users, > > I noticed one thing on my server: during boot-up no message > about firewall being started is printed on console. I always > have to check manually if iptables-rules have been loaded. > Strange thing, when doing shutdown, I see messa

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Jarry
On 29-Mar-13 19:43, Mick wrote: On Friday 29 Mar 2013 18:25:11 Jarry wrote: Hi Gentoo-users, I noticed one thing on my server: during boot-up no message about firewall being started is printed on console. I always have to check manually if iptables-rules have been loaded. Strange thing, when do

Re: [gentoo-user] iptables (not) started?

2013-03-29 Thread Mick
On Friday 29 Mar 2013 18:25:11 Jarry wrote: > Hi Gentoo-users, > > I noticed one thing on my server: during boot-up no message > about firewall being started is printed on console. I always > have to check manually if iptables-rules have been loaded. > Strange thing, when doing shutdown, I see mes

[gentoo-user] iptables (not) started?

2013-03-29 Thread Jarry
Hi Gentoo-users, I noticed one thing on my server: during boot-up no message about firewall being started is printed on console. I always have to check manually if iptables-rules have been loaded. Strange thing, when doing shutdown, I see messages I expect: * Saving iptables state ...

Re: [gentoo-user] IPTABLES syntax change?

2013-01-06 Thread Walter Dnes
On Sat, Jan 05, 2013 at 11:57:10AM +, Mick wrote > > It will, but only partially. It seems that the list is long and it > is getting longer and longer! Check this out: > > whois -h whois.radb.net -- '-i origin AS32934' | grep ^route > > (as advised by https://developers.facebook.com/docs/A

Re: [gentoo-user] IPTABLES syntax change?

2013-01-04 Thread Michael Mol
On Jan 4, 2013 8:33 PM, "Walter Dnes" wrote: > > On Fri, Jan 04, 2013 at 03:27:59PM -0500, Michael Mol wrote > > On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes wrote: > > > > > > The mere fact that you haven't manually typed in... > > > http://www.facebook.com/blah_blah_blah does not mean you're n

Re: [gentoo-user] IPTABLES syntax change?

2013-01-04 Thread Walter Dnes
On Fri, Jan 04, 2013 at 03:27:59PM -0500, Michael Mol wrote > On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes wrote: > > > > The mere fact that you haven't manually typed in... > > http://www.facebook.com/blah_blah_blah does not mean you're not > > connecting to it. > > But all that's above layer 3

Re: [gentoo-user] IPTABLES syntax change?

2013-01-04 Thread Michael Mol
On Fri, Jan 4, 2013 at 3:17 PM, Walter Dnes wrote: > On Wed, Jan 02, 2013 at 11:32:58PM -0500, Michael Orlitzky wrote >> On 12/30/2012 10:21 PM, Walter Dnes wrote: >> > [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6 >> > [0:0] -A FECESBOOK -j DROP >> > [0:0] -A INPUT -s 192.168.

Re: [gentoo-user] IPTABLES syntax change?

2013-01-04 Thread Walter Dnes
On Wed, Jan 02, 2013 at 11:32:58PM -0500, Michael Orlitzky wrote > On 12/30/2012 10:21 PM, Walter Dnes wrote: > > [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6 > > [0:0] -A FECESBOOK -j DROP > > [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT > > [0:0] -A INPUT -s 169.254

Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-03 Thread Tanstaafl
On 2013-01-02 7:14 PM, Mick wrote: On Wednesday 02 Jan 2013 19:47:11 Tanstaafl wrote: Oh, ok - so, if I don't have any rules that use the 'mangle' command, then I can safely remove mangle support from my kernel and lose the mangle table altogether? Yes, I would think so. You can build it as

Re: [gentoo-user] IPTABLES syntax change?

2013-01-02 Thread Michael Orlitzky
On 12/30/2012 10:21 PM, Walter Dnes wrote: > [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6 > [0:0] -A FECESBOOK -j DROP > [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT > [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT > [0:0] -A INPUT -i lo -j ACCEPT > [0:0] -A INPUT

Re: [gentoo-user] IPTABLES syntax change?

2013-01-02 Thread Pandu Poluan
On Jan 3, 2013 4:40 AM, "Michael Orlitzky" wrote: > > On 12/30/12 22:21, Walter Dnes wrote: > > OK, here is version 2. I had "an excellent adventure" along the way. > > > > I'm doing the upgrade on our servers right now, and there's another > possible gotcha: the newer iptables (requiring connt

Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Pandu Poluan
On Jan 3, 2013 1:57 AM, "Michael Orlitzky" wrote: > > On 01/02/13 08:38, Tanstaafl wrote: > > Hi all, > > > > This has been bugging me for a while... > > > > I've googled, and can't seem to find a definitive answer to this > > question... > > > > Lots of references to the Mangle table, but nothing

Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Mick
On Wednesday 02 Jan 2013 19:47:11 Tanstaafl wrote: > On 2013-01-02 2:01 PM, Mick wrote: > > If you have a look at 'man iptables-extensions' it gives some examples of > > using -t mangle. > > > > I haven't looked in Google recently, but there should be some examples > > there too. > > Oh, ok - so

Re: [gentoo-user] IPTABLES syntax change?

2013-01-02 Thread Michael Orlitzky
On 12/30/12 22:21, Walter Dnes wrote: > OK, here is version 2. I had "an excellent adventure" along the way. > I'm doing the upgrade on our servers right now, and there's another possible gotcha: the newer iptables (requiring conntrack) requires NETFILTER_XT_MATCH_CONNTRACK support in the kern

Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Tanstaafl
On 2013-01-02 2:01 PM, Mick wrote: If you have a look at 'man iptables-extensions' it gives some examples of using -t mangle. I haven't looked in Google recently, but there should be some examples there too. Oh, ok - so, if I don't have any rules that use the 'mangle' command, then I can saf

Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Mick
On Wednesday 02 Jan 2013 13:38:27 Tanstaafl wrote: > Hi all, > > This has been bugging me for a while... > > I've googled, and can't seem to find a definitive answer to this > question... > > Lots of references to the Mangle table, but nothing that really explains > what this table is or does, a

Re: [gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Michael Orlitzky
On 01/02/13 08:38, Tanstaafl wrote: > Hi all, > > This has been bugging me for a while... > > I've googled, and can't seem to find a definitive answer to this > question... > > Lots of references to the Mangle table, but nothing that really explains > what this table is or does, and when or why

[gentoo-user] IPtables - Mangle table - when/why do I need it (or do I need it)?

2013-01-02 Thread Tanstaafl
Hi all, This has been bugging me for a while... I've googled, and can't seem to find a definitive answer to this question... Lots of references to the Mangle table, but nothing that really explains what this table is or does, and when or why I would want/need it. Currently, I have this in my

Re: [gentoo-user] IPTABLES syntax change?

2012-12-30 Thread Walter Dnes
OK, here is version 2. I had "an excellent adventure" along the way. * At the very last line (COMMIT), iptables-restore said it failed, but no clue whatsoever as to why. * I copied the rules file to a scratch-file, and converted it to a bash script that called iptables each time. * This m

Re: [gentoo-user] IPTABLES syntax change?

2012-12-30 Thread Adam Carter
> > 2) Does a "-j LOG" return to the chain it was called from, or does it do > > an implicit DROP? > > > > It returns to spot where it was called from. > > Yep, so you could create a new chain to drop and log; /sbin/iptables -N logdrop /sbin/iptables -A logdrop -j LOG --log-prefix 'DROP ' /sbin/ipt

Re: [gentoo-user] IPTABLES syntax change?

2012-12-30 Thread Michael Orlitzky
On 12/29/2012 01:32 PM, Walter Dnes wrote: > Two questions I'm not sure about. > > 1) I run a desktop, and use passive ftp. Is there any need for me to > accept RELATED packets? > Probably not, I think the server needs it though. > 2) Does a "-j LOG" return to the chain it was called from,

Re: [gentoo-user] IPTABLES syntax change?

2012-12-29 Thread Jarry
On 29-Dec-12 19:32, Walter Dnes wrote: 1) I run a desktop, and use passive ftp. Is there any need for me to accept RELATED packets? No, but you must take care of related connections. Even passive ftp opens command (>1023 -> 21) and data (>1023 -> >1023) channel. BTW, icmp-error (i.e. host unr

Re: [gentoo-user] IPTABLES syntax change?

2012-12-29 Thread Walter Dnes
Two questions I'm not sure about. 1) I run a desktop, and use passive ftp. Is there any need for me to accept RELATED packets? 2) Does a "-j LOG" return to the chain it was called from, or does it do an implicit DROP? -- Walter Dnes I don't run "desktop environments"; I run useful applicati

Re: [gentoo-user] IPTABLES syntax change?

2012-12-28 Thread Kerin Millar
Walter Dnes wrote: On Fri, Dec 28, 2012 at 01:07:11AM -0500, Michael Orlitzky wrote On 12/27/2012 10:59 PM, Walter Dnes wrote: Here's my revised "Paranoia Plus" ruleset. Any comments? Because I'm behind a NAT-ing ADSL router/modem, many of my rules rarely see hits. However, I do have a bac

Re: [gentoo-user] IPTABLES syntax change?

2012-12-28 Thread Walter Dnes
On Fri, Dec 28, 2012 at 01:07:11AM -0500, Michael Orlitzky wrote > On 12/27/2012 10:59 PM, Walter Dnes wrote: > > > > Here's my revised "Paranoia Plus" ruleset. Any comments? Because I'm > > behind a NAT-ing ADSL router/modem, many of my rules rarely see hits. > > However, I do have a backup d

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
I'm sure I made more than one typo, but the ALLOWED_ICMP below definitely needs a dollar sign. > > for ok_icmp in ALLOWED_ICMP; do > iptables -A ICMP_IN -p icmp --icmp-type "${ok_icmp}" -j ACCEPT > done >

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
On 12/27/2012 10:59 PM, Walter Dnes wrote: > > Here's my revised "Paranoia Plus" ruleset. Any comments? Because I'm > behind a NAT-ing ADSL router/modem, many of my rules rarely see hits. > However, I do have a backup dialup connection in case of problems, so > most of my rules don't specify t

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Walter Dnes
On Thu, Dec 27, 2012 at 06:50:07PM -0500, Michael Orlitzky wrote > Once you've upgraded, you should be able to add all of your old --state > rules normally, albeit with a warning. The new iptables will translate > them to conntrack rules, and you can `/etc/init.d/iptables save` the result. > > Th

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
On 12/27/2012 06:11 PM, Walter Dnes wrote: > On Thu, Dec 27, 2012 at 11:28:15AM +, Graham Murray wrote > >> The problem is not really the OP's fault. The problem is that if you >> have tables with the form "-m state --state XXX" at the point you >> upgrade, iptables-save (quite possibly called

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Walter Dnes
On Thu, Dec 27, 2012 at 11:28:15AM +, Graham Murray wrote > The problem is not really the OP's fault. The problem is that if you > have tables with the form "-m state --state XXX" at the point you > upgrade, iptables-save (quite possibly called automatically by > /etc/init.d/iptables stop) wil

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
On 12/27/12 12:52, Matthias Hanft wrote: > Michael Orlitzky wrote: >> >> My first -m state rule is, >>iptables -A INPUT -p ALL -m state \ >> --state ESTABLISHED,RELATED -j ACCEPT > > That was mine, too (you can omit -p in this case, can't you?). Yeah, it just makes the indentation line u

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Matthias Hanft
Michael Orlitzky wrote: My first -m state rule is, iptables -A INPUT -p ALL -m state \ --state ESTABLISHED,RELATED -j ACCEPT That was mine, too (you can omit -p in this case, can't you?). And if what you say is true, I'd be in deep shit if it reset to, iptables -A INPUT -p ALL -m

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Michael Orlitzky
On 12/27/12 06:28, Graham Murray wrote: > Michael Orlitzky writes: > >> The 'conntrack' module is supposed to be a superset of 'state', so most >> things should be compatible. You really have two warnings there; the >> first is for the state -> conntrack switch, and the second is because >> you'r

Re: [gentoo-user] IPTABLES syntax change?

2012-12-27 Thread Graham Murray
Michael Orlitzky writes: > The 'conntrack' module is supposed to be a superset of 'state', so most > things should be compatible. You really have two warnings there; the > first is for the state -> conntrack switch, and the second is because > you're missing the --state flag in your rules. > > In

Re: [gentoo-user] IPTABLES syntax change?

2012-12-26 Thread Michael Orlitzky
On 12/26/2012 07:47 PM, Walter Dnes wrote: > Many years ago, I understood IPCHAINS, and the first versions of > IPTABLES. However, IPTABLES has followed the example of Larry Wall's > Practical Extraction and Reporting Language > and turned into a pseudo-OS that I barely comprehend. Some rules >

[gentoo-user] IPTABLES syntax change?

2012-12-26 Thread Walter Dnes
Many years ago, I understood IPCHAINS, and the first versions of IPTABLES. However, IPTABLES has followed the example of Larry Wall's Practical Extraction and Reporting Language and turned into a pseudo-OS that I barely comprehend. Some rules that I added many years ago were designed to reject

Re: [gentoo-user] iptables question...

2011-12-17 Thread Tanstaafl
On 2011-12-17 11:34 AM, Hari Purnama wrote: Did you put the log-prefix rule before or after the LOG rule? After - the log prefix rule is last... Or why didn't you put it in a 1liner, say: -A INPUT -i eth0 -m state --state INVALID -j LOG --log-level 7 --log-prefix "(>fw-drop): " --log-ip-opt

Re: [gentoo-user] iptables question...

2011-12-17 Thread Hari Purnama
On 12/16/11 22:17, Tanstaafl wrote: > Hi all, > > I was reading up on some iptables rules in the gentoo security handbook: > > http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12&style=printable > > > It mentions DROPing packets with an INVALID state. > > It sounded/sounds li

[gentoo-user] iptables question...

2011-12-16 Thread Tanstaafl
Hi all, I was reading up on some iptables rules in the gentoo security handbook: http://www.gentoo.org/doc/en/security/security-handbook.xml?part=1&chap=12&style=printable It mentions DROPing packets with an INVALID state. It sounded/sounds like a good idea, so I added the following rule: -A

[gentoo-user] iptables - do I need the nat table?

2010-04-10 Thread Tanstaafl
Hello, This is on a server box, and I am *not* doing NAT on it... Do I even need the nat table? If not, I'd like to build the kernel without NAT support, but if there's a good reason not to do that, I won't... Thanks -- Charles

Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in "-s" and "-d"?

2010-04-09 Thread Stefan Schulte
Hi, you can define a rule like that: iptables -A FORWARD -s 192.168.235.43,192.168.235.46 -d 10.0.0.1,192.168.0.1 -j ACCEPT It will create 4 rules. Be sure to activate Networking support->Networking options->Network packet filtering framework->Core Netfilter Configuration->iprange address rang

Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in "-s" and "-d"?

2010-04-06 Thread Alex Schuster
Jarry writes: > I'd like to ask if there is some way to include multiple discrete > hosts/IP's in --source and --destination options of iptables. > > I'm trying to write firewall rules for my server, but it has > 12 IP's from different segments (and maybe it gets a few more > later), and the scri

Re: [gentoo-user] iptables: how can I include multiple hosts/IPs in "-s" and "-d"?

2010-04-06 Thread Kostyantyn
On Mon, 2010-04-05 at 19:32 +0200, Jarry wrote: > Hi > > I'd like to ask if there is some way to include multiple discrete > hosts/IP's in --source and --destination options of iptables. > > I'm trying to write firewall rules for my server, but it has > 12 IP's from different segments (and maybe

[gentoo-user] iptables: how can I include multiple hosts/IPs in "-s" and "-d"?

2010-04-05 Thread Jarry
Hi I'd like to ask if there is some way to include multiple discrete hosts/IP's in --source and --destination options of iptables. I'm trying to write firewall rules for my server, but it has 12 IP's from different segments (and maybe it gets a few more later), and the script grows up as I have

Re: [gentoo-user] iptables firewall script

2009-07-17 Thread Mick
2009/7/17 Dave : > Hello, >        Can anyone good with iptables give this script a once over? It is > working, but in a very inconsistent manner, sometimes it lets traffic in, > other times not. Two things it does not have are dhcp rules as this box gets > its address via dhcp and cifs rules, thi

[gentoo-user] iptables firewall script

2009-07-17 Thread Dave
Hello, Can anyone good with iptables give this script a once over? It is working, but in a very inconsistent manner, sometimes it lets traffic in, other times not. Two things it does not have are dhcp rules as this box gets its address via dhcp and cifs rules, this machine mounts cifs shar

Re: [gentoo-user] iptables

2009-07-16 Thread Nevynxxx
Alejandro wrote: > > > On Thu, Jul 16, 2009 at 5:32 AM, Dave > wrote: > >> Hello, > >>I'm looking for a guide for iptables specifically for > gentoo 2.6. > >>I was also wondering if anyone was using apf "Advanced > Policy >

Re: [gentoo-user] iptables

2009-07-16 Thread Alejandro
2009/7/16 Marco > Maybe this thread could be helpful as well: > > http://marc.info/?l=gentoo-user&m=124058693215810&w=2 > > -- > Regards, > Marco > > > On Thu, Jul 16, 2009 at 10:41 AM, Marco wrote: > > Hi Dave, > > > > this one is rather informative: > > > > http://www.novell.com/coolsolutions/

Re: [gentoo-user] iptables

2009-07-16 Thread Marco
Maybe this thread could be helpful as well: http://marc.info/?l=gentoo-user&m=124058693215810&w=2 -- Regards, Marco On Thu, Jul 16, 2009 at 10:41 AM, Marco wrote: > Hi Dave, > > this one is rather informative: > > http://www.novell.com/coolsolutions/feature/18139.html > > Also, this one from g

Re: [gentoo-user] iptables

2009-07-16 Thread Marco
Hi Dave, this one is rather informative: http://www.novell.com/coolsolutions/feature/18139.html Also, this one from gentoo (although for 2.4) is worth reading: http://www.gentoo.org/doc/en/articles/linux-24-stateful-fw-design.xml HTH! -- Regards, Marco On Thu, Jul 16, 2009 at 5:32 AM, Dav

[gentoo-user] iptables

2009-07-15 Thread Dave
Hello, I'm looking for a guide for iptables specifically for gentoo 2.6. I was also wondering if anyone was using apf "Advanced Policy Firewall" on a gentoo 2008.0 2.6 machine? Thanks. Dave.

[gentoo-user] iptables + dansguardian + squid

2009-04-09 Thread Joseph
I was following this guide to set up a home filter: iptables, DansGuardian, and Squid. http://www.linux.com/articles/113733 In the past it worked, but when I try it now, e.g.: iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT iptables: No chain/target/match by that na

Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Chuanwen Wu
2007/5/15, Dan Farrell <[EMAIL PROTECTED]>: On Tue, 15 May 2007 10:35:38 +0800 "Chuanwen Wu" <[EMAIL PROTECTED]> wrote: > Does it mean that eth1 (the interface in my subnet) receives the request > but doesn't forward it? Perhaps you should attach the output of "iptables -t nat -L -v; iptables

Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Dan Farrell
On Tue, 15 May 2007 10:35:38 +0800 "Chuanwen Wu" <[EMAIL PROTECTED]> wrote: > Does it mean that eth1 (the interface in my subnet) receives the request > but doesn't forward it? Perhaps you should attach the output of "iptables -t nat -L -v; iptables -L -v;" so I can see the rules... while you're

Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Chuanwen Wu
Thanks Norberto and Dan Farrell! I think I had a misunderstanding and made some mistakes. I hope I have corrected it now. /etc/conf.d/net in the server config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" ) routes_eth0=( "default gw 202.114.10.129" ) config_eth1=( "192.168.1.1 netmask

Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Dan Farrell
Greetings all. Hope the weather in Beijing is pleasant, Mr Wu. On Mon, 14 May 2007 11:58:34 -0300 (ART) "Norberto Bensa" <[EMAIL PROTECTED]> wrote: > On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote: > > Thank you! I think I have done what you meant. > > Here is the information: > > > > > > /etc/

Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Norberto Bensa
On Mon, May 14, 2007 8:23 am, Chuanwen Wu wrote: > Thank you! I think I have done what you meant. > Here is the information: > > > /etc/conf.d/net in the server > config_eth0=( "202.114.10.134 netmask 255.255.255.0 brd 202.114.10.255" ) > routes_eth0=( "default gw 202.114.10.129" ) OK > > config_e

Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Chuanwen Wu
2007/5/14, Norberto Bensa <[EMAIL PROTECTED]>: Chuanwen Wu wrote: > I have tried setting all the gw in my subnet to 192.168.1.254 or 192.168.1.1. > Is it all right? I don't know, it depends on what your gw's IP is. Let's say you have this setup: GW: 192.168.1.1 Other PCs are: 192.168.1.2... 192

Re: [gentoo-user] iptables configuration problem

2007-05-14 Thread Norberto Bensa
Chuanwen Wu wrote: > I have tried setting all the gw in my subnet to 192.168.1.254 or 192.168.1.1. > Is it all right? I don't know, it depends on what your gw's IP is. Let's say you have this setup: GW: 192.168.1.1 Other PCs are: 192.168.1.2... 192.168.1.3... and so on. On the GW you need: ec

Re: [gentoo-user] iptables configuration problem

2007-05-13 Thread Norberto Bensa
Chuanwen Wu wrote: > Chain POSTROUTING (policy ACCEPT) > target prot opt source destination > MASQUERADE all -- 192.168.1.0/24 anywhere > > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > >

Re: [gentoo-user] iptables configuration problem

2007-05-13 Thread Chuanwen Wu
2007/5/13, Fabio A Correa <[EMAIL PROTECTED]>: Hello Wu, Instead of the commands you posted, you should use echo 1 > /proc/sys/net/ipv4/ip_forward iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE I have tried. But it still doesn't work

Re: [gentoo-user] iptables configuration problem

2007-05-13 Thread Fabio A Correa
Hello Wu, Instead of the commands you posted, you should use echo 1 > /proc/sys/net/ipv4/ip_forward iptables --table nat -A POSTROUTING -s 192.168.8.0/24 -j MASQUERADE Long explanation: The first command enables the kernel to _forward_ packets from

[gentoo-user] iptables configuration problem

2007-05-13 Thread Chuanwen Wu
Hi, guys! I use iptables to let the PCs in the subnet connect to the internet outside. And I wrote a simple script, but it doesn't work: #!/bin/sh iptables -F #Define packets from Internet server to Intranet iptables -A FORWARD -d 198.168.1.0/24 -i eth0 -j ACCEPT #Define packets from Intranet to I

Re: [gentoo-user] iptables will not load rule after kernel upgrade (2.6.19-r5 -> 2.6.20-r6) SOLVED

2007-04-22 Thread Dan Johansson
On Saturday 21 April 2007 20:34, Mark Shields wrote: > On 4/21/07, Dan Johansson <[EMAIL PROTECTED]> wrote: > > On Saturday 21 April 2007 15:53, Uwe Thiem wrote: > > > On 21 April 2007, Dan Johansson wrote: > > > > After upgrading gentoo-sources to 2.6.20-r6 from 2.6.19-r5 today my > > > > firewall
