Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-user

From: Walter Dnes <waltdnes@××××××××.org>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] IPTABLES syntax change?
Date: Mon, 31 Dec 2012 03:23:28
Message-Id: 20121231032150.GA2032@waltdnes.org
In Reply to: Re: [gentoo-user] IPTABLES syntax change? by Michael Orlitzky
1 OK, here is version 2. I had "an excellent adventure" along the way.
2
3 * At the very last line (COMMIT), iptables-restore said it failed, but
4 no clue whatsoever as to why.
5
6 * I copied the rules file to a scratch-file, and converted it to a bash
7 script that called iptables each time.
8
9 * This method showed errors when using "-m multiport"
10
11 * "multiport" is apparently not part of the core of iptables. It's an
12 extra kernel option that has to be invoked explicity.
13
14 * cd /usr/src/linux
15 make menuconfig
16 [*] Networking support --->
17 Networking options --->
18 [*] Network packet filtering framework (Netfilter) --->
19
20 Here's where it gets tricky. You *MUST* first enable...
21
22 [*] Advanced netfilter configuration
23
24 ...and then go into...
25
26 Core Netfilter Configuration --->
27 ...and select...
28
29 <*> "multiport" Multiple port match support
30
31 Rebuild kernel and reboot. Now for the iptables rules, version 2
32
33 *filter
34 :INPUT DROP [0:0]
35 :FORWARD DROP [0:0]
36 :OUTPUT ACCEPT [0:0]
37 :BAD_DPORT - [0:0]
38 :BAD_SPORT - [0:0]
39 :DROP_LOG - [0:0]
40 :FECESBOOK - [0:0]
41 :ICMP_IN - [0:0]
42 :ICMP_OUT - [0:0]
43 :PRIVATE_LOG - [0:0]
44 :UNSOLICITED - [0:0]
45 [0:0] -A BAD_DPORT -j LOG --log-prefix "BAD_DPORT:" --log-level 6
46 [0:0] -A BAD_DPORT -j DROP
47 [0:0] -A BAD_SPORT -j LOG --log-prefix "BAD_SPORT:" --log-level 6
48 [0:0] -A BAD_SPORT -j DROP
49 [0:0] -A DROP_LOG -j LOG --log-level 6
50 [0:0] -A DROP_LOG -j DROP
51 [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
52 [0:0] -A FECESBOOK -j DROP
53 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 0 -j ACCEPT
54 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 3 -j ACCEPT
55 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 4 -j ACCEPT
56 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 11 -j ACCEPT
57 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 12 -j ACCEPT
58 [0:0] -A ICMP_IN -j LOG --log-prefix "IN_BAD_ICMP:" --log-level 6
59 [0:0] -A ICMP_IN -j DROP
60 [0:0] -A ICMP_OUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
61 [0:0] -A ICMP_OUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
62 [0:0] -A ICMP_OUT -p icmp -m icmp --icmp-type 30 -j ACCEPT
63 [0:0] -A ICMP_OUT -j LOG --log-prefix "OUT_BAD_ICMP:" --log-level 6
64 [0:0] -A ICMP_OUT -j DROP
65 [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
66 [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
67 [0:0] -A INPUT -i lo -j ACCEPT
68 [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
69 [0:0] -A INPUT -p tcp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
70 [0:0] -A INPUT -p udp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
71 [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
72 [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
73 [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
74 [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
75 [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
76 [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
77 [0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG
78 [0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG
79 [0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG
80 [0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG
81 [0:0] -A INPUT -p icmp -j ICMP_IN
82 [0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
83 [0:0] -A OUTPUT -d 192.168.123.248/29 -o eth0 -j ACCEPT
84 [0:0] -A OUTPUT -o lo -j ACCEPT
85 [0:0] -A OUTPUT -p tcp -m multiport --sports 0:1023,6000:6063 -j BAD_SPORT
86 [0:0] -A OUTPUT -p udp -m multiport --sports 0:1023,6000:6063 -j BAD_SPORT
87 [0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
88 [0:0] -A OUTPUT -d 69.220.144.0/20 -j FECESBOOK
89 [0:0] -A OUTPUT -d 69.63.176.0/20 -j FECESBOOK
90 [0:0] -A OUTPUT -d 69.171.224.0/19 -j FECESBOOK
91 [0:0] -A OUTPUT -d 200.58.112.0/20 -j FECESBOOK
92 [0:0] -A OUTPUT -d 213.155.64.0/19 -j FECESBOOK
93 [0:0] -A PRIVATE_LOG -j LOG --log-prefix "IN_BAD_ADDR:" --log-level 6
94 [0:0] -A PRIVATE_LOG -j DROP
95 [0:0] -A UNSOLICITED -j LOG --log-prefix "UNSOLICITED:" --log-level 6
96 [0:0] -A UNSOLICITED -j DROP
97 COMMIT
98
99 --
100 Walter Dnes <waltdnes@××××××××.org>
101 I don't run "desktop environments"; I run useful applications

Replies

Subject Author
Re: [gentoo-user] IPTABLES syntax change? Michael Orlitzky <michael@××××××××.com>
Re: [gentoo-user] IPTABLES syntax change? Michael Orlitzky <michael@××××××××.com>
Report Message
Find on MARC Find on Google Groups