Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-user

From: Walter Dnes <waltdnes@××××××××.org>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] IPTABLES syntax change?
Date: Fri, 28 Dec 2012 04:01:12
Message-Id: 20121228035937.GA2949@waltdnes.org
In Reply to: Re: [gentoo-user] IPTABLES syntax change? by Michael Orlitzky
1 On Thu, Dec 27, 2012 at 06:50:07PM -0500, Michael Orlitzky wrote
2
3 > Once you've upgraded, you should be able to add all of your old --state
4 > rules normally, albeit with a warning. The new iptables will translate
5 > them to conntrack rules, and you can `/etc/init.d/iptables save` the result.
6 >
7 > The upgrade just fails in a horrible way.
8
9 Here's my revised "Paranoia Plus" ruleset. Any comments? Because I'm
10 behind a NAT-ing ADSL router/modem, many of my rules rarely see hits.
11 However, I do have a backup dialup connection in case of problems, so
12 most of my rules don't specify the network interface. A couple of
13 notes...
14
15 * My little lan is 192.168.123.248/29
16 * I have a TV tuner box that comes up in the zero-config space, so I
17 have to allow 169.254.0.0/16
18 * I "dislike" a certain button following me.
19
20 # Generated by iptables-save v1.4.16.3 on Thu Dec 27 22:43:12 2012
21 *filter
22 :INPUT DROP [0:0]
23 :FORWARD DROP [0:0]
24 :OUTPUT DROP [0:0]
25 :DROP_LOG - [0:0]
26 :FECESBOOK - [0:0]
27 :ICMP_IN - [0:0]
28 :PRIVATE - [0:0]
29 :PRIVATE_LOG - [0:0]
30 :TCP_IN - [0:0]
31 :UDP_IN - [0:0]
32 :UNSOLICITED - [0:0]
33 [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
34 [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
35 [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
36 [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
37 [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
38 [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
39 [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
40 [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
41 [0:0] -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
42 [0:0] -A INPUT -p udp -m udp --sport 53 -j ACCEPT
43 [0:0] -A INPUT -i lo -j ACCEPT
44 [0:0] -A INPUT -f -j LOG --log-prefix "FRAGMENTS:" --log-level 6
45 [0:0] -A INPUT -f -j DROP
46 [0:0] -A INPUT -p tcp -j TCP_IN
47 [0:0] -A INPUT -p udp -j UDP_IN
48 [0:0] -A INPUT -p icmp -j ICMP_IN
49 [0:0] -A INPUT -j LOG --log-prefix "BAD_PROTOCOL:" --log-level 6
50 [0:0] -A INPUT -j DROP
51 [0:0] -A OUTPUT -d 192.168.123.248/29 -o eth0 -j ACCEPT
52 [0:0] -A OUTPUT -o lo -j ACCEPT
53 [0:0] -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
54 [0:0] -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
55 [0:0] -A OUTPUT -p icmp -m icmp --icmp-type 30 -j ACCEPT
56 [0:0] -A OUTPUT -p tcp -m tcp --sport 0:1023 -j DROP_LOG
57 [0:0] -A OUTPUT -p udp -m udp --sport 0:1023 -j DROP_LOG
58 [0:0] -A OUTPUT -p tcp -m tcp --sport 6000:6063 -j DROP_LOG
59 [0:0] -A OUTPUT -p udp -m udp --sport 6000:6063 -j DROP_LOG
60 [0:0] -A OUTPUT -j ACCEPT
61 [0:0] -A DROP_LOG -j LOG --log-level 6
62 [0:0] -A DROP_LOG -j DROP
63 [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
64 [0:0] -A FECESBOOK -j DROP
65 [0:0] -A ICMP_IN -p icmp -m conntrack --ctstate NEW -j UNSOLICITED
66 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 0 -j PRIVATE
67 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 3 -j PRIVATE
68 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 4 -j PRIVATE
69 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 11 -j PRIVATE
70 [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 12 -j PRIVATE
71 [0:0] -A ICMP_IN -j LOG --log-prefix "IN_BAD_ICMP:" --log-level 6
72 [0:0] -A ICMP_IN -j DROP
73 [0:0] -A PRIVATE -s 10.0.0.0/8 -j PRIVATE_LOG
74 [0:0] -A PRIVATE -s 127.0.0.0/8 -j PRIVATE_LOG
75 [0:0] -A PRIVATE -s 172.16.0.0/12 -j PRIVATE_LOG
76 [0:0] -A PRIVATE -s 192.168.0.0/16 -j PRIVATE_LOG
77 [0:0] -A PRIVATE -j ACCEPT
78 [0:0] -A PRIVATE_LOG -j LOG --log-prefix "IN_BAD_ADDR:" --log-level 6
79 [0:0] -A PRIVATE_LOG -j DROP
80 [0:0] -A TCP_IN -p tcp -m tcp --dport 0:1023 -j DROP_LOG
81 [0:0] -A TCP_IN -p tcp -m tcp --dport 6000:6063 -j DROP_LOG
82 [0:0] -A TCP_IN -p tcp -m tcp --sport 53 -j PRIVATE
83 [0:0] -A TCP_IN -p tcp -m tcp --sport 80 -j PRIVATE
84 [0:0] -A TCP_IN -p tcp -m conntrack --ctstate NEW -m tcp -j UNSOLICITED
85 [0:0] -A TCP_IN -p tcp -j PRIVATE
86 [0:0] -A UDP_IN -p udp -m udp --dport 0:1023 -j DROP_LOG
87 [0:0] -A UDP_IN -p udp -m udp --dport 6000:6063 -j DROP_LOG
88 [0:0] -A UDP_IN -p udp -m udp --sport 53 -j PRIVATE
89 [0:0] -A UDP_IN -p udp -m udp --sport 80 -j PRIVATE
90 [0:0] -A UDP_IN -p udp -m conntrack --ctstate NEW -j UNSOLICITED
91 [0:0] -A UDP_IN -p udp -j PRIVATE
92 [0:0] -A UNSOLICITED -j LOG --log-prefix "UNSOLICITED:" --log-level 6
93 [0:0] -A UNSOLICITED -j DROP
94 COMMIT
95 # Completed on Thu Dec 27 22:43:12 2012
96
97 --
98 Walter Dnes <waltdnes@××××××××.org>
99 I don't run "desktop environments"; I run useful applications

Replies

Subject Author
Re: [gentoo-user] IPTABLES syntax change? Michael Orlitzky <michael@××××××××.com>
Report Message
Find on MARC Find on Google Groups