Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-user

From: Michael Orlitzky <michael@××××××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] IPTABLES syntax change?
Date: Wed, 02 Jan 2013 21:37:54
Message-Id: 50E4A857.1090800@orlitzky.com
In Reply to: Re: [gentoo-user] IPTABLES syntax change? by Walter Dnes
1 On 12/30/12 22:21, Walter Dnes wrote:
2 > OK, here is version 2. I had "an excellent adventure" along the way.
3 >
4
5 I'm doing the upgrade on our servers right now, and there's another
6 possible gotcha: the newer iptables (requiring conntrack) requires
7 NETFILTER_XT_MATCH_CONNTRACK support in the kernel. This is in contrast
8 to the state matches which used NETFILTER_XT_MATCH_STATE.
9
10 To minimize downtime during the switch, I'm doing,
11
12 1. Rebuild the kernel, enable conntrack and disable state.
13
14 2. Fix my iptables-config script to use the conntrack stuff
15
16 3. Create a dummy set of rules that allows me to SSH in (without
17 state matching)
18
19 4. Run and save those rules
20
21 5. Reboot to new kernel
22
23 6. SSH in and run iptables-config
24
25 7. Save the rules
26
27
28 > [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
29 > [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
30 > [0:0] -A INPUT -i lo -j ACCEPT
31 > [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED
32 > [0:0] -A INPUT -p tcp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
33 > [0:0] -A INPUT -p udp -m multiport --dports 0:1023,6000:6063 -j BAD_DPORT
34 > [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
35 > [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
36 > [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
37 > [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
38 > [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
39 > [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK
40 > [0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG
41 > [0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG
42 > [0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG
43 > [0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG
44 > [0:0] -A INPUT -p icmp -j ICMP_IN
45 > [0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
46
47 These rules will be evaluated in order. I have no evidence for this, but
48 I suspect you're better off accepting the ESTABLISHED,RELATED stuff
49 earlier in the chain so you don't slow down the packets that you want.

Replies

Subject Author
Re: [gentoo-user] IPTABLES syntax change? Pandu Poluan <pandu@××××××.info>
Report Message
Find on MARC Find on Google Groups