From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 511691381FB for ; Fri, 28 Dec 2012 04:01:12 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A4BA321C01D; Fri, 28 Dec 2012 04:00:57 +0000 (UTC) Received: from ironport2-out.teksavvy.com (ironport2-out.teksavvy.com [206.248.154.182]) by pigeon.gentoo.org (Postfix) with ESMTP id 92A3A21C01D for ; Fri, 28 Dec 2012 03:59:48 +0000 (UTC) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AgsKAG6Zu09MCqEB/2dsb2JhbABEsnYDgRiBCIIVAQEEATocKAsLNBIUJTeICQW6CYsIAiQ0hABiA4hChHyHXIVfiDqBWIMHgTo X-IronPort-AV: E=Sophos;i="4.75,637,1330923600"; d="scan'208";a="210802699" Received: from 76-10-161-1.dsl.teksavvy.com (HELO waltdnes.org) ([76.10.161.1]) by ironport2-out.teksavvy.com with SMTP; 27 Dec 2012 22:59:47 -0500 Received: by waltdnes.org (sSMTP sendmail emulation); Thu, 27 Dec 2012 22:59:37 -0500 From: "Walter Dnes" Date: Thu, 27 Dec 2012 22:59:37 -0500 To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] IPTABLES syntax change? Message-ID: <20121228035937.GA2949@waltdnes.org> References: <20121227004732.GB5854@waltdnes.org> <50DBA7D0.4060800@orlitzky.com> <87zk0zivjk.fsf@einstein.gmurray.org.uk> <20121227231150.GA9864@waltdnes.org> <50DCDEAF.9020002@orlitzky.com> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <50DCDEAF.9020002@orlitzky.com> User-Agent: Mutt/1.5.21 (2010-09-15) X-Archives-Salt: 4dd244f5-56b5-42ab-9c8a-cf1b2cc06d0c X-Archives-Hash: ab14fbab7b0e035cde960b2004965f14 On Thu, Dec 27, 2012 at 06:50:07PM -0500, Michael Orlitzky wrote > Once you've upgraded, you should be able to add all of your old --state > rules normally, albeit with a warning. The new iptables will translate > them to conntrack rules, and you can `/etc/init.d/iptables save` the result. > > The upgrade just fails in a horrible way. Here's my revised "Paranoia Plus" ruleset. Any comments? Because I'm behind a NAT-ing ADSL router/modem, many of my rules rarely see hits. However, I do have a backup dialup connection in case of problems, so most of my rules don't specify the network interface. A couple of notes... * My little lan is 192.168.123.248/29 * I have a TV tuner box that comes up in the zero-config space, so I have to allow 169.254.0.0/16 * I "dislike" a certain button following me. # Generated by iptables-save v1.4.16.3 on Thu Dec 27 22:43:12 2012 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] :DROP_LOG - [0:0] :FECESBOOK - [0:0] :ICMP_IN - [0:0] :PRIVATE - [0:0] :PRIVATE_LOG - [0:0] :TCP_IN - [0:0] :UDP_IN - [0:0] :UNSOLICITED - [0:0] [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK [0:0] -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT [0:0] -A INPUT -p udp -m udp --sport 53 -j ACCEPT [0:0] -A INPUT -i lo -j ACCEPT [0:0] -A INPUT -f -j LOG --log-prefix "FRAGMENTS:" --log-level 6 [0:0] -A INPUT -f -j DROP [0:0] -A INPUT -p tcp -j TCP_IN [0:0] -A INPUT -p udp -j UDP_IN [0:0] -A INPUT -p icmp -j ICMP_IN [0:0] -A INPUT -j LOG --log-prefix "BAD_PROTOCOL:" --log-level 6 [0:0] -A INPUT -j DROP [0:0] -A OUTPUT -d 192.168.123.248/29 -o eth0 -j ACCEPT [0:0] -A OUTPUT -o lo -j ACCEPT [0:0] -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT [0:0] -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT [0:0] -A OUTPUT -p icmp -m icmp --icmp-type 30 -j ACCEPT [0:0] -A OUTPUT -p tcp -m tcp --sport 0:1023 -j DROP_LOG [0:0] -A OUTPUT -p udp -m udp --sport 0:1023 -j DROP_LOG [0:0] -A OUTPUT -p tcp -m tcp --sport 6000:6063 -j DROP_LOG [0:0] -A OUTPUT -p udp -m udp --sport 6000:6063 -j DROP_LOG [0:0] -A OUTPUT -j ACCEPT [0:0] -A DROP_LOG -j LOG --log-level 6 [0:0] -A DROP_LOG -j DROP [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6 [0:0] -A FECESBOOK -j DROP [0:0] -A ICMP_IN -p icmp -m conntrack --ctstate NEW -j UNSOLICITED [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 0 -j PRIVATE [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 3 -j PRIVATE [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 4 -j PRIVATE [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 11 -j PRIVATE [0:0] -A ICMP_IN -p icmp -m icmp --icmp-type 12 -j PRIVATE [0:0] -A ICMP_IN -j LOG --log-prefix "IN_BAD_ICMP:" --log-level 6 [0:0] -A ICMP_IN -j DROP [0:0] -A PRIVATE -s 10.0.0.0/8 -j PRIVATE_LOG [0:0] -A PRIVATE -s 127.0.0.0/8 -j PRIVATE_LOG [0:0] -A PRIVATE -s 172.16.0.0/12 -j PRIVATE_LOG [0:0] -A PRIVATE -s 192.168.0.0/16 -j PRIVATE_LOG [0:0] -A PRIVATE -j ACCEPT [0:0] -A PRIVATE_LOG -j LOG --log-prefix "IN_BAD_ADDR:" --log-level 6 [0:0] -A PRIVATE_LOG -j DROP [0:0] -A TCP_IN -p tcp -m tcp --dport 0:1023 -j DROP_LOG [0:0] -A TCP_IN -p tcp -m tcp --dport 6000:6063 -j DROP_LOG [0:0] -A TCP_IN -p tcp -m tcp --sport 53 -j PRIVATE [0:0] -A TCP_IN -p tcp -m tcp --sport 80 -j PRIVATE [0:0] -A TCP_IN -p tcp -m conntrack --ctstate NEW -m tcp -j UNSOLICITED [0:0] -A TCP_IN -p tcp -j PRIVATE [0:0] -A UDP_IN -p udp -m udp --dport 0:1023 -j DROP_LOG [0:0] -A UDP_IN -p udp -m udp --dport 6000:6063 -j DROP_LOG [0:0] -A UDP_IN -p udp -m udp --sport 53 -j PRIVATE [0:0] -A UDP_IN -p udp -m udp --sport 80 -j PRIVATE [0:0] -A UDP_IN -p udp -m conntrack --ctstate NEW -j UNSOLICITED [0:0] -A UDP_IN -p udp -j PRIVATE [0:0] -A UNSOLICITED -j LOG --log-prefix "UNSOLICITED:" --log-level 6 [0:0] -A UNSOLICITED -j DROP COMMIT # Completed on Thu Dec 27 22:43:12 2012 -- Walter Dnes I don't run "desktop environments"; I run useful applications