public inbox for gentoo-user@lists.gentoo.org
From: Michael Orlitzky <michael@orlitzky.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] IPTABLES syntax change?
Date: Wed, 02 Jan 2013 23:32:58 -0500
Message-ID: <50E509FA.3060204@orlitzky.com>
In-Reply-To: <20121231032150.GA2032@waltdnes.org>

On 12/30/2012 10:21 PM, Walter Dnes wrote:
> [0:0] -A FECESBOOK -j LOG --log-prefix "FECESBOOK:" --log-level 6
> [0:0] -A FECESBOOK -j DROP
> [0:0] -A INPUT -s 192.168.123.248/29 -i eth0 -j ACCEPT
> [0:0] -A INPUT -s 169.254.0.0/16 -i eth0 -j ACCEPT
> [0:0] -A INPUT -i lo -j ACCEPT
> [0:0] -A INPUT -m conntrack --ctstate INVALID,NEW -j UNSOLICITED

In fact, since you're blocking all outgoing packets to facebook, the
only state that a packet from facebook can have here is INVALID or NEW.
So traffic from facebook will be sent to the UNSOLICITED chain and DROPped.


> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.220.144.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.63.176.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 69.171.224.0/19 -j FECESBOOK
> [0:0] -A INPUT -s 200.58.112.0/20 -j FECESBOOK
> [0:0] -A INPUT -s 213.155.64.0/19 -j FECESBOOK

...making these pointless =)


> [0:0] -A INPUT -s 10.0.0.0/8 -j PRIVATE_LOG
> [0:0] -A INPUT -s 127.0.0.0/8 -j PRIVATE_LOG
> [0:0] -A INPUT -s 172.16.0.0/12 -j PRIVATE_LOG
> [0:0] -A INPUT -s 192.168.0.0/16 -j PRIVATE_LOG

I believe the same applies here, since you already accepted your
legitimate LAN traffic above. For this to catch anything, you'd first
have to send a packet to one of those subnets and something would have
to respond to it.


> [0:0] -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

So it makes even more sense to move this above the rest. If you still
want to log facebook and other private traffic, the INVALID,NEW rule
should come after those, otherwise the facebook/private stuff will just
be dropped as UNSOLICITED.
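The ordering argument in the reply above, as an added example that is not part of the original thread: a small Python first-match evaluator for the quoted INPUT chain, run once with the rules in the order they were posted and once with the ESTABLISHED,RELATED rule moved up and the INVALID,NEW jump moved to the end. It models only the matches the quoted rules use (-s, -i, -m conntrack --ctstate), treats LOG as non-terminating and lets user chains fall through to the caller, as netfilter does. The bodies of the UNSOLICITED and PRIVATE_LOG chains are not shown in the quoted message, so they are assumed here to log and drop (with constructed log prefixes), and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Toy first-match evaluator; it is not iptables and models only the matches
# used in the quoted rules plus the targets ACCEPT, DROP, LOG and jumps to
# user-defined chains.

@dataclass
class Rule:
    target: str                      # ACCEPT, DROP, LOG or a user chain name
    src: Optional[str] = None        # -s CIDR
    iface: Optional[str] = None      # -i
    states: frozenset = frozenset()  # --ctstate; empty means no conntrack match
    log_prefix: str = ""             # --log-prefix, only meaningful for LOG

@dataclass
class Packet:
    src: str
    iface: str
    ctstate: str

def matches(rule, pkt):
    if rule.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.states and pkt.ctstate not in rule.states:
        return False
    return True

def traverse(chains, chain, pkt, logs):
    """Walk one chain; return a terminal verdict, or None if the chain falls through."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        if rule.target == "LOG":          # non-terminating: record and keep going
            logs.append(rule.log_prefix)
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        v = traverse(chains, rule.target, pkt, logs)  # jump to a user chain
        if v is not None:
            return v
    return None

def verdict(chains, pkt, policy="DROP"):
    """Return (final verdict, list of log prefixes hit) for one packet on INPUT."""
    logs = []
    v = traverse(chains, "INPUT", pkt, logs)
    return (v or policy, logs)

# Chain bodies. FECESBOOK is as quoted; UNSOLICITED and PRIVATE_LOG are assumed.
FECESBOOK = [Rule("LOG", log_prefix="FECESBOOK:"), Rule("DROP")]
UNSOLICITED = [Rule("LOG", log_prefix="UNSOLICITED:"), Rule("DROP")]   # assumed
PRIVATE_LOG = [Rule("LOG", log_prefix="PRIVATE:"), Rule("DROP")]       # assumed

LAN = [Rule("ACCEPT", src="192.168.123.248/29", iface="eth0"),
       Rule("ACCEPT", src="169.254.0.0/16", iface="eth0"),
       Rule("ACCEPT", iface="lo")]
FB_JUMPS = [Rule("FECESBOOK", src=n) for n in
            ("69.63.176.0/20", "69.220.144.0/20", "69.171.224.0/19",
             "200.58.112.0/20", "213.155.64.0/19")]
PRIV_JUMPS = [Rule("PRIVATE_LOG", src=n) for n in
              ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UNSOL = Rule("UNSOLICITED", states=frozenset({"INVALID", "NEW"}))
EST = Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"}))

def with_input(input_rules):
    return {"INPUT": input_rules, "FECESBOOK": FECESBOOK,
            "UNSOLICITED": UNSOLICITED, "PRIVATE_LOG": PRIVATE_LOG}

# Order as posted: the INVALID,NEW jump sits above the per-network jumps.
AS_POSTED = with_input(LAN + [UNSOL] + FB_JUMPS + PRIV_JUMPS + [EST])
# Order the reply suggests: ESTABLISHED,RELATED first, logging jumps next, INVALID,NEW last.
REORDERED = with_input(LAN + [EST] + FB_JUMPS + PRIV_JUMPS + [UNSOL])

FACEBOOK_SYN = Packet("69.63.176.1", "eth0", "NEW")  # constructed sample packet

if __name__ == "__main__":
    for name, chains in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        print(name, verdict(chains, FACEBOOK_SYN))
```

With the posted order the constructed packet is dropped by UNSOLICITED and never reaches the FECESBOOK logging rule; with the reordered chain it is logged with the "FECESBOOK:" prefix and then dropped, while LAN traffic is still accepted by the earlier rules in both orders.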