Nftables (in place of Iptables)

Nftables is a kernel implementation, like iptables, designed to improve on its predecessor's shortcomings and provide more flexible usage.
There have been questions in here and here.
The kernel update to 3.13 is out and there is this article.
nftables provides backwards compatibility with iptables, but it won't be fully featured until a future release.
I wonder if someone could shed some light on how this would affect the Arch architecture after the update?
P.S.: Not sure if this belongs in Arch Discussion or GNU?
Last edited by Gulver (2014-01-29 04:59:55)

Unless you actually want to use/test nftables, I don't think that this will change anything for the time being.  You can continue to use iptables as you did before.
Edit: By the way...
% pacman -Ss nftables
community-testing/nftables 0.099-1
Netfilter nftables userspace tools
Last edited by WonderWoofy (2014-01-29 05:03:15)

Similar Messages

  • [SOLVED] What is the best way to load iptables/nftables on boot?

    Hi -
    New arch user migrating from Ubuntu/debian.  I'm used to loading netfilter iptable rules using an /etc/network/interfaces file.  What is the best way to do this using netctl/systemd?
    An RTFM of the wiki and a Google search didn't provide an answer, but maybe I'm just looking in the wrong places.
    Last edited by pgoetz (2014-06-21 08:32:01)

    Ah, OK -- got it.  I can just blindly enable the iptables.service, and systemd will make sure the interfaces are up before running the service.  How cool.  I'm still getting used to the luxury of not having to worry about stuff like this myself.  The only minor issue is it looks like I'll have to get the systemd nftables service out of AUR.
    Last edited by pgoetz (2014-02-24 19:58:53)

  • [Solved] Missing iptables modules

    In an attempt to secure my Arch machine, I've discovered that I am missing several iptables modules that are "supposed" to be there.
    Here is the list of available modules.
    $ sudo cat /proc/net/ip_tables_matches
    udplite
    udp
    tcp
    icmp
    As a major n00b in the iptables (and networking), this was the first place I've looked.
    Kernel: 3.19.2-1-ck
    Iptables: v1.4.21
    I can find more information if needed.
    Last edited by Jakkin (2015-03-23 03:07:44)

    iptables will load all required modules dynamically. I think /proc/net/ip_tables_matches lists only the currently required modules:
    # cat /proc/net/ip_tables_matches
    icmp
    # iptables -nvL
    Chain INPUT (policy ACCEPT 24 packets, 14898 bytes)
    pkts bytes target prot opt in out source destination
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    Chain OUTPUT (policy ACCEPT 21 packets, 3257 bytes)
    pkts bytes target prot opt in out source destination
    # iptables -A INPUT -p tcp --dport 17500 -j REJECT --reject-with icmp-port-unreachable
    # iptables-save > /etc/iptables/iptables.rules
    # cat /proc/net/ip_tables_matches
    udplite
    udp
    tcp
    icmp
    # iptables -nvL --line-numbers
    Chain INPUT (policy ACCEPT 84 packets, 55360 bytes)
    num pkts bytes target prot opt in out source destination
    1 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:17500 reject-with icmp-port-unreachable
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num pkts bytes target prot opt in out source destination
    Chain OUTPUT (policy ACCEPT 77 packets, 11364 bytes)
    num pkts bytes target prot opt in out source destination

  • Iptables and tor, reroute all traffic for security... Help?

    I'm attempting to route all TCP traffic that does not go through polipo through port 9040, tor's default TransPort. My web browser uses polipo to cache stuff, so I'd like to keep it in place if possible. However, all non-http traffic needs to be sent through the transPort. My current config, which does not take into account rerouting, is below:
    # Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
    #*nat
    #:PREROUTING ACCEPT [12:3420]
    #:INPUT ACCEPT [1:261]
    #:OUTPUT ACCEPT [0:0]
    #:POSTROUTING ACCEPT [0:0]
    #-A OUTPUT ! -p tcp -m owner --owner-uid tor -j REDIRECT --to-ports 9040
    #-A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 9053
    #COMMIT
    # Completed on Fri Oct 12 16:33:33 2012
    # Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
    *filter
    :INPUT DROP [9:1175]
    :FORWARD ACCEPT [0:0]
    :OUTPUT DROP [8:488]
    # allow loopback
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    # allow NTPD time syncs
    -A OUTPUT -p udp --dport 123 -j ACCEPT
    # allow tor
    -A OUTPUT -j ACCEPT -m owner --uid-owner tor
    -A OUTPUT -p tcp --dport 9040 -j ACCEPT
    -A OUTPUT -p udp --dport 53 -j ACCEPT
    # allow BitTorrent
    -A OUTPUT -p tcp --dport 6969 -j ACCEPT
    -A OUTPUT -p tcp --dport 51413 -j ACCEPT
    -A OUTPUT -p udp --dport 51413 -j ACCEPT
    # allow pings (still not working. fix?)
    -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
    -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
    # allow traffic on established connections
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    COMMIT
    # Completed on Fri Oct 12 16:33:33 2012
    As you can see, I've already tried to redirect traffic using the --uid-owner polipo rule. So far, it's just caused iptables to spit out errors. I'm stumped, so I thought I'd come to you wonderful people at the Archlinux forums for help.

    Using the command you gave me, I found that the polipo user is indeed executing /usr/bin/polipo. Other than that, polipo is executing no processes.
    I tried adding the following to my iptables rules nat section:
    -A OUTPUT -p tcp -m tcp -m owner ! --uid-owner polipo -j ACCEPT
    -A OUTPUT -p tcp -m tcp -m owner ! --uid-owner polipo -j REDIRECT --to-ports 9040
    polipo now works, but the rest of my traffic that should go to the TransPort gets blocked.
    [EDIT]
    I'm now trying the same thing, except that I've chained privoxy with polipo like so:
    browser > privoxy > polipo > tor > internet
    my iptables rules look like this:
    # Generated by iptables-save v2.4.15 on Fri Oct 12 16:33:33 2012
    *nat
    :PREROUTING ACCEPT [12:3420]
    :INPUT ACCEPT [1:261]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    #-A OUTPUT -p tcp -m tcp -m owner ! --uid-owner tor -j REDIRECT --to-ports 9040
    -A OUTPUT -p tcp -m tcp -m owner ! --uid-owner tor -m owner ! --uid-owner polipo -m owner ! --uid-owner privoxy -j REDIRECT --to-ports 9040
    COMMIT
    # Completed on Fri Oct 12 16:33:33 2012
    # Generated by iptables-save v1.4.15 on Fri Oct 12 16:33:33 2012
    *filter
    :INPUT DROP [9:1175]
    :FORWARD ACCEPT [0:0]
    :OUTPUT DROP [8:488]
    # general
    -A OUTPUT -p tcp -m owner --uid-owner tor -j ACCEPT
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # allow loopback
    -A INPUT -i lo -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A INPUT -p all -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
    # allow NTPD time syncs
    -A OUTPUT -p udp --dport 123 -j ACCEPT
    # allow tor
    -A OUTPUT -p tcp --dport 9040 -j ACCEPT
    -A OUTPUT -p udp --dport 53 -j ACCEPT
    -A OUTPUT -p tcp --dport 8123 -j ACCEPT
    -A OUTPUT -p tcp --dport 8118 -j ACCEPT
    # allow pings
    -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
    COMMIT
    # Completed on Fri Oct 12 16:33:33 2012
    and it STILL won't route traffic right. iptables redirects to the TransPort, but any traffic passed through polipo or privoxy reveals "connection reset" error message. Help?
    Last edited by ParanoidAndroid (2013-03-12 01:50:51)

  • Iptables -p tcp/udp --dport no longer working

    I had a simple firewall setup on my Arch router box. I'm trying to block some additional ports, and it looks like maybe a recent update has borked the tcp/udp extensions modules?
    Running anything with
    --dport
    or
    --destination-port
    (or the source port variants) returns a "No chain/target/match by that name."
    What is the module for the tcp/udp extensions? Is it one of these:
    krovisser /etc/iptables :( # lsmod | grep ip
    tulip 51905 0
    ipt_MASQUERADE 2154 5
    iptable_nat 3358 1
    nf_nat_ipv4 3568 1 iptable_nat
    nf_nat 15443 3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat
    ipt_REJECT 2313 1
    nf_conntrack_ipv4 9166 4
    nf_defrag_ipv4 1371 1 nf_conntrack_ipv4
    nf_conntrack 68370 6 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,xt_conntrack,iptable_nat,nf_conntrack_ipv4
    iptable_filter 1488 1
    iptable_mangle 1584 0
    ip_tables 17218 3 iptable_filter,iptable_mangle,iptable_nat
    x_tables 17351 6 ip_tables,ipt_MASQUERADE,xt_conntrack,iptable_filter,ipt_REJECT,iptable_mangle
    krovisser /etc/iptables # lsmod | grep nf
    nf_nat_ipv4 3568 1 iptable_nat
    nf_nat 15443 3 ipt_MASQUERADE,nf_nat_ipv4,iptable_nat
    nf_conntrack_ipv4 9166 4
    nf_defrag_ipv4 1371 1 nf_conntrack_ipv4
    nf_conntrack 68370 6 ipt_MASQUERADE,nf_nat,nf_nat_ipv4,xt_conntrack,iptable_nat,nf_conntrack_ipv4
    Not sure what's going on, because using a bare `-p tcp` will work. So it should load the extension at that point.
    Last edited by krovisser (2013-05-07 23:29:19)

    In addition to what fukawi2 said, if you are running systemd and you make a change to your iptables you can do:
    iptables-save > /etc/iptables/iptables.rules
    systemctl restart iptables
    The updates will then take place without having to restart the server.
    Hope this helps.
    R.
    edit: this also assumes that the modules you need are loaded.
    Last edited by ralvez (2013-05-08 02:12:26)
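Added example for the two threads above (the missing-modules question and the --dport error), not code from either post: a small Python pre-flight check that parses an iptables-save ruleset, works out which match extensions it needs (explicit -m matches plus the tcp/udp match implied by --dport/--sport after -p tcp/udp) and compares them with what /proc/net/ip_tables_matches currently lists. The MATCH_MODULE table and the sample ruleset are my own constructions; iptables normally loads a missing match on demand, and "No chain/target/match by that name" is what it reports when that load fails.

```python
"""Pre-flight check: which netfilter match extensions does an iptables ruleset
need, and which of them does the running kernel already expose?

Constructed example for this thread, not code from either post.  Feed it the
output of `iptables-save` and the contents of /proc/net/ip_tables_matches.
"""
import shlex

# Match names as listed in /proc/net/ip_tables_matches -> providing kernel
# module.  tcp, udp and udplite all come from xt_tcpudp, which is why those
# three appeared together in the thread once a `-p tcp --dport` rule existed.
MATCH_MODULE = {
    "tcp": "xt_tcpudp",
    "udp": "xt_tcpudp",
    "udplite": "xt_tcpudp",
    "icmp": "ip_tables",        # built into the core ip_tables module
    "conntrack": "xt_conntrack",
    "owner": "xt_owner",
}

# Port options only the tcp/udp/udplite match understands: after `-p tcp`
# they load the tcp match implicitly even without an explicit `-m tcp`.
PORT_OPTIONS = {"--dport", "--destination-port", "--sport", "--source-port"}

def required_matches(ruleset):
    """Return the set of match extension names a ruleset (iptables-save format) needs."""
    needed = set()
    for line in ruleset.splitlines():
        line = line.strip()
        # skip comments, table headers (*filter), chain policies (:INPUT ...) and COMMIT
        if not line or line[0] in "#*:" or line == "COMMIT":
            continue
        argv = shlex.split(line)
        proto = None
        for i, tok in enumerate(argv):
            nxt = argv[i + 1].lower() if i + 1 < len(argv) else None
            if tok in ("-p", "--protocol"):
                proto = nxt
            elif tok in ("-m", "--match") and nxt:
                needed.add(nxt)
            elif tok in PORT_OPTIONS and proto in ("tcp", "udp", "udplite"):
                needed.add(proto)           # implicit match, e.g. `-p tcp --dport 22`
            elif tok == "--icmp-type" and proto == "icmp":
                needed.add("icmp")
    return needed

def loaded_matches(proc_text):
    """Parse the contents of /proc/net/ip_tables_matches (one match name per line)."""
    return {l.strip() for l in proc_text.splitlines() if l.strip()}

def missing_modules(ruleset, proc_text):
    """Map each match the ruleset needs but the kernel has not loaded yet to its module."""
    missing = required_matches(ruleset) - loaded_matches(proc_text)
    return {m: MATCH_MODULE.get(m, "unknown (check modinfo)") for m in sorted(missing)}

# Constructed sample mirroring the rules quoted in the threads above.
RULESET = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 17500 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p tcp -m owner ! --uid-owner tor -j ACCEPT
COMMIT
"""
# What a freshly booted kernel showed in the first thread: only icmp.
PROC_MATCHES = "icmp\n"

if __name__ == "__main__":
    for match, module in missing_modules(RULESET, PROC_MATCHES).items():
        print(f"match '{match}' not loaded yet -> provided by {module}")
```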

  • Iptables ServerSocket problem

    Hello all,
    I've also put this in General Programming as I didn't know where was the best place for it....
    I am having a problem getting iptables to accept an incoming port connection from Java. I have a Java program that creates a ServerSocket as follows:
    import java.net.InetAddress;
    import java.net.ServerSocket;
    // field of the enclosing class that holds the listening socket
    private ServerSocket server;

    public NetworkServer() {
        try {
            InetAddress addr = java.net.InetAddress.getByName("localhost");
            // binds and listens on 127.0.0.1:1050 (default backlog); no outbound connection is made here
            server = new ServerSocket(1050, 0, addr);
            System.out.println("server = " + server);
            System.out.println("connection successful");
        } catch (Exception ioe) {
            System.out.println("error connecting to port 1050 : " + ioe);
        }
    }
    I have set up iptables with the following commands to allow this connection through:
    iptables -P INPUT DROP
    iptables -A INPUT -d localhost -p tcp --dport 1050 -j ACCEPT
    iptables -A INPUT -d localhost -p tcp --sport 1050 -j ACCEPT
    the forward and output tables have default accept policies with no other governing rules.
    The outcome of this is that the ServerSocket tries to connect to the address from InetAddress.getByName, which is retrieved as "localhost/127.0.0.1", and after 3 mins with the following output:
    server=[addr=localhost/127.0.0.1,port=0,localport=1050]
    I saw a previous post on this forum regarding iptables stating that packets are dropped after 3 minutes if no reply is received. But if this is true and this is what is happening, I don't see why the socket is being set up? No exception occurs.
    As the "port" number is 0, I tried adding entries in iptables for 0 also, but this doesn't make any difference. I understand that ServerSockets may make connections on different ports to clients, but the output says that it has (tried to) set up a connection on port 1050.....
    I was thinking it may have a problem with the inet address, as it has both the name and IP address of the localhost, and maybe iptables just needs one of these as an input parameter? However an InetAddress can only be constructed from one of the native methods provided so has to be in this format.
    Any ideas gratefully appreciated, I am completely flummoxed!!!

    DO NOT set your server to start port addressing at 0. Zero (0) is used to specify "any" port. This, however, is usually a sequential port number starting at the first open port on your system. However, I have no clue as to what "iptable" is - is that a system utility used to edit filters on the machine? What system is that? Linux or Unix? I know of no such command for Windows-based machines.
    When developing network applications, it is best to use a non-secure machine to test the programming. This way you can systematically understand the effects of certain network security functions on your program.
    What is happening is that you are telling iptables to open a source port that is the same as incoming port requests, but fail to open the ports that '0' will address. If you know what the first available port number is on your system (these are after the Well-Known ports, and after all of the server and client ports already open). Also, depending on your system configuration, it may seek an open block of ports, about 10, and if none exists then looks for 5-blocks, then 2-blocks, and finally resorts to the first open port it sees starting just after the WKP.

  • LILA - Live Iptables Log Analyzer

    Hi,
    I'd like to present you a program I've written to analyze iptables firewall logs. More than one year has passed now and I finally released LILA 1.0. It is a command line application coded in Python which uses a MySQL database.
    If everything is set up (MySQL, syslog-ng, iptables rules and optionally pdnsd) it shows, in an easy to read colored output, which packets are currently being sent or received. It can analyze older logs, too. Of course appropriate firewall rules must exist.
    For the moment, I'd like to highlight two particular features: it resolves IPs to hostnames (two different techniques) and detects duplicate (same destination IP and chain) packets which have been sent within a freely configurable time interval. Thus you won't get "flooded" with hundreds of identical packets which don't offer any additional information.
    It has a lot of other features I can't list now, but I've created extensive PDF documentation, which contains a feature overview, a detailed description and a "demo part" where you can see LILA in action (screenshots). Of course installation notes and a changelog are also included. In short, it contains everything there is to say about LILA. You can find it inside the tarball.
    Perhaps some of you will find this tool useful, especially if you want to know what your PC is sending to the internet. In its current state it predominantly targets curious (and security interested?) people who also have some Linux knowledge. [Therefore I think the Arch forums are a good place.] Personally I use it to monitor traffic on my external firewall. This way I instantly notice if a program wants to send packets unasked (especially useful if a computer in your LAN has Windows installed).
    Download: https://sourceforge.net/projects/lila/
    Direct link to the documentation: http://sourceforge.net/projects/lila/fi … f/download
    I'd be happy if some of you take the time to have a look at it and perhaps also give me some feedback. (Bugs, setup problems, ideas for improvement etc.)
    Thank you for your time!
    Thallium
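The two LILA features highlighted above (recovering the chain from iptables LOG lines, and suppressing duplicate packets per destination IP and chain within a configurable interval), as an added Python example that is not LILA's own code. It assumes the LOG rules were written with `--log-prefix "<CHAIN>: "` so the chain name can be read from the prefix, and that the caller supplies the year syslog omits; hostname resolution is left out, and the log lines are constructed.

```python
"""Parse iptables LOG lines and suppress duplicates within a time window,
the two LILA features described above (constructed example, not LILA's code).

Assumption: the LOG rules used `--log-prefix "<CHAIN>: "`, e.g. "INPUT: ",
so the chain can be recovered from the prefix.  Syslog lines carry no year,
so one is supplied by the caller.  Hostname resolution is left out.
"""
import re
from datetime import datetime, timedelta

# Constructed sample lines using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Oct 12 16:33:33 fw kernel: INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44321 DPT=22 SYN
Oct 12 16:33:34 fw kernel: INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44322 DPT=22 SYN
Oct 12 16:33:40 fw kernel: OUTPUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=52 PROTO=UDP SPT=51413 DPT=51413
Oct 12 16:34:50 fw kernel: INPUT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44399 DPT=22 SYN
"""

# syslog timestamp, host, "kernel:", optional printk timestamp, our prefix, then KEY=VALUE fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r"(?:\[\s*[\d.]+\]\s*)?(?P<chain>[A-Za-z_]+): (?P<fields>.*)$"
)

def parse_line(line, year=2012):
    """Return a dict for one LOG line, or None if the line is not an iptables LOG entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # KEY=VALUE tokens become fields; bare flags such as SYN or DF are ignored
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "chain": m["chain"],
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": fields.get("DPT"),
    }

def dedupe(events, interval_s=60):
    """Keep the first packet per (chain, destination IP); drop repeats that arrive
    within interval_s seconds of the last *reported* one, so a flood of identical
    packets shows up once per interval instead of hundreds of times."""
    interval = timedelta(seconds=interval_s)
    last_reported = {}
    kept, suppressed = [], 0
    for ev in events:
        key = (ev["chain"], ev["dst"])
        prev = last_reported.get(key)
        if prev is not None and ev["ts"] - prev < interval:
            suppressed += 1
            continue
        last_reported[key] = ev["ts"]
        kept.append(ev)
    return kept, suppressed

def analyze(text, interval_s=60, year=2012):
    """Parse a block of syslog text and return (kept_events, suppressed_count)."""
    events = [e for e in (parse_line(l, year) for l in text.splitlines()) if e]
    return dedupe(events, interval_s)

if __name__ == "__main__":
    kept, suppressed = analyze(SAMPLE_LOG)
    for ev in kept:
        print(f"{ev['ts']:%H:%M:%S} {ev['chain']:<6} {ev['src']} -> {ev['dst']} {ev['proto']}/{ev['dpt']}")
    print(f"{suppressed} duplicate packet(s) suppressed")
```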

    http://wiki.archlinux.org/index.php/DNS_with_bind -> Did you try it too ?

  • TARPIT in iptables [SOLVED]

    I am curious, does anyone use the TARPIT module with iptables? From my understanding it's not in the iptables that is packaged with Arch. I've seen one package in http://aur.archlinux.org/packages.php?ID=25716
    Well, I would like to use this useful feature in my firewall setup
    but can't get it to build.
    Last edited by okplayer02 (2010-06-28 13:11:22)

    Wow, that's just rude... I hope you don't expect me to give up my time in future for free to help you.
    This isn't the Windows world -- we don't owe you anything, you haven't paid for the product you're using, and you haven't paid for us to support you. We don't want, nor expect, to be treated like idiots for trying to help you in the first place after you asked for help.
    Last edited by fukawi2 (2010-06-29 23:18:52)

  • [SOLVED] how to use diffrent iptables rules for different ppp account?

    x86 platform running an Arch Linux system, with two network interfaces, eth1 and eth0. eth1 connects to the internet; eth0 connects to other terminals through a switch. I want to use different iptables rules for different PPPoE accounts. I also want to know how to forbid more than one terminal establishing a PPPoE link using the same account at the same time.
    Last edited by linuxsir (2013-09-26 06:48:01)

    (You establish PPPoE sessions over the local network to the Arch machine? Which then routes the traffic?)
    First question: yes, that is exactly what I have done. Second question: I also have a small script on the Windows PC to solve the route traffic problem:
    route -p delete 0.0.0.0
    route -p add 192.168.9.0 mask 255.255.255.0 192.168.9.1
    route -p add 0.0.0.0 mask 0.0.0.0 192.168.22.0
    but after a while I found the script is not necessary because Windows always attempts to use the PPPoE session as the default internet connection; the local connection is also OK
    and using -i pppX in my iptables rules does not solve my problem, because the same account starting a PPPoE session could be marked as ppp0 or ppp1. It is hard to identify which account started the session.
