Hello Maurice!
14 Dec 2017 18:59, Maurice Kinal wrote to Benny Pedersen:
BP>> I can't get Shorewall to play anymore on my fidobox, that was why
BP>> I liked to try to move to the nftables replacement
MK> Okay. From what I've read thus far it looks like nftables will
MK> replace iptables soon so it seems like a good time to make the switch.
Yes, depending on the kernel .config.
BP>> only if you know more than I do
MK> In this case, probably not.
I'd just like to convert this below to nftables:
----- rules-save begins -----
# Generated by iptables-save v1.4.21 on Sat Dec 16 10:02:33 2017
*mangle
:PREROUTING ACCEPT [62190:54783976]
:INPUT ACCEPT [62190:54783976]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49555:3751838]
:POSTROUTING ACCEPT [49555:3751838]
[0:0] -A FORWARD -j MARK --set-xmark 0x0/0xff
COMMIT
# Completed on Sat Dec 16 10:02:33 2017
# Generated by iptables-save v1.4.21 on Sat Dec 16 10:02:33 2017
*nat
:PREROUTING ACCEPT [382:15480]
:INPUT ACCEPT [86:4696]
:OUTPUT ACCEPT [1545:124577]
:POSTROUTING ACCEPT [1545:124577]
COMMIT
# Completed on Sat Dec 16 10:02:33 2017
# Generated by iptables-save v1.4.21 on Sat Dec 16 10:02:33 2017
*raw
:PREROUTING ACCEPT [62190:54783976]
:OUTPUT ACCEPT [49555:3751838]
COMMIT
# Completed on Sat Dec 16 10:02:33 2017
# Generated by iptables-save v1.4.21 on Sat Dec 16 10:02:33 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:NET-fw - [0:0]
:logflags - [0:0]
:reject - [0:0]
:sha-lh-ad7c3899204ae152301e - [0:0]
:sha-rh-20dc886819828aae726a - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
[54566:54134736] -A INPUT -i eth1 -j NET-fw
[7624:649240] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A INPUT -m addrtype --dst-type ANYCAST -j DROP
[0:0] -A INPUT -m addrtype --dst-type MULTICAST -j DROP
[0:0] -A INPUT -g reject
[0:0] -A FORWARD -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A FORWARD -m addrtype --dst-type ANYCAST -j DROP
[0:0] -A FORWARD -m addrtype --dst-type MULTICAST -j DROP
[0:0] -A FORWARD -g reject
[41930:3102522] -A OUTPUT -o eth1 -j ACCEPT
[7624:649240] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A OUTPUT -m addrtype --dst-type ANYCAST -j DROP
[0:0] -A OUTPUT -m addrtype --dst-type MULTICAST -j DROP
[0:0] -A OUTPUT -g reject
[53442:53924218] -A NET-fw -p tcp -j tcpflags
[54181:54119136] -A NET-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[86:4696] -A NET-fw -p tcp -m tcp --dport 24554 -j ACCEPT
[299:10904] -A NET-fw -j DROP
[0:0] -A logflags -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "logflags DROP " --log-level 6 --log-ip-options
[0:0] -A logflags -j DROP
[0:0] -A reject -m addrtype --src-type BROADCAST -j DROP
[0:0] -A reject -s 224.0.0.0/4 -j DROP
[0:0] -A reject -p igmp -j DROP
[0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
[0:0] -A reject -j REJECT --reject-with icmp-host-prohibited
[0:0] -A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
[0:0] -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
COMMIT
# Completed on Sat Dec 16 10:02:33 2017
----- rules-save ends -----
Very basic config for iptables.
Regards, Benny
... there can only be one way of life, and it works :)
--- Msged/LNX 6.2.0 (Linux/4.14.6-gentoo (i686))
* Origin: I will always keep a PC running CPM 3.0 (2:230/0)