| From | Lew Pitcher <lew.pitcher@digitalfreehold.ca> |
|---|---|
| Newsgroups | comp.os.linux.networking |
| Subject | Re: Need advice solving problems with testing netfilter and ipsets |
| Date | 2026-02-18 19:52 +0000 |
| Organization | A noiseless patient Spider |
| Message-ID | <10n55ab$2p9q6$1@dont-email.me> (permalink) |
| References | <10md6rs$2ucqu$1@dont-email.me> <10mesld$3g28q$1@dont-email.me> |
On Tue, 10 Feb 2026 10:10:05 +0100, David Brown wrote:

> On 09/02/2026 18:51, Lew Pitcher wrote:
>> Question: Does anyone see a problem with the ipsets/iptables rules
>> that I've built, below?
>>
>> [snip]
>>
>> and the model iptables rule is
>>
>>   iptables -t filter -P FORWARD DROP
>>   iptables -t filter -A FORWARD -i lo -j ACCEPT
>>   iptables -t filter -i eth1 \
>>     -m set --match-set IMMURED src \
>>     -m set ! --match-setset LOCALNETS dst \
>>     -j LOG --log-level notice --log-prefix 'netfilter (immured debug)'
>>   iptables -t filter -A FORWARD -i eth1 -j ACCEPT
>>   iptables -t filter -A FORWARD -i eth0 -j ACCEPT
>>
>> [snip]
>
> I don't see anything immediately wrong with your rules here (other than
> the typo you found yourself). I think the rule forwarding packets from
> "lo" is redundant (local packets go out on OUTPUT, not FORWARD), but I
> don't imagine it is doing any harm.

The key here is "local packets".

I wrote these rules as bullet-proof as I could make them. One scenario
that I considered was "process bind()s to localhost, sends packets to
host on external network".

If I understand the sequence of events properly, in this scenario,
packets originating from the localhost address would traverse
  - the OUTPUT chain,
  - the POSTROUTING chain,
  - the lo interface
  - the PREROUTING chain,
  - the FORWARD chain (because the packets are destined for an external
    address),
  - the POSTROUTING chain (again), and
  - the interface that hosts the route to the next hop.
and, thus I wanted a rule that overrode the default "DROP" rule I had
imposed on the FORWARD chain.

I know that "lo" and 127.0.0.1 are special cases that would preclude TCP
(return routing wouldn't work properly), but I don't know if it also
affects UDP or raw packets, where return routing isn't expected by the
protocol.

Was I mistaken in this?

[snip]

--
Lew Pitcher
"In Skills We Trust"
Not LLM output - I'm just like this.
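The exchange above turns on which filter-table chains a packet visits. The following is an added example, not code from either poster: a small Python model of the standard netfilter traversal order (PREROUTING then INPUT for packets addressed to the host, PREROUTING then FORWARD then POSTROUTING for routed packets, OUTPUT then POSTROUTING for packets generated on the host), run over the FORWARD rules quoted in the post. Its assumptions are labelled in the code: the IMMURED and LOCALNETS ipset contents are constructed for the example, the LOG rule is written as the thread's corrected form (`-A FORWARD`, `--match-set LOCALNETS`), and INPUT and OUTPUT are taken to keep their default ACCEPT policy since the quoted rules never set them.

```python
"""Added example: model of netfilter filter-table traversal over the quoted
FORWARD rules. Not the poster's code; ipset contents and the INPUT/OUTPUT
policies are assumptions made for the example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed ipset membership (assumption: the thread does not give the real
# contents of IMMURED or LOCALNETS).
IPSETS = {
    "IMMURED": [ipaddress.ip_network("10.0.1.50/32")],
    "LOCALNETS": [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")],
}


def in_set(name: str, addr: str) -> bool:
    """Equivalent of `-m set --match-set <name> src|dst` for hash:net sets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in IPSETS[name])


@dataclass
class Packet:
    src: str
    dst: str
    in_if: Optional[str]   # None for packets generated on this host
    local_dst: bool        # True when dst is one of this host's own addresses


@dataclass
class Rule:
    target: str                      # ACCEPT, DROP or LOG
    in_if: Optional[str] = None      # -i <iface>
    set_src: Optional[tuple] = None  # (set name, negated?) matched against src
    set_dst: Optional[tuple] = None  # (set name, negated?) matched against dst

    def matches(self, pkt: Packet) -> bool:
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        for spec, addr in ((self.set_src, pkt.src), (self.set_dst, pkt.dst)):
            if spec is not None:
                name, negated = spec
                if in_set(name, addr) == negated:   # "! --match-set" inverts
                    return False
        return True


# The quoted FORWARD chain (policy DROP); the LOG rule is the corrected form
# discussed in the thread (-A FORWARD, --match-set LOCALNETS).
FORWARD = [
    Rule("ACCEPT", in_if="lo"),
    Rule("LOG", in_if="eth1", set_src=("IMMURED", False), set_dst=("LOCALNETS", True)),
    Rule("ACCEPT", in_if="eth1"),
    Rule("ACCEPT", in_if="eth0"),
]
# Assumption: INPUT and OUTPUT were left at the default ACCEPT policy.
POLICY = {"INPUT": "ACCEPT", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}


def walk_chain(rules, policy: str, pkt: Packet):
    """First terminating match wins; LOG is non-terminating, so it is recorded
    and evaluation continues. Returns (verdict, targets hit in order)."""
    hits = []
    for rule in rules:
        if rule.matches(pkt):
            hits.append(rule.target)
            if rule.target != "LOG":
                return rule.target, hits
    return policy, hits


def hook_path(pkt: Packet):
    """Filter-table chains a packet traverses under the netfilter design:
    packets generated on this host go OUTPUT -> POSTROUTING, never FORWARD."""
    if pkt.in_if is None:
        return ["OUTPUT", "POSTROUTING"]
    if pkt.local_dst:
        return ["PREROUTING", "INPUT"]
    return ["PREROUTING", "FORWARD", "POSTROUTING"]


def filter_verdict(pkt: Packet):
    """Apply the filter table along the packet's path. Only FORWARD carries
    rules in this model; INPUT and OUTPUT fall through to their policy."""
    path = hook_path(pkt)
    if "FORWARD" in path:
        verdict, hits = walk_chain(FORWARD, POLICY["FORWARD"], pkt)
    elif "INPUT" in path:
        verdict, hits = POLICY["INPUT"], []
    else:
        verdict, hits = POLICY["OUTPUT"], []
    return {"path": path, "verdict": verdict, "hits": hits}


if __name__ == "__main__":
    cases = {
        "local process -> external host": Packet("127.0.0.1", "203.0.113.7", None, False),
        "eth1 IMMURED -> external": Packet("10.0.1.50", "203.0.113.7", "eth1", False),
        "eth1 IMMURED -> LOCALNETS": Packet("10.0.1.50", "10.0.2.9", "eth1", False),
        "eth2 (no rule) -> external": Packet("10.0.5.1", "203.0.113.7", "eth2", False),
    }
    for label, pkt in cases.items():
        print(f"{label:32} {filter_verdict(pkt)}")
```

In the model the locally generated packet is decided by the OUTPUT policy and never reaches FORWARD, so the `-i lo` FORWARD rule is not consulted for it; the IMMURED-to-external packet arriving on eth1 hits LOG and then the eth1 ACCEPT, the IMMURED-to-LOCALNETS packet skips LOG, and a packet from an interface with no rule falls to the DROP policy. On a real box the corresponding check is the per-rule packet counters from `iptables -t filter -L FORWARD -v -n` during a test run: a counter that stays at zero on the lo rule while the rest move is the evidence that the rule never fires.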
Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-09 17:51 +0000
Re: Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-09 17:54 +0000
Re: Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-09 18:39 +0000
Re: Need advice solving problems with testing netfilter and ipsets David Brown <david.brown@hesbynett.no> - 2026-02-10 10:10 +0100
Re: Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-10 15:20 +0000
Re: Need advice solving problems with testing netfilter and ipsets David Brown <david.brown@hesbynett.no> - 2026-02-10 21:13 +0100
Re: Need advice solving problems with testing netfilter and ipsets Lew Pitcher <lew.pitcher@digitalfreehold.ca> - 2026-02-18 19:52 +0000
Re: Need advice solving problems with testing netfilter and ipsets David Brown <david.brown@hesbynett.no> - 2026-02-18 21:12 +0100