Wednesday, June 24, 2009

NAT no longer supporting filtering?


The "nat" table is not intended for filtering, hence the use of DROP is deprecated and will permanently be disabled in the next iptables release. Please adjust your scripts.


This is something I don't understand. Currently you are able to do filtering on the NAT table, so you can remove (DROP) packets in the PREROUTING chain that don't make sense. I use this for "sanity" checks, meaning if the packet has a source IP of, say, 10.x.x.x and it's coming in from the outside (eth0), that's impossible and I would drop it before even attempting to use any rules on this packet. I'm not sure what the reason would be to remove this feature.

Tuesday, June 23, 2009

IPSets

I've discovered IPSets and I'm in love....

IPSets are a way of storing large numbers of IP addresses, ports, or IP ranges in a hashed set that iptables can match against with a single rule. This allows you to do blocks on large ranges, such as country blocks.

My humble example.
--- Firewall Script ---
# Create a set named CN that stores networks (CIDR ranges) in a hash
ipset -N CN nethash
# Load every range listed in the block file into the set
for i in $(< /etc/IPBLOCKLIST/firewall.cn); do
    ipset -A CN "$i"
done
# A single rule matches any packet whose source address is in the set
iptables -A BADIPS -m set --set CN src -j DROP
--- firewall.cn ---
58.14.0.0/15
58.16.0.0/16
58.17.0.0/17
58.17.128.0/17
etc........

Since this information is hashed in the set, a lookup is greatly improved over the old method of one iptables rule per CIDR range, where every packet is compared against each rule in turn.
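To check a block list like firewall.cn before loading it, the following added example (not part of the original post) parses the file, reports lines that ipset would reject, and answers "would this address be dropped?" using one hash probe per distinct prefix length, which is the same strategy a nethash set uses instead of a linear scan. The block list contents are constructed for the example, including two deliberately bad lines.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a firewall.cn block list; the last two lines
# are intentionally invalid to exercise the validation step.
BLOCKLIST = """\
58.14.0.0/15
58.16.0.0/16
58.17.0.0/17
58.17.128.0/17
58.17.128.0/33
not-an-address
"""

def load_blocklist(text):
    """Parse CIDR lines into {prefix_len: {network_int}}; collect bad lines."""
    buckets = defaultdict(set)
    rejected = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=True rejects entries with host bits set, e.g. 10.1.2.3/8
            net = ipaddress.IPv4Network(line, strict=True)
        except ValueError as exc:
            rejected.append((lineno, line, str(exc)))
            continue
        buckets[net.prefixlen].add(int(net.network_address))
    return buckets, rejected

def is_blocked(buckets, ip):
    """One hash lookup per prefix length present in the set, not per range."""
    addr = int(ipaddress.IPv4Address(ip))
    for plen, nets in buckets.items():
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if (addr & mask) in nets:
            return True
    return False

if __name__ == "__main__":
    buckets, rejected = load_blocklist(BLOCKLIST)
    for lineno, line, reason in rejected:
        print(f"line {lineno}: rejected {line!r}: {reason}")
    for probe in ("58.15.200.1", "58.17.130.5", "58.18.0.1"):
        print(probe, "DROP" if is_blocked(buckets, probe) else "pass")
```

Running the check against your own management addresses before loading the set is a cheap way to catch a range that would lock you out.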

Friday, May 22, 2009

RSYNC Issue tonight

I decided to try to update some of my gentoo servers, starting with the RSYNC server first. This did an emerge fine from the distribution servers. But when I attempted to sync the other internal servers to it, which has been done many times, I get the following error:

rsync: mkstemp "/tmp/.tmpsg0qoS.ndNomJ" failed: No space left on device (28)

This is very unusual because I have plenty of space on the drive....

babylon / # df
Filesystem   1K-blocks    Used Available Use% Mounted on
/dev/sda3      4127108 2625776   1291684  68% /
udev             10240     168     10072   2% /dev
shm              60760       0     60760   0% /dev/shm

Currently, I'm attempting to check the other internal servers to see if this is an isolated problem for this particular server, although all the servers are built similarly.