I'm kinda pissed that my arcane knowledge of iptables that was acquired decades ago now has to be replaced with an understanding of nftables.
-
Kev_Prime replied to Ryan Castellucci :nonbinary_flag: on last edited by [email protected]
@ryanc I recently spent some time learning about the history of iptables and the move to nftables. I also spent some time learning and playing with nftables enough to swap to using it directly the past few years instead of an iptables cli that converts it to nftables.
To my knowledge iptables is still completely valid and everything is converted automatically for you.
Is there some piece of news that I'm missing where iptables is being removed?
-
Ryan Castellucci :nonbinary_flag: replied to CyberFrog on last edited by
@froge I see the benefits of it, and it can do a lot of things iptables can't, but... Arg.
-
Ryan Castellucci :nonbinary_flag: replied to Ryan Castellucci :nonbinary_flag: on last edited by
@froge I've been using a firewall script on my home routers that I originally wrote at least 15 years ago...
-
CyberFrog replied to Ryan Castellucci :nonbinary_flag: on last edited by
@[email protected] if the distro is new and uses nftables, like fedora or something, it might be doing strange things like that
-
Ryan Castellucci :nonbinary_flag: replied to Kev_Prime on last edited by
@Kev_Prime I've seen that iptables is deprecated. I use a lot of really esoteric functionality and have been avoiding dealing with it, but I need to replace my router now to handle the upgraded network at my house.
-
Ryan Castellucci :nonbinary_flag: replied to CyberFrog on last edited by
@froge I use Debian on my routers.
-
CyberFrog replied to Ryan Castellucci :nonbinary_flag: on last edited by
@[email protected] I'm not sure if they've switched to nftables by default yet, they might have, maybe it's worth checking if they have any nftables rules defined or something weird
-
Ryan Castellucci :nonbinary_flag: replied to CyberFrog on last edited by
@froge I'd rather just learn nftables at this point.
-
Kev_Prime replied to Ryan Castellucci :nonbinary_flag: on last edited by
@froge @ryanc I see. That doesn't seem like such an issue to me; there are well-documented ways to convert iptables configs over to nftables configs and then just use them with the new nf_tables subsystem.
So if you know iptables, just still write your rules there, convert them, and deploy while enjoying a faster kernel.
-
dlgeek replied to Ryan Castellucci :nonbinary_flag: on last edited by
@ryanc I'm still salty I had to migrate from ipchains.
-
DrScriptt replied to Ryan Castellucci :nonbinary_flag: last edited by
@Kev_Prime @froge @ryanc what’s the nftables counterpart to the iptables recent match & target?
I make extensive use of it for port knocking in kernel-space without a user-space dependency.
-
@drscriptt @froge @ryanc Here's some examples for you.
You can track recent traffic in nftables and use timeouts with set for port knocking.
-
@Kev_Prime @froge @ryanc from quick glance, it looks like the knock sequence is 123, 234, 345, 456.
It also looks like the 123 rule adds to a set (?nomenclature?) specifying what the next knock should be.
Subsequent rules check the set for pre-population of the current port, and then populate the next port.
Rinse, lather, repeat.
Finally check set for prepopulated final port and populate a different set which is used as the final gating check?
Am I close, even if I have the wrong terms?
-
@drscriptt @froge @ryanc You got it!!!
-
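The staged-set scheme DrScriptt describes and Kev_Prime confirms, written out as a complete nftables ruleset. This is an added example, not anything posted in the thread: the knock sequence 123, 234, 345, 456 is taken from the discussion, while the guarded service (SSH on 22), the 10 s per-stage and 1 m final-gate timeouts, and the table and set names are my assumptions.

```nft
#!/usr/sbin/nft -f
flush ruleset

table inet knock {
    # one set per completed stage; "dynamic" lets rules add elements at
    # runtime, "timeout" makes a stalled or abandoned sequence expire on its own
    set stage1  { type ipv4_addr; flags dynamic,timeout; timeout 10s; }
    set stage2  { type ipv4_addr; flags dynamic,timeout; timeout 10s; }
    set stage3  { type ipv4_addr; flags dynamic,timeout; timeout 10s; }
    # final gate: sources that finished the whole sequence (assumed 1 minute window)
    set allowed { type ipv4_addr; flags dynamic,timeout; timeout 1m; }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iif lo accept

        # gating check: SSH only for sources present in the final set
        tcp dport 22 ip saddr @allowed accept

        # knock 1 (port 123): record the source as having started the sequence
        tcp dport 123 add @stage1 { ip saddr } drop

        # knock 2 (port 234): only counts if knock 1 was seen from this source
        ip saddr @stage1 tcp dport 234 add @stage2 { ip saddr } drop

        # knock 3 (port 345): same pattern, advances stage2 -> stage3
        ip saddr @stage2 tcp dport 345 add @stage3 { ip saddr } drop

        # knock 4 (port 456): sequence complete, populate the final gate set
        ip saddr @stage3 tcp dport 456 add @allowed { ip saddr } drop

        # everything else falls through to the chain policy (drop)
    }
}
```

Load it with `nft -f <file>` and inspect progress with `nft list set inet knock stage1` (and the other sets) while knocking; each element shows its remaining expiry.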
@Kev_Prime @froge @ryanc thank you.
I’ll check sim man pages for syntax.
I’ll also compare the other extensions / targets that I’ve used in the past.
NETMAP and other nefarious packet mangling things are in my wheelhouse.
-
Ryan Castellucci :nonbinary_flag: replied to DrScriptt last edited by
@drscriptt @froge weighted load balancing is technically possible, but extremely painful to do with iptables.
-
Ryan Castellucci :nonbinary_flag: replied to DrScriptt last edited by
@drscriptt @Kev_Prime @froge One thing I use is pam_recent to tie auth events to iptables recent matches, any idea if that'd still work or if it could be re-implemented?