I'm kinda pissed that my arcane knowledge of iptables that was acquired decades ago now has to be replaced with an understanding of nftables.
-
Ryan Castellucci :nonbinary_flag: replied to Kev_Prime
@Kev_Prime I've seen that iptables is deprecated. I use a lot of really esoteric functionality and have been avoiding dealing with it, but I need to replace my router now to handle the upgraded network at my house.
-
Ryan Castellucci :nonbinary_flag: replied to CyberFrog
@froge I use Debian on my routers.
-
CyberFrog replied to Ryan Castellucci :nonbinary_flag:
@[email protected] I'm not sure if they've switched to nftables by default yet; they might have. Maybe it's worth checking whether they have any nftables rules defined or something weird.
-
Ryan Castellucci :nonbinary_flag: replied to CyberFrog
@froge I'd rather just learn nftables at this point.
-
Kev_Prime replied to Ryan Castellucci :nonbinary_flag:
@froge @ryanc I see. That doesn't seem like such an issue to me; there are well-documented ways to convert iptables configs over to nftables configs and then just use them with the new nf_tables subsystem.
So if you know iptables, just keep writing your rules there, convert them, and deploy while enjoying a faster kernel.
-
dlgeek replied to Ryan Castellucci :nonbinary_flag:
@ryanc I'm still salty I had to migrate from ipchains.
-
DrScriptt replied to Ryan Castellucci :nonbinary_flag:
@Kev_Prime @froge @ryanc what’s the nftables counterpart to the iptables recent match & target?
I make extensive use of it for port knocking in kernel-space without a user-space dependency.
-
@drscriptt @froge @ryanc Here are some examples for you.
You can track recent traffic in nftables and use timeouts with sets for port knocking.
-
@Kev_Prime @froge @ryanc From a quick glance, it looks like the knock sequence is 123, 234, 345, 456.
It also looks like the 123 rule adds to a set (?nomenclature?) specifying what the next knock should be.
Subsequent rules check the set for pre-population of the current port, and then populate the next port.
Rinse, lather, repeat.
Finally, check the set for the prepopulated final port and populate a different set, which is used as the final gating check?
Am I close, even if I have the wrong terms?
-
@drscriptt @froge @ryanc You got it!!!
-
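The knock sequence DrScriptt describes above (123, 234, 345, 456, each knock adding the next expected port to a timed set, and the last knock adding the client to a separate set that gates the real service), written out as an nftables ruleset. This is an added example, not the ruleset Kev_Prime posted: the table, set and chain names, the 1s and 10s timeouts, and the choice of SSH on port 22 as the protected service are assumptions chosen for illustration.

```nft
# Added example of nftables port knocking with timed sets (not from the original post).
# Sequence: 123 -> 234 -> 345 -> 456 opens TCP/22 for the knocking source for 10 seconds.
table inet portknock {
    # Sources that completed the whole sequence; each entry expires on its own timer.
    set clients_ipv4 {
        type ipv4_addr
        flags timeout
    }

    # In-progress knocks: (source address, port expected next).
    # Concatenated key lets one set hold the state for every stage of the sequence.
    set candidates_ipv4 {
        type ipv4_addr . inet_service
        flags timeout
    }

    chain input {
        type filter hook input priority -10; policy accept;

        iif "lo" accept
        # Keeps an SSH session alive after the client's 10s entry in @clients_ipv4 expires.
        ct state established,related accept

        # Stage 1: any hit on 123 records "next expected port is 234" for 1 second.
        tcp dport 123 add @candidates_ipv4 { ip saddr . 234 timeout 1s }

        # Stages 2 and 3: only advance if this source was expecting exactly this port.
        tcp dport 234 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 345 timeout 1s }
        tcp dport 345 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 456 timeout 1s }

        # Final stage: correct last knock promotes the source into the gating set.
        tcp dport 456 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 { ip saddr timeout 10s } log prefix "Successful portknock: "

        # The protected service: new connections only from sources that knocked.
        tcp dport 22 ip saddr @clients_ipv4 counter accept
        tcp dport 22 drop
    }
}
```

Load it with `nft -f` and watch the state with `nft list set inet portknock candidates_ipv4`; a knock to the wrong port simply fails to match the concatenated key and the pending entry ages out after 1s. Points a practitioner would check before relying on this: the sets are IPv4-only (an IPv6 client needs parallel sets of type `ipv6_addr` keyed on `ip6 saddr`), the chain policy here is `accept` for readability and would be `drop` on a real router, and the knock ports themselves are observable on the wire, so this hides the service from scanners but is not a substitute for authentication on port 22.
-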
@Kev_Prime @froge @ryanc Thank you.
I'll check some man pages for syntax.
I'll also compare the other extensions / targets that I've used in the past.
NETMAP and other nefarious packet-mangling things are in my wheelhouse.
-
Ryan Castellucci :nonbinary_flag: replied to DrScriptt
@drscriptt @froge weighted load balancing is technically possible, but extremely painful to do with iptables.
-
Ryan Castellucci :nonbinary_flag: replied to DrScriptt
@drscriptt @Kev_Prime @froge One thing I use is pam_recent to tie auth events to iptables recent matches; any idea if that'd still work or if it could be re-implemented?