Observations from a new user

I recently tried to install the ipset routines on my system and had a number of unnecessary 
problems.  They are likely things that most readers of this list have already figured out and no 
longer cause you problems and thus they don't get fixed, but can be very frustrating to a first 
time user. 

Background:

I have been using iptables for a number of years.  In the past I used patch-o-matic to add 
features missing from my distribution.  However, for the last couple of years everything I have 
needed has already been in the SuSE distribution, and I stopped using patch-o-matic and 
compiling my own kernel.

Recently, one of my filter tables became rather large, and I decided to try ipset.  It turned out 
that SuSE 11.2 provided the -m set and -j SET features, but not the ipset program needed to 
load the sets. (reported as a problem to SuSE) I dusted off my old patch-o-matic scripts.  They 
no longer worked, so I headed over to netfilter.org.

I found a patch-o-matic tab over to the left, selected that, and found a familiar blurb on 
patch-o-matic.  I hit the 'lists' option at the top to check the recent postings and get:

Not Found
The requested URL /projects/patch-o-matic/mailing lists.html was not found on this server.
 --> This should  be fixed.

Hmm.  The footer of the page lists 'pablo@xxxxxxxxxxxxx' as the webmaster, so I e-mail him a 
question about the mailing lists, but wait, he is no longer the webmaster.  --> This should be 
fixed.

I then read the extensions HOWTO referenced on the site at: 
http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-2.html#ss2.2
and find that the address of the cvs server has changed.  I update my scripts and rerun them 
only to have the server reject my connection.  I  spend quite a bit of time verifying the 
addresses, the scripts, and doing various pings and traceroutes.

I find that the list tab from the HOWTO page works and browse the mailing list and find a 
number of postings with similar complaints.  And then find the following: ... and patch-o-matic is 
replaced by xtables (http://xtables-addons.sourceforge.net/).  Well, why isn't it mentioned on the 
website?  --> The references on the site to patch-o-matic should be removed and replaced with 
xtables.  The cvs server should supply a better error message other than just connection 
refused.

I get a copy of xtables, and get it installed after correcting some interesting errors caused by my 
having multiple versions of the kernel sources installed, while not having the iptables sources 
installed.

I liked the way that patch-o-matic would run through the available uninstalled patches, give a 
brief description, and ask if I wanted to apply it.  I assumed that the replacement would work 
similarly (I don't need no stinkin' documentation).  I try to run the xtables 'command' and can't 
seem to find it.  A little digging, and oops, the make install has already installed ALL of the 
extensions.  Not what I expected.  The use of mconfig is documented in the INSTALL file, but ...
--> I would suggest that this be made a little more prominent and that a section for people 
converting from patch-o-matic be added.

Well anyway, ipset is installed and I give it a try only to find that iptables can't find the module.
Ah, SuSE has the extensions in /usr/lib/xtables, not the default.  Changed the ./configure options 
and got it working.

I also support a website that is used by a local neighborhood association that is constantly 
getting bombarded by out of country spam.  The steps to block that have also made it much less 
user friendly for the legitimate users.  I have had some success by blocking out-of-region IPs, but 
that is high maintenance, and the large iptables chains slow down the system.  The geoip 
module looked interesting, and I decided to give it a try.  I clicked on the HOWTO link and got:
Not Found
The requested URL /acidfu/geoip/howto/geoip-HOWTO.html was not found on this server.
--> This should be fixed

A little searching turns up:
http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO.html

Which again refers to patch-o-matic.  I skip that part, and follow the rest of the steps to 
download and install the database.  I add a couple of sample rules, which fail looking for .iv0 
files.  I can not find any reference to these in the documentation.  I spend some time examining 
the source, and find that the format of the database has changed from what was in the 
documentation.  A little googling and I find:

The extra files you will need are the binary database files. They are generated from a country-
subnet database with the geoip_csv_iv0.pl tool, available at http://jengelh.hopto.org/files/geoip/ .

Well, that's different, but seems to match the code.  So, I download those files and give it a go. 
The .pl tool has a lot of prerequisites that are not documented, but a bit of trial-and-error gets it 
going, .. and it works.  --> The HOWTO should be updated, and there should be a little more 
documentation on the requirements.

Since I am messing with my iptables rules, I decided to give -m recent a try.  However, I get 
unexpected results, and after a lot of work with tcpdump and -j TRACE I find that the rules

iptables -A dummy -o net1 -m recent --name testip --rdest --rcheck   --seconds 60 -j LOG
and
iptables -A dummy -o net1 -m recent --name testip --rdest --rcheck ! --seconds 60 -j LOG

both match the same packets (on SuSE 11.2 with iptables v 1.4.4) --> This was reported to 
SuSE as a bug.

I also found:
iptables -A dummy -m limit ! --limit 3/second -j LOG
generates:
iptables v1.4.4: limit does not support invert
Try `iptables -h' or 'iptables --help' for more information.
However, the man page indicates that it does (also on SuSE 11.2).  --> This was reported to 
SuSE as a bug.

I also tried:
iptables -A dummy -m set --match-set testip src -o net1 -m recent --name testip --set -j LOG
generates:
option conflict
iptables v1.4.4: --match-set can be specified only once
Try `iptables -h' or 'iptables --help' for more information.

--> -m recent should provide an alternative to --set, say --rset.

I must mention that the whole issue of re-examining my iptables rules came about when I was 
doing a careful examination of my logs while testing the SuSE 11.2 beta.  I found that 

iptables -A FORWARD -m time --timestart 08:00 --timestop 08:30 --days Mon,Tue -d 10.168 -j DROP
generated
unknown option '--days'

I reported this as a bug to SuSE and was told that:

BTW, it also was --weekdays in openSUSE 11.1/iptables 1.4.1. In fact, it has
been "--weekdays" ever since xt_time was added to iptables 1.4.x.

BUT, your documentation at
http://netfilter.org/projects/patch-o-matic/pom-external.html referenced above, and also by 
xtables still shows:

[ --days listofdays ]
    Match only if today is one of the given days. (format: Mon,Tue,Wed,Thu,Fri,Sat,Sun ; default 
everyday)

As well as almost every google referenced article.

--> This should be fixed.

SuSE pointed me to an updated iptables man page which had several other changes over what I 
had been using, so I decided to review everything.


OK, as some of the documentation says - 'it works for me'.  I have worked out the issues and 
gotten things working on my system, and don't expect to be messing with iptables again for 
many months, and I provide this diary only in an effort to save a future newbie some grief.  

...don

support (at) microtechniques.com
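The following is an added example, not part of the post above and not code from iptables, ipset or xtables-addons: a small constructed checker that parses an iptables command into its match extensions and flags the four iptables 1.4.4 pitfalls the post reports (the renamed -m time --days option, the unsupported ! --limit, the ineffective ! --seconds on -m recent, and the --set clash between -m set and -m recent), plus a rewrite of --days to --weekdays.

```python
import shlex

# Constructed checker for the iptables 1.4.4 pitfalls described in the post;
# it is not part of iptables, ipset or xtables-addons.
def split_matches(rule):
    """Split an iptables command into (match_name, tokens) groups; tokens
    before the first -m/--match go into a 'core' group."""
    toks = shlex.split(rule)
    groups, name, cur, i = [], "core", [], 0
    while i < len(toks):
        if toks[i] in ("-m", "--match") and i + 1 < len(toks):
            groups.append((name, cur))
            name, cur, i = toks[i + 1], [], i + 2
            continue
        cur.append(toks[i])
        i += 1
    groups.append((name, cur))
    return groups

def negated(opts, opt):
    """True when opt is immediately preceded by '!' in this match's tokens."""
    return any(a == "!" and b == opt for a, b in zip(opts, opts[1:]))

def lint_rule(rule):
    """Return a list of problem descriptions for one iptables command."""
    groups = split_matches(rule)
    names = [n for n, _ in groups]
    problems = []
    for name, opts in groups:
        if name == "time" and "--days" in opts:
            problems.append("time: --days was renamed --weekdays when xt_time "
                            "entered iptables 1.4.x")
        if name == "limit" and negated(opts, "--limit"):
            problems.append("limit: '! --limit' is rejected (limit does not "
                            "support invert)")
        if name == "recent" and negated(opts, "--seconds"):
            problems.append("recent: '! --seconds' reported to match the same "
                            "packets as --seconds on iptables 1.4.4")
        if name == "recent" and "--set" in opts and "set" in names:
            problems.append("set + recent --set: reported option conflict "
                            "(--match-set can be specified only once)")
    return problems

def fix_time_days(rule):
    """Rewrite the deprecated -m time --days option to --weekdays."""
    out = []
    for name, opts in split_matches(rule):
        if name != "core":
            out += ["-m", name]
        out += ["--weekdays" if name == "time" and t == "--days" else t
                for t in opts]
    return " ".join(out)
```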
