Subj : gentoo profile 17 :=)
To   : Maurice Kinal
From : Benny Pedersen
Date : Sat Dec 16 2017 10:03:40

Hello Maurice!

14 Dec 2017 18:59, Maurice Kinal wrote to Benny Pedersen:

 BP>> I can't get shorewall to play anymore on my fidobox, that was why
 BP>> I liked to try to move to the nftables replacement
 MK> Okay. From what I've read thus far it looks like nftables will
 MK> replace iptables soon so it seems like a good time to make the switch.

yes, depending on kernel .config

 BP>> only if you know more than I do
 MK> In this case, probably not.

I just like to convert this below to nftables

----- rules-save begins -----
# Generated by iptables-save v1.4.21 on Sat Dec 16 10:02:33 2017
*mangle
:PREROUTING ACCEPT [62190:54783976]
:INPUT ACCEPT [62190:54783976]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [49555:3751838]
:POSTROUTING ACCEPT [49555:3751838]
[0:0] -A FORWARD -j MARK --set-xmark 0x0/0xff
COMMIT
# Completed on Sat Dec 16 10:02:33 2017
# Generated by iptables-save v1.4.21 on Sat Dec 16 10:02:33 2017
*nat
:PREROUTING ACCEPT [382:15480]
:INPUT ACCEPT [86:4696]
:OUTPUT ACCEPT [1545:124577]
:POSTROUTING ACCEPT [1545:124577]
COMMIT
# Completed on Sat Dec 16 10:02:33 2017
# Generated by iptables-save v1.4.21 on Sat Dec 16 10:02:33 2017
*raw
:PREROUTING ACCEPT [62190:54783976]
:OUTPUT ACCEPT [49555:3751838]
COMMIT
# Completed on Sat Dec 16 10:02:33 2017
# Generated by iptables-save v1.4.21 on Sat Dec 16 10:02:33 2017
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:NET-fw - [0:0]
:logflags - [0:0]
:reject - [0:0]
:sha-lh-ad7c3899204ae152301e - [0:0]
:sha-rh-20dc886819828aae726a - [0:0]
:shorewall - [0:0]
:tcpflags - [0:0]
[54566:54134736] -A INPUT -i eth1 -j NET-fw
[7624:649240] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A INPUT -m addrtype --dst-type ANYCAST -j DROP
[0:0] -A INPUT -m addrtype --dst-type MULTICAST -j DROP
[0:0] -A INPUT -g reject
[0:0] -A FORWARD -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A FORWARD -m addrtype --dst-type ANYCAST -j DROP
[0:0] -A FORWARD -m addrtype --dst-type MULTICAST -j DROP
[0:0] -A FORWARD -g reject
[41930:3102522] -A OUTPUT -o eth1 -j ACCEPT
[7624:649240] -A OUTPUT -o lo -j ACCEPT
[0:0] -A OUTPUT -m addrtype --dst-type BROADCAST -j DROP
[0:0] -A OUTPUT -m addrtype --dst-type ANYCAST -j DROP
[0:0] -A OUTPUT -m addrtype --dst-type MULTICAST -j DROP
[0:0] -A OUTPUT -g reject
[53442:53924218] -A NET-fw -p tcp -j tcpflags
[54181:54119136] -A NET-fw -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[86:4696] -A NET-fw -p tcp -m tcp --dport 24554 -j ACCEPT
[299:10904] -A NET-fw -j DROP
[0:0] -A logflags -m hashlimit --hashlimit-upto 1/sec --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name lograte -j LOG --log-prefix "logflags DROP " --log-level 6 --log-ip-options
[0:0] -A logflags -j DROP
[0:0] -A reject -m addrtype --src-type BROADCAST -j DROP
[0:0] -A reject -s 224.0.0.0/4 -j DROP
[0:0] -A reject -p igmp -j DROP
[0:0] -A reject -p tcp -j REJECT --reject-with tcp-reset
[0:0] -A reject -p udp -j REJECT --reject-with icmp-port-unreachable
[0:0] -A reject -p icmp -j REJECT --reject-with icmp-host-unreachable
[0:0] -A reject -j REJECT --reject-with icmp-host-prohibited
[0:0] -A shorewall -m recent --set --name %CURRENTTIME --mask 255.255.255.255 --rsource
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -g logflags
[0:0] -A tcpflags -p tcp -m tcp --tcp-flags FIN,PSH,ACK FIN,PSH -g logflags
[0:0] -A tcpflags -p tcp -m tcp --sport 0 --tcp-flags FIN,SYN,RST,ACK SYN -g logflags
COMMIT
# Completed on Sat Dec 16 10:02:33 2017
----- rules-save ends -----

very basic config for iptables

Regards Benny

... there can only be one way of life, and it works :)
--- Msged/LNX 6.2.0 (Linux/4.14.6-gentoo (i686))
 * Origin: I will always keep a PC running CPM 3.0 (2:230/0)
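The conversion Benny is asking for, as an added example written for this page and not part of his post or anything Shorewall generated. It is a hand translation of the rules-save dump above into native nftables syntax, rule for rule: the three DROP policies, the NET-fw zone chain, the tcpflags sanity checks, the rate-limited log chain and the protocol-aware reject chain. Assumptions: eth1 is still the net-facing interface and 24554/tcp is still the port to open; the `sha-lh-*`, `sha-rh-*` and `shorewall` chains are left out because nothing in the dump jumps to them (the `shorewall` chain's `recent --set` is only Shorewall's own bookkeeping and has no nft equivalent); the empty nat and raw tables are left out because they contained no rules; and `hashlimit --hashlimit-mode srcip` is rendered as an nft `meter` keyed on source address, which is the closest native construct. Chain names avoid nft keywords (`reject` becomes `reject_pkt`), since nft will not accept a keyword as a chain name.

```nft
#!/usr/sbin/nft -f
# Added example: nftables translation of the iptables-save dump above.
# Not Shorewall output. Assumes eth1 is the net interface and 24554/tcp
# is the service to expose; the unreferenced sha-*/shorewall chains and
# the empty nat/raw tables are omitted.

flush ruleset

table ip mangle {
    # *mangle FORWARD: -j MARK --set-xmark 0x0/0xff clears the low byte
    chain forward {
        type filter hook forward priority mangle; policy accept;
        meta mark set mark & 0xffffff00
    }
}

table ip filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "eth1" jump net_fw
        iifname "lo" accept
        # -m addrtype --dst-type BROADCAST/ANYCAST/MULTICAST -j DROP
        fib daddr type { broadcast, anycast, multicast } drop
        goto reject_pkt
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        fib daddr type { broadcast, anycast, multicast } drop
        goto reject_pkt
    }

    chain output {
        type filter hook output priority filter; policy drop;
        oifname "eth1" accept
        oifname "lo" accept
        fib daddr type { broadcast, anycast, multicast } drop
        goto reject_pkt
    }

    # NET-fw: same order as the dump, flag check before conntrack
    chain net_fw {
        meta l4proto tcp jump tcpflags
        ct state related,established accept
        tcp dport 24554 accept
        drop
    }

    # tcpflags: "--tcp-flags MASK COMP" becomes "tcp flags & MASK == COMP";
    # -g (goto) is kept as goto, so logflags' drop ends processing
    chain tcpflags {
        tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) goto logflags
        tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 goto logflags
        tcp flags & (syn|rst) == (syn|rst) goto logflags
        tcp flags & (fin|rst) == (fin|rst) goto logflags
        tcp flags & (fin|syn) == (fin|syn) goto logflags
        tcp flags & (fin|psh|ack) == (fin|psh) goto logflags
        tcp sport 0 tcp flags & (fin|syn|rst|ack) == syn goto logflags
    }

    # logflags: hashlimit-upto 1/sec, burst 10, per source IP, then DROP.
    # --log-level 6 is "info"; --log-ip-options is "flags ip options".
    chain logflags {
        meter lograte { ip saddr limit rate 1/second burst 10 packets } log prefix "logflags DROP " level info flags ip options
        drop
    }

    # reject: silent drop for broadcast/multicast/IGMP, then a
    # protocol-appropriate REJECT, exactly as the original chain
    chain reject_pkt {
        fib saddr type broadcast drop
        ip saddr 224.0.0.0/4 drop
        ip protocol igmp drop
        meta l4proto tcp reject with tcp reset
        meta l4proto udp reject with icmp type port-unreachable
        meta l4proto icmp reject with icmp type host-unreachable
        reject with icmp type host-prohibited
    }
}
```

Load it with `nft -f` and confirm the result with `nft list ruleset`; because the file starts with `flush ruleset`, keep a console open on the box, not only an SSH session through eth1, the first time it is applied. Two things to keep in mind before treating it as a drop-in replacement: the iptables counters in the dump are free, while nft rules only count if a `counter` statement is added to the rules you want to watch; and the dump is IPv4 only (`iptables-save`, not `ip6tables-save`), so this `table ip` leaves IPv6 exactly as un-filtered as the original did, which on a kernel with IPv6 enabled means a second `table ip6` (or a single `table inet`) is needed to get the same DROP policies on both families.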