med-mastodon.com is one of the many independent Mastodon servers you can use to participate in the fediverse.
Medical community on Mastodon


#iptables


the end of #IPTables is in sight, and partly already within reach
over the past year I invested the time and, coming from #UFW and the dead #Shorewall, skipped #FirewallD and went straight to bare #NFTables

- UFW uses iptables in the background, automatically translated into nftables, which is a botch that may suit addicts of prehistoric iptables files "that must not be touched", but it ties the hands of a more progressive user quite a bit
- on top of that you have to memorize their special syntax and above all the ordering of the arguments, so I usually get a valid command in on about the 4th attempt

- FirewallD of course also invented its own command syntax, but at the same time it litters nftables with unused chains; walking up to someone else's machine and making a small change to the rules is almost worthy of a Nobel prize

- NFtables are, for me, the clearest and most reliable (the greatest control); on top of that they let you have total control over the firewall and send Docker's attempts at domination packing
- and they are very simple and easy to understand

I updated my Framework 13 to Fedora 42 about two weeks ago, just before the final release. It has been pretty solid!

This evening, I went to start up my VPN (I use NordVPN, FWIW). No luck. Just no connection.

The VPN connection has failed. Please check your internet connection and try connecting to the VPN again. If the issue persists, contact our customer support.

Well, thanks.

In case it was a package issue, I uninstalled and reinstalled the third-party nordvpn RPM. No luck, same error.

Digging into the system log, I found this:

19:40:46 [Error] failed to connect to uk2646.nordvpn.com : resseting forward firewall: reseting allowlist rules: removing allowlisted subnets: listing iptables rules: exec: "iptables": executable file not found in $PATH

A “smoking gun”!

OK, so let’s dig a bit more.

$ journalctl -g iptables -b --no-pager
Apr 28 19:47:20 neshatan tailscaled[1649]: linuxfw: clear iptables: exec: "iptables": executable file not found in $PATH
Apr 28 19:47:20 neshatan tailscaled[1649]: router: iptables not found: firewall mode "iptables" not supported: iptables command run fail: multiple errors:
Apr 28 19:47:20 neshatan tailscaled[1649]:         exec: "iptables": executable file not found in $PATH
Apr 28 19:48:56 neshatan nordvpnd[1518]: 2025/04/28 19:48:56 [Error] failed to connect to uk2582.nordvpn.com : resseting forward firewall: reseting allowlist rules: removing allowlisted subnets: listing iptables rules: exec: "iptables": executable file not found in $PATH
Apr 28 19:49:22 neshatan nordvpnd[1518]: 2025/04/28 19:49:22 [Error] failed to connect to uk1910.nordvpn.com : unsetting allowlist: disabling allowlist routing: clearing allowlisting: iptables listing rules: exec: "iptables": executable file not found in $PATH:
Apr 28 19:50:28 neshatan nordvpnd[1518]: 2025/04/28 19:50:28 [Error] failed to connect to uk2281.nordvpn.com : unsetting allowlist: disabling allowlist routing: clearing allowlisting: iptables listing rules: exec: "iptables": executable file not found in $PATH:
Apr 28 19:53:36 neshatan nordvpnd[16192]: 2025/04/28 19:53:36 [Error] failed to connect to uk2570.nordvpn.com : resseting forward firewall: reseting allowlist rules: removing allowlisted subnets: listing iptables rules: exec: "iptables": executable file not found in $PATH
Apr 28 19:57:28 neshatan nordvpnd[16192]: 2025/04/28 19:57:28 [Error] failed to connect to uk2123.nordvpn.com : unsetting allowlist: disabling allowlist routing: clearing allowlisting: iptables listing rules: exec: "iptables": executable file not found in $PATH:

OK, so we definitely don’t have an iptables executable.

It turns out that there is an iptables-nft package installed (for netfilter), and this is supposed to install /usr/bin/iptables – but that file doesn’t exist.

A quick symlink of iptables-nft as iptables was a basic patch for this, and I was able to bring the VPN connection up again.

Two related reports from the interwebs, one from as recent as today (which may explain why I only just encountered it) – I found these just as I started to write this post.

I’ll take the opportunity of this blog post to point out that nordvpnd has two typos in log messages. I’m not entirely certain where else to report this issue. Consider resetting these.

In the meantime, I also accidentally discovered that tailscaled had also been reporting issues with a missing iptables executable. I hadn’t noticed too many issues with it over the past couple of weeks, but hopefully this is an improvement for both daemons!


https://andypiper.co.uk/2025/04/28/nordvpn-fedora-42-and-iptables-compatibility/
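A small triage script for the situation in the post above, added here as an example (it is mine, not Andy's, NordVPN's or Tailscale's). The string `exec: "iptables": executable file not found in $PATH` is the wording Go's os/exec produces when a binary cannot be located, which is why two unrelated Go daemons log the identical text; the script groups such lines by the daemon that logged them, and then resolves the binary against an explicit PATH, because the PATH a systemd service sees is the one that matters, not the interactive shell's. The journal excerpt is constructed, modelled on the lines quoted in the post.

```python
import re
import shutil
from collections import defaultdict

# Constructed journal excerpt modelled on the lines quoted in the post (not the post's own log).
SAMPLE_JOURNAL = """\
Apr 28 19:47:20 neshatan tailscaled[1649]: linuxfw: clear iptables: exec: "iptables": executable file not found in $PATH
Apr 28 19:47:20 neshatan tailscaled[1649]: router: iptables not found: firewall mode "iptables" not supported: iptables command run fail: multiple errors:
Apr 28 19:48:56 neshatan nordvpnd[1518]: 2025/04/28 19:48:56 [Error] failed to connect to uk2582.nordvpn.com : resseting forward firewall: reseting allowlist rules: removing allowlisted subnets: listing iptables rules: exec: "iptables": executable file not found in $PATH
Apr 28 19:49:22 neshatan nordvpnd[1518]: 2025/04/28 19:49:22 [Error] failed to connect to uk1910.nordvpn.com : unsetting allowlist: disabling allowlist routing: clearing allowlisting: iptables listing rules: exec: "iptables": executable file not found in $PATH:
Apr 28 19:50:01 neshatan sshd[2201]: Accepted publickey for andy from 192.0.2.10 port 51234 ssh2
"""

# syslog-style journal line: "Mon DD HH:MM:SS host unit[pid]: message"
JOURNAL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<unit>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Go's os/exec wording when LookPath fails; both daemons in the post are Go programs.
MISSING_RE = re.compile(r'exec: "(?P<binary>[^"]+)": executable file not found in \$PATH')


def missing_binaries(journal_text):
    """Group 'executable file not found' errors by the daemon that logged them.

    Returns {unit: {"binaries": set, "lines": int}}. Lines that are not
    journal lines, or carry no such error, are skipped.
    """
    hits = defaultdict(lambda: {"binaries": set(), "lines": 0})
    for line in journal_text.splitlines():
        m = JOURNAL_RE.match(line)
        if not m:
            continue
        e = MISSING_RE.search(m.group("msg"))
        if not e:
            continue
        rec = hits[m.group("unit")]
        rec["binaries"].add(e.group("binary"))
        rec["lines"] += 1
    return dict(hits)


def lookup(binary, path="/usr/sbin:/usr/bin:/sbin:/bin"):
    """Resolve `binary` and its -nft/-legacy variants against an explicit PATH.

    The default PATH here is an assumption standing in for what a systemd
    service sees; pass the real one from `systemctl show -p Environment`.
    """
    return {
        "wanted": shutil.which(binary, path=path),
        "nft": shutil.which(binary + "-nft", path=path),
        "legacy": shutil.which(binary + "-legacy", path=path),
    }


if __name__ == "__main__":
    for unit, rec in missing_binaries(SAMPLE_JOURNAL).items():
        print(f"{unit}: {rec['lines']} line(s), missing {sorted(rec['binaries'])}")
    for name in sorted({b for r in missing_binaries(SAMPLE_JOURNAL).values() for b in r["binaries"]}):
        print(name, lookup(name))
```

On a host in the state the post describes, `lookup("iptables")` returns `wanted` as `None` while `nft` points at the iptables-nft binary; whichever mechanism wires `iptables` to it (the alternatives link the package should create, or the symlink the post made) is the thing to check.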

I was trying to use iptables and decided that life is too short for this hobbyist to go down that path, so I installed ufw and saw there was an XMPP app profile when doing ufw app list.

Brilliant, this should be easy then!
WRONG.

This is what ufw app info XMPP gave:

Profile: XMPP
Title: XMPP Chat
Description: XMPP protocol (Jabber and Google Talk)

Ports:
5222/tcp
5269/tcp
Which is um... not many ports. And naturally broke things like image uploading.

So I wrote my own in a new file at /etc/ufw/applications.d/ufw-prosody like this:

[Prosody]
title=Prosody XMPP
description=Prosody XMPP Server ports per https://prosody.im/doc/ports
ports=5000,5222,5223,5269,5270,5281/tcp
After saving, running ufw app update Prosody
and then ufw app info Prosody now gives:

Profile: Prosody
Title: Prosody XMPP
Description: Prosody XMPP Server ports per https://prosody.im/doc/ports

Ports:
5000,5222,5223,5269,5270,5281/tcp
ufw allow Prosody applies the rules, and all is well again.

❤️
#XMPP #Prosody #ufw #iptables #firewall
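Added example (mine, not from the post or from ufw): a parser for the applications.d profile format used above, so a new profile can be checked before `ufw app update` is run and the question "does this profile open port N?" can be answered without reading the ports= line by eye. Grammar as in ufw's shipped profiles: protocol groups separated by `|`, ports within a group by `,`, ranges written `lo:hi`, protocol after `/`. Two assumptions are labelled in the code: a group without `/` is expanded to both tcp and udp, and a range without a protocol is rejected, the same rule `ufw allow` applies on the command line. Both profile texts are constructed from what the post shows.

```python
import configparser

# Constructed from the post: the profile the author wrote.
PROSODY_PROFILE = """\
[Prosody]
title=Prosody XMPP
description=Prosody XMPP Server ports per https://prosody.im/doc/ports
ports=5000,5222,5223,5269,5270,5281/tcp
"""

# Constructed from the `ufw app info XMPP` output in the post (the stock file may differ).
XMPP_PROFILE = """\
[XMPP]
title=XMPP Chat
description=XMPP protocol (Jabber and Google Talk)
ports=5222,5269/tcp
"""


def parse_ports(spec):
    """Expand a ufw `ports=` value into a sorted list of (lo, hi, proto).

    '|' separates protocol groups, ',' separates ports, 'lo:hi' is a range,
    '/tcp' or '/udp' closes a group. Assumptions: a group with no protocol
    means both tcp and udp; a range must name its protocol.
    """
    out = []
    for group in spec.split("|"):
        ports, sep, proto = group.partition("/")
        if sep and proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol {proto!r} in {group!r}")
        protos = [proto] if sep else ["tcp", "udp"]
        for item in ports.split(","):
            lo, _, hi = item.partition(":")
            lo, hi = int(lo), (int(hi) if hi else int(lo))
            if not (1 <= lo <= hi <= 65535):
                raise ValueError(f"bad port or range {item!r}")
            if hi != lo and not sep:
                raise ValueError(f"range {item!r} needs an explicit protocol")
            out.extend((lo, hi, p) for p in protos)
    return sorted(out)


def load_profiles(text):
    """Parse one applications.d file into {name: {title, description, ports}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        sec = cp[name]
        for key in ("title", "description", "ports"):
            if key not in sec:
                raise ValueError(f"profile {name}: missing {key}=")
        profiles[name] = {
            "title": sec["title"],
            "description": sec["description"],
            "ports": parse_ports(sec["ports"]),
        }
    return profiles


def covers(profile_ports, port, proto):
    """True if (port, proto) is opened by a parsed ports list."""
    return any(lo <= port <= hi and p == proto for lo, hi, p in profile_ports)


if __name__ == "__main__":
    xmpp = load_profiles(XMPP_PROFILE)["XMPP"]["ports"]
    prosody = load_profiles(PROSODY_PROFILE)["Prosody"]["ports"]
    # 5281/tcp is the HTTPS port Prosody's file-upload module listens on,
    # which is why the stock XMPP profile broke image uploads.
    print("XMPP opens 5281/tcp:", covers(xmpp, 5281, "tcp"))
    print("Prosody opens 5281/tcp:", covers(prosody, 5281, "tcp"))
```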
Comparing firewall syntax for SSH (port 22) with default-deny:
================================================

#iptables (Linux)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP

#nftables (Linux)
nft add table inet my_filter
nft add chain inet my_filter input '{ type filter hook input priority 0; }'
nft add rule inet my_filter input tcp dport 22 accept
nft add rule inet my_filter input drop

#ufw (Linux - simplified frontend to iptables)
ufw allow 22/tcp
ufw default deny incoming

#pf (OpenBSD)
block all
pass in proto tcp to port 22

pf’s syntax feels so elegant, human-readable, & minimal!

After 20 years of scripting iptables, I'm ready to try UFW on my laptop.
#firewall #sysadmin #pf #iptables #ufw #nftables

I must be doing something wrong.

On the older EL8/Docker 24 instances, I can access the published port for a container via the host’s private IP. So host:32768->container:8080. This works great, even within a container.

It does not work on EL9/Docker 25. I do not know why. #iptables is configured nearly identically. Anyone have any ideas? I've tried nearly everything at this point. Going to try Docker 24 on EL9 next

#Linux #SysAdmins #NetworkAdmins

Ubuntu 24.04 system with a publicly-routable external IP address.

For a given incoming UDP port (<1024, call it port x; I can't change this), I want to forward it to localhost (or the ens3 interface) on another port (>1024, port y) so I can invoke QEMU as non-root and forward port y to the emulated system's port x via slirp.

Is this doable?

I've tried heaps of nat PREROUTING examples, but haven't yet gotten anything to stick.

Boosts appreciated!

What kind of nonsense is it, really, that ufw has no effect when the official Docker version is installed?

In my view a huge security risk that many admins may not even be aware of.
I only discovered it myself a few months ago.

What do you think? And what is the situation with debian 13, actually?

#linux #docker #ufw
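Why ufw has no effect on published container ports: Docker manages its own chains in the nat and filter tables. A connection to a published port is DNAT'd to the container in nat PREROUTING, then goes through FORWARD, where Docker's jumps sit ahead of ufw's; ufw's allow/deny rules hang off INPUT and never see it. The added example below (mine, not from the post or from Docker) audits `iptables-save -t nat` output for Docker's DNAT rules and flags the ones with no destination-address restriction, which answer on every host address. The sample output is constructed, in the shape Docker writes it.

```python
import re

# Constructed sample of `iptables-save -t nat` on a Docker host (not captured from a real machine).
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.2:80
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.3:5432
-A DOCKER ! -i docker0 -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.4:53
COMMIT
"""

# One Docker port-publishing rule; the optional "-d ADDR" is what a -p 127.0.0.1:HOST:CTR publish adds.
DNAT_RE = re.compile(
    r"^-A DOCKER(?: -d (?P<dst>\S+))? ! -i \S+ -p (?P<proto>tcp|udp) -m (?:tcp|udp) "
    r"--dport (?P<port>\d+) -j DNAT --to-destination (?P<target>\S+)$"
)


def docker_published_ports(save_output):
    """Parse Docker's DNAT rules out of iptables-save text.

    Returns one dict per published port. `exposed` is True when the rule has
    no -d restriction (or one that is not loopback), i.e. the port is reachable
    on every host address regardless of what ufw says.
    """
    found = []
    for line in save_output.splitlines():
        m = DNAT_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        found.append({
            "proto": m.group("proto"),
            "port": int(m.group("port")),
            "bind": dst or "0.0.0.0/0",
            "target": m.group("target"),
            "exposed": dst is None or not dst.startswith("127."),
        })
    return found


def report(save_output):
    """Human-readable lines, EXPOSED first so they stand out in a long listing."""
    rows = docker_published_ports(save_output)
    rows.sort(key=lambda p: (not p["exposed"], p["port"]))
    return [
        f'{"EXPOSED" if p["exposed"] else "local  "} {p["proto"]}/{p["port"]} '
        f'-> {p["target"]} (bind {p["bind"]})'
        for p in rows
    ]


if __name__ == "__main__":
    # On a live host: subprocess.run(["iptables-save", "-t", "nat"], capture_output=True, text=True).stdout
    print("\n".join(report(SAMPLE_NAT)))
```

Two ways to close the gap without fighting Docker's rules: publish to loopback (`-p 127.0.0.1:5432:5432`, which is what the `-d 127.0.0.1/32` rule in the sample looks like) and put the host-level policy in the DOCKER-USER chain, which Docker creates for exactly this purpose and does not flush.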

In case you're interested, I'm preparing a new course on networking and security. There's some firewalling with #nftables in it! 💪

And while I'm at it, I'll take the chance to re-record a lot of the content of the #iptables course: firewalling theory, DMZ, and practical cases.

Interesting things are coming for networking on #Linux! 😃

Since #Tumblr (owned by #MattMullenweg's #Automattic) renewed plans to join the #Fediverse, I suggest blocking them (as I have) for the same reason as #Threads: queerphobia and corporate tracking.

Just like the anti-Meta #FediPact (FediPact.online), there's now an anti-Automattic #FediPact2: FediPact2.online

Like I did with Meta, I wrote #iptables commands your #FediAdmin can use to drop all traffic to and from Automattic's IP addresses: pastebin.com/e5UKJCKU (source: AS2635)

I was finally forced to switch from #iptables to #nftables on a new #linux campus firewall setup.

I really should have made the switch years ago. Nftables is SO MUCH nicer! Having sets and variables has really simplified the configuration a ton.

I was happy with iptables for a really long time and so familiar with it, that I guess I was afraid of something new, but learning nftables has been fun and a lot easier than I expected for some reason.

Can anyone tell me what this #IPTables entry related to #DNS is?

#Asus has "helpfully" added this to my parents' router.

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_DNS udp -- anywhere anywhere udp dpt:domain u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0"
OUTPUT_DNS tcp -- anywhere anywhere tcp dpt:domain u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0"
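Those quoted strings are iptables u32 matches (`-m u32 --u32 "..."`), a tiny byte-offset language described in iptables-extensions(8). Read left to right, the UDP one does: `0x0>>0x16&0x3c` loads the first 32 bits of the IP header, shifts the IHL field down and masks it so the result is IHL*4, the IP header length; `@0x8` adds that to the base and loads 4 bytes starting 8 bytes later, i.e. just past the 8-byte UDP header, which is the DNS ID and flags; `>>0xf&0x1` keeps only the top bit of the flags, the QR bit; `=0x0` matches when QR is 0, a query. So the rule diverts outgoing DNS queries to the OUTPUT_DNS chain (the listing does not show what that chain does with them). The added example below is mine, not the post's or Asus's: an evaluator implementing the u32 semantics from the man page, run over constructed packets so each step can be checked. The TCP expression inserts a step that reads the TCP data-offset byte to skip the TCP header, but DNS over TCP carries a 2-byte length prefix, so `@0x8` lands on the ANCOUNT/NSCOUNT words instead of ID/flags; the evaluator shows that expression matching a constructed response as well as a query.

```python
import re
import struct

# The two match expressions from the router's OUTPUT chain, as printed in the post.
ASUS_UDP_DNS = "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0"
ASUS_TCP_DNS = "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0"

_TOK = re.compile(r">>|<<|&|@|0x[0-9a-fA-F]+|\d+")


def u32_match(pkt, expr):
    """Evaluate an iptables `-m u32 --u32 EXPR` against raw IPv4 packet bytes.

    Semantics as in iptables-extensions(8): a bare number loads 4 big-endian
    bytes at that offset from the current base; >>, << and & transform the
    value; @ adds the value to the base for the next load; = compares with a
    comma-separated list of values or lo:hi ranges; tests joined by && must
    all hold. A load that runs past the end of the packet fails the test.
    """
    return all(_u32_test(pkt, t.strip()) for t in expr.split("&&"))


def _u32_test(pkt, test):
    lhs, rhs = test.split("=")
    base, val, pending = 0, 0, "load"
    for tok in _TOK.findall(lhs):
        if tok == ">>":
            pending = "shr"
        elif tok == "<<":
            pending = "shl"
        elif tok == "&":
            pending = "and"
        elif tok == "@":
            base += val
            pending = "load"
        else:
            n = int(tok, 0)
            if pending == "load":
                off = base + n
                if off + 4 > len(pkt):
                    return False
                val = struct.unpack_from("!I", pkt, off)[0]
            elif pending == "shr":
                val >>= n
            elif pending == "shl":
                val = (val << n) & 0xFFFFFFFF
            elif pending == "and":
                val &= n
            else:
                raise ValueError(f"number without operator in {test!r}")
            pending = None
    for rng in rhs.split(","):
        lo, _, hi = rng.partition(":")
        lo, hi = int(lo, 0), (int(hi, 0) if hi else int(lo, 0))
        if lo <= val <= hi:
            return True
    return False


def _dns_message(flags, ancount):
    # Constructed minimal DNS message: header + one question for example.com A IN.
    return (struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
            + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))


def ipv4_udp_dns(dns_flags, ihl_words=5):
    """Constructed IPv4/UDP packet to port 53 (checksums left zero; u32 ignores them)."""
    dns = _dns_message(dns_flags, 0)
    hdr_len = ihl_words * 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, hdr_len + 8 + len(dns),
                     0, 0, 64, 17, 0, bytes([192, 168, 1, 10]), bytes([9, 9, 9, 9]))
    ip += b"\x00" * (hdr_len - 20)            # IP options when IHL > 5
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0)
    return ip + udp + dns


def ipv4_tcp_dns(dns_flags, ancount):
    """Constructed IPv4/TCP packet to port 53 with the 2-byte DNS length prefix."""
    dns = _dns_message(dns_flags, ancount)
    payload = struct.pack("!H", len(dns)) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 20 + len(payload),
                     0, 0, 64, 6, 0, bytes([192, 168, 1, 10]), bytes([9, 9, 9, 9]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 53, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


if __name__ == "__main__":
    QUERY, RESPONSE = 0x0100, 0x8180           # QR=0 RD=1 / QR=1 RD=1 RA=1
    print("udp query   ->", u32_match(ipv4_udp_dns(QUERY), ASUS_UDP_DNS))
    print("udp response->", u32_match(ipv4_udp_dns(RESPONSE), ASUS_UDP_DNS))
    print("tcp query   ->", u32_match(ipv4_tcp_dns(QUERY, 0), ASUS_TCP_DNS))
    print("tcp response->", u32_match(ipv4_tcp_dns(RESPONSE, 1), ASUS_TCP_DNS))
```

The IHL arithmetic is why the rule cannot hardcode offset 28: a packet with IP options has a longer header, and the evaluator shows the match still finds the flags when IHL is 6. Short packets (a UDP payload shorter than a DNS header) simply fail the load and do not match.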


@lanefu @pearl I mean, I'd rather try to use #ipFire but sadly I've yet to see some #Linux-based #Networking distro / setup that comes close to #pfSense / #OPNsense...

  • It's just that once you used #pfSync / #CARP & had cheap hot-standby hardware redundancy you don't want to go back!

But that's me being "too lazy" to do #iptables...

infosec.space/@kkarhan/1137134

Link preview, Kevin Karhan (@kkarhan@infosec.space) on infosec.space: @ClickyMcTicker@hachyderm.io @pearl@rrr.sh @geerlingguy@mastodon.social *From scratch* should (and would) be possible if said #configuration isn't just proprietary bs but actually following a documented syntax akin to any proper #configuration. - I assume this is *NOT* the case cuz otherwise you'd not offer said job. Not to mention #vendors prefer #siloing and #Enshittifying products, so having #InterchangeableFormats goes against their primary #commercial interests. - We can see this peak with #Cisco & #Microsoft pushing both proprietary #SingleVendor & #SingleProvider standards, #patenting the implementation (i.e. #VRRP) and suing everyone who wants to implement them (i.e. #CARP had to do a shitton of redundant work!) whilst also refusing to follow #Standards (i.e. #Posix newline: https://en.m.wikipedia.org/wiki/Newline) & #Conventions (I've seen literal CISCO <=> #IETF dictionaries!)... Sadly it's more #unrealistic to see such standardization happen than #YAML being replaced by #YADL (https://github.com/greyhat-academy/YADL)...