From patchwork Sun May 30 21:07:07 2021
X-Patchwork-Submitter: Eric Brown
X-Patchwork-Id: 29693
Subject: [bug#48753] iptables example update
To: 48753@debbugs.gnu.org
From: Eric Brown
Date: Sun, 30 May 2021 22:07:07 +0100
Message-ID: <86lf7wue10.fsf@hurd.ericcbrown.com>

Dear List,

I have often puzzled over the iptables example that is given in the Guix
manual. It seems that this rule would allow someone to ssh in, but would
not practically allow ssh *outward* because the session would not be able
to receive a response.

I've added what I think is a line that fixes the issue.

Best regards,
Eric

From 44faa84695a5df7a0a3c3a35520d70f255b9fe53 Mon Sep 17 00:00:00 2001
From: Eric Brown
Date: Sun, 30 May 2021 22:00:52 +0100
Subject: [PATCH] doc: Updated iptables example

* doc/guix.texi (iptables): Update iptables example to allow (functioning)
outbound SSH
---
 doc/guix.texi | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index dc10e88123..71851ca0b1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -16427,6 +16427,7 @@ configuration rejecting all incoming connections except those to the ssh port :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A INPUT -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-port-unreachable COMMIT @@ -16435,6 +16436,7 @@ COMMIT :INPUT ACCEPT :FORWARD ACCEPT :OUTPUT ACCEPT +-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -A INPUT -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp6-port-unreachable COMMIT -- 2.32.0.rc0
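Review bot: the placement is right in both hunks (the conntrack ACCEPT precedes the port-22 ACCEPT, so replies to outbound connections are matched before the final REJECT), but the same example's closing `-A INPUT -j REJECT` still rejects loopback traffic and, in the ip6tables hunk, ICMPv6 neighbour discovery, neither of which `--ctstate ESTABLISHED,RELATED` covers because those packets are not replies to a tracked flow; adding `-A INPUT -i lo -j ACCEPT` to both tables and `-A INPUT -p ipv6-icmp -j ACCEPT` to the IPv6 one would make the example usable as written. On the commit message, Guix uses the imperative ("doc: Update iptables example") and ends the ChangeLog entry with a period.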
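As an added illustration (not part of Eric's patch or the Guix manual), the following Python model walks the example's INPUT chain with and without the new conntrack rule, showing why the SYN-ACK of an outbound SSH session is rejected by the original rules; the addresses, ports and the simplified connection-tracking table are constructed assumptions.

```python
"""Added illustration (not part of the patch): a small model of the manual's
INPUT chain, with and without the new conntrack rule."""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")

# Rule sets modelled on the example as (match kind, match argument, target).
# The patch prepends the "ctstate" rule; the chain policy itself stays ACCEPT.
ORIGINAL = [("dport", 22, "ACCEPT"), ("any", None, "REJECT")]
PATCHED = [("ctstate", {"ESTABLISHED", "RELATED"}, "ACCEPT")] + ORIGINAL


def ctstate(pkt, conntrack):
    """Simplified nf_conntrack (an assumption of this model): a packet is
    ESTABLISHED when either direction of its 5-tuple has already been seen."""
    fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
    rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return "ESTABLISHED" if fwd in conntrack or rev in conntrack else "NEW"


def input_verdict(pkt, rules, conntrack, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule decides."""
    for kind, arg, target in rules:
        if kind == "any":
            return target
        if kind == "dport" and pkt.proto == "tcp" and pkt.dport == arg:
            return target
        if kind == "ctstate" and ctstate(pkt, conntrack) in arg:
            return target
    return policy


def outbound_ssh_reply_verdict(rules):
    """10.0.0.2 opens ssh to 10.0.0.9 (constructed addresses). OUTPUT policy is
    ACCEPT, so the SYN leaves and conntrack records the flow; return the INPUT
    verdict for the returning SYN-ACK, whose destination port is not 22."""
    syn = Packet("tcp", "10.0.0.2", 40000, "10.0.0.9", 22)
    conntrack = {tuple(syn)}
    syn_ack = Packet("tcp", "10.0.0.9", 22, "10.0.0.2", 40000)
    return input_verdict(syn_ack, rules, conntrack)


def inbound_verdict(rules, dport):
    """A brand-new inbound connection attempt to the given port."""
    pkt = Packet("tcp", "10.0.0.9", 51000, "10.0.0.2", dport)
    return input_verdict(pkt, rules, set())


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("patched", PATCHED)):
        print(name, "outbound ssh reply:", outbound_ssh_reply_verdict(rules),
              "| inbound ssh:", inbound_verdict(rules, 22),
              "| inbound http:", inbound_verdict(rules, 80))
```

Running it shows the original chain rejecting the reply to the host's own SSH connection while the patched chain accepts it, with inbound SSH accepted and other inbound ports rejected in both cases.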