• Protecting from Attacks

    From Jordanjm@VERT/JORDANJM to All on Saturday, June 20, 2026 22:56:37
    One thing I do is that I take the hack.log and pull out the IP Addresses. Then I feed those IP Addresses into a Fail2Ban Jail for SSH, Telnet, FTP, and RLOGIN (5513). I use a bash script that runs regularly through cron.

    ---
    þ Synchronet þ My Brand-New BBS
  • From nelgin@VERT/EOTLBBS to Jordanjm on Sunday, June 21, 2026 17:02:16
    On Sat, 20 Jun 2026 22:56:37 -0600
    "Jordanjm" (VERT/JORDANJM) <VERT/JORDANJM!Jordanjm@endofthelinebbs.com>
    wrote:
    One thing I do is that I take the hack.log and pull out the IP
    Addresses. Then I feed those IP Addresses into a Fail2Ban Jail for
    SSH, Telnet, FTP, and RLOGIN (5513). I use a bash script that runs
    regularly through cron.

    ---
    ­ Synchronet ­ My Brand-New BBS
    I would block them using iptables (or ntf or whatever they're using
    these days). I actually use ipsets with a rule to use the set in
    iptables. This is incredibility fast and reduces the workload on the
    system.
    ipset create hackers hash:ip
    If you plan on blocking and entire network like a /24 then you can use
    hash:net instead.

    You can make a corresponding ipv6
    ipset create hackers6 hash:ip family ipv6
    Then early in your iptables filter rules you'll want
    -A INPUT -m set --match-set hackers src -j DROP
    If you have a contrack rule for established connections, like this one
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    you'll probably might want to put the hack rule before it so it'll kill
    off any existing connections. If you're not to worries then put it
    afterwards. I have it before in mine but maybe that doesn't make sense.
    --
    End Of The Line BBS - Plano, TX
    telnet endofthelinebbs.com 23
    ---
    ­ Synchronet ­ End Of The Line BBS - endofthelinebbs.com
  • From Dumas Walker@VERT/CAPCITY2 to nelgin on Monday, June 22, 2026 10:30:55
    nelgin wrote to Jordanjm <=-

    I would block them using iptables (or ntf or whatever they're using
    these days). I actually use ipsets with a rule to use the set in
    iptables. This is incredibility fast and reduces the workload on the system.
    ipset create hackers hash:ip
    If you plan on blocking and entire network like a /24 then you can use hash:net instead.

    Is this a command in a script, or something you add to the iptables config?

    You can make a corresponding ipv6
    ipset create hackers6 hash:ip family ipv6
    Then early in your iptables filter rules you'll want
    -A INPUT -m set --match-set hackers src -j DROP

    Thanks!


    ... Keep your stick on the ice
    --- MultiMail/DOS v0.52
    þ Synchronet þ CAPCITY2 * Capitol City Online
  • From nelgin@VERT/EOTLBBS to Dumas Walker on Monday, June 22, 2026 16:16:56
    On Mon, 22 Jun 2026 10:30:55 -0500
    "Dumas Walker" (VERT/CAPCITY2)
    <VERT/CAPCITY2!Dumas.Walker@endofthelinebbs.com> wrote:
    nelgin wrote to Jordanjm <=-

    I would block them using iptables (or ntf or whatever they're
    using these days). I actually use ipsets with a rule to use the
    set in iptables. This is incredibility fast and reduces the
    workload on the system.
    ipset create hackers hash:ip
    If you plan on blocking and entire network like a /24 then you
    can use hash:net instead.

    Is this a command in a script, or something you add to the iptables
    config?

    You can make a corresponding ipv6
    ipset create hackers6 hash:ip family ipv6
    Then early in your iptables filter rules you'll want
    -A INPUT -m set --match-set hackers src -j DROP

    Thanks!


    ... Keep your stick on the ice
    --- MultiMail/DOS v0.52
    ­ Synchronet ­ CAPCITY2 * Capitol City Online
    ipset is a command. The -A thing is something you put in your iptables.
    In Ubuntu that's likely /etc/iptables/rules.v4.
    You'll also want netfilter-persistent and ipset-persistent packages.
    Whenever you create an ipset or add/remove from it, you want to run netfilter-persistent save to make sure it's written back to disk
    otherwise it'll be lost on reboot. It'll also ensure they're loaded at
    boot time.
    --
    End Of The Line BBS - Plano, TX
    telnet endofthelinebbs.com 23
    ---
    ­ Synchronet ­ End Of The Line BBS - endofthelinebbs.com
  • From Darksix@VERT/DARKSIX to nelgin on Monday, June 22, 2026 15:08:30
    On Sat, 20 Jun 2026 22:56:37 -0600 "Jordanjm" (VERT/JORDANJM) <VERT/JORDANJM!Jordanjm@endofthelinebbs.com> wrote:
    One thing I do is that I take the hack.log and pull out the IP Addresses. Then I feed those IP Addresses into a Fail2Ban Jail for SSH, Telnet, FTP, and
    RLOGIN (5513). I use a bash script that runs regularly through cron.

    ---
    þ Synchronet þ My Brand-New BBS
    I would block them using iptables (or ntf or whatever they're using these days). I actually use ipsets with a rule to use the set in iptables. This is
    incredibility fast and reduces the workload on the system. ipset create hackers hash:ip If you plan on blocking and entire network like a /24 then you can
    use hash:net instead.

    You can make a corresponding ipv6 ipset create hackers6 hash:ip family ipv6 Then early in your iptables filter rules you'll want -A INPUT -m set
    --match-set hackers src -j DROP If you have a contrack rule for established connections, like this one -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED
    -j ACCEPT you'll probably might want to put the hack rule before it so it'll kill off any existing connections. If you're not to worries then put it
    afterwards. I have it before in mine but maybe that doesn't make sense. -- End Of The Line BBS - Plano, TX telnet endofthelinebbs.com 23 --- þ
    Synchronet þ End Of The Line BBS - endofthelinebbs.com

    Standard is now nftables far as a few days ago on where things are going, at least on gentoo.
    You will want your DROP's before you have the conntrak or the other rules so they auto drop before going into a queue, I do all my rules by hand and in order of ip blocks.. Can use the normal ftp or telnet port normally is you set it up. I always get the real scan bots from having port 9100 open which is normally a printer port, but I use it for a MUD and it works well for weeding out people actually attacking, and or bots.

    Here's what I have so far and keep adding and should help out a good bit on crawlers and such..
    I do ban on the /24 and the /32 is not permanent. or won't be..

    https://paste.gentoo.zip/rb1Vgdet

    Mostly crawler bots and very high abuse networks. Let me know if it helps anyone reading this.
    I've never had the error or log of weird stuff going on with ftp/telnet.

    Just also drop using IPv6, unless you don't have an IPv4 address.. Just extra hassle and steps to take for now.

    ---
    þ Synchronet þ DaRKLoRD BBS
  • From nelgin@VERT/EOTLBBS to Darksix on Monday, June 22, 2026 20:35:13
    Re: Re: Protecting from Attacks
    By: Darksix to nelgin on Mon Jun 22 2026 15:08:30

    Standard is now nftables far as a few days ago on where things are going, at least on gentoo.

    I don't like how nft doesn't use ipset. I end up with a separate include file with all the blocked networks so I don't mess up my main table on my Arch system.

    ---
    þ Synchronet þ End Of The Line BBS - endofthelinebbs.com
  • From MRO@VERT/BBSESINF to binky nelge on Tuesday, June 23, 2026 04:04:29
    Re: Re: Protecting from Attacks
    By: nelgin to Darksix on Mon Jun 22 2026 08:35 pm

    Re: Re: Protecting from Attacks
    By: Darksix to nelgin on Mon Jun 22 2026 15:08:30

    Standard is now nftables far as a few days ago on where things are
    going, at least on gentoo.

    I don't like how nft doesn't use ipset. I end up with a separate
    include file with all the blocked networks so I don't mess up my
    main table on my Arch system.


    https://imgur.com/wvtIQTx


    --
    "Before using Wildcat....This Company did not have a convenient way of
    looking after some of the richest clients in the world...Now we do!"


    President of BBS Sysop's Union +++ https://bbses.info/union
    ---
    þ Synchronet þ ::: BBSES.info - free BBS services :::
  • From fusion@VERT/CFBBS to nelgin on Tuesday, June 23, 2026 10:18:00
    On 22 Jun 2026, nelgin said the following...

    ipset is a command. The -A thing is something you put in your iptables.

    this might not matter much if you fully dump and reload your firewall every time you change something (which can leave it wide open briefly!) but..

    -A is add (to the bottom)
    -I is insert (on top or wherever)

    that at least matters because iptables works top to bottom through the chain and will bail on the first matching rule.

    say you have commands to accept telnet, ftp, binkd, etc
    then you DROP everything else (all pretty standard)

    then you -A something (like dropping one pesky IP address temporarily) .. it goes BELOW the DROP mentioned above, so what happens is:

    pesky IP connects, iptables goes down the list and finds YEAH, telnet is accepted, and then sends the connection along as if you had never blocked it.

    -I will throw it on the TOP of the chain as the first thing to check (or a line number can be provided for where it should go)

    the default examples in Mystic's Event Editor for example are useless because of this.

    --- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi
  • From DaiTengu@VERT/ENSEMBLE to MRO on Tuesday, June 23, 2026 10:13:04
    Re: Re: Protecting from Attacks
    By: MRO to binky nelge on Tue Jun 23 2026 04:04 am

    I don't like how nft doesn't use ipset. I end up with a separate include
    file with all the blocked networks so I don't mess up my main table on my
    Arch system.


    https://imgur.com/wvtIQTx

    "How do you identify a vegan, a crossfitter, or an Arch user at a cocktail party?

    "Don't worry, they'll tell you."

    ...Scratch & Sniff .\\essage: Scratch Here --->²²²²²²²²<---

    ---
    þ Synchronet þ War Ensemble BBS - The sport is war, total war - warensemble.com
  • From Dumas Walker@VERT/CAPCITY2 to NELGIN on Tuesday, June 23, 2026 09:55:51
    ipset is a command. The -A thing is something you put in your iptables.
    In Ubuntu that's likely /etc/iptables/rules.v4.

    It is here on debian also. I have several rules set to forward inbound
    ports (like 23 inbound to 2323 local, 80 inbound to 8080 local, etc.) so
    that the bbs sofware doesn't have to run as root and bind to low ports. I
    am guessing I'd want that -A/DROP line to go before those so it covers all traffic.

    You'll also want netfilter-persistent and ipset-persistent packages.

    Will get those added if I don't already have them.

    Whenever you create an ipset or add/remove from it, you want to run netfilter-persistent save to make sure it's written back to disk
    otherwise it'll be lost on reboot. It'll also ensure they're loaded at
    boot time.

    Good advice.

    ipset create hackers hash:ip

    I presume you set up some ipset config options that tell it how to detect a potential hacker and add it to "hackers"?

    This could be very useful. Thanks!


    * SLMR 2.1a * Sheesh! You start havin' fun, and they send the lawyers!
    ---
    þ Synchronet þ CAPCITY2 * Capitol City Online
  • From Dumas Walker@VERT/CAPCITY2 to fusion on Tuesday, June 23, 2026 14:15:33
    On 22 Jun 2026, nelgin said the following...

    ipset is a command. The -A thing is something you put in your iptables.

    this might not matter much if you fully dump and reload your firewall every time you change something (which can leave it wide open briefly!) but..

    -A is add (to the bottom)
    -I is insert (on top or wherever)

    that at least matters because iptables works top to bottom through the chain and will bail on the first matching rule.


    Say I have something like this in my rules.v4:

    # Generated by iptables-save v1.8.11 (nf_tables) on Mon Aug 18 12:21:10 2025 *filter
    :INPUT ACCEPT [5477:286466]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [4483:9434151]
    COMMIT
    # Completed on Mon Aug 18 12:21:10 2025
    # Generated by iptables-save v1.8.11 (nf_tables) on Mon Aug 18 12:21:10 2025 *nat
    :PREROUTING ACCEPT [3:830]
    :INPUT ACCEPT [36:2810]
    :OUTPUT ACCEPT [136:8160]
    :POSTROUTING ACCEPT [136:8160]
    -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 11 -j REDIRECT --to-ports 1111
    (etc. for other ports)
    COMMIT
    # Completed on Mon Aug 18 12:21:10 2025

    Are you saying adding the line as an -A *above* the existing first -A line won't cause it to be first?

    $$
    ---
    þ Synchronet þ CAPCITY2 * Capitol City Online
  • From Dumas Walker@VERT/CAPCITY2 to Neglin on Tuesday, June 23, 2026 18:58:00
    ipset is a command. The -A thing is something you put in your iptables.
    In Ubuntu that's likely /etc/iptables/rules.v4.

    It is here on debian also. I have several rules set to forward inbound ports (like 23 inbound to 2323 local, 80 inbound to 8080 local, etc.) so that the bbs sofware doesn't have to run as root and bind to low ports. I
    am guessing I'd want that -A/DROP line to go before those so it covers all traffic.

    Disregard my questions. I got curious and started researching it myself. iptables automatically put the ipset commands at the top, in the *filter section, before all the *nat rules.

    ipset create hackers hash:ip

    I presume you set up some ipset config options that tell it how to detect a potential hacker and add it to "hackers"?

    This could be very useful. Thanks!


    This, of course, works with a list of IPAs and nets that you already know are bad. I will have to work around some to see about monitoring and picking up new IPA and nets that need adding.

    At any rate, I got ipset (and the -persistent) packages installed and set up. thanks!

    $$
    ---
    þ Synchronet þ CAPCITY2 * Capitol City Online
  • From nelgin@VERT/EOTLBBS to Dumas Walker on Wednesday, June 24, 2026 00:39:36
    On Tue, 23 Jun 2026 18:58:00 -0500
    "Dumas Walker" (VERT/CAPCITY2)
    <VERT/CAPCITY2!Dumas.Walker@endofthelinebbs.com> wrote:
    ipset is a command. The -A thing is something you put in your
    iptables. In Ubuntu that's likely /etc/iptables/rules.v4.

    It is here on debian also. I have several rules set to forward
    inbound ports (like 23 inbound to 2323 local, 80 inbound to 8080
    local, etc.) so that the bbs sofware doesn't have to run as root
    and bind to low ports. I am guessing I'd want that -A/DROP line to
    go before those so it covers all traffic.

    Disregard my questions. I got curious and started researching it
    myself. iptables automatically put the ipset commands at the top, in
    the *filter section, before all the *nat rules.

    ipset create hackers hash:ip

    I presume you set up some ipset config options that tell it how to
    detect a potential hacker and add it to "hackers"?

    This could be very useful. Thanks!


    This, of course, works with a list of IPAs and nets that you already
    know are bad. I will have to work around some to see about
    monitoring and picking up new IPA and nets that need adding.

    At any rate, I got ipset (and the -persistent) packages installed and
    set up. thanks!

    $$
    ---
    ­ Synchronet ­ CAPCITY2 * Capitol City Online
    You should probably put your IP at the top, if you ssh into your box,
    to ensure you're not locked out accidentally. I run OpenWRT at home and
    it updates ones of my domains A records when the IP changes.
    I then have a script on all my servers that checks if the IP changes
    and if so, deletes my "nelgin" ipset and creates a new one with the IP
    address and any fixed addresses in the script. This means I can always
    access my servers when my IP changes and using an ipset means I don't
    have to fiddle with iptables rules.
    This is mostly useful for people who run their BBS on a VPS or remote
    server.
    --
    End Of The Line BBS - Plano, TX
    telnet endofthelinebbs.com 23
    ---
    ­ Synchronet ­ End Of The Line BBS - endofthelinebbs.com
  • From Darksix@VERT/DARKSIX to nelgin on Tuesday, June 23, 2026 22:52:58
    Re: Re: Protecting from Attacks By: Darksix to nelgin on Mon Jun 22 2026 15:08:30

    Standard is now nftables far as a few days ago on where things are going, at least on gentoo.

    I don't like how nft doesn't use ipset. I end up with a separate include file with all the blocked networks so I don't mess up my main table on my Arch
    system.

    I haven't used nftables myself, nor do I mess with ipset really. Just using ebtables and iptables as a wrapper I believe, and I use my own
    firewall saves so they are in order and just apply them quite a lot.. Tons of scanners/autohacks going on and when they hit port 9100
    it's easily noticable since it would be a printer port, or is known as one. My mud shows these even when a user doesn't connect so I can block
    256 ip's most of the time after looking their blocks up. Anyways, never really thought about doing them as an include, would be nicer looking at least.

    Haz Good Day. -Six

    ---
    þ Synchronet þ DaRKLoRD BBS
  • From fusion@VERT/CFBBS to Dumas Walker on Wednesday, June 24, 2026 12:30:00
    On 23 Jun 2026, Dumas Walker said the following...

    *nat
    -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 11 -j REDIRECT --to-ports 1111
    (etc. for other ports)
    COMMIT

    Are you saying adding the line as an -A *above* the existing first -A
    line won't cause it to be first?

    not quite. that was mostly the purpose of mentioning dumping and reloading firewall rules.

    here's an example of what i meant:

    *filter
    -A INPUT -p tcp --dport 23 -j ACCEPT
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "badguy: " --log-level 7
    -A INPUT -j REJECT
    COMMIT

    this firewall setup would accept connections on port 23 and then *anything* else will first get logged, and then get rejected.

    now imagine i did

    iptables -A INPUT -s 71.95.196.34 -j DROP

    this is what our firewall will look like afterwards:

    *filter
    -A INPUT -p tcp --dport 23 -j ACCEPT
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "badguy: " --log-level 7
    -A INPUT -j REJECT
    -A INPUT -s 71.95.196.34 -j DROP
    COMMIT

    before it ever even checks the bad IP, it would accept the connection on port 23 if it matches. if the bad IP tries port 80, it would log the connection and REJECT them, also before the IP was actually specifically checked. (as an aside, that's bad because REJECT responds "yes i'm here, i don't want your connection" like we'd do for nice people, rather than just dumping the connection immediately)

    now we try:

    iptables -I INPUT -s 71.95.196.34 -j DROP

    and dump again:

    *filter
    -A INPUT -s 71.95.196.34 -j DROP
    -A INPUT -p tcp --dport 23 -j ACCEPT
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "badguy: " --log-level 7
    -A INPUT -j REJECT
    COMMIT

    NOW the badguy gets the boot before we even check if the connection is going to port 23.


    -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 11 -j REDIRECT --to-ports 1111

    interestingly, this moves the connection's destination from the INPUT chain to the FORWARD chain because it's an alias for

    -j DNAT --to-destination 127.0.0.1:1111

    so nothing in INPUT will match it..

    -I FORWARD -m set --match-set blacklist src -j DROP


    anyways, sorry if this is just rehashing stuff you already know :)

    --- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi
  • From Darksix@VERT/DARKSIX to fusion on Thursday, June 25, 2026 14:25:20
    On 22 Jun 2026, nelgin said the following...

    ipset is a command. The -A thing is something you put in your iptables.

    this might not matter much if you fully dump and reload your firewall every time you change something (which can leave it wide open briefly!) but..

    -A is add (to the bottom) -I is insert (on top or wherever)

    that at least matters because iptables works top to bottom through the chain and will bail on the first matching rule.

    say you have commands to accept telnet, ftp, binkd, etc then you DROP everything else (all pretty standard)

    then you -A something (like dropping one pesky IP address temporarily) .. it goes BELOW the DROP mentioned above, so what happens is:

    pesky IP connects, iptables goes down the list and finds YEAH, telnet is accepted, and then sends the connection along as if you had never blocked it.

    -I will throw it on the TOP of the chain as the first thing to check (or a line number can be provided for where it should go)

    the default examples in Mystic's Event Editor for example are useless because of this.

    --- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)

    Do your drops before you do the port commands, if you ban things.

    ---
    þ Synchronet þ DaRKLoRD BBS
  • From Darksix@VERT/DARKSIX to Dumas Walker on Thursday, June 25, 2026 14:25:20
    On 22 Jun 2026, nelgin said the following...

    ipset is a command. The -A thing is something you put in your iptables.

    this might not matter much if you fully dump and reload your firewall every time you change something (which can leave it wide open briefly!) but..

    -A is add (to the bottom) -I is insert (on top or wherever)

    that at least matters because iptables works top to bottom through the chain and will bail on the first matching rule.


    Say I have something like this in my rules.v4:

    # Generated by iptables-save v1.8.11 (nf_tables) on Mon Aug 18 12:21:10 2025 *filter :INPUT ACCEPT [5477:286466] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT
    [4483:9434151] COMMIT # Completed on Mon Aug 18 12:21:10 2025 # Generated by iptables-save v1.8.11 (nf_tables) on Mon Aug 18 12:21:10 2025 *nat :PREROUTING
    ACCEPT [3:830] :INPUT ACCEPT [36:2810] :OUTPUT ACCEPT [136:8160] :POSTROUTING ACCEPT [136:8160] -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 11 -j
    REDIRECT --to-ports 1111 (etc. for other ports) COMMIT # Completed on Mon Aug 18 12:21:10 2025

    Are you saying adding the line as an -A *above* the existing first -A line won't cause it to be first?

    You have a badly configured firewall, should not have more than one COMMIT.

    ---
    þ Synchronet þ DaRKLoRD BBS
  • From fusion@VERT/CFBBS to Darksix on Thursday, June 25, 2026 18:29:00
    On 25 Jun 2026, Darksix said the following...

    You have a badly configured firewall, should not have more than one COMMIT.

    this is false. it seems you don't know what you're talking about.

    --- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi
  • From Dumas Walker@VERT/CAPCITY2 to fusion on Thursday, June 25, 2026 13:09:50
    fusion wrote to Dumas Walker <=-
    now we try:

    iptables -I INPUT -s 71.95.196.34 -j DROP

    and dump again:

    *filter
    -A INPUT -s 71.95.196.34 -j DROP
    -A INPUT -p tcp --dport 23 -j ACCEPT
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "badguy: "
    --log-level 7 -A INPUT -j REJECT
    COMMIT

    NOW the badguy gets the boot before we even check if the connection is going to port 23.

    So -A adds it to the bottom of whatever group is belongs in, while -I adds
    it to the top. Good to know!

    -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 11 -j REDIRECT --to-ports 1111

    interestingly, this moves the connection's destination from the INPUT chain to the FORWARD chain because it's an alias for

    -j DNAT --to-destination 127.0.0.1:1111

    so nothing in INPUT will match it..

    -I FORWARD -m set --match-set blacklist src -j DROP

    The purpose of thta line is to route all incoming traffic on port 11 to
    port 1111 (the one that synchronet is set to listen on).

    Are you saying the *filter rules above this section will be ignored unless
    I set them as "FORWARD" instead of "INPUT," even though these rules come
    after the *filter section?

    anyways, sorry if this is just rehashing stuff you already know :)

    No, that I sure did not know!




    ... Isn't this where....
    --- MultiMail/DOS v0.52
    þ Synchronet þ CAPCITY2 * Capitol City Online
  • From fusion@VERT/CFBBS to Dumas Walker on Thursday, June 25, 2026 22:45:00
    On 25 Jun 2026, Dumas Walker said the following...

    The purpose of thta line is to route all incoming traffic on port 11 to port 1111 (the one that synchronet is set to listen on).

    Are you saying the *filter rules above this section will be ignored
    unless I set them as "FORWARD" instead of "INPUT," even though these
    rules come after the *filter section?

    ah sorry my bad.. looking at it now the nat table will put the packets to INPUT (or automatically recognize 'localhost', 127.0.0.1, the ipv6 one.. etc) ..

    but will move it to FORWARD if, for example, you have a separate BBS machine and IP that you forward (<- heh) the port to.

    mine gets forwarded from a linux router to a win32 bbs machine so to block IPs i have to put it in the FORWARD section.

    i guess the point i was trying to get across is it's pretty easy to accidentally put in do-nothing rules

    --- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi
  • From Dumas Walker@VERT/CAPCITY2 to Darksix on Thursday, June 25, 2026 18:53:05

    # Generated by iptables-save v1.8.11 (nf_tables) on Mon Aug 18 12:21:10 2025 *filter :INPUT ACCEPT [5477:286466] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT
    [4483:9434151] COMMIT # Completed on Mon Aug 18 12:21:10 2025 # Generated by iptables-save v1.8.11 (nf_tables) on Mon Aug 18 12:21:10 2025 *nat :PREROUTING
    ACCEPT [3:830] :INPUT ACCEPT [36:2810] :OUTPUT ACCEPT [136:8160] :POSTROUTING ACCEPT [136:8160] -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp --dport 11 -j
    REDIRECT --to-ports 1111 (etc. for other ports) COMMIT # Completed on Mon Aug 18 12:21:10 2025

    Are you saying adding the line as an -A *above* the existing first -A line won't cause it to be first?

    You have a badly configured firewall, should not have more than one COMMIT.

    I didn't key that in there. iptables generated it that way. <shrugs>

    $$
    ---
    þ Synchronet þ CAPCITY2 * Capitol City Online
  • From Dumas Walker@VERT/CAPCITY2 to fusion on Friday, June 26, 2026 13:44:59
    fusion wrote to Dumas Walker <=-

    The purpose of thta line is to route all incoming traffic on port 11 to port 1111 (the one that synchronet is set to listen on).

    Are you saying the *filter rules above this section will be ignored
    unless I set them as "FORWARD" instead of "INPUT," even though these
    rules come after the *filter section?

    ah sorry my bad.. looking at it now the nat table will put the packets
    to INPUT (or automatically recognize 'localhost', 127.0.0.1, the ipv6 one.. etc) ..

    No worries!

    but will move it to FORWARD if, for example, you have a separate BBS machine and IP that you forward (<- heh) the port to.

    I never could get "other machine" to work, and I bet that is why... I
    wasn't using FORWARD!

    i guess the point i was trying to get across is it's pretty easy to accidentally put in do-nothing rules

    True. Turned out my *filter rules were logging, but I had forgot to go
    back and add the DROP lines once I verified the filers were being hit. So
    this discussion did bear some fruit for me after all. Thanks to you and
    Neglin for following along on my train of thought.



    ... 2 + 2 = 5 for extremely small values of 5
    --- MultiMail/DOS v0.52
    þ Synchronet þ CAPCITY2 * Capitol City Online
  • From Darksix@VERT/DARKSIX to Dumas Walker on Saturday, June 27, 2026 10:57:25

    # Generated by iptables-save v1.8.11 (nf_tables) on Mon Aug 18 12:21:10 2025 *filter :INPUT ACCEPT [5477:286466] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT
    [4483:9434151] COMMIT # Completed on Mon Aug 18 12:21:10 2025 # Generated by iptables-save v1.8.11 (nf_tables) on Mon Aug 18 12:21:10 2025 *nat
    :PREROUTING ACCEPT [3:830] :INPUT ACCEPT [36:2810] :OUTPUT ACCEPT [136:8160] :POSTROUTING ACCEPT [136:8160] -A PREROUTING -d x.x.x.x/32 -p tcp -m tcp
    --dport 11 -j REDIRECT --to-ports 1111 (etc. for other ports) COMMIT # Completed on Mon Aug 18 12:21:10 2025

    Are you saying adding the line as an -A *above* the existing first -A line won't cause it to be first?

    You have a badly configured firewall, should not have more than one COMMIT.

    I didn't key that in there. iptables generated it that way. <shrugs>


    That's kind of weird that it did COMMIT more than once, and also to the other fella, you can have more than one commit
    but it should all be commited fully on one go if using iptables-save even if this is nftables wrapper. But I guess
    still didn't change the fact it wasn't correct you could say besides the commit.

    Hav G'day eh

    ---
    þ Synchronet þ DaRKLoRD BBS
  • From fusion@VERT/CFBBS to Darksix on Sunday, June 28, 2026 12:37:00
    On 27 Jun 2026, Darksix said the following...

    That's kind of weird that it did COMMIT more than once, and also to the other fella, you can have more than one commit
    but it should all be commited fully on one go if using iptables-save
    even if this is nftables wrapper. But I guess
    still didn't change the fact it wasn't correct you could say besides the commit.

    again, this isn't correct.

    root@orion:/home/alex# cat derp *nat

    -A PREROUTING -i eth0 -p tcp --dport 23 -j REDIRECT --to-port 2323

    # <--- missing COMMIT here

    *filter

    -A FORWARD -i eth0 -p tcp --dport 23 -j ACCEPT

    COMMIT


    ....


    root@orion:/home/alex# iptables-restore < derp Bad argument `*filter'
    Error occurred at line: 7
    Try `iptables-restore -h' or 'iptables-restore --help' for more information.


    ....


    you cannot introduce a new table without COMMIT-ing the previous one. in this context the error is basically saying: *nat without COMMIT

    --- Mystic BBS v1.12 A47 2021/12/25 (Windows/32)
    * Origin: cold fusion - cfbbs.net - grand rapids, mi