iptables --syn and ! --syn

General questions
1

Hello fellow VyOS users,

I’m in the process of migrating a huge (almost 9000 rules) iptables firewall to a vyos box.

What I have is the old config in iptables-save syntax and I need to migrate this to new vyos based firewalls.

I hope this is a trivial question, but how do I convert tons and tons of lules like this

to vyos/vyatta style config?

The best explanation for those flags I found is this one: http://www.smythies.com/~doug/network/iptables_syn/index.html

It seems obvious to do the non-negated version of it, but how do I do exactly the same (negated) version of --syn? :wink:

Thanks in advance for any helpful pointer!

Irrwitzer

2

Hi irrwitzer

Something like

set firewall name SOME-NAME rule 20 
set firewall name SOME-NAME rule 20 action accept
set firewall name SOME-NAME rule 20 description "Some TCP..."
set firewall name SOME-NAME rule 20 source address 1.2.3.4
set firewall name SOME-NAME rule 20 protocol tcp
set firewall name SOME-NAME rule 20 tcp flags <flags>

are SYN, ACK, FIN, RST, URG, PSH, and ALL. You may use a comma-separated list and use the “!” to negate the flag.

I tries to use something like this

set firewall name SOME-NAME rule 20 state established enable
set firewall name SOME-NAME rule 20 state new disable
set firewall name SOME-NAME rule 20 state related enable

the established, new and related are easier to understand for most people. But if you have some specific requirements for the tcp flags it’s supported by the tcp flag statement.

3

Hi ArneO,

thanks for your answer!

Using tcp flags I can only negate single flags, not groups of flags, so I can’t mimic the exact same rule. If there were a way to negate a whole rule it would be easy, but theres neither a way to negate the group of flags, nor the whole rule, as far as I can see.

Thanks! I guess I will take your approach and use state based rules instead of the tcp flags ones. Like you said, those are much too cryptic after all.

Thanks again!

Irrwitzer

4

“Negate” a whole rule is action drop and specify what you don’t accept - or am I missing something here?