I can't load iptables rules
I'm using RH9 and my firewall script can't load the modules or even the rules. I don't have a /usr/sbin/iptables file, so I've also tried editing the rc.firewall to point to /sbin/iptables and I get the same errors...
Here's the output when I try to run my iptables script.

[root@localhost root]# ./rc.firewall
: command not found 2:
: command not found 8:
: command not found 10:
: command not found 12:
/sbin/depmod: invalid option --
depmod 2.4.22
depmod -[aA] [-n -e -v -q -V -r -u]
       [-C configfile] [-F kernelsyms] [-b basedirectory] [forced_version]
depmod [-n -e -v -q -r -u] [-F kernelsyms] module1.o module2.o ...
If no arguments (except options) are given, "depmod -a" is assumed

depmod will output a dependancy list suitable for the modprobe utility.
depmod -a will find the list of modules to probe from the file /etc/modules.conf.
It will output the result into the depfile specified in this configuration file
depmod -A is the same as depmod -a, but will first compare the timestamps of the
files involved to see if the depfile needs updating.
Normally depmod operates silently, reporting only the list of modules that won't
load properly (missing symbols).

Options:
    -a, --all               Probe modules listed in /etc/modules.conf
    -A                      Like -a, compares timestamps first
    -q, --quiet             Don't report missing symbols
    -e, --errsyms           List unresolved symbols for the given module
    -s, --syslog            Report errors using syslog
    -v, --verbose           Print all visited modules
    -n, --show              Write the dependency file on stdout only
    -r, --root              Allow root to allow modules not owned by root
    -V, --version           Print the release version
    -u, --unresolved-error  Set an error return code for unresolved symbols
    -h, --help              Print this usage message

The following options are useful for people managing distributions:
    -b basedirectory
        --basedir basedirectory   Use an image of a module tree.
    -C configfile
        --config configfile       Use the file instead of /etc/modules.conf.
    -F kernelsyms
        --filesyms kernelsyms     Use the file instead of the current kernel symbols.

modprobe: Can't locate module ip_tables
modprobe: Can't locate module ip_conntrack
modprobe: Can't locate module iptable_filter
modprobe: Can't locate module ipt_LOG
modprobe: Can't locate module ipt_limit
modprobe: Can't locate module ipt_state
: command not found 23:
: command not found 25:
Clearing Tables...
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: command not found 30:
: command not found 32:
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: command not found 38:
: command not found 40:
: No such file or directoryr/sbin/iptables
./rc.firewall: line 42: -m: command not found
: No such file or directoryr/sbin/iptables
./rc.firewall: line 44: --log-prefix: command not found
: No such file or directoryr/sbin/iptables
[It goes on]
BTW, when I type /sbin/lsmod it doesn't list any iptables-related modules, but after I type iptables -L it lists ip_tables and iptable_filter. I have also tried loading the other modules by typing /sbin/modprobe [missing module name]..., confirming they are loaded, and then loading my firewall script, and I still get the same errors :/
Hi
I am not sure, but try this... I think your iptables rpm is not installed, or not installed properly, so first make sure whether it is installed, with this command:

rpm -qa | grep iptable*

and check it... If it is not there, then install it with this command:

rpm -ivh iptables[with that version]

or iptables may need other packages as dependencies, so install those too.... If it displays an error, then post it again.
-------------------
Hitesh
Here's what it said...

[root@localhost root]# rpm -qa | grep iptable*
iptables-1.2.7a-2
[root@localhost root]# rpm -ivh iptables-1.2.7a-2
error: open of iptables-1.2.7a-2 failed: No such file or directory
I've just tried MonMotha's IPTables Firewall script and that, for some reason, works. So I know the problem has to be with my script; I just don't know what it could be.
Can you post your script? Perhaps someone'll see some error jump out (unless RH9 has changed the rules... again. :-) ) Good luck...
To debug your script, put lines throughout it that are like:
echo "Checkpoint 1"

(except change 1 to other numbers after the first one). Then look at which checkpoints the error messages fall between, and move the checkpoints until you have the source of each error isolated to a single line (some errors after the first may be caused by the first, so it is best to fix them one at a time).
Here it is. It's based on an example script from the "Iptables Tutorial" v1.1.17 from http://iptables-tutorial.frozentux.net... I pretty much just copied it into Notepad, customized it, copied it to Linux and ran it.

## INTERFACES ##
LAN_IP="192.168.5.4"
LAN_BROADCAST_ADDRESS="192.168.5.255"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/sbin/iptables"

## MODULES ##
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#/sbin/modprobe ipt_owner
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

## DEFAULT POLICIES ##
echo "Clearing Tables..."
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

## CREATE CHAINS ##
$IPTABLES -N bad_tcp_packets
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

## BAD TCP CHAIN ##
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# ALLOWED CHAIN ##
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

## TCP RULES ##
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

## UDP RULES ##
#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT

## ICMP RULES ##
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#### INPUT CHAIN ####
echo "Creating INPUT Rules..."

## LOCAL ##
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT

## INTERNET ##
$IPTABLES -A INPUT -p ALL -d $LAN_IP -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $LAN_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $LAN_IFACE -j icmp_packets

## LOG UNUSUAL PACKETS ##
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#### OUTPUT CHAIN ####
echo "Creating OUTPUT Rules..."
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT

## LOG UNUSUAL PACKETS ##
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
I think it is still not installed properly, so you have to install it with this command:

rpm -ivh --force iptables-1.2.7a-2.rpm

or upgrade with this:

rpm -U iptables-1.2.7a-2.rpm

Try this and see... I never used RHL9, but if you face a problem then download this rpm from www.redhat.com/download/
---------------
Hitesh
1.) It appears to be missing the ``#!/bin/sh'' or ``#!/bin/bash'' line at the top. Without that, you'd need to run the script as ``. ./rc.firewall'' or ``sh ./rc.firewall''.

2.) Make sure that the lines that have been continued onto another line don't have any spaces following the backslash ``\''. I.e., that you don't have any ``\ '' sequences. If it were me, I'd go through the script and remove all the backslash-escaped newlines and just go with the long line (by removing the "\" and joining the lines. In vi, you do that with the `J' command, but you can use any editor and get the same result).

Other than those two things, the rest of it (after a quick look) appears fine.
Your post that says

No such file or directoryr/sbin/iptables

says that it's looking for r/sbin/iptables, so the file is not formatted correctly. Remove all leading and trailing spaces. You need to use an editor like vi to prevent the file from being hosed. The module errors usually mean the modules are not there. This also says there is a lot of junk in the file that we are not seeing in your post:

command not found 2: : command not found 8: : command not found 10: : command not found 12:

As stated above, the continued lines are not seen as continued lines due to your editor.
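The checks the two replies above describe, written out as a small POSIX sh lint-and-repair pass. This is an added example, not code from the thread, from the iptables tutorial or from the poster's rc.firewall. It flags a missing "#!" line, Notepad CRLF line endings (the CR becomes part of the last word on a line, which is why "/usr/sbin/iptables" shows up in the error as "directoryr/sbin/iptables"), a backslash followed by whitespace (which escapes the space rather than the newline, so the continued line runs as its own command), and the "-m --state" form that the poster finds at the end of the thread. The rc.firewall fragment it works on is constructed inline with exactly those four defects; the temporary file names are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): lint and repair an rc.firewall that was
# written in Notepad and copied to Linux. Sample input is constructed below.

# lint_firewall_script FILE
#   Prints one message per finding to stderr and the number of findings to stdout.
lint_firewall_script() {
    f="$1"
    n=0
    # 1. No interpreter line: "./rc.firewall" then runs under whatever shell
    #    exec falls back to, or must be run as "sh ./rc.firewall".
    if ! head -n 1 "$f" | grep -q '^#!'; then
        echo "$f: no #! line at top (add #!/bin/sh or run it as 'sh $f')" >&2
        n=$((n + 1))
    fi
    # 2. CRLF endings: the CR is glued onto the last word of every line, so
    #    "$IPTABLES" expands to a path ending in CR and the shell reports
    #    "No such file or directory" with the CR overprinting the path.
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: CRLF line endings (Windows editor); strip them with tr -d '\\r'" >&2
        n=$((n + 1))
    fi
    # 3. Backslash followed by a blank or CR: the backslash escapes that
    #    character, not the newline, so the next line is a separate command
    #    ("-m: command not found", "--log-prefix: command not found").
    if grep -q '\\[[:space:]]\{1,\}$' "$f"; then
        echo "$f: backslash followed by whitespace; continuation lines will run on their own" >&2
        n=$((n + 1))
    fi
    # 4. "-m --state": iptables treats "--state" as the match name and looks
    #    for libipt_--state.so. The state match is "-m state --state ...".
    if grep -q -- '-m --state' "$f"; then
        echo "$f: '-m --state' should be '-m state --state'" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# fix_firewall_script IN OUT
#   Writes a repaired copy of IN to OUT: adds "#!/bin/sh" if missing, drops
#   CRs, trims whitespace after a trailing backslash, rewrites "-m --state".
fix_firewall_script() {
    in="$1"
    out="$2"
    {
        head -n 1 "$in" | grep -q '^#!' || echo '#!/bin/sh'
        tr -d '\r' < "$in" \
            | sed -e 's/\\[[:blank:]]\{1,\}$/\\/' \
                  -e 's/-m --state/-m state --state/g'
    } > "$out"
    chmod +x "$out"
}

# build_sample FILE
#   Constructed Notepad-style fragment: CRLF endings, no #! line, a "\ "
#   continuation and the "-m --state" typo. Not the poster's actual file.
build_sample() {
    : > "$1"
    for line in \
        'IPTABLES="/sbin/iptables"' \
        '$IPTABLES -P INPUT DROP' \
        '$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \ ' \
        '    -m --state NEW -j REJECT --reject-with tcp-reset'
    do
        printf '%s\r\n' "$line" >> "$1"
    done
}

# demo: lint the sample, repair it, lint the repaired copy.
demo() {
    tmp="${TMPDIR:-/tmp}/rc.firewall.demo.$$"   # assumed scratch location
    build_sample "$tmp"
    before=$(lint_firewall_script "$tmp")
    fix_firewall_script "$tmp" "$tmp.fixed"
    after=$(lint_firewall_script "$tmp.fixed")
    echo "findings before repair: $before, after repair: $after"
    rm -f "$tmp" "$tmp.fixed"
}
```

Running `demo` reports four findings on the constructed fragment and none on the repaired copy. The repaired copy is still only as correct as the rules in it; the lint catches the editor and spelling problems this thread is about, not bad firewall policy.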
Thanks david, I created a new file and retyped the rules, so now everything but the ipt_state module seems to work. It shows up when I type /sbin/lsmod; the ipt_state entry is:

ipt_state 1048 3

When I run the firewall script the error it gives is:

iptables v1.2.7a: Couldn't load match '--state':/lib/iptables/libipt_--state.so: cannot open shared object file: No such file or directory

ipt_state works with MonMotha's IPTables Firewall but not mine. :confused:
try running ldconfig
or you may need to change something in your kernel, or not use that rule |
WOOT! It works now. I had this line:

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m --state NEW -j REJECT --reject-with tcp-reset

when it should have had "-m state --state" instead of "-m --state", as was used in the example script ;) Thanks for everyone's help.