LinuxQuestions.org, Linux - General forum
Old 04-11-2003, 03:06 PM   #1
Kinstonian
LQ Newbie
 
Registered: Mar 2002
Posts: 29

Rep: Reputation: 15
I can't load iptables rules


I'm using RH9 and my firewall script can't load the modules or even the rules. I don't have a /usr/sbin/iptables file, so I've also tried editing the rc.firewall to point to /sbin/iptables and I get the same errors...
Here's the output when I try to run my iptables script.

[root@localhost root]# ./rc.firewall
: command not found 2:
: command not found 8:
: command not found 10:
: command not found 12:
/sbin/depmod: invalid option --
depmod 2.4.22
depmod -[aA] [-n -e -v -q -V -r -u]
[-C configfile] [-F kernelsyms] [-b basedirectory] [forced_version]
depmod [-n -e -v -q -r -u] [-F kernelsyms] module1.o module2.o ...
If no arguments (except options) are given, "depmod -a" is assumed

depmod will output a dependancy list suitable for the modprobe utility.
depmod -a will find the list of modules to probe from the file
/etc/modules.conf. It will output the result into the depfile specified
in this configuration file

depmod -A is the same as depmod -a, but will first compare the timestamps
of the files involved to see if the depfile needs updating.

Normally depmod operates silently, reporting only the list of modules that
won't load properly (missing symbols).

Options:
-a, --all Probe modules listed in /etc/modules.conf
-A Like -a, compares timestamps first
-q, --quiet Don't report missing symbols
-e, --errsyms List unresolved symbols for the given module
-s, --syslog Report errors using syslog
-v, --verbose Print all visited modules
-n, --show Write the dependency file on stdout only
-r, --root Allow root to allow modules not owned by root
-V, --version Print the release version
-u, --unresolved-error Set an error return code for unresolved symbols
-h, --help Print this usage message

The following options are useful for people managing distributions:
-b basedirectory
--basedir basedirectory Use an image of a module tree.
-C configfile
--config configfile Use the file instead of
/etc/modules.conf.
-F kernelsyms
--filesyms kernelsyms Use the file instead of the
current kernel symbols.
modprobe: Can't locate module ip_tables
modprobe: Can't locate module ip_conntrack
modprobe: Can't locate module iptable_filter
modprobe: Can't locate module ipt_LOG
modprobe: Can't locate module ipt_limit
modprobe: Can't locate module ipt_state
: command not found 23:
: command not found 25:
Clearing Tables...
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: command not found 30:
: command not found 32:
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: command not found 38:
: command not found 40:
: No such file or directoryr/sbin/iptables
./rc.firewall: line 42: -m: command not found
: No such file or directoryr/sbin/iptables
./rc.firewall: line 44: --log-prefix: command not found
: No such file or directoryr/sbin/iptables
[It goes on]

Last edited by Kinstonian; 04-12-2003 at 11:12 PM.
 
Old 04-12-2003, 02:52 AM   #2
Kinstonian
LQ Newbie
 
Registered: Mar 2002
Posts: 29

Original Poster
Rep: Reputation: 15
BTW, when I type /sbin/lsmod it doesn't list any iptables-related modules, but after I type iptables -L it lists ip_tables and iptable_filter. I have also tried loading the other modules by typing /sbin/modprobe [missing module name]..., confirming they are loaded and then loading my firewall script, and I still get the same errors :/
 
Old 04-12-2003, 03:11 AM   #3
hitesh_linux
Member
 
Registered: Dec 2001
Location: /root
Distribution: FreeBSD,NETBSD,redhat
Posts: 472

Rep: Reputation: 30
Hi

I am not sure, but try this...

I think your iptables rpm is not installed or not installed properly,
so just make sure whether it is installed,

with this command...

rpm -qa |grep iptable*

and check it...

If it is not, then install it with this command

rpm -ivh iptable [with that version]

or iptables may need other package dependencies,
so install those also....

If it displays an error, then post it again.

-------------------
Hitesh
 
Old 04-12-2003, 01:26 PM   #4
Kinstonian
LQ Newbie
 
Registered: Mar 2002
Posts: 29

Original Poster
Rep: Reputation: 15
Here's what it said...

[root@localhost root]# rpm -qa|grep iptable*
iptables-1.2.7a-2
[root@localhost root]# rpm -ivh iptables-1.2.7a-2
error: open of iptables-1.2.7a-2 failed: No such file or directory
 
Old 04-12-2003, 06:39 PM   #5
Kinstonian
LQ Newbie
 
Registered: Mar 2002
Posts: 29

Original Poster
Rep: Reputation: 15
I've just tried MonMotha's IPTables Firewall script and that for some reason works. So I know the problem has to be with my script, I just don't know what it could be.
 
Old 04-12-2003, 10:39 PM   #6
rnturn
Member
 
Registered: Jan 2003
Location: Illinois (Chicago area)
Distribution: Red Hat (8.0), SuSE (10.x, 11.x, 12.2, 13.2), Solaris (8-10), Tru64
Posts: 982

Rep: Reputation: 53
Quote:
Originally posted by Kinstonian
So I know the problem has to be with my script, I just don't know what it could be.
That'd be my guess. The output you posted was filled with error messages that looked like there were typos and syntax errors. It sure appears that you have a problem loading modules. That might have been preventing the iptables module (I'm assuming it's a module on your system) from loading. Look at what the MonMotha script is doing to load modules and adapt that to your script. Any time you see a dump of the ``usage'' message for a program, it's a sure sign of a problem. If you're interested in fixing your original script, try inserting a ``set -x'' command as near the top as you can, and a ``set -'' near the bottom. Then when you run it you'll at least have the lines from the script intermixed with all the messages, which usually makes it easier to sort out where all those errors were coming from. Then remove those two commands when you get it all fixed.

Can you post your script? Perhaps someone'll see some error jump out (unless RH9 has changed the rules... again. :-) )

Good luck...
 
Old 04-12-2003, 11:01 PM   #7
oot
Member
 
Registered: Dec 2002
Distribution: Slackware 12.0
Posts: 240

Rep: Reputation: 30
To debug your script, put lines throughout it that are like:
echo "Checkpoint 1"
(except change 1 to other numbers after the first one)

Then look at what checkpoints the error messages fall between and move the checkpoints until you have the source of each error isolated to a single line (some errors after the first may be caused by the first, so it is best to fix them one at a time).
 
Old 04-12-2003, 11:12 PM   #8
Kinstonian
LQ Newbie
 
Registered: Mar 2002
Posts: 29

Original Poster
Rep: Reputation: 15
Here it is. It's based off an example script from the "Iptables Tutorial" v1.1.17 from http://iptables-tutorial.frozentux.net... I pretty much just copied it in Notepad, customized it, copied it to Linux and ran it.

## INTERFACES ##

LAN_IP="192.168.5.4"
LAN_BROADCAST_ADDRESS="192.168.5.255"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"

IPTABLES="/sbin/iptables"

## MODULES ##

/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
#/sbin/modprobe ipt_owner
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

## DEFAULT POLICIES ##

echo "Clearing Tables..."
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

## CREATE CHAINS ##

$IPTABLES -N bad_tcp_packets
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

## BAD TCP CHAIN ##

$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# ALLOWED CHAIN ##

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

## TCP RULES ##

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

## UDP RULES ##

#$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT

## ICMP RULES ##

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#### INPUT CHAIN ####
echo "Creating INPUT Rules..."

## LOCAL ##

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT

## INTERNET ##

$IPTABLES -A INPUT -p ALL -d $LAN_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $LAN_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $LAN_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $LAN_IFACE -j icmp_packets

## LOG UNUSUAL PACKETS ##

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#### OUTPUT CHAIN ####

echo "Creating OUTPUT Rules..."
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT

## LOG UNUSUAL PACKETS ##

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
 
Old 04-12-2003, 11:15 PM   #9
Kinstonian
LQ Newbie
 
Registered: Mar 2002
Posts: 29

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by oot
To debug your script, put lines throughout it that are like:
echo "Checkpoint 1"
(except change 1 to other numbers after the first one)

Then look at what checkpoints the error messages fall between and move the checkpoints until you have the source of each error isolated to a single line (some errors after the first may be caused by the first, so it is best to fix them one at a time).
That's a good idea, but that wouldn't work for me right now because I'm getting errors from start to finish. I'll use that technique once I get the basics working, thanks.
 
Old 04-12-2003, 11:19 PM   #10
hitesh_linux
Member
 
Registered: Dec 2001
Location: /root
Distribution: FreeBSD,NETBSD,redhat
Posts: 472

Rep: Reputation: 30
I think it is still not installed properly,

so you have to install it with this command,

rpm -ivh --force iptables-1.2.7a-2.rpm or upgrade with this,

rpm -U iptables-1.2.7a-2.rpm


Try with this and see...

I never used RHL9, but if you face a problem then
download this rpm from www.redhat.com/download/


---------------
Hitesh
 
Old 04-12-2003, 11:29 PM   #11
rnturn
Member
 
Registered: Jan 2003
Location: Illinois (Chicago area)
Distribution: Red Hat (8.0), SuSE (10.x, 11.x, 12.2, 13.2), Solaris (8-10), Tru64
Posts: 982

Rep: Reputation: 53
Quote:
Originally posted by Kinstonian
Here it is. It's based off an example script from the "Iptables Tutorial" v1.1.17 from http://iptables-tutorial.frozentux.net... I pretty much just copied it in Notepad, customized it, copied it to Linux and ran it.
A couple of things:

1.) It appears to be missing the ``#!/bin/sh'' or ``#!/bin/bash'' line at the top. Without that, you'd need to run the script as ``. ./rc.firewall'' or ``sh ./rc.firewall''.

2.) Make sure that the lines that have been continued onto another line don't have any spaces following the backslash ``\''. I.e., that you don't have any ``\ '' sequences. If it were me, I'd go through the script and remove all the backslash-escaped newlines and just go with the long line (by removing the "\" and joining the lines). In vi, you do that with the `J' command, but you can use any editor and get the same result.

Other than those two things, the rest of it (after a quick look) appears fine.

Last edited by rnturn; 04-13-2003 at 01:07 AM.
 
Old 04-13-2003, 01:00 AM   #12
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,155

Rep: Reputation: 56
Your post that says

No such file or directoryr/sbin/iptables

says that it's looking for r/sbin/iptables,

so the file is not formatted correctly.

Remove all leading and trailing spaces.

You need to use an editor like vi to prevent the file from being hosed.

The module errors usually mean the modules are not there.

This also says there is a lot of junk in the file that we are not seeing in your post:

command not found 2:
: command not found 8:
: command not found 10:
: command not found 12:


As stated above, the continued lines are not seen as continued lines due to your editor.


Last edited by DavidPhillips; 04-13-2003 at 01:01 AM.
 
Old 04-13-2003, 03:24 PM   #13
Kinstonian
LQ Newbie
 
Registered: Mar 2002
Posts: 29

Original Poster
Rep: Reputation: 15
Thanks David, I created a new file and retyped the rules, so now everything but the ipt_state module seems to work. It shows up when I type /sbin/lsmod; the ipt_state entry is:
ipt_state 1048 3

When I run the firewall script the error it gives is:
iptables v1.2.7a: Couldn't load match '--state':/lib/iptables/libipt_--state.so: cannot open shared object file: No such file or directory

ipt_state works with MonMotha's IPTables Firewall but not mine.
 
Old 04-13-2003, 04:12 PM   #14
DavidPhillips
Guru
 
Registered: Jun 2001
Location: South Alabama
Distribution: Fedora / RedHat / SuSE
Posts: 7,155

Rep: Reputation: 56
Try running ldconfig,


or you may need to change something in your kernel, or not use that rule.
 
Old 04-13-2003, 08:47 PM   #15
Kinstonian
LQ Newbie
 
Registered: Mar 2002
Posts: 29

Original Poster
Rep: Reputation: 15

WOOT! It works now. I had this line
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m --state NEW -j REJECT --reject-with tcp-reset

when it should have had "-m state --state" instead of "-m --state", as was used in the example script. Thanks for everyone's help.
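The thread ends up identifying four separate defects in the posted rc.firewall: CRLF line endings from Notepad (the ": No such file or directoryr/sbin/iptables" lines in post #1, explained in #12), a missing #! line and whitespace after a continuation backslash (#11), and "-m --state" where "-m state --state" was meant (#13 and #15). The POSIX sh script below is an added example, not code from the thread or from the iptables tutorial it references; the function names and the two constructed sample scripts are this example's own. It runs those four checks over a firewall script before the script is executed, so that a script copied across from a Windows editor fails a pre-flight check instead of loading a half-applied ruleset:

```shell
#!/bin/sh
# Pre-flight checks for a hand-written rc.firewall before running it.
# Added example, not part of the thread: it looks for the four problems the
# replies identify (CRLF endings, missing "#!" line, blank after a
# continuation backslash, and "-m --state" instead of "-m state --state").
# Function and file names below are this example's own.

# check_firewall_script FILE
# Prints one line per finding; the return value is the number of findings
# (0 means the script passed every check).
check_firewall_script() {
    f=$1
    n=0
    cr=$(printf '\r')

    # 1. Carriage returns. With CRLF endings the shell looks for
    #    "/sbin/iptables<CR>"; when the error is printed, the CR moves the
    #    cursor back to the start of the line, so the message shows up as
    #    ": No such file or directoryr/sbin/iptables".
    if grep -q "$cr" "$f"; then
        printf '%s\n' "$f: CRLF line endings found; convert to LF before running"
        n=$((n + 1))
    fi

    # 2. Interpreter line. Without "#!/bin/sh" the script only runs as
    #    "sh ./rc.firewall" or ". ./rc.firewall". CRs are stripped first so
    #    this and the following checks see the text as it would be after
    #    conversion.
    if ! tr -d '\r' < "$f" | head -n 1 | grep -q '^#!'; then
        printf '%s\n' "$f: no #! line at the top"
        n=$((n + 1))
    fi

    # 3. Blank after a continuation backslash. "\ " escapes the space, not
    #    the newline, so the next line runs as its own command (the
    #    "-m: command not found" messages in the first post).
    if tr -d '\r' < "$f" | grep -q '\\[[:blank:]][[:blank:]]*$'; then
        printf '%s\n' "$f: whitespace after a line-continuation backslash"
        n=$((n + 1))
    fi

    # 4. Match module named "--state". iptables then tries to load
    #    libipt_--state.so, which is the "Couldn't load match" error.
    if tr -d '\r' < "$f" | grep -q -e '-m[[:blank:]]*--state'; then
        printf '%s\n' "$f: '-m --state' should be '-m state --state'"
        n=$((n + 1))
    fi

    return $n
}

# count_findings FILE: number of findings as a plain number on stdout.
count_findings() {
    check_firewall_script "$1" | wc -l | tr -d ' '
}

# make_samples DIR: writes two constructed sample scripts into DIR.
make_samples() {
    # Constructed sample 1: saved from a Windows editor (CRLF), no "#!" line,
    # a space after the backslash, and the "-m --state" typo from the thread.
    printf '## INTERFACES ##\r\nIPTABLES="/sbin/iptables"\r\n$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \\ \r\n-m --state NEW -j REJECT --reject-with tcp-reset\r\n' \
        > "$1/rc.firewall.notepad"
    # Constructed sample 2: the same rule with all four problems corrected.
    printf '#!/bin/sh\nIPTABLES="/sbin/iptables"\n$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \\\n-m state --state NEW -j REJECT --reject-with tcp-reset\n' \
        > "$1/rc.firewall.fixed"
}

# Demo: check both constructed samples, then clean up.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
for s in "$demo_dir/rc.firewall.notepad" "$demo_dir/rc.firewall.fixed"; do
    if check_firewall_script "$s"; then
        printf '%s\n' "$s: passed all checks"
    fi
done
rm -rf "$demo_dir"
```

The checks strip carriage returns with tr before pattern matching so that a CRLF file is reported once for its line endings rather than failing every later check for the wrong reason; the Notepad-style sample reports all four findings, the corrected one none. Run it as `sh check.sh`, or call `check_firewall_script /etc/rc.firewall` from an interactive shell after sourcing the file.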
 