LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 04-01-2003, 08:51 AM   #1
UserName
LQ Newbie
 
Registered: Mar 2003
Distribution: redhat 8.0,mandrake 9.1
Posts: 29

Rep: Reputation: 15
neeed some help debugging iptables please


hi i am trying to run iptables firewall and found a script which i have changed a litlle bit to match my connection
i am running redhat 8 and using adsl vpn connection
heres the commands:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# a table for dealing with icmp traffic
-N icmp_packets
# a table to deal with tcp traffic
-N tcp_packets
# a table for udp traffic
-N udp_packets
#this is the tcp_packets table.
# tcp packets that start a new sessions are sent to the tcp_services table
-A tcp_packets -p TCP --syn -j tcp_packets
# this line allows exisiting connections to live. It is actualy redundent since we had this line in the INPUT table.
-A tcp_packets -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
# we log the packets before DROPing them
-A tcp_packets -m limit --limit 60/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "TCP packets packet died: "
# tcp packets that are not related to established session, and are not syn packets, gets drop
-A tcp_packets -p TCP -j DROP
# no other services, so we log and then drop
#-A tcp -m limit --limit 60/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "TCP srv packet died: "
#-A tcp -p TCP -s 0/0 -j DROP
#
# ICMP rules
#
# we permit icmp types 3,11
# type 3 is destination unreachable. this may save us b/w of accessive retries
# type 11 is Time Exceeded - good for traceroute .

-A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
-A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#this is where we do the masquerading.
-t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# This is the INPUT table. Most filtering is done here
#
# for performance efficiency, we put the rules that should get the highest matces
# first.
#
# Firtst , we permit the ADSL modem to pass traffic on pptp (tcp port 1723) and the gre tunnel (protocol 47)
-A INPUT -p 47 -s x.x.x.x/x -j ACCEPT
-A INPUT -p tcp -s x.x.x.x/x --sport 1723 -j ACCEPT
# we trust our internal host. If you want to specificaly control its activity, remove this line and permit specific
# service in the apropriate tables.
-A INPUT -p ALL -s x.x.x.x/x -j ACCEPT
# the following 3 rules ensure that established connections will not break. These are the lines that make the
# stateful inspection (and which match most of the LAN and PPP interface traffic).
-A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# then we permit the loopback interface
-A INPUT -s 127.0.0.1 -j ACCEPT
#The following 2 rules enables the passive and active ftp port command (that opens a data stream).
-A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# we allow broadcasts.
-A INPUT -p ALL -d x.255.255.255/x -j ACCEPT
# any traffic coming on the internet interface that did not match the previous rules (basicaly packets that try to start sessions, or probes, or just any
# other packet that is not related to an existing stream) will be separated to icmp, tcp and udp and treated specificaly.
-A INPUT -p ICMP -i ppp0 -j icmp_packets
-A INPUT -p TCP -i ppp0 -j tcp_packets
-A INPUT -p UDP -i ppp0 -j udp_packets
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
# before we drop the packets that reach the end of the table, we want to record it. We limit the log rate so that we wont
#chocke it we are badly attacked.
-A INPUT -m limit --limit 60/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
# This is the output table.
#First we permit the pptp and gre tunnel to the ADSL
-A OUTPUT -p 47 -d x.x.x.x/x -j ACCEPT
# We trust our internal host
-A OUTPUT -p ALL -d x.x.x.x/x -j ACCEPT
# we make stateful inspection and let established sessions live, and new connections to be created.
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 60/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
# We forward for established sessions
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# set default policies for the INPUT, FORWARD and OUTPUT chains. #Since we filter on the INPUT , the FORWARD
# policy is ACCEPT
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP

for some reason when i try to restart iptables with the command /etc/rc.d/init.d/iptables start

i get errors which state:
Applying iptables firewall rules: iptables-restore v1.2.6a: Unknown arg `--icmp-type'
--sport
--dport
i have checked the iptables man and all of these commands are allowed i even tried not using the alias name as in : --source-port etc and no go
i appriciate any help on this subject

TIA
 
Old 04-01-2003, 05:07 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I think in your ICMP rules that the protocol has to be lower case, so:

-A icmp_packets -p icmp -s 0/0 --icmp-type 3 -j ACCEPT

which is why it doesn't like the -icmp-type part. You need to have the -p icmp part recognized so that it can load the -icmp-type extensions. Try that and see if you still get errors.
 
Old 04-01-2003, 08:38 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Scatch that, case doesn't matter for the protocol type.

But I do have a question, are you loading these rules with a script, by command line, or are you directly editing the /etc/sysconfig/iptables file?

If you're editing the file by hand, that might be the problem. For some reason if you edit the file by hand, the extension modules are not loaded (the ones that specify how to handle the --dport, --sport, --icmp-type).
 
Old 04-02-2003, 04:46 AM   #4
UserName
LQ Newbie
 
Registered: Mar 2003
Distribution: redhat 8.0,mandrake 9.1
Posts: 29

Original Poster
Rep: Reputation: 15
thanks for the reply,
Capt_Caveman: i am editing the iptables files directly,so anyone know hot to enable them or should i just make it a script and try it?
thanks
 
Old 04-02-2003, 07:44 AM   #5
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
I'd go ahead and use a script. As I've been trying to learn iptables, I've created a few different scripts for me to play with. I've also got one "good" firewall script that I don't play with so no matter how badly I screw up the one I'm working on, a good firewall is only a script run away....
 
Old 04-02-2003, 09:37 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
You can type them in at the command line one after another using the iptables command, the nice part being that you can debug them line by line.

But I'd agree with Hangdog42, that a script is probably the way to go. Just put a line that points to the path of the script in rc.local, so that it get loaded at boot. And don't forget to make it executable.
 
Old 04-02-2003, 10:34 AM   #7
UserName
LQ Newbie
 
Registered: Mar 2003
Distribution: redhat 8.0,mandrake 9.1
Posts: 29

Original Poster
Rep: Reputation: 15
cool thanks for the replys guys
i just tried running them all manualy and no errors its a bit strange though that on the iptables files it doesnt work any way how do i go about the command in rc.local would:
sh /path/to/script/script.sh
be ok?

thanks again people
 
Old 04-02-2003, 11:33 AM   #8
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422Reputation: 422Reputation: 422Reputation: 422Reputation: 422
I actually run my firewall script from rc.inet1 before the NIC is set up. That way I'm never without a firewall in place. I've got the firewall script in the same directory as rc.inet1 and just have a line that says ./rc.firewall.
 
Old 04-02-2003, 12:51 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
>its a bit strange though that on the iptables files it doesnt work

yeah, I thought so too. I had a similar problem once where if I pasted a line into the iptables file it would give me an error, but if I pasted the exact same line into the command line with "iptables" in front of it, it would run no problem. Somehow the act of entering the command (through a script or command line) tells the kernel to load the proper extension modules.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Visual Debugging and Linux Kernel Debugging Igor007 Programming 0 09-30-2005 10:33 AM
Changing from Windows to Linux and I neeed help kiwusek Mandriva 40 08-30-2005 08:57 PM
Neeed help with exploits plz ziggy123 Programming 7 12-25-2004 03:12 PM
i neeed help in this please howareyou Linux - Enterprise 3 05-06-2004 02:36 PM
debugging devit Programming 1 02-10-2004 11:49 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 12:48 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration