Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
After installing Trustix, I took a firewall config and placed it in /etc/sysconfig/iptables. I received the following error:
#service iptables restart
Flushing current rules and chains [ OK ]
Clearing current rules and chains [ OK ]
Resetting default rules to ACCEPT: [ OK ]
Unloading iptables modules: .................................................
Loading iptables modules: .................................................
Flushing current rules and chains [ OK ]
Clearing current rules and chains [ OK ]
Loading new rules
iptables-restore v1.2.8: iptables-restore: unable to initialize table 'mangle'
Error occured at line: 1
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[ FAILED ]
errrrrrrrrr LOL
Any ideas on how to fix this? I tried iptables-restore with/out the different options, but it just hangs.
This same config file works just fine on a buddy of mine's Trustix install. I can play the default config back in and it works, but that's basically blank. I could try to command-line every one, but then it doesn't save to the iptables file.
Any ideas (please)? Google didn't help me one bit on this one.
The difference could be that you need to load some modules, or maybe you are trying to do something that your kernel is not configured to support.
By entering rules manually it is easier to see what's failing and what to do next. Since you said you could enter it manually it sounded like the easiest route to take at the moment. Then when you find the bad rule you can fix the problem. It is almost certainly a module that needs to be built or loaded.
I did what you said, and there was no output whatsoever. I am guessing that means things are ok?
The crazy thing is, this is the same EXACT script my buddy used on his system (trustix 2.0) and it worked like a charm. That's wacky, man!
I am going to hit the hay right now, as it is 3:00 am where I am. I will go through the configuration by hand tomorrow and see what happens.
Also, so you know, I took out the wacky NIC and reinstalled. Only takes 10 minutes with Trustix, eh. Still the same error message. I have no clue here!
Thanks again, and if you or anyone else have any comments or suggestions, it would be greatly appreciated.
Yes, I read that right after I posted and actually took out a huge file I put into the post. You know a little sleep can be good for the brain. Sometimes sitting too close to the computer for too many hours straight keeps the forest from being seen and lowers the IQ, eh. I should have turned in a long time before I did last night. I still went to bed with two books and was up for another 2 hours. Little tired right now, eh.
I will be putting together a more appropriate firewall into a file in the next few hours and giving it a shot. I will load it from the shell this time and then iptables-save. Then I will debug it, if I have to. I will post back later tonight (my time and the evening pans out like it should) with what happens.
Throwing the file in alone didn't work, and I really would like to know if anyone else has had success by doing this. And, I simply mean just dropping in a file without running any other commands other than restarting iptables. If others can do that, I would like to know why I cannot do it. Of course, taking 10 days to figure it out or more probably learning all the prerequisite knowledge is something I cannot do right now, so it will have to be something I come to understand further down the road in all likelihood.
Man, that was crazy. If my friend hadn't told me he just dropped the iptables file in and it worked, then it would have never taken me that long. But, I learned a lot in the process and I am pleased with that.
To configure new chains/config, you make your own file: eg. test_firewall
#>vi test_firewall
Add your iptables commands and options you want: Easier than it might seem at first, like most stuff, eh.
Example:
# Policy setup to drop all incoming by default
iptables -P INPUT DROP
#>iptables -F
(flush/clear current iptable chains - you can put it in your test_firewall file as well, as that is what I have done.)
#>sh test_firewall
take a peek:
#>iptables -L
#>iptables-save > /etc/sysconfig/iptables
#>service iptables restart
And, you are done!
That is way too easy now that I know what to do. Drop the file in and go....that didn't work! I have no idea how that worked for my friend.
Anyway, thanks for the feedback, and the due diligence paid off. I am very pleased with my understanding now. :O)
-joseph
Ps. IMPORTANT NOTE: The above is only an example and there is a lot more that needs to be done to get your system safe and secure in regard to configuring iptables. I say this because I don't assume someone reading this will know that. Hope this helps someone down the road. Everyone starts somewhere, so don't get discouraged.
Last edited by joseph_1970; 12-02-2003 at 07:48 PM.
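One way to catch the failure in this thread ("unable to initialize table 'mangle'") before running iptables-restore, written here as an added example and not code posted by anyone in the thread: it parses the saved ruleset for the tables it names and compares them with what the kernel exposes. It assumes the kernel lists loaded tables in /proc/net/ip_tables_names and that the matching module is named iptable_<table>.

```shell
#!/bin/sh
# Added example, not from the thread: before running iptables-restore,
# check that every table the saved ruleset names (*filter, *mangle, *nat)
# is one the running kernel actually exposes. The thread's error,
# "unable to initialize table 'mangle'", is exactly this mismatch.

# Print, one per line, the tables a ruleset (iptables-save format, passed
# as a string) references; each table section starts with '*<name>'.
tables_in_ruleset() {
    printf '%s\n' "$1" | sed -n 's/^\*\([a-z]*\).*/\1/p' | sort -u
}

# Print referenced tables that are absent from the available list
# ($2, newline-separated). Exit status 1 if at least one is missing.
missing_tables() {
    ruleset="$1"; available="$2"; rc=0
    for t in $(tables_in_ruleset "$ruleset"); do
        if ! printf '%s\n' "$available" | grep -qx "$t"; then
            echo "$t"; rc=1
        fi
    done
    return $rc
}

# Constructed sample ruleset (not the OP's file): references two tables.
SAMPLE_RULESET='*mangle
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'

# Constructed view of a kernel with only the filter table loaded. On a
# real host use: AVAILABLE_TABLES=$(cat /proc/net/ip_tables_names)
AVAILABLE_TABLES='filter'

if missing=$(missing_tables "$SAMPLE_RULESET" "$AVAILABLE_TABLES"); then
    echo "all referenced tables are available; safe to iptables-restore"
else
    for t in $missing; do
        # Assumption: the module for table <t> is named iptable_<t>.
        echo "table '$t' is not available: try 'modprobe iptable_$t' first"
    done
fi
```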