LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices

Reply
 
Search this Thread
Old 07-07-2002, 02:21 AM   #1
X11
Member
 
Registered: Dec 2001
Location: Brisie, Australia
Distribution: Slackware 8.1
Posts: 324

Rep: Reputation: 30
IPTables doesn't seem to work


I been trying to test this script but have had no success in doing it:

Quote:
#!/bin/sh

#Ethernet card interface to Internet. DHCP Assigned Cable Internet.
INET_IP=""
INET_IFACE="eth0"

#Load iptables/netfilter modules.
/sbin/modprobe ipt_LOG
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack

#Drop all incoming, outgoing and forwarding packets.
/sbin/iptables -P INPUT DROP #Drops all incoming packets from all interfaces.
/sbin/iptables -P OUTPUT DROP #Drops all outgoing packets from all interfaces.
/sbin/iptables -P FORWARD DROP #Drops all forwarding packets from all interfaces.

#The weakest link
/sbin/iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

#Accept certain incoming ICMP packet types.
/sbin/iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type address-mask-reply -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type required-option-missing -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type parameter-problem -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type ip-header-bad -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type source-route-failed -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type network-unknown -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT

#Drop certain incoming ICMP packet types.
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type network-unreachable -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type host-unreachable -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type protocol-unreachable -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type port-unreachable -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type fragmentation-needed -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type host-unknown -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type network-prohibited -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type host-prohibited -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-network-unreachable -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type communication-prohibited -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type host-precedence-violation -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type precedence-cutoff -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type source-quench -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type redirect -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type network-redirect -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type host-redirect -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-network-redirect -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-redirect -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s
--limit-burst 1 -j LOG --log-level --log-prefix PING-REQUEST
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type router-advertisement -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type router-solicitation -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type ttl-zero-during-transit -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type timestamp-request -j DROP

#Active FTP.
/sbin/iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d 10.50.28.4 --dport 1023:65535 -j ACCEPT

#Syn-flood protection.
/sbin/iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT

#Drop nasty flags.
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level --log-prefix
BAD FLAG ! L1"
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level --log-prefix
BAD FLAG ! L2"
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level --log-prefix BAD FLAG
! L3"
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level --log-prefix
BAD FLAG ! L4"
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level --log-prefix
BAD FLAG ! L5"
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#Stealth port scanner protection.
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A syn-flood -j LOG --log-level --log-prefix SYN Flood stopped

#Ping of death protection.
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
This is the error I get:
Quote:
iptables v1.2.6a: can't initialize iptables table `filter': iptables who? (do you need to
insmod?)
Perhaps iptables or your kernel needs to be upgraded.
I tried doing:
modprobe iptables
modprobe ip_tables
insmod iptables
insmod ip_tables
 
Old 07-07-2002, 11:12 AM   #2
CARTMAN
Member
 
Registered: Feb 2002
Location: Turkiye
Distribution: Pardus
Posts: 147

Rep: Reputation: 15
your iptables compiled for another kernel version if you use rpm uninstall it and install by hand.
 
Old 07-07-2002, 11:50 AM   #3
pickledbeans
Member
 
Registered: Jun 2002
Location: Bailey, CO
Distribution: Slackware
Posts: 483

Rep: Reputation: 31
Check path to iptables, I'm using a standard install of Slack-8.1 and

slacker:root >> type iptables
iptables is /usr/sbin/iptables
 
Old 07-08-2002, 12:23 AM   #4
X11
Member
 
Registered: Dec 2001
Location: Brisie, Australia
Distribution: Slackware 8.1
Posts: 324

Original Poster
Rep: Reputation: 30
Thanks ofr the replies, I've tried reinstalling iptables via the Slackware 8.1 CD, it installs OK, but it doesn't seem to work OK.

I've tried to test it by typing:
iptables -L

But it spits out this error every time I do it:
Quote:
modprobe: Can't locate module ip_tables

iptables v1.26a: can't initialize iptables table 'filter': iptables who? (do you need to insmod)

Prehaps iptables or your kernel needs to upgraded.
 
Old 07-08-2002, 12:30 AM   #5
pickledbeans
Member
 
Registered: Jun 2002
Location: Bailey, CO
Distribution: Slackware
Posts: 483

Rep: Reputation: 31
OK i got it , iptables isn't loaded as a module it part of the kernel ? I just ran iptable form the command line w/o that error.

What happens if you run /usr/sbin/iptables ? Post the error messages.

BTW, /usr/sbin isn't in the normal user $PATH.
 
Old 07-08-2002, 12:32 AM   #6
X11
Member
 
Registered: Dec 2001
Location: Brisie, Australia
Distribution: Slackware 8.1
Posts: 324

Original Poster
Rep: Reputation: 30
BTW: While we're he're is anything wrong with my script:

I'm need:
1. Access to HTTP for normal web browsing
2. Access to SMTP and POP3 for email
3. Access to the UDP for 'Real' Streaming video (this is more of a want than a need any way)
4. FTP Downloading
5. Any else that is essential to go online securely.
 
Old 07-08-2002, 12:35 AM   #7
X11
Member
 
Registered: Dec 2001
Location: Brisie, Australia
Distribution: Slackware 8.1
Posts: 324

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by pickledbeans
OK i got it , iptables isn't loaded as a module it part of the kernel ? I just ran iptable form the command line w/o that error.

What happens if you run /usr/sbin/iptables ? Post the error messages.

BTW, /usr/sbin isn't in the normal user $PATH.
Well I'm logged on as the root user and have tried what you have told me. But it still comes up with this error message.
Quote:
modprobe: Can't locate module ip_tables

iptables v1.26a: can't initialize iptables table 'filter': iptables who? (do you need to insmod)

Prehaps iptables or your kernel needs to upgraded.
 
Old 07-08-2002, 12:39 AM   #8
pickledbeans
Member
 
Registered: Jun 2002
Location: Bailey, CO
Distribution: Slackware
Posts: 483

Rep: Reputation: 31
X11, frst things first. did that command work?

The short answer is I don't know, I'm concerned with
helping you find iptables?

If so then you need to change you path statement.

My suggeston would be to break the script down into pieces and test it that way.

Have you checked out the iptable howto on:
http://tldp.org
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables question: Will this work? lucktsm Linux - Networking 7 07-06-2005 03:22 PM
Iptables command won't work no_names_left Linux - Networking 9 04-23-2005 07:53 PM
iptables doesn't work with me Agent007 Linux - Networking 4 01-23-2004 07:14 AM
IPTABLES doesn't work!!! help... saruman666 Linux - Networking 11 08-16-2003 04:15 PM
iptables doesn't work correctly themorph Linux - Networking 1 02-20-2002 09:33 PM


All times are GMT -5. The time now is 04:46 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration