IPTables doesn't seem to work

X11 · 07-07-2002, 02:21 AM

I been trying to test this script but have had no success in doing it:

Quote:

#!/bin/sh

#Ethernet card interface to Internet. DHCP Assigned Cable Internet.
INET_IP=""
INET_IFACE="eth0"

#Load iptables/netfilter modules.
/sbin/modprobe ipt_LOG
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack

#Drop all incoming, outgoing and forwarding packets.
/sbin/iptables -P INPUT DROP #Drops all incoming packets from all interfaces.
/sbin/iptables -P OUTPUT DROP #Drops all outgoing packets from all interfaces.
/sbin/iptables -P FORWARD DROP #Drops all forwarding packets from all interfaces.

#The weakest link
/sbin/iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

#Accept certain incoming ICMP packet types.
/sbin/iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type address-mask-reply -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type required-option-missing -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type parameter-problem -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type ip-header-bad -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type source-route-failed -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type network-unknown -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT

#Drop certain incoming ICMP packet types.
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type network-unreachable -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type host-unreachable -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type protocol-unreachable -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type port-unreachable -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type fragmentation-needed -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type host-unknown -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type network-prohibited -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type host-prohibited -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-network-unreachable -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type communication-prohibited -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type host-precedence-violation -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type precedence-cutoff -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type source-quench -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type redirect -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type network-redirect -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type host-redirect -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-network-redirect -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-redirect -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s
--limit-burst 1 -j LOG --log-level --log-prefix PING-REQUEST
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type router-advertisement -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type router-solicitation -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type ttl-zero-during-transit -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
/sbin/iptables -A INPUT -i eth0 -p icmp --icmp-type timestamp-request -j DROP

#Active FTP.
/sbin/iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
/sbin/iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d 10.50.28.4 --dport 1023:65535 -j ACCEPT

#Syn-flood protection.
/sbin/iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT

#Drop nasty flags.
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level --log-prefix
BAD FLAG ! L1"
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level --log-prefix
BAD FLAG ! L2"
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level --log-prefix BAD FLAG
! L3"
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level --log-prefix
BAD FLAG ! L4"
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level --log-prefix
BAD FLAG ! L5"
/sbin/iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#Stealth port scanner protection.
/sbin/iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
/sbin/iptables -A syn-flood -j LOG --log-level --log-prefix SYN Flood stopped

#Ping of death protection.
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

This is the error I get:

Quote:

iptables v1.2.6a: can't initialize iptables table `filter': iptables who? (do you need to
insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I tried doing:
modprobe iptables
modprobe ip_tables
insmod iptables
insmod ip_tables

CARTMAN · 07-07-2002, 11:12 AM

your iptables compiled for another kernel version if you use rpm uninstall it and install by hand.

pickledbeans · 07-07-2002, 11:50 AM

Check path to iptables, I'm using a standard install of Slack-8.1 and

slacker:root >> type iptables
iptables is /usr/sbin/iptables

X11 · 07-08-2002, 12:23 AM

Thanks ofr the replies, I've tried reinstalling iptables via the Slackware 8.1 CD, it installs OK, but it doesn't seem to work OK.

I've tried to test it by typing:
iptables -L

But it spits out this error every time I do it:

Quote:

modprobe: Can't locate module ip_tables

iptables v1.26a: can't initialize iptables table 'filter': iptables who? (do you need to insmod)

Prehaps iptables or your kernel needs to upgraded.

pickledbeans · 07-08-2002, 12:30 AM

OK i got it , iptables isn't loaded as a module it part of the kernel ? I just ran iptable form the command line w/o that error.

What happens if you run /usr/sbin/iptables ? Post the error messages.

BTW, /usr/sbin isn't in the normal user $PATH.

X11 · 07-08-2002, 12:32 AM

BTW: While we're he're is anything wrong with my script:

I'm need:
1. Access to HTTP for normal web browsing
2. Access to SMTP and POP3 for email
3. Access to the UDP for 'Real' Streaming video (this is more of a want than a need any way)
4. FTP Downloading
5. Any else that is essential to go online securely.

X11 · 07-08-2002, 12:35 AM

Quote:

Originally posted by pickledbeans
OK i got it , iptables isn't loaded as a module it part of the kernel ? I just ran iptable form the command line w/o that error.

What happens if you run /usr/sbin/iptables ? Post the error messages.

BTW, /usr/sbin isn't in the normal user $PATH.

Well I'm logged on as the root user and have tried what you have told me. But it still comes up with this error message.

Quote:

modprobe: Can't locate module ip_tables

iptables v1.26a: can't initialize iptables table 'filter': iptables who? (do you need to insmod)

Prehaps iptables or your kernel needs to upgraded.

pickledbeans · 07-08-2002, 12:39 AM

X11, frst things first. did that command work?

The short answer is I don't know, I'm concerned with
helping you find iptables?

If so then you need to change you path statement.

My suggeston would be to break the script down into pieces and test it that way.

Have you checked out the iptable howto on:
http://tldp.org