Old 11-03-2012, 04:14 AM   #1
leftism
LQ Newbie
 
Registered: Nov 2012
Posts: 7

Rep: Reputation: Disabled
Iptables error, unknown option --state


Hello. This is my first post here.

I'm trying to set up an iptables firewall, but I get some errors when I run it.

"iptables v1.4.8: unknown option `--state'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.8: unknown option `--state'
Try `iptables -h' or 'iptables --help' for more information."

My iptables firewall looks like this.

# Flush all chains of all rules
iptables -F
# Zero the counters
iptables -Z
# Set the base policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# INPUT SIDE
# Accept all loopback input
iptables -A INPUT -i lo -j ACCEPT

# Allow the three way handshake
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Reject spoofed packets
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP

iptables -A INPUT -s 224.0.0.0/4 -j DROP
iptables -A INPUT -d 224.0.0.0/4 -j DROP
iptables -A INPUT -s 240.0.0.0/5 -j DROP
iptables -A INPUT -d 240.0.0.0/5 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -d 0.0.0.0/8 -j DROP
iptables -A INPUT -d 239.255.255.0/24 -j DROP
iptables -A INPUT -d 255.255.255.255 -j DROP

# Stop smurf attacks
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

# Drop all invalid packets
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Drop excessive RST packets to avoid smurf attacks
iptables -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT

# Attempt to block portscans
# Anyone who tried to portscan us is locked out for an entire day
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Once the day has passed, remove them from the portscan list
iptables -A INPUT -m recent --name portscan --remove
iptables -A FORWARD -m recent --name portscan --remove

# These rules add scanners to the portscan list, and log the attempt
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
iptables -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# Allow the following ports through from outside

# dns server
iptables -A INPUT -p udp -m udp --dport 53 --state NEW -j ACCEPT
# for zone transfers
#iptables -A INPUT -p tcp --dport 53 --syn -s $DNSSLAVE -m state --state NEW -j ACCEPT

# ssh & sftp
iptables -A INPUT -p tcp -m tcp --dport 22 --state NEW,ESTABLISHED -j ACCEPT

# Web server
#iptables -A INPUT -p tcp -m tcp --dport 80 --state NEW,ESTABLISHED -j ACCEPT

# Allow pings through
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT




Which rule creates the error?

Thanks in advance
 
Old 11-03-2012, 04:34 AM   #2
leftism
LQ Newbie
 
Registered: Nov 2012
Posts: 7

Original Poster
Rep: Reputation: Disabled
I found the problem: I was missing -m state in the incoming ssh and dns rules.
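The error in this thread comes from iptables parsing left to right: `--state` belongs to the state match, so it is only recognised after `-m state` appears earlier on the same rule. Below is an added pre-deploy check (not code from the thread or from iptables itself) that lints a rule list for that mistake and patches it; the `SAMPLE_RULES` lines are constructed from the shape of the poster's rules.

```shell
#!/bin/sh
# Added example: lint and repair an iptables rule list for a --state option
# used on a rule that never loaded the state match with "-m state".
# iptables only knows --state after -m state (and --ctstate after
# -m conntrack), which is why it reports "unknown option `--state'".

# Constructed sample modelled on the poster's rules: the first line is
# correct, the other two reproduce the error from the thread.
SAMPLE_RULES='iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 53 --state NEW -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 --state NEW,ESTABLISHED -j ACCEPT'

# Read rules on stdin; print each offender prefixed with "missing ...".
# Returns 0 when every --state/--ctstate has its match module, else 1.
lint_state_rules() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;;          # skip blank lines and comments
        esac
        case "$line" in
            *--state*)                   # option of the state match
                case "$line" in
                    *"-m state"*) ;;
                    *) echo "missing -m state: $line"; bad=1 ;;
                esac ;;
        esac
        case "$line" in
            *--ctstate*)                 # option of the conntrack match
                case "$line" in
                    *"-m conntrack"*) ;;
                    *) echo "missing -m conntrack: $line"; bad=1 ;;
                esac ;;
        esac
    done
    return "$bad"
}

# Read rules on stdin; insert "-m state" before any --state that lacks it.
fix_state_rules() {
    sed '/-m state/!s/ --state / -m state --state /'
}

# Demo: report the two broken lines, then print the repaired list.
printf '%s\n' "$SAMPLE_RULES" | lint_state_rules || :
printf '%s\n' "$SAMPLE_RULES" | fix_state_rules
```

Run it against your own script with `sh lint.sh < firewall.sh` style piping before applying the rules; the repair only handles the `-m state` form, so rules written with `-m conntrack --ctstate` are checked but not rewritten.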