iptables: Bad policy name
 

I am running Redhat 8.0 for a router/firewall for my home office (this is a continuation of a post I made to the network forum entitled no connection on redhat 8.0 at http://www.linuxquestions.org/questi...threadid=39319

Three components of office network are:

A. FIREWALL /DNS server with three NIC's
eth0 IP Address: 10.1.1.1 (connection to local network)
eth1 IP Address: xxx.xxx.xxx.xxx (connection to the internet)
eth2 IP Address: 10.1.10.1 (connection to Apache server only)

B. APACHE SERVER
eth0 IP Address: 10.1.10.2

C. WORKSTATION
eth0 IP Address: 10.1.1.2

now that i have a connection, i'm running into trouble with my firewall rules. i adapted a firewall rules set from the bastille.org site. see
http://www.bastille-linux.org/jay/soho-iptables-nat.txt
and
http://www.bastille-linux.org/jay/bu...-firewall.html

i have made some modifications to the original script in response to error messages from running the shell script. For example, I deleted the $ from the variables that were in the orginal script pursuant to the suggestion of another user. this change and the other changes have greatly reduced the number of error messages. The other changes were made based on the Linux IP Masquerade HOWTO at
http://www.e-infomax.com/ipmasq/

when running the script, i now get the following errors.
quote:iptables: Bad policy name
iptables: Bad policy name
iptables v1.2.6a: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.

The current script follows:

#!/bin/bash
# Model SOHO firewall adaped from SP article
# by Jay Beale (jay@bastille-linux.org)
#
# Warning: you're going to have to hack this for your own purposes.
#assumptions:
#Kernel IP routing table
# Destination Gateway Genmask Flags Metric Ref Use Iface
# 10.1.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
# $INTERNET 0.0.0.0 255.255.255.0 U 0 0 0 eth1
# 10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
# 127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
# 0.0.0.0 external ISP gw 0.0.0.0 UG 0 0 0 eth1
#
# ie, internal network is 10.1.1.0/24 on eth0
# our gateway's IP address is 10.1.1.1
#
# Additionally:
# we have another internal network, a DMZ: 10.1.10.0/24 on eth2
#
INTERNAL_IP=10.1.1.1
INTERNAL_NET=10.1.1.0/24

# a routable IP address assigned by ISP
INTERNET=xxx.xxx.xxx.xxx

DMZ=10.1.10.0/24
#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal"
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables above. For example:
#
# EXTIF="ppp0"
#
# if you are a modem user.
#
EXTIF="eth1"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

# The location of the iptables and kernel module programs
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp

echo -en " loading modules: "

# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP
#
echo " clearing any existing rules and setting default policy.."

# Set default policies for packets going through this firewall box

iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
iptables -P FORWARD DROP

# Set default policies for packet entering this box

iptables -P OUTPUT ALLOW
iptables -P INPUT ALLOW

# Kill spoofed packets

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done

# Anything coming from our internal network should have only our addresses!
iptables -A FORWARD -i eth0 -s ! $INTERNAL_NET -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth1 -s 10.0.0.0/8 -j DROP

# Note: There are more reserved networks, but these are the classical ones.

# Block outgoing network filesharing protocols that aren't designed
# to leave the LAN

# SMB / Windows filesharing
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# NFS Mount Service (TCP/UDP 635)
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
# NFS (TCP/UDP 2049)
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
# Portmapper (TCP/UDP 111)
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP

# Block incoming syslog, lpr, rsh, rexec...
iptables -A FORWARD -i eth1 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth1 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth1 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth1 -p tcp --dport 512 -j DROP

###
# Transparently proxy all web-surfing through Squid box (commented out)

#$SQUID = 192.168.1.2:8080
#$SQUIDSSL = 192.168.1.2:443
#iptables -t nat -A PREROUTING -i eth1 -tcp --dport 80 -j DNAT --to $SQUID
#iptables -t nat -A PREROUTING -i eth1 -tcp --dport 443 -j DNAT --to $SQUIDSSL

# Transparently forward all outgoing mail to a relay host (commented out)

#$SMTP = 192.168.1.3
#iptables -t nat -A PREROUTING -i eth1 -tcp --dport 25 -j DNAT --to $SMTP

# Transparently redirect web connections from outside to the DMZ web
# server

DMZ_WEB=10.1.10.2
iptables -t nat -A PREROUTING -i eth1 -d xxx.xxx.xxx.xxx -dport 80 -j DNAT --to $DMZ_WEB eth2
# Source NAT to get Internet traffic through
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to $INTERNET

# STATEFUL PART!
# Allow all remaining packets out of our network
iptables -A FORWARD -m state --state NEW -i eth1 -s $INTERNAL_NET -j ACCEPT

# Optionally, only allow remaining packets out of network if they're from
# known MAC addresses:
#
# iptables -A FORWARD -m state --state NEW -m mac --mac-source 00:60:08:91:CC:B7 -j ACCEPT
#

# Allow the associated packets with those connections back in.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth0 -s ! $INTERNAL_NET -j ACCEPT

# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward
# End

I don't think there's such a thing as ALLOW, it should be....

iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT

iptables v1.2.6a: multiple -d flags not allowed
 

Thanks niknah. your really know your stuff. i was staring at the screen for hours and missed that. your suggestion eliminated the "bad policy" error.

That leaves only the "iptables v1.2.6a: multiple -d flags not allowed" error. i'm doing google searches to see which -d flags are allowed. for example, is line 139 an example of multiple -d flags? It appears from my research that I need to modify the reference to -dport 80 to --dport 80. does that make any sense to anyone? i'm not at my linux box right now so i can't test this theory.

also, i wonder if anyone knows the correct way to specify the eth2 interface as a variable. from the HOWTO i used the EXTIF="eth1" format at line 46 and 47 but i don't have a reference to my eth2 nic interface. if you notice, I have a reference to a third NIC at line 139. the way line 139 reads now I have it defined in a policy statement (see quote above). if this was to be a truely portable firewall to be reused by others, we should be consistent in defining the variable across the board. otherwise, it will easily break when others attempt modifications. can i just arbitrarily create a variable for the nic interface for my DMZ like INTIF_DMZ="eth2"?

yes --dport should fix it.

INTIF_DMZ=eth2 is fine, but there's no usage of EXTIF in your script anyways.

niknah:
thanks again for your knowledgeable posts (i've seen some of your contributions around the site). i'll post back with results when i get to my linux box late this evening or early tomorrow am.

regarding the variables, i'd like to integrate variables (e.g. EXTIF="eth1" and INTIF="eth0") as much as possible within these rules so that someone could basically put all the variables at the top of the file, substitute in the correct variables, place the file on their own firewall and make it fly with a couple of adjustments. i've seen a lot of requests for similar configurations for homeoffices with a apache or webmail server but not a lot of current materials available. making the modular with variables, of course, presupposes tightening up the security afforded by the rules. I'd also like to the file lenght to 100 lines. you seem very knoweldeable about these things. is that a something you would be interested in?

thank you :)

before you start doing something, you may want to search to see if there's something like what you want out there already, freshmeat.net has lots of them.

Unknown arg `--dport'
 

can anyone help me with this error message. the following line in my firewall rule script (please note the xxx.xxx.xxx.xxx = my external IP address):

iptables -t nat -A PREROUTING -i eth1 -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to $DMZ_WEB eth2

generates this error message:
iptables v1.2.6a: Unknown arg `--dport'

i edited this line previously to add the extra "-" to the flag because -dport generated the error message: "iptables v1.2.6a: multiple -d flags not allowed"

Since --dport is a tcp extension, you will have to specify the protocol being used with --protocol.

So try:

iptables -t nat -A PREROUTING -i eth1 --protocol tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to $DMZ_WEB eth2

Good luck.

iptables error message 80 is an unknown arg
 

Thanks biosx. that was the solution. thank you to you and all the others who have helped.

now that i've gotten my basic firewall set, i'm still working on some enhancements related to my apache server.

i'm trying to add a rule to allow traffic to an apache server attached to my firewall on a third nic interface which i have defined by the variable $DMZ_IFACE. I want the packet to come in through my Internet interface ($INET_IFACE) through the $DMZ_IFACE to my apache server with a static IP defined as a variable called $DMZ_HTTP_IP. When i run the firewall with these two new lines on the script, i get the error message 80 is an "unknown arg." can any one help me with some suggestions?

check the bit before "--dport 80", it's probably an empty variable so the arguments is maybe being processed something like "-d --dport 80"

IP tables error message solved: Unknown arg `--to-destination
 

Thanks Niknah! I had failed to uncomment the variable for the DMZ_HTTP_IP variable.

This same problem caused the destination nat error messages for the following rules. Since I have not yet set up my dns server, i commented out the variable for the $DMZ_DNS_IP and the null value caused the destination error message.

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_IP

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP

$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP