iptables: Bad policy name
I am running Redhat 8.0 for a router/firewall for my home office (this is a continuation of a post I made to the network forum entitled no connection on redhat 8.0 at http://www.linuxquestions.org/questi...threadid=39319
Three components of office network are: A. FIREWALL /DNS server with three NIC's eth0 IP Address: 10.1.1.1 (connection to local network) eth1 IP Address: xxx.xxx.xxx.xxx (connection to the internet) eth2 IP Address: 10.1.10.1 (connection to Apache server only) B. APACHE SERVER eth0 IP Address: 10.1.10.2 C. WORKSTATION eth0 IP Address: 10.1.1.2 now that i have a connection, i'm running into trouble with my firewall rules. i adapted a firewall rules set from the bastille.org site. see http://www.bastille-linux.org/jay/soho-iptables-nat.txt and http://www.bastille-linux.org/jay/bu...-firewall.html i have made some modifications to the original script in response to error messages from running the shell script. For example, I deleted the $ from the variables that were in the orginal script pursuant to the suggestion of another user. this change and the other changes have greatly reduced the number of error messages. The other changes were made based on the Linux IP Masquerade HOWTO at http://www.e-infomax.com/ipmasq/ when running the script, i now get the following errors. quote:iptables: Bad policy name iptables: Bad policy name iptables v1.2.6a: multiple -d flags not allowed Try `iptables -h' or 'iptables --help' for more information. The current script follows: #!/bin/bash # Model SOHO firewall adaped from SP article # by Jay Beale (jay@bastille-linux.org) # # Warning: you're going to have to hack this for your own purposes. 
#assumptions:
#Kernel IP routing table
# Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
# 10.1.10.0       0.0.0.0         255.255.255.0   U     0      0        0 eth2
# $INTERNET       0.0.0.0         255.255.255.0   U     0      0        0 eth1
# 10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
# 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
# 0.0.0.0         external ISP gw 0.0.0.0         UG    0      0        0 eth1
#
# ie, internal network is 10.1.1.0/24 on eth0
# our gateway's IP address is 10.1.1.1
#
# Additionally:
# we have another internal network, a DMZ: 10.1.10.0/24 on eth2
#
INTERNAL_IP=10.1.1.1
INTERNAL_NET=10.1.1.0/24
# a routable IP address assigned by ISP
INTERNET=xxx.xxx.xxx.xxx
DMZ=10.1.10.0/24

#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network.  The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal"
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
#       change the EXTIF or INTIF variables above. For example:
#
#          EXTIF="ppp0"
#
#       if you are a modem user.
#
EXTIF="eth1"
INTIF="eth0"
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

# The location of the iptables and kernel module programs
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod

# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
echo -en "   loading modules: "

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
#    The default for FORWARD is DROP
#
echo "   clearing any existing rules and setting default policy.."

# Set default policies for packets going through this firewall box
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
iptables -P FORWARD DROP

# Set default policies for packet entering this box
iptables -P OUTPUT ALLOW
iptables -P INPUT ALLOW

# Kill spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

# Anything coming from our internal network should have only our addresses!
iptables -A FORWARD -i eth0 -s ! $INTERNAL_NET -j DROP

# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth1 -s 10.0.0.0/8 -j DROP
# Note: There are more reserved networks, but these are the classical ones.

# Block outgoing network filesharing protocols that aren't designed
# to leave the LAN

# SMB / Windows filesharing
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# NFS Mount Service (TCP/UDP 635)
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
# NFS (TCP/UDP 2049)
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
# Portmapper (TCP/UDP 111)
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP

# Block incoming syslog, lpr, rsh, rexec...
iptables -A FORWARD -i eth1 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth1 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth1 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth1 -p tcp --dport 512 -j DROP

###
# Transparently proxy all web-surfing through Squid box (commented out)
#$SQUID = 192.168.1.2:8080
#$SQUIDSSL = 192.168.1.2:443
#iptables -t nat -A PREROUTING -i eth1 -tcp --dport 80 -j DNAT --to $SQUID
#iptables -t nat -A PREROUTING -i eth1 -tcp --dport 443 -j DNAT --to $SQUIDSSL

# Transparently forward all outgoing mail to a relay host (commented out)
#$SMTP = 192.168.1.3
#iptables -t nat -A PREROUTING -i eth1 -tcp --dport 25 -j DNAT --to $SMTP

# Transparently redirect web connections from outside to the DMZ web
# server
DMZ_WEB=10.1.10.2
iptables -t nat -A PREROUTING -i eth1 -d xxx.xxx.xxx.xxx -dport 80 -j DNAT --to $DMZ_WEB eth2

# Source NAT to get Internet traffic through
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to $INTERNET

# STATEFUL PART!
# Allow all remaining packets out of our network
iptables -A FORWARD -m state --state NEW -i eth1 -s $INTERNAL_NET -j ACCEPT

# Optionally, only allow remaining packets out of network if they're from
# known MAC addresses:
#
# iptables -A FORWARD -m state --state NEW -m mac --mac-source 00:60:08:91:CC:B7 -j ACCEPT
#

# Allow the associated packets with those connections back in.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i eth0 -s ! $INTERNAL_NET -j ACCEPT

# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward

# End
I don't think there's such a thing as ALLOW, it should be....
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables v1.2.6a: multiple -d flags not allowed
Thanks niknah. You really know your stuff. I was staring at the screen for hours and missed that. Your suggestion eliminated the "bad policy" error.
That leaves only the "iptables v1.2.6a: multiple -d flags not allowed" error. I'm doing Google searches to see which -d flags are allowed. For example, is line 139 an example of multiple -d flags? Quote:
Also, I wonder if anyone knows the correct way to specify the eth2 interface as a variable. From the HOWTO I used the EXTIF="eth1" format at lines 46 and 47, but I don't have a reference to my eth2 NIC interface. If you notice, I have a reference to a third NIC at line 139. The way line 139 reads now, I have it defined in a policy statement (see quote above). If this was to be a truly portable firewall to be reused by others, we should be consistent in defining the variable across the board; otherwise, it will easily break when others attempt modifications. Can I just arbitrarily create a variable for the NIC interface for my DMZ, like INTIF_DMZ="eth2"?
Yes, --dport should fix it.
INTIF_DMZ=eth2 is fine, but there's no usage of EXTIF in your script anyway.
niknah:
Thanks again for your knowledgeable posts (I've seen some of your contributions around the site). I'll post back with results when I get to my Linux box late this evening or early tomorrow am. Regarding the variables, I'd like to integrate variables (e.g. EXTIF="eth1" and INTIF="eth0") as much as possible within these rules, so that someone could basically put all the variables at the top of the file, substitute in the correct values, place the file on their own firewall and make it fly with a couple of adjustments. I've seen a lot of requests for similar configurations for home offices with an Apache or webmail server, but not a lot of current materials available. Making the rules modular with variables, of course, presupposes tightening up the security afforded by the rules. I'd also like to keep the file length to 100 lines. You seem very knowledgeable about these things. Is that something you would be interested in?
Thank you :)
Before you start doing something, you may want to search to see if there's something like what you want out there already; freshmeat.net has lots of them.
Unknown arg `--dport'
Can anyone help me with this error message? The following line in my firewall rule script (please note that xxx.xxx.xxx.xxx = my external IP address):

iptables -t nat -A PREROUTING -i eth1 -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to $DMZ_WEB eth2

generates this error message:

iptables v1.2.6a: Unknown arg `--dport'

I edited this line previously to add the extra "-" to the flag, because -dport generated the error message: "iptables v1.2.6a: multiple -d flags not allowed".
Since --dport is a tcp extension, you will have to specify the protocol being used with --protocol.
So try:

iptables -t nat -A PREROUTING -i eth1 --protocol tcp -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to $DMZ_WEB eth2

Good luck.
iptables error message 80 is an unknown arg
Thanks biosx. That was the solution. Thank you to you and all the others who have helped.
Now that I've gotten my basic firewall set, I'm still working on some enhancements related to my Apache server. I'm trying to add a rule to allow traffic to an Apache server attached to my firewall on a third NIC interface, which I have defined by the variable $DMZ_IFACE. I want the packet to come in through my Internet interface ($INET_IFACE) and through the $DMZ_IFACE to my Apache server, with a static IP defined as a variable called $DMZ_HTTP_IP. When I run the firewall with these two new lines in the script, I get the error message "80 is an unknown arg." Can anyone help me with some suggestions? Quote:
Check the bit before "--dport 80"; it's probably an empty variable, so the arguments are maybe being processed as something like "-d --dport 80".
IP tables error message solved: Unknown arg `--to-destination
Thanks Niknah! I had failed to uncomment the variable for the DMZ_HTTP_IP variable.
This same problem caused the destination NAT error messages for the following rules. Since I have not yet set up my DNS server, I commented out the variable for $DMZ_DNS_IP, and the null value caused the destination error message.

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 -j DNAT --to-destination $DMZ_DNS_IP
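The three errors worked through in this thread (a bare `--dport` without `-p tcp`, and an unset variable that collapses a rule into `-d --dport 80`) are both caught mechanically in the script below. It is an added example, not the poster's script or the Bastille original, and it rewrites only the DMZ port-forward and LAN-to-Internet sections with every interface and address as a variable at the top. The interface names and addresses are assumptions that follow the layout described in the thread (`INET_IP` uses an RFC 5737 documentation address in place of the real ISP-assigned one), and `DMZ_DNS_IP` is deliberately left unset to show the check failing. Two things it does differently from the posted script, on purpose: source NAT is matched on the external interface (the posted script's `-o eth2` would rewrite traffic toward the DMZ, not toward the ISP), and the nat-table chains are left at their default ACCEPT policy, since the nat table only sees the first packet of a connection and filtering belongs in the filter table's FORWARD chain.

```shell
#!/bin/bash
# Added example, not the poster's script or the Bastille original.
# Interface names and addresses are assumptions following the thread's layout.
set -u   # an unset variable aborts the script instead of silently
         # producing a rule like "-d --dport 80"

INET_IFACE=eth1                  # toward the ISP
LAN_IFACE=eth0                   # 10.1.1.0/24, workstations
DMZ_IFACE=eth2                   # 10.1.10.0/24, Apache only
INET_IP=${INET_IP:-192.0.2.10}   # RFC 5737 placeholder for the ISP address
LAN_NET=10.1.1.0/24
DMZ_HTTP_IP=10.1.10.2
# DMZ_DNS_IP is deliberately not set: require_vars below reports it.

# Dry run by default: rules are printed, not loaded.  To load them:
#   IPTABLES=/sbin/iptables ./dmz-rules.sh
IPTABLES=${IPTABLES:-echo}

# require_vars NAME...: succeed only if every named variable is non-empty.
# This is the check that would have caught the empty $DMZ_HTTP_IP.
require_vars() {
    local name val
    for name in "$@"; do
        eval "val=\${$name:-}"
        if [ -z "$val" ]; then
            echo "error: $name is empty; the rule using it would be malformed" >&2
            return 1
        fi
    done
    return 0
}

# dnat_rule PROTO PORT PUBLIC_IP DMZ_IP: the PREROUTING rule as one line.
# "-p PROTO" must precede "--dport": --dport belongs to the tcp/udp match
# extension, which is why a bare --dport was rejected as an unknown arg.
dnat_rule() {
    local proto=$1 port=$2 public=$3 target=$4
    echo "-t nat -A PREROUTING -i $INET_IFACE -p $proto -d $public --dport $port -j DNAT --to-destination $target"
}

# forward_rule PROTO PORT DMZ_IP: DNAT only rewrites the address; with a
# DROP policy on FORWARD the translated packet still needs an explicit ACCEPT.
forward_rule() {
    local proto=$1 port=$2 target=$3
    echo "-A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p $proto -d $target --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# snat_rule: LAN hosts leave through the external interface, so the
# POSTROUTING match is -o $INET_IFACE, not the DMZ interface.
snat_rule() {
    echo "-t nat -A POSTROUTING -o $INET_IFACE -s $LAN_NET -j SNAT --to-source $INET_IP"
}

apply_rules() {
    require_vars INET_IFACE LAN_IFACE DMZ_IFACE INET_IP LAN_NET DMZ_HTTP_IP || return 1
    $IPTABLES -P FORWARD DROP
    # Published service: Internet -> DMZ web server, and its replies back out
    $IPTABLES $(dnat_rule tcp 80 "$INET_IP" "$DMZ_HTTP_IP")
    $IPTABLES $(forward_rule tcp 80 "$DMZ_HTTP_IP")
    $IPTABLES -A FORWARD -i "$DMZ_IFACE" -o "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outbound from the LAN and replies back in; NEW connections arriving
    # from the Internet toward the LAN match nothing and hit the DROP policy
    $IPTABLES $(snat_rule)
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INET_IFACE" -o "$LAN_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Enable once the DNS server exists; require_vars DMZ_DNS_IP fails until then
    # $IPTABLES $(dnat_rule udp 53 "$INET_IP" "$DMZ_DNS_IP")
}

apply_rules
```

Run it once without `IPTABLES` set and read the printed rules; each one should start with `-t nat` or `-A FORWARD` and contain no adjacent flags with nothing between them. Only then run it with `IPTABLES=/sbin/iptables`. The `require_vars` guard is what turns the thread's silent "80 is an unknown arg" into a message naming the variable that is empty.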