LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1, 02-18-2010, 01:22 PM
naaman (Member, registered Jun 2006, 84 posts)
iptables commands problem


Hello,

I am trying to make my own firewall with iptables, but I have run into a problem.
I only need a very basic kind of firewall, but I decided to add something else: I want my firewall to be able to log and block portscans, because I have experienced some portscans. So I found a ready-made firewall on the web which allows that. Then I modified my own firewall with the one I found, and now I get a problem I don't understand...

When I run the firewall I get this error:
Code:
* FireWall Starting ... ...
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
My firewall:

Code:
#!/bin/sh
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -A INPUT -m state --state established -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD

$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT

$IPTABLES -N check-flags
$IPTABLES -F check-flags
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
      --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \
      5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
      -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit \
      --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
      --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
      --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
Could you help me?

thanks,
 
#2, 02-18-2010, 02:30 PM
smoker (Senior Member, registered Oct 2004, distribution: Fedora Core 4, 12, 13, 14, 15, 17, 2,279 posts)
Does the firewall start, or does it just give errors and not start?

To be honest, $IPTABLES -F INPUT and $IPTABLES -P FORWARD DROP
aren't legal rules.
And deleting a rule just after you made it is silly.
Any other rules with $IPTABLES -F are just deleting rules and need the name of a chain to be effective.

Read man iptables and get rid of the illegal rules.

http://www.netfilter.org/documentation/

Also, that isn't your whole script. You can't just use $iptables unless you define $iptables somewhere.

Notice how there are 6 lines of errors and 6 lines where you use iptables -P or -F? That's because they aren't legal targets or names of chains. $IPTABLES -F check-flags is legal because it exists; $IPTABLES -F FORWARD/OUTPUT/INPUT are not legal targets or chain names.

Last edited by smoker; 02-18-2010 at 02:38 PM. Reason: update
 
#3, 02-18-2010, 04:11 PM
naaman (Member, original poster, registered Jun 2006, 84 posts)
Indeed, it isn't the whole script.
Here is the whole init script:

Code:
#!/sbin/runscript
IPTABLES=/sbin/iptables

opts="${opts} showstatus panic"

depend() {
  need net
}

start() {
  ebegin "FireWall Starting ..."
  $IPTABLES -F INPUT
  $IPTABLES -P INPUT DROP
  $IPTABLES -A INPUT -m state --state established -j ACCEPT
  
  #$IPTABLES -A INPUT -i lo -j ACCEPT

  $IPTABLES -F FORWARD
  $IPTABLES -P FORWARD DROP

  $IPTABLES -F OUTPUT
  $IPTABLES -P OUTPUT ACCEPT

  # Detect portscans and act
  $IPTABLES -N check-flags
  $IPTABLES -F check-flags
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP 
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

  $IPTABLES -A FORWARD -j check-flags
  $IPTABLES -A OUTPUT -j check-flags
  $IPTABLES -A INPUT -j check-flags

  eend $?
}

stop() {
  ebegin "FireWall Stopping ..."
  $IPTABLES -F
  $IPTABLES -t nat -F
  $IPTABLES -X
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P INPUT   ACCEPT
  $IPTABLES -P OUTPUT  ACCEPT
  eend $?
}

showstatus() {
  ebegin "Status"
  $IPTABLES -L -n -v --line-numbers
  eend $?
}

panic() {
  ebegin "FireWall panic mode launched ..."
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -t nat -F
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT   DROP
  $IPTABLES -P OUTPUT  DROP
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  eend $?
}

restart() {
  svc_stop; svc_start
}

showoptions() {
  echo "Usage: $0 {start|panic|stop|showstatus}"
  echo "start)      Start the FireWall"
  echo "stop)       Stop the FireWall"
  echo "showstatus) Display FireWall status."
}
I didn't know I was using illegal iptables rules....
I'm going to see if I can fix it, although it looks weird to me that they are illegal iptables commands.

Last edited by naaman; 02-18-2010 at 04:35 PM.
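The message "iptables: No chain/target/match by that name" is what iptables prints when a chain, a match extension (such as limit or state) or a target extension (such as LOG) is not available in the running kernel; note that the six failing lines correspond to the six rules in the script above that use -m limit together with -j LOG. As an added example (not code from the thread), the shell function below reads a rule file, collects the extensions it needs, and compares them against the lists the kernel exposes in /proc/net/ip_tables_matches and /proc/net/ip_tables_targets. The names check_extensions and demo_run are mine, and the rule file and extension lists in demo_run are constructed sample input standing in for the real /proc files.

```shell
#!/bin/sh
# Added example (not from the thread): list the match/target extensions an
# iptables rule script uses and report the ones the kernel has not registered.
# Loaded extensions are listed in /proc/net/ip_tables_matches and
# /proc/net/ip_tables_targets (assumes the ip_tables module is loaded);
# "No chain/target/match by that name" is what iptables prints when one is absent.

# check_extensions RULES MATCHES TARGETS: RULES holds one "$IPTABLES ..." rule
# per line, MATCHES/TARGETS are the two /proc files above (or copies of them).
# Prints each missing "match NAME" / "target NAME" once; returns 1 if any.
check_extensions() {
  awk -v mfile="$2" -v tfile="$3" '
    BEGIN {
      while ((getline n < mfile) > 0) have["match " n] = 1
      while ((getline n < tfile) > 0) have["target " n] = 1
      builtin["ACCEPT"] = builtin["DROP"] = builtin["RETURN"] = builtin["QUEUE"] = 1
    }
    # pass 1 (file read twice): chains created with -N are valid jump targets
    FNR == NR { for (i = 1; i < NF; i++) if ($i == "-N") chain[$(i+1)] = 1; next }
    # pass 2: -m needs a match, -j needs a target unless built in or user-defined;
    # -p tcp/udp counts as a match since e.g. --tcp-flags loads the tcp module
    {
      for (i = 1; i < NF; i++) {
        key = ""
        if ($i == "-m") key = "match " $(i+1)
        else if ($i == "-p" && $(i+1) ~ /^(tcp|udp)$/) key = "match " $(i+1)
        else if ($i == "-j" && !($(i+1) in builtin) && !($(i+1) in chain)) key = "target " $(i+1)
        if (key != "" && !(key in have) && !(key in seen)) { seen[key] = 1; print key; missing++ }
      }
    }
    END { exit (missing > 0) }
  ' "$1" "$1"
}

# demo_run: constructed input modelled on the thread's check-flags chain, on a
# (constructed) kernel that has tcp, state and LOG but not the limit match.
demo_run() {
  d=$(mktemp -d)
  cat > "$d/rules" <<'EOF'
$IPTABLES -A INPUT -m state --state established -j ACCEPT
$IPTABLES -N check-flags
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-prefix "NULL_SCAN:"
$IPTABLES -A INPUT -j check-flags
EOF
  printf 'tcp\nstate\n' > "$d/matches"
  printf 'LOG\n' > "$d/targets"
  check_extensions "$d/rules" "$d/matches" "$d/targets" && rc=0 || rc=$?
  rm -rf "$d"; return $rc
}
```

On a real box, run check_extensions against the script and the two /proc files as root; a reported match or target is the module to build or load (for example with modprobe) before the rules can be inserted.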
 
#4, 02-18-2010, 04:34 PM
naaman (Member, original poster, registered Jun 2006, 84 posts)
Are you sure the lines where -F is used are the real problem?
Although they are not legal, they work, because when I comment out
the "portscan" bunch of commands everything works fine....
 
#6, 02-22-2010, 01:55 AM
linuxgurusa (Member, registered Mar 2008, location: Namibia, Swakopmund, distribution: Redhat, Fedora, Centos, ClearOS, Mandrake, 151 posts)
The two scripts you have posted don't seem to be the same file?

In any case...

The error you are getting is due to an IPTABLES chain that does not exist.

In your firewall script file you are running an IPTABLES command on a chain that does not exist.

$IPTABLES -N CHAINNAME is how you create a chain called "CHAINNAME".

$IPTABLES -F CHAINNAME is to flush any rules appended to the chain, and, like someone said, creating a new chain and immediately flushing it does make sense.

If you want to "flush" all chains created (normally when you restart your firewall script), rather put the following at the top of your firewall script:

$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

So go through the whole firewall script file, and maybe check for a misspelled chain name etc.


 
#7, 02-23-2010, 02:20 AM
naaman (Member, original poster, registered Jun 2006, 84 posts)
Yes, I changed the init script a bit since last time.

Thanks for your help, I'm going to check the --tcp-flags flags. Maybe one of them is not correct....

I'll keep you posted.
All times are GMT -5. The time now is 08:56 PM.