Linux - Security (LinuxQuestions.org): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am trying to make my own firewall with iptables, but I have run into a problem.
I only need a very basic kind of firewall, but I decided to add something
else: I want my firewall to be able to log and block portscans, because I have experienced some portscans. So I found a ready-made firewall on the web which allows that. Then I modified my own firewall with the one I found, and now I get a problem I don't understand...
When I run the firewall I get this error:
Code:
* FireWall Starting ... ...
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
My firewall :
Code:
#!/bin/sh
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -A INPUT -m state --state established -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -N check-flags
$IPTABLES -F check-flags
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
--limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \
5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
-m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit \
--limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
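As an added illustration (not code from the thread), the following Python simulates how the check-flags chain above classifies a TCP segment: `--tcp-flags MASK COMP` looks only at the flags named in MASK and matches when exactly the flags in COMP are set, and the chain is walked top to bottom. The rule table mirrors the LOG/DROP pairs in the posted script; the limit match is left out because it only throttles the LOG rule.

```python
# Added example (not from the thread): simulates how the check-flags chain in
# the posted script evaluates a TCP segment.  "--tcp-flags MASK COMP" looks
# only at the flags named in MASK and matches when exactly the flags in COMP
# are set.  Rules are walked in order; the first LOG rule that matches names
# the packet and the DROP rule right after it discards it.

ALL = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})  # iptables' "ALL"

def parse_flags(spec):
    """Turn an iptables flag list ('FIN,URG,PSH', 'ALL', 'NONE') into a set."""
    if spec == "ALL":
        return ALL
    if spec == "NONE":
        return frozenset()
    return frozenset(spec.split(","))

def tcp_flags_match(packet_flags, mask, comp):
    """The --tcp-flags test: (flags & MASK) == COMP."""
    return (frozenset(packet_flags) & parse_flags(mask)) == parse_flags(comp)

# The LOG/DROP pairs of the check-flags chain, in script order:
# (MASK, COMP, log prefix).  The limit match is left out: it only throttles
# the LOG rule, and the DROP rule that follows each one has no rate limit.
CHECK_FLAGS_RULES = [
    ("ALL", "FIN,URG,PSH", "NMAP-XMAS:"),
    ("ALL", "ALL", "XMAS:"),
    ("ALL", "SYN,RST,ACK,FIN,URG", "XMAS-PSH:"),
    ("ALL", "NONE", "NULL_SCAN:"),
    ("SYN,RST", "SYN,RST", "SYN/RST:"),
    ("SYN,FIN", "SYN,FIN", "SYN/FIN:"),
]

def check_flags(packet_flags):
    """Log prefix of the rule that drops the segment, or None when the chain
    falls through and the segment returns to the calling chain (INPUT etc.)."""
    for mask, comp, prefix in CHECK_FLAGS_RULES:
        if tcp_flags_match(packet_flags, mask, comp):
            return prefix
    return None

if __name__ == "__main__":
    # A normal SYN and a data segment pass; the scan signatures are dropped.
    for flags in ({"SYN"}, {"ACK", "PSH"}, set(), {"FIN", "URG", "PSH"},
                  {"SYN", "FIN"}, ALL):
        print(sorted(flags) or "<none>", "->", check_flags(flags) or "pass")
```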
Does the firewall start, or does it just give errors and not start?
To be honest, $IPTABLES -F INPUT and $IPTABLES -P FORWARD DROP
aren't legal rules.
And deleting a rule just after you made it is silly.
Any other rules with $IPTABLES -F are just deleting rules and need the name of a chain to be effective.
Read man iptables and get rid of the illegal rules.
Also, that isn't your whole script. You can't just use $iptables unless you define $iptables somewhere.
Notice how there are 6 lines of errors and 6 lines where you use iptables -P or -F? That's because they aren't legal targets or names of chains. $IPTABLES -F check-flags is legal because it exists; $IPTABLES -F FORWARD/OUTPUT/INPUT are not legal targets or chain names.
Last edited by smoker; 02-18-2010 at 02:38 PM.
Reason: update
Indeed, it isn't the whole script.
Here is the whole init script:
Code:
#!/sbin/runscript
IPTABLES=/sbin/iptables
opts="${opts} showstatus panic"
depend() {
need net
}
start() {
ebegin "FireWall Starting ..."
$IPTABLES -F INPUT
$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -m state --state established -j ACCEPT
#$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -P FORWARD DROP
$IPTABLES -F OUTPUT
$IPTABLES -P OUTPUT ACCEPT
# Detect portscans and act
$IPTABLES -N check-flags
$IPTABLES -F check-flags
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A FORWARD -j check-flags
$IPTABLES -A OUTPUT -j check-flags
$IPTABLES -A INPUT -j check-flags
eend $?
}
stop() {
ebegin "FireWall Stopping ..."
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
eend $?
}
showstatus() {
ebegin "Statut"
$IPTABLES -L -n -v --line-numbers
eend $?
}
panic() {
ebegin "FireWall panic mode launched ..."
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
eend $?
}
restart() {
svc_stop; svc_start
}
showoptions() {
echo "Usage: $0 {start|panic|stop|showstatus}"
echo "start) Start the FireWall"
echo "stop) Stop the FireWall"
echo "showstatus) Display FireWall status."
}
I didn't know I was using illegal iptables rules....
I'm going to see if I can fix it, although it looks weird to me that they are illegal iptables commands.
Are you sure the lines where -F is used are the real problem?
Although they are not legal, they work, because when I comment out
the "portscan" bunch of commands everything works fine....
The two scripts you have posted don't seem to be the same file?
In any case..
The error you are getting is due to an IPTABLES chain that does not exist.
In your firewall script file you are running an IPTABLES command on a chain that does not exist.
$IPTABLES -N CHAINNAME is how you create a chain called "CHAINNAME".
$IPTABLES -F CHAINNAME is to flush any rules appended to the chain, and like someone said, creating a new chain and immediately flushing it does make sense.
If you want to "flush" all chains created (normally when you restart your firewall script), rather put the following at the top of your firewall script:
So go through the whole firewall script file, and maybe check for a misspelled chain name etc.
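An added diagnostic (not from the thread) for the error itself: iptables prints "No chain/target/match by that name." when the kernel rejects a rule because a match (-m) or target (-j) extension is not available, or because a chain named under -A or -j does not exist; -F and -P on the built-in INPUT, FORWARD and OUTPUT chains never produce it. The Python below scans a firewall script and counts, per extension, the rules that need it; the embedded script text is a constructed excerpt of the posted init script, and over the full script it reports six rules for both limit and LOG, the same number as the error lines in the first post.

```python
# Added diagnostic (not from the thread): lists the netfilter extensions a
# firewall script needs.  "-m NAME" pulls in a match extension, "-j NAME" a
# target extension unless NAME is a built-in target or a user-defined chain.
import re
import shlex
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN", "QUEUE"}  # kernel core targets

# Constructed excerpt in the shape of the posted init script (raw string so
# the backslash continuation survives as it would in the file).
SAMPLE_SCRIPT = r"""
$IPTABLES -F INPUT
$IPTABLES -A INPUT -m state --state established -j ACCEPT
$IPTABLES -N check-flags
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
    --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -j check-flags
"""

def iptables_invocations(script_text):
    """Argument lists of every $IPTABLES line, continuation lines joined."""
    text = re.sub(r"\\\n\s*", " ", script_text)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("$IPTABLES "):
            yield shlex.split(line)[1:]

def extensions_used(argv, user_chains):
    """Extensions one invocation depends on, e.g. {'match:limit', 'target:LOG'}."""
    needed = set()
    for i, arg in enumerate(argv[:-1]):
        if arg == "-m":
            needed.add("match:" + argv[i + 1])
        elif arg == "-j" and argv[i + 1] not in BUILTIN_TARGETS | user_chains:
            needed.add("target:" + argv[i + 1])
    if "--tcp-flags" in argv:  # "-p tcp" loads the tcp match implicitly
        needed.add("match:tcp")
    return needed

def extension_report(script_text):
    """Map each required extension to how many rules need it."""
    invocations = list(iptables_invocations(script_text))
    user_chains = {argv[1] for argv in invocations if argv[:1] == ["-N"]}
    report = {}
    for argv in invocations:
        for ext in extensions_used(argv, user_chains):
            report[ext] = report.get(ext, 0) + 1
    return report
```

The reported extensions correspond to kernel modules (xt_limit for limit, ipt_LOG on kernels of that era or xt_LOG from 3.4 on, xt_state for state), so the first thing to check is whether the running kernel has each of them built in or loadable.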
Quote:
Originally Posted by naaman
[quotes the opening post in full]