LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-19-2006, 01:31 AM   #1
kramer2718
Member
 
Registered: Jul 2006
Posts: 46

Rep: Reputation: 15
Iptables issues


Hi. I'm trying to configure iptables using iptables-restore and am getting some funny behavior.

When I #iptables-restore < /etc/iptables.config

Where iptables.config is:
Code:
# Generated by iptables-save v1.3.5 on Fri Aug 18 21:43:15 2006
*filter

:INPUT ACCEPT [5:6346]
:FORWARD ACCEPT [6345:6346]
:OUTPUT ACCEPT [1317:211762]

# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT

# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT




#Allow limewire
-A INPUT -p tcp --dport 6346 -j ACCEPT
-A INPUT -p udp --dport 6346 -j ACCEPT
-A INPUT -p tcp --dport 6345 -j ACCEPT
-A INPUT -p udp --dport 6345 -j ACCEPT



# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable

COMMIT
I get
iptables-restore: line 32 failed

Line 32 is the COMMIT. If I put a COMMIT anywhere else, it fails there. If I don't put a commit, it tells me commit expected. I can run the rules individually with the command iptables. I guess that alternatively, I could rewrite this as a shell script, but don't know how to express the rule :INPUT ACCEPT [5:6346] as arguments to iptables.

Any help?

Thanks.
 
Old 08-19-2006, 07:45 AM   #2
SlackDaemon
Member
 
Registered: Mar 2006
Distribution: RedHat, Slackware, Experimenting with FreeBSD
Posts: 222

Rep: Reputation: 30
Hi,

you don't need to worry about the :INPUT ACCEPT [5:6346] entry. These just record the packet hits and drops for the particular firewall table in question and can be ignored when writing your rules.

You can rewrite the firewall rules using iptables and then save them permanently with:

service iptables save

Best of luck
 
Old 08-19-2006, 10:49 AM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by kramer2718
Hi. I'm trying to configure iptables using iptables-restore and am getting some funny behavior.

When I #iptables-restore < /etc/iptables.config

Where iptables.config is:
Code:
# Generated by iptables-save v1.3.5 on Fri Aug 18 21:43:15 2006
*filter

:INPUT ACCEPT [5:6346]
:FORWARD ACCEPT [6345:6346]
:OUTPUT ACCEPT [1317:211762]

# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT

# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT




#Allow limewire
-A INPUT -p tcp --dport 6346 -j ACCEPT
-A INPUT -p udp --dport 6346 -j ACCEPT
-A INPUT -p tcp --dport 6345 -j ACCEPT
-A INPUT -p udp --dport 6345 -j ACCEPT



# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable

COMMIT
I get
iptables-restore: line 32 failed

Line 32 is the COMMIT. If I put a COMMIT anywhere else, it fails there. If I don't put a commit, it tells me commit expected. I can run the rules individually with the command iptables. I guess that alternatively, I could rewrite this as a shell script, but don't know how to express the rule :INPUT ACCEPT [5:6346] as arguments to iptables.

Any help?

Thanks.
it's a very bad idea to edit your iptables config file manually... you should really just stick to a shell script, and then let iptables-save and iptables-restore take care of your config file...

also, keep in mind that, since you have your INPUT policy set to ACCEPT, all your INPUT ACCEPT rules are basically pointless...

here's a script i made for you which will set things the way i think you intended for them to be above:
Code:
#!/bin/sh

IPT="/sbin/iptables"
IFACE="eth0"   # editor's placeholder: the posted script never sets IFACE; put your external interface name here

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p TCP -i $IFACE --dport 6345 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p UDP -i $IFACE --dport 6345 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $IFACE --dport 6346 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p UDP -i $IFACE --dport 6346 \
-m state --state NEW -j ACCEPT
after executing the script, do a:
Code:
iptables-save > /etc/iptables.config
to save your new config... remember that you do not want to edit /etc/iptables.config manually!!! if you need to make changes to the configuration, edit the script, execute it, and then use iptables-save to update the config file...

Last edited by win32sux; 08-19-2006 at 11:53 PM.
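Two things in this thread come down to checking the file's structure before loading it: win32sux's point that "-j ACCEPT" rules under an ACCEPT policy do nothing, and the poster's trouble getting a hand-edited file past iptables-restore. The script below is an added example written for this page, not code from the thread or from the iptables project. It is a read-only checker, in POSIX sh and awk, for an iptables-save style file: it verifies that every `*table` is closed by `COMMIT`, that every `-A` rule names a chain declared with `:CHAIN POLICY [packets:bytes]`, and it flags ACCEPT rules in chains whose policy is already ACCEPT. The three rulesets it writes are constructed for the demonstration; the file format is the one shown in the thread. It never calls iptables, so it runs unprivileged and cannot tell you why the kernel refused a rule at COMMIT (the thread's actual error); newer iptables releases have `iptables-restore --test` for a parse-only dry run against the real modules.

```shell
#!/bin/sh
# Added example, not from the thread: a read-only pre-flight check for an
# iptables-save style file before it is handed to iptables-restore.
# It reports:
#   - a COMMIT that closes no table, or a *table with no COMMIT
#   - "-A" rules that append to a chain never declared with ":NAME POLICY [p:b]"
#   - "-j ACCEPT" rules in a chain whose policy is already ACCEPT (redundant:
#     such a chain accepts whatever falls off the end of it anyway)
# Line numbers count every line of the file, which is how iptables-restore
# reports them ("line 32 failed"). Only -A rules are understood (that is all
# iptables-save emits); anything else is flagged as unrecognised.

check_ruleset() {
    # $1: path to the ruleset file. Exit status 1 on structural errors,
    # 0 otherwise (redundancy findings are printed but are not errors).
    awk '
    BEGIN { bad = 0; open = 0 }
    /^[ \t]*$/ || /^#/ { next }                # blank lines and comments are fine
    /^\*/ {                                    # "*filter": a new table starts
        if (open) { print table ": missing COMMIT before *" substr($0, 2); bad = 1 }
        table = substr($0, 2); open = 1
        split("", policy); split("", declared)
        next
    }
    /^:/ {                                     # ":INPUT ACCEPT [5:6346]" declares a chain
        name = substr($1, 2); policy[name] = $2; declared[name] = 1; next
    }
    /^COMMIT$/ {
        if (!open) { print "line " NR ": COMMIT without a preceding *table"; bad = 1 }
        open = 0; next
    }
    /^-A / {
        chain = $2
        if (!open) { print "line " NR ": rule outside any table"; bad = 1 }
        if (!declared[chain]) { print table ": line " NR " appends to undeclared chain " chain; bad = 1 }
        if (policy[chain] == "ACCEPT" && $0 ~ /-j ACCEPT( |$)/)
            print table ": line " NR " is a -j ACCEPT rule in " chain ", whose policy is already ACCEPT (redundant)"
        next
    }
    { print "line " NR ": unrecognised line: " $0; bad = 1 }
    END {
        if (open) { print table ": missing COMMIT"; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample: the shape of the poster's file (default-accept INPUT).
write_accept_policy_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real iptables-save dump
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Constructed sample: the same idea with default-deny INPUT and FORWARD, as in
# the script in the post above. Every ACCEPT rule now does work, so nothing is flagged.
write_drop_policy_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: a table that is never closed by COMMIT.
write_missing_commit_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
EOF
}

f=$(mktemp)
for sample in write_accept_policy_sample write_drop_policy_sample write_missing_commit_sample; do
    "$sample" "$f"
    echo "== $sample =="
    check_ruleset "$f" || echo "(structural errors: do not feed this to iptables-restore)"
done
rm -f "$f"
```

Run it as `sh checker.sh` (or source it and call `check_ruleset /etc/iptables.config`). The first sample produces three "redundant" findings and a clean exit, because a default-accept INPUT chain makes the explicit ACCEPT rules decorative; the second, with a DROP policy, is silent; the third exits non-zero for the missing COMMIT. The redundancy check is reported rather than failed on purpose: such a file loads fine, it just does not protect anything, which is the more important problem to notice.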