LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
05-12-2003, 03:47 PM   #1   vexer (Member, Slackware)
rc.firewall

I created an rc.firewall and added the following rules:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

# Get 2 to 3 packets fragments before checking.
# (no -j target: this rule matches second-and-later fragments but takes no action)
iptables -A INPUT -f

# Rules for TCP
iptables -A INPUT -p tcp --dport 22 -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p tcp --dport 21 -j DROP
iptables -A INPUT -p tcp --dport 489 -j DROP

# Rules for UDP
iptables -A INPUT -p udp --dport 412 -j DROP

# Stop the icmp whores
# (incomplete as posted: --icmp-type needs a type argument, and the rule has no -j target)
iptables -A INPUT -p icmp --icmp-type

# Rules for out going packets

and when I rebooted I got a shitload of errors.
 
05-12-2003, 04:03 PM   #2   DavidPhillips (LQ Guru, Fedora / RedHat / SuSE)
Like what?
 
05-12-2003, 04:07 PM   #3   vexer (Original Poster)
Hmm, I think they are related to some insmod problems...
 
05-12-2003, 04:41 PM   #4   vexer (Original Poster)
The full line (dmesg doesn't show the error) is
modprobe: Can't locate module ip_tables
iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

I have followed the instructions from the iptables 1.2.8 INSTALL file, minus the patch-o-matic part, recompiled my kernel and then it still didn't work.

There were no new config options in my kernel to modulate ipt_filter and all that, and modprobe ipt_filter fails to find anything.
 
05-12-2003, 05:03 PM   #5   vexer (Original Poster)
Ok, found the error of the above... didn't add module support for netfilter configuration parts.

But now I get a failure of the rc.firewall file at line 2, and I get
bash-2.05b# iptables -A INPUT -p tcp -j ALLOW
iptables v1.2.8: Couldn't load target `ALLOW':/usr/local/lib/iptables/libipt_ALLOW.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
 
05-12-2003, 05:06 PM   #6   green_dragon37 (Member, Slackware / OpenBSD)
I believe that should be ACCEPT, not ALLOW.

Ian
 
05-12-2003, 05:54 PM   #7   vexer (Original Poster)
I still get a "line 2 failed" with:
# Required Modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_REJECT

# Required proc configuration
# (forwarding is only needed when this machine routes packets for other hosts)

echo "1" > /proc/sys/net/ipv4/ip_forward

# Start the RULES

# Add chains for tcp packets, udp packets and icmp packets

# $IPTABLES is used below but never assigned in this file; with it empty,
# each line runs as e.g. "-P INPUT ACCEPT" and fails. Added:
IPTABLES=/sbin/iptables

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Get 2 to 3 packets fragments before checking.
# (no -j target: matches second-and-later fragments but takes no action)
$IPTABLES -A INPUT -f

# Rules for TCP
$IPTABLES -A INPUT -p tcp --dport 22 -j DROP
$IPTABLES -A INPUT -p tcp --dport 23 -j DROP
$IPTABLES -A INPUT -p tcp --dport 21 -j DROP
$IPTABLES -A INPUT -p tcp --dport 489 -j DROP
# (no -j target on the next line either, so it matches and does nothing)
$IPTABLES -A INPUT -p tcp --dport 100:65535

# Rules for UDP
$IPTABLES -A INPUT -p udp --dport 412 -j DROP

# Stop the icmp whores
# (incomplete as posted: --icmp-type needs a type argument, and the rule has no -j target)
$IPTABLES -A INPUT -p icmp --icmp-type

# Rules for out going packets

# Drop all packets not conforming to the above rules
# $IPTABLES -A INPUT -j DROP
 
05-12-2003, 06:06 PM   #8   green_dragon37 (Member, Slackware / OpenBSD)
Is ip_tables.o in /lib/modules/*kernel version*/kernel/net/ipv4/netfilter/ ?
 
05-12-2003, 06:12 PM   #9   DavidPhillips (LQ Guru, Fedora / RedHat / SuSE)
Line 2 as in this line?

/sbin/modprobe ip_conntrack

Try running the command from a shell; maybe try them all one at a time to see what the errors are.

Also, the file format may be corrupted. What editor are you using?
 
05-12-2003, 06:17 PM   #10   vexer (Original Poster)
I removed the /sbin/modprobe parts (all of them) and it just ended up giving me errors for each line


bash-2.05b# lsmod
Module Size Used by Tainted: P
nvidia 1539840 20
bcm4400 27040 1
emu10k1 70376 1
ac97_codec 10472 0 [emu10k1]
ppp_synctty 6752 0 (unused)
ppp_async 8064 1
ppp_generic 22144 3 [ppp_synctty ppp_async]
slhc 5472 0 [ppp_generic]
ipt_REJECT 3032 0 (unused)
ipt_state 568 0 (unused)
ipt_limit 1016 0 (unused)
ipt_LOG 3512 0 (unused)
iptable_nat 16632 0 (unused)
iptable_filter 1740 0
ip_conntrack 21312 2 [ipt_state iptable_nat]
ip_tables 12600 8 [ipt_REJECT ipt_state ipt_limit ipt_LOG iptable_nat iptable_filter]
usb-uhci 24236 0 (unused)
 
05-12-2003, 06:23 PM   #11   DavidPhillips (LQ Guru, Fedora / RedHat / SuSE)
Try this...

modprobe ip_tables

iptables -L

Errors can be generated if rules are already loaded, and for other reasons.

You really need to be specific to get much help. Saying "I get errors" is next to useless.
 
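The checks suggested in posts #8, #9 and #11 (look for ip_tables.o under the kernel's module directory, modprobe each module on its own so the failing one is named, then run iptables -L), put into a script. This is an added example, not code from any poster. The module directory, the module list, the .o/.ko naming (2.4 kernels used .o, 2.6 and later .ko) and the script name check-netfilter.sh are assumptions.

```sh
#!/bin/sh
# check-netfilter.sh (added example, not from the thread): verify that the
# netfilter modules an rc.firewall needs exist and load, one at a time.
# "can't initialize iptables table `filter' ... (do you need to insmod?)"
# is what iptables prints when ip_tables/iptable_filter are not loaded.
#
# Assumptions: module tree layout /lib/modules/<kver>/kernel/net/ipv4/netfilter,
# module files named <mod>.o (2.4) or <mod>.ko (2.6+). Override with MODDIR.

KVER=${KVER:-$(uname -r)}
MODDIR=${MODDIR:-/lib/modules/$KVER/kernel/net/ipv4/netfilter}
MODPROBE=${MODPROBE:-/sbin/modprobe}

# Modules a stateful filter needs; iptable_nat/iptable_mangle only if used.
REQUIRED_MODULES="ip_tables iptable_filter ip_conntrack ipt_state ipt_LOG ipt_limit ipt_REJECT"

# missing_modules DIR MOD...: print each module that has neither DIR/MOD.o
# nor DIR/MOD.ko. Returns 1 if anything is missing, 0 if all are present.
missing_modules() {
    dir=$1; shift
    rc=0
    for m in "$@"; do
        if [ ! -f "$dir/$m.o" ] && [ ! -f "$dir/$m.ko" ]; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# load_modules MOD...: modprobe each module separately so that a failure
# names the module instead of a bare "line 2 failed".
load_modules() {
    failed=0
    for m in "$@"; do
        if "$MODPROBE" "$m"; then
            echo "loaded: $m"
        else
            echo "FAILED: $m (built as a module in the kernel config?)" >&2
            failed=1
        fi
    done
    return $failed
}

# Run the checks only when executed directly under the assumed name,
# so the functions above can also be sourced from another script.
if [ "${0##*/}" = "check-netfilter.sh" ]; then
    if missing=$(missing_modules "$MODDIR" $REQUIRED_MODULES); then
        echo "all required modules present under $MODDIR"
    else
        echo "missing under $MODDIR:" $missing >&2
        exit 1
    fi
    load_modules $REQUIRED_MODULES || exit 1
    # The call that printed "iptables who?" in the thread; it now succeeds.
    /sbin/iptables -L -n >/dev/null && echo "filter table OK"
fi
```

If missing_modules reports ip_tables or iptable_filter, the kernel was built without netfilter as modules (the fix the OP found in post #5); if the files exist but modprobe fails, run depmod -a first.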
05-12-2003, 06:23 PM   #12   vexer (Original Poster)
Would it be possible for you guys to paste part (mostly the beginning) of your rc.firewall / iptables ruleset?
 
05-12-2003, 06:26 PM   #13   green_dragon37 (Member, Slackware / OpenBSD)
Here ya go. I am using mine for masq, but it could help anyways.

#
#rc.firewall-2.4
FWVER=0.73
#
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
#
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
#
EXTIF="eth0"
INTIF="eth1"
#
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo -en " Loading Modules: "
echo " - Verifying that all kernel modules are OK"
$DEPMOD -a
#
echo "-----------------------------------------------------------------------"
#
echo -en "ip_tables, "
$INSMOD ip_tables
#
echo -en "ip_conntrack, "
$INSMOD ip_conntrack
#
echo -en "ip_conntrack_ftp, "
$INSMOD ip_conntrack_ftp     # was "ip_connftack_ftp" as posted; insmod would not find that
#
echo -en "ip_conntrack_irc, "
$INSMOD ip_conntrack_irc     # was "in_conntrack_irc" as posted
#
echo -en "iptable_nat, "
$INSMOD iptable_nat
#
echo -en "ip_nat_ftp, "
$INSMOD ip_nat_ftp
#
echo -en "ip_nat_irc, "
$INSMOD ip_nat_irc
echo "-----------------------------------------------------------------------"
#
echo -e " Done Loading Modules.\n"
#---------------------------------------------------------------------
echo " Enabling forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Policies are set before the flush, so the box is closed while rules are rebuilt.
echo "Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
#.....

Ian
 
05-12-2003, 06:29 PM   #14   vexer (Original Poster)
Manually adding the iptables rules works, no problem. But loading rc.firewall when the PC boots or with iptables-restore /etc/rc.d/rc.firewall

Also, I can't find any logs of the error, so posting the error message from boot gets a little hard.
 
05-12-2003, 06:34 PM   #15   vexer (Original Poster)
OK, problem fixed as long as I run sh rc.firewall.

Added #! /usr/sh
 
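A complete rc.firewall along the lines the thread was working toward: an interpreter line, the per-module modprobe from post #7, and a default-deny INPUT policy like the one in green_dragon37's sample rather than the accept-by-default with a handful of dropped ports in the original post. This is an added example, not a script from any poster. It assumes a single host that does not route for anyone (so ip_forward stays 0), 2.4-era module names, and an FW_DRYRUN variable invented here that prints the iptables commands instead of running them.

```sh
#!/bin/sh
# /etc/rc.d/rc.firewall -- added example, not a poster's script.
# Default-deny INPUT with stateful return traffic, explicit drops for the
# ports listed in the original post, rate-limited ping, logged catch-all.
#
# Assumptions: single host (no forwarding), loopback on lo, 2.4 module names.
# The ruleset is applied when this file is executed as rc.firewall; with
# FW_DRYRUN=1 the iptables commands are printed instead of run.

IPTABLES=${IPTABLES:-/sbin/iptables}
MODPROBE=${MODPROBE:-/sbin/modprobe}
FW_DRYRUN=${FW_DRYRUN:-0}

# Ports the original post wanted blocked. The DROP policy already covers
# them; keeping explicit rules documents the intent in iptables -L output.
DROP_TCP_PORTS="21 22 23 489"
DROP_UDP_PORTS="412"

# fw ARGS...: run iptables with ARGS, or print the command in dry-run mode.
fw() {
    if [ "$FW_DRYRUN" = 1 ]; then
        echo "iptables $*"
    else
        "$IPTABLES" "$@"
    fi
}

# load_modules: one modprobe per module so a failure names the module.
load_modules() {
    for m in ip_tables iptable_filter ip_conntrack ipt_state ipt_LOG ipt_limit; do
        "$MODPROBE" "$m" || { echo "rc.firewall: modprobe $m failed" >&2; return 1; }
    done
}

# load_rules: the whole ruleset, in order. The INPUT policy goes to DROP
# before anything is added, so a failure halfway leaves the host closed.
load_rules() {
    fw -P INPUT DROP
    fw -P OUTPUT ACCEPT
    fw -F INPUT
    fw -F OUTPUT
    # Loopback, and replies/related traffic for connections this host opened
    # (RELATED is what lets ICMP errors for our own connections through).
    fw -A INPUT -i lo -j ACCEPT
    fw -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Unmatched fragments, bad TCP flag combinations and similar.
    fw -A INPUT -m state --state INVALID -j DROP
    for p in $DROP_TCP_PORTS; do
        fw -A INPUT -p tcp --dport "$p" -j DROP
    done
    for p in $DROP_UDP_PORTS; do
        fw -A INPUT -p udp --dport "$p" -j DROP
    done
    # Answer ping at a bounded rate instead of dropping ICMP wholesale.
    fw -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    fw -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Log (rate-limited, so a scan cannot fill the disk) and drop the rest.
    fw -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "rc.firewall drop: "
    fw -A INPUT -j DROP
}

# Apply only when run as rc.firewall, so the functions can be sourced too.
case "${0##*/}" in
  rc.firewall)
    if [ "$FW_DRYRUN" != 1 ]; then
        load_modules || exit 1
        # This host is not a router: keep forwarding off.
        echo 0 > /proc/sys/net/ipv4/ip_forward
    fi
    load_rules
    ;;
esac
```

Save it as /etc/rc.d/rc.firewall, make it executable, and run it as sh /etc/rc.d/rc.firewall or directly; the first line must name an interpreter that exists (/bin/sh here). iptables-restore is not a way to load it: that tool reads iptables-save output, not a shell script. FW_DRYRUN=1 sh /etc/rc.d/rc.firewall prints the rules it would install, and iptables -L -n -v afterwards shows the live counters.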