[SOLVED] iptables: bad argument "In_RULE_0"

Amarildo · 09-08-2014, 09:06 AM

I'm creating my firewall rules on FirewallBuilder and I noticed it has an "anti spoofing rule" it creates as RULE_0. I'm copying the compiled rules and trying to create a rules file but that rule_0 is not being accepted.

Code:

iptables -A INPUT -i enp0s7 -s $i_enp0s7   -j In_RULE_0 
iptables -A In_RULE_0  -j LOG  --log-level info --log-prefix "RULE 0 -- DENY "
iptables -A In_RULE_0  -j DROP

The output is

Quote:

Bad argument `In_RULE_0'
Try `iptables -h' or 'iptables --help' for more information.

The compiled version with all other commands:

Code:

# ================ Table 'filter', rule set Policy
    # 
    # Rule 0 (enp0s7)
    # 
    echo "Rule 0 (enp0s7)"
    # 
    # anti spoofing rule
    $IPTABLES -N In_RULE_0
    for i_enp0s7 in $i_enp0s7_list
    do
    test -n "$i_enp0s7" && $IPTABLES -A INPUT -i enp0s7   -s $i_enp0s7   -j In_RULE_0 
    done
    for i_enp0s7 in $i_enp0s7_list
    do
    test -n "$i_enp0s7" && $IPTABLES -A FORWARD -i enp0s7   -s $i_enp0s7   -j In_RULE_0 
    done
    $IPTABLES -A In_RULE_0  -j LOG  --log-level info --log-prefix "RULE 0 -- DENY "
    $IPTABLES -A In_RULE_0  -j DROP

keefaz · 09-08-2014, 10:38 AM

Try adding "echo" in place of commands in script, to see what it really does

eg

Code:

echo "Rule 0 (enp0s7)"
echo $IPTABLES -N In_RULE_0
for i_enp0s7 in $i_enp0s7_list
  do
    echo "test -n $i_enp0s7"
    test -n $i_enp0s7 && echo "$IPTABLES -A INPUT -i enp0s7   -s $i_enp0s7   -j In_RULE_0"
  done

# etc...

Amarildo · 09-08-2014, 10:58 AM

Actually the compiled version works fine, but I don't want to run it as a script. I'm trying to enter the commands directly in the terminal, using only 'iptables'.

keefaz · 09-08-2014, 11:54 AM

Do you define $i_enp0s7 and RULE_0 chain in command line then?

Amarildo · 09-08-2014, 07:48 PM

Quote:

Originally Posted by keefaz

Do you define $i_enp0s7 and RULE_0 chain in command line then?

Sorry, I'm note sure I understood what you just said. It's a problem with my English, really :P

keefaz · 09-09-2014, 04:10 AM

Before using In_RULE_0 chain, you have to define it with iptables -N In_RULE_0

and before using $i_enp0s7 variable, you have to assign it a value, like: i_enp0s7=192.168.0.10

Amarildo · 09-09-2014, 09:57 AM

Oh. Yes, of course I do that.

Here's a screenshot.
http://s18.postimg.org/swd06r1zd/snapshot5.png

keefaz · 09-09-2014, 10:16 AM

I don't see any value assigned to $i_enp0s7 in " -s $i_enp0s7 " argument

Amarildo · 09-09-2014, 12:08 PM

Quote:

Originally Posted by keefaz

I don't see any value assigned to $i_enp0s7 in " -s $i_enp0s7 " argument

What value you think I should specify?

Regards.

keefaz · 09-09-2014, 12:24 PM

An IP address for -s option...

man iptables

Code:

       [!] -s, --source address[/mask][,...]
              Source specification. Address can be either a  network  name,  a
              hostname,  a  network  IP  address  (with  /mask), or a plain IP
              address. Hostnames will be resolved once only, before  the  rule
              is  submitted  to  the  kernel.  Please note that specifying any
              name to be resolved with a remote query such as DNS is a  really
              bad idea.  The mask can be either a network mask or a plain num-
              ber, specifying the number of 1's at the left side of  the  net-
              work  mask.   Thus, a mask of 24 is equivalent to 255.255.255.0.
              A "!" argument before  the  address  specification  inverts  the
              sense  of  the  address.  The  flag  --src  is an alias for this
              option.  Multiple addresses can  be  specified,  but  this  will
              expand  to  multiple  rules (when adding with -A), or will cause
              multiple rules to be deleted (with -D).

Amarildo · 09-09-2014, 12:33 PM

Others have suggested I put my IP address there too, but that would be impractical since my IP chances every day. That's why I'm looking for a way to set my card instead of my IP.

I tested that rule with my host name and it worked (I guess). Maybe that provides me with the same protection as if my IP adress was specified?

EDIT: Yes!

My IP is automatically assigned if I specify my host name.

Code:

-A INPUT -s -myIP- -i enp0s7 -j In_RULE_0