LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 07-17-2002, 08:59 AM   #1
X11
Member
 
Registered: Dec 2001
Location: Brisie, Australia
Distribution: Slackware 8.1
Posts: 324

Rep: Reputation: 30
IPTables Error


When I run my iptables script, the following errors pop up on the screen:
Quote:
iptables v1.2.6a: log-level `--log-prefix' unknown
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `1023:65535'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `1023:65535'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `1023:65535'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.6a: log-level `--log-prefix' unknown
Try `iptables -h' or 'iptables --help' for more information.
./iptables-0.1.scr: BAD_FLAG: command not found
iptables v1.2.6a: log-level `--log-prefix' unknown
Try `iptables -h' or 'iptables --help' for more information.
./iptables-0.1.scr: L3
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level --log-prefix
BAD_FLAG ! L4: command not found
iptables v1.2.6a: log-level `--log-prefix' unknown
Try `iptables -h' or 'iptables --help' for more information.
./iptables-0.1.scr: line 89: unexpected EOF while looking for matching `"'
./iptables-0.1.scr: line 98: syntax error: unexpected end of file
 
Old 07-17-2002, 09:00 AM   #2
X11
Member
 
Registered: Dec 2001
Location: Brisie, Australia
Distribution: Slackware 8.1
Posts: 324

Original Poster
Rep: Reputation: 30
Here's the script, BTW

Quote:
#!/bin/sh

#Ethernet card interface to Internet. DHCP Assigned Cable Internet.
INET_IP=""
INET_IFACE="eth0"

#Load iptables/netfilter modules.
/sbin/modprobe ipt_LOG
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack

#Drop all incoming, outgoing and forwarding packets.
iptables -P INPUT DROP #Drops all incoming packets from all interfaces.
iptables -P OUTPUT DROP #Drops all outgoing packets from all interfaces.
iptables -P FORWARD DROP #Drops all forwarding packets from all interfaces.

#The weakest link
iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT

#Accept certain incoming ICMP packet types.
iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type address-mask-reply -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type required-option-missing -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type ip-header-bad -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type source-route-failed -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type network-unknown -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT

#Drop certain incoming ICMP packet types.
iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type protocol-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type port-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type fragmentation-needed -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-unknown -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-network-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type communication-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-precedence-violation -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type precedence-cutoff -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type source-quench -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-network-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-level --log-prefix PING-REQUEST
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type router-advertisement -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type router-solicitation -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type ttl-zero-during-transit -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type timestamp-request -j DROP

#Active FTP.
iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d 10.50.28.4 --dport 1023:65535 -j ACCEPT

#Syn-flood protection.
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 4 -j ACCEPT

#Drop nasty flags.
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level --log-prefix
BAD_FLAG ! L1"
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level --log-prefix
BAD_FLAG ! L2"
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level --log-prefix BAD_FLAG
! L3"
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level --log-prefix
BAD_FLAG ! L4"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level --log-prefix
BAD_FLAG ! L5"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#Stealth port scanner protection.
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
iptables -A syn-flood -j LOG --log-level --log-prefix SYN Flood stopped

#Ping of death protection.
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Thanks a lot in advance

Last edited by X11; 07-17-2002 at 09:01 AM.
 
Old 07-17-2002, 04:10 PM   #3
krunkwick
Member
 
Registered: Jun 2002
Location: Memphis
Distribution: Suse 8.0 Pro
Posts: 45

Rep: Reputation: 15
I'm not sure if you just want to use your own script or not, but there is some really good scripts already done at www.linuxguruz.org

It might help to look at them for atleast some examples.
 
Old 07-18-2002, 01:18 AM   #4
Half_Elf
LQ Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Rep: Reputation: 45
Wow, what's all that stuff about ICMP? Is it really useful? Can you explain what it's suppose to do? I have very little icmp protection, maybe some of these line can make my firewall stronger
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
An error occured getting IPtables status from the command /etc/rc.d/init.d/iptables s CrazyMAzeY Linux - Newbie 10 08-12-2010 05:25 AM
iptables error moger Slackware 2 06-12-2004 10:51 PM
Need help with iptables error. Anxiety Linux - Networking 1 03-31-2004 03:01 PM
iptables error... HappyDude Linux - Security 4 07-14-2003 07:37 PM
iptables error dat64597 Linux - Security 3 02-03-2003 01:52 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 12:42 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration