IPTables Failing to Apply

rustyz82 · 04-29-2006, 04:42 PM

Ok I have the following iptables file:

Code:

# Generated by webmin
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -o venet0 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A FORWARD -i venet0 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
-A OUTPUT -o venet0 -j LOG --log-level 7 --log-prefix BANDWIDTH_OUT:
-A INPUT -i venet0 -j LOG --log-level 7 --log-prefix BANDWIDTH_IN:
COMMIT
# Completed
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# SSHD Abuse #1
-A INPUT -s x.x.x.x -j DROP
# SSHD Abuse #2
-A INPUT -s x.x.x.x -j DROP
COMMIT
# Completed

When I try to apply my changes I get the following:

Code:

Failed to apply configuration : 
Flushing firewall rules: [  OK  ]
Setting chains to policy ACCEPT: mangle filter [  OK  ]
Unloading iptables modules: [  OK  ]
Applying iptables firewall rules: iptables-restore: line 10 failed
[FAILED]

I'm using webmin to edit the rules, and if thats the source of the problem i can figure a way around it but I dont see anything that would cause that in the file. Of course the x.x.x.x's are real ip addresses but no one wants to know those

It looks like the line that is failing is COMMIT, but without this the rules wont show up. Any suggestions?

Simon Bridge · 05-01-2006, 01:41 AM

well - your firewall policy looks pretty open. Basically you're accepting everything that you don't know is wrong. Only dropping packets from a specific IP. You will end up with lots of abuses and a long long list of IPs since abusers change IP's frequently.

A better policy is to drop everything and only accept packets that you specify by the rules. You'll know when you need to open something because then it dosn't work. And there ain't nobody gets in without you knowing about it.

The COMMIT in line 10 applies the rules in the previous 9 lines. Take a closer look at those -j LOG lines. I think you'll find those don't work. Try applying the rules without them (you can do without logging the bandwidth for a little while can't you?)

Now me: I don't use these sortf of things to administer iptables. I stick the rules in a bash script...

rustyz82 · 05-01-2006, 03:51 PM

I am aware it is rather open, which is what I was working on fixing. Those log rules do work as they are for a bandwidth monitoring script I am using, but your right if i take those out it works fine. What I don't get is whats wrong with those rules. They do work as the monitoring script has been recording the bandwidth for the last month.

Simon Bridge · 05-01-2006, 08:16 PM

If iptables rules don't load, how do you know the log lines work?