LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   Iptables Script runs but with interface error (https://www.linuxquestions.org/questions/linux-software-2/iptables-script-runs-but-with-interface-error-761786/)

codenjanod 10-14-2009 05:21 AM

Iptables Script runs but with interface error
 
Hi all,

I have implemented an IPTables script, and it runs and implements all the rules, but I get a strange interface error when the script does run.

So when I run the script, I get
The error:
iptables v1.3.5: Bad IP address `eth2'

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: Bad IP address `eth2'

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: Bad IP address `eth2'

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: Bad IP address `eth2'

Try `iptables -h' or 'iptables --help' for more information.


When I check all the rules are implemented ...


The script:
Code:

#!/bin/bash

## Created by: Codenjanod
## Date: 2009-09-22
## Created and modified to work on CentOS 5.2
## and iptables v1.3.5

###########################################################################
#                      Flush all IPTables rules                          #
###########################################################################
# Configurations
IPTABLES="/sbin/iptables"

# reset the default policies in the filter table.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# reset the default policies in the nat table.
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

# reset the default policies in the mangle table.
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT

# flush all the rules in the filter and nat tables.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# erase all chains that's not default in filter and nat table.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

###########################################################################
#              Script for IPTables with DMZ and Trusted                  #
###########################################################################
# 1. Configuration options.
# 1.1 Internet Configuration.
INET_IFACE="eth0"
INET_IP="192.168.196.134"
SSH_IP="192.168.196.134"

SFTP_EM_IP="192.168.196.137"
SMTP_EM_IP="192.168.196.138"
HTTP_EM_IP="192.168.196.139"
HTTPS_EM_IP="192.168.196.139"
TRACK_EM_IP="192.168.196.140"

SFTP_EB_IP="192.168.196.141"
SMTP_EB_IP="192.168.196.142"
HTTP_EB_IP="192.168.196.143"
HTTPS_EB_IP="192.168.196.143"
TRACK_EB_IP="192.168.196.144"

DNS1_IP="192.168.196.134"
DNS2_IP="192.168.196.134"

# 1.2 Local Area Network configuration.
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
TRUSTED_IFACE="eth1"
TRUSTED_IP="192.168.196.135"

EM1_TRUSTED_IP="192.168.196.150"
EB1_TRUSTED_IP="192.168.196.151"

# 1.3 DMZ Configuration.
DMZ_IFACE="eth2"
DMZ_IP="192.168.196.136"

EM1_DMZ_IP="192.168.196.160"
EB1_DMZ_IP="192.168.196.161"

DMZ_SFTP_EM1="192.168.196.162"
DMZ_SFTP_EB1="192.168.196.163"

DMZ_HTTP_EM1="192.168.196.162"
DMZ_HTTP_EB1="192.168.196.163"

DMZ_HTTPS_EM1="192.168.196.162"
DMZ_HTTPS_EB1="192.168.196.163"

DMZ_SMTP_EM1="192.168.196.162"
DMZ_SMTP_EB1="192.168.196.163"

# 1.4 Localhost Configuration.
LO_IFACE="lo"
LO_IP="127.0.0.1"

# 1.5 IPTables Configuration.
#IPTABLES="/usr/sbin/iptables"

# 1.6 Other Configuration.
EXT_CONNECT="192.168.196.200"
EXT_RT="192.168.196.201"

###########################################################################
#                        2. Module loading                              #
###########################################################################
# Needed to initially load modules
/sbin/depmod -a

# 2.1 Required modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

# 2.2 Non-Required modules
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#                              3. /proc set up.                          #
###########################################################################
# 3.1 Required proc configuration
echo "1" > /proc/sys/net/ipv4/ip_forward

# 3.2 Non-Required proc configuration
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#                            4. rules set up.                            #
###########################################################################
# 4.1 Filter table
# 4.1.1 Set policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# 4.1.2 Create userspecified chains
# Create chain for bad tcp packets
$IPTABLES -N bad_tcp_packets

# Create separate chains for ICMP, TCP and UDP to traverse
$IPTABLES -N allowed
$IPTABLES -N icmp_packets

# 4.1.3 Create content in userspecified chains
# bad_tcp_packets chain
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# ICMP rules
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# 4.1.4 INPUT chain
# Bad TCP packets we don't want
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

# Packets from the Internet to this box
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -m limit --limit  1/s --limit-burst 1 -j icmp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j DROP

# Packets from TRUSTED, DMZ or LOCALHOST
# From DMZ Interface to DMZ firewall IP
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

# From TRUSTED Interface to TRUSTED firewall IP
$IPTABLES -A INPUT -p ALL -i $TRUSTED_IFACE -d $TRUSTED_IP -j ACCEPT

# From Localhost interface to Localhost IP's
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $TRUSTED_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

# Special rule for DHCP requests from LAN, which are not caught properly otherwise.
#$IPTABLES -A INPUT -p UDP -i $TRUSTED_IFACE --dport 67 --sport 68 -j ACCEPT

# Allow SSH to the firewall
$IPTABLES -A INPUT -p tcp -s $EXT_CONNECT -d $SSH_IP --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $EXT_RT -d $SSH_IP --dport 22 -j ACCEPT

# All established and related packets incoming from the internet to the firewall
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

# In Microsoft Networks you will be swamped by broadcasts. These lines will prevent them from showing up in the logs.
#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP

# If we get DHCP requests from the Outside of our network, our logs will be swamped as well. This rule will block them from getting logged.
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d 255.255.255.255 --destination-port 67:68 -j DROP

# If you have a Microsoft Network on the outside of your firewall, you may also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

# Log weird packets that don't match the above.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

# 4.1.5 FORWARD chain
# Bad TCP packets we don't want
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

### CUSTOM RULES BEGIN ###
# From DMZ to TRUSTED for EB and EM
$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 1433 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 1433 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5007 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5007 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5009 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5009 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5010 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5010 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5011 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5011 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5012 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5012 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5013 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5013 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5014 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5014 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5015 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5015 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5016 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5016 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5017 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5017 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5018 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5018 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5019 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5019 -j ACCEPT

# From TRUSTED to DMZ for EB and EM
$IPTABLES -A FORWARD -p TCP -s $EB1_TRUSTED_IP -d $EB1_DMZ_IP --dport 5005 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EM1_TRUSTED_IP -d $EM1_DMZ_IP --dport 5005 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EB1_TRUSTED_IP -d $EB1_DMZ_IP --dport 5030 -j ACCEPT                       
$IPTABLES -A FORWARD -p TCP -s $EM1_TRUSTED_IP -d $EM1_DMZ_IP --dport 5030 -j ACCEPT

### CUSTOM RULES END ###

# DMZ section
# General rules
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $TRUSTED_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $TRUSTED_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# SFTP Server
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SFTP_EM1 --dport 22 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SFTP_EB1 --dport 22 -j allowed

# SMTP server
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SMTP_EM1 --dport 25 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SMTP_EB1 --dport 25 -j allowed

# HTTP server
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_EM1 --dport 80 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_EB1 --dport 80 -j allowed

# HTTPS server
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTPS_EM1 --dport 443 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTPS_EB1 --dport 443 -j allowed

# DNS server
$IPTABLES -A FORWARD -p TCP -i $DMZ_IFACE -o $INET_IFACE -d $DNS1_IP --dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $DMZ_IFACE -o $INET_IFACE -d $DNS1_IP --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $DMZ_IFACE -o $INET_IFACE -d $DNS2_IP --dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $DMZ_IFACE -o $INET_IFACE -d $DNS2_IP --dport 53 -j ACCEPT

# TRUSTED section
$IPTABLES -A FORWARD -i $TRUSTED_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

# 4.1.6 OUTPUT chain
# Bad TCP packets we don't want.
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

# Special OUTPUT rules to decide which IP's to allow.
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
#$IPTABLES -A OUTPUT -p ALL -s $TRUSTED_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# 4.2 nat table

# 4.2.1 Set policies

# 4.2.2 Create user specified chains

# 4.2.3 Create content in user specified chains

# 4.2.4 PREROUTING chain
# SFTP server
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $SFTP_EM_IP --dport 22 -j DNAT --to-destination $DMZ_SFTP_EM1
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $SFTP_EB_IP --dport 22 -j DNAT --to-destination $DMZ_SFTP_EB1
# SMTP server
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_EM_IP --dport 25 -j DNAT --to-destination $DMZ_SMTP_EM1
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_EB_IP --dport 25 -j DNAT --to-destination $DMZ_SMTP_EB1
# HTTP server
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_EM_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_EM1
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_EB_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_EB1
# Track server
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $TRACK_EM_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_EM1
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $TRACK_EB_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_EB1
# HTTPS server
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTPS_EM_IP --dport 443 -j DNAT --to-destination $DMZ_HTTPS_EM1
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTPS_EB_IP --dport 443 -j DNAT --to-destination $DMZ_HTTPS_EB1
# DNS
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS1_IP --dport 53 -j DNAT --to-destination $DMZ_IFACE
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS1_IP --dport 53 -j DNAT --to-destination $DMZ_IFACE
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS2_IP --dport 53 -j DNAT --to-destination $DMZ_IFACE
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS2_IP --dport 53 -j DNAT --to-destination $DMZ_IFACE

# 4.2.5 POSTROUTING chain
# Enable simple IP Forwarding and Network Address Translation
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

# 4.2.6 OUTPUT chain
$IPTABLES -A OUTPUT -p icmp -j ACCEPT

# 4.3 mangle table

# 4.3.1 Set policies

# 4.3.2 Create user specified chains

# 4.3.3 Create content in user specified chains

# 4.3.4 PREROUTING chain

# 4.3.5 INPUT chain

# 4.3.6 FORWARD chain

# 4.3.7 OUTPUT chain

# 4.3.8 POSTROUTING chain

exit 0



I am not sure what I am missing.


Thanks

Tux-Slack 10-14-2009 05:25 AM

$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS1_IP --dport 53 -j DNAT --to-destination $DMZ_IFACE


This is your error. -j DNAT --to-destination takes IP address and not interface name.


All times are GMT -5. The time now is 11:28 PM.