LinuxQuestions.org
Old 10-14-2009, 05:21 AM   #1
codenjanod
Member
 
Registered: Oct 2006
Posts: 38

Rep: Reputation: 15
Iptables Script runs but with interface error


Hi all,

I have implemented an iptables script; it runs and implements all the rules, but I get a strange interface error when the script runs.

So when I run the script, I get the error:
iptables v1.3.5: Bad IP address `eth2'

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: Bad IP address `eth2'

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: Bad IP address `eth2'

Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: Bad IP address `eth2'

Try `iptables -h' or 'iptables --help' for more information.


When I check, all the rules are implemented ...


The script:
Code:
#!/bin/bash

## Created by: Codenjanod
## Date: 2009-09-22
## Created and modified to work on CentOS 5.2
## and iptables v1.3.5

###########################################################################
#                       Flush all IPTables rules                          #
###########################################################################
# Configurations
IPTABLES="/sbin/iptables"

# reset the default policies in the filter table.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# reset the default policies in the nat table.
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

# reset the default policies in the mangle table.
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT

# flush all the rules in the filter and nat tables.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

# erase all non-default chains in the filter, nat and mangle tables.
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

###########################################################################
#               Script for IPTables with DMZ and Trusted                  #
###########################################################################
# 1. Configuration options.
# 1.1 Internet Configuration.
INET_IFACE="eth0"
INET_IP="192.168.196.134"
SSH_IP="192.168.196.134"

SFTP_EM_IP="192.168.196.137"
SMTP_EM_IP="192.168.196.138"
HTTP_EM_IP="192.168.196.139"
HTTPS_EM_IP="192.168.196.139"
TRACK_EM_IP="192.168.196.140"

SFTP_EB_IP="192.168.196.141"
SMTP_EB_IP="192.168.196.142"
HTTP_EB_IP="192.168.196.143"
HTTPS_EB_IP="192.168.196.143"
TRACK_EB_IP="192.168.196.144"

DNS1_IP="192.168.196.134"
DNS2_IP="192.168.196.134"

# 1.2 Local Area Network configuration.
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
TRUSTED_IFACE="eth1"
TRUSTED_IP="192.168.196.135"

EM1_TRUSTED_IP="192.168.196.150"
EB1_TRUSTED_IP="192.168.196.151"

# 1.3 DMZ Configuration.
DMZ_IFACE="eth2"
DMZ_IP="192.168.196.136"

EM1_DMZ_IP="192.168.196.160"
EB1_DMZ_IP="192.168.196.161"

DMZ_SFTP_EM1="192.168.196.162"
DMZ_SFTP_EB1="192.168.196.163"

DMZ_HTTP_EM1="192.168.196.162"
DMZ_HTTP_EB1="192.168.196.163"

DMZ_HTTPS_EM1="192.168.196.162"
DMZ_HTTPS_EB1="192.168.196.163"

DMZ_SMTP_EM1="192.168.196.162"
DMZ_SMTP_EB1="192.168.196.163"

# 1.4 Localhost Configuration.
LO_IFACE="lo"
LO_IP="127.0.0.1"

# 1.5 IPTables Configuration.
#IPTABLES="/usr/sbin/iptables"

# 1.6 Other Configuration.
EXT_CONNECT="192.168.196.200"
EXT_RT="192.168.196.201"

###########################################################################
#                         2. Module loading                               #
###########################################################################
# Needed to initially load modules
/sbin/depmod -a

# 2.1 Required modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

# 2.2 Non-Required modules
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#                              3. /proc set up.                           #
###########################################################################
# 3.1 Required proc configuration
echo "1" > /proc/sys/net/ipv4/ip_forward

# 3.2 Non-Required proc configuration
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#                            4. rules set up.                             #
###########################################################################
# 4.1 Filter table
# 4.1.1 Set policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# 4.1.2 Create userspecified chains
# Create chain for bad tcp packets
$IPTABLES -N bad_tcp_packets

# Create separate chains for ICMP, TCP and UDP to traverse
$IPTABLES -N allowed
$IPTABLES -N icmp_packets

# 4.1.3 Create content in userspecified chains
# bad_tcp_packets chain
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed chain
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# ICMP rules
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# 4.1.4 INPUT chain
# Bad TCP packets we don't want
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

# Packets from the Internet to this box
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -m limit --limit  1/s --limit-burst 1 -j icmp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j DROP

# Packets from TRUSTED, DMZ or LOCALHOST
# From DMZ Interface to DMZ firewall IP
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

# From TRUSTED Interface to TRUSTED firewall IP
$IPTABLES -A INPUT -p ALL -i $TRUSTED_IFACE -d $TRUSTED_IP -j ACCEPT

# From Localhost interface to Localhost IP's
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $TRUSTED_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

# Special rule for DHCP requests from LAN, which are not caught properly otherwise.
#$IPTABLES -A INPUT -p UDP -i $TRUSTED_IFACE --dport 67 --sport 68 -j ACCEPT

# Allow SSH to the firewall
$IPTABLES -A INPUT -p tcp -s $EXT_CONNECT -d $SSH_IP --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $EXT_RT -d $SSH_IP --dport 22 -j ACCEPT

# All established and related packets incoming from the internet to the firewall
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

# In Microsoft Networks you will be swamped by broadcasts. These lines will prevent them from showing up in the logs.
#$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP

# If we get DHCP requests from the Outside of our network, our logs will be swamped as well. This rule will block them from getting logged.
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -d 255.255.255.255 --destination-port 67:68 -j DROP

# If you have a Microsoft Network on the outside of your firewall, you may also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

# Log weird packets that don't match the above.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

# 4.1.5 FORWARD chain
# Bad TCP packets we don't want
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

### CUSTOM RULES BEGIN ###
# From DMZ to TRUSTED for EB and EM
$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 1433 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 1433 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5007 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5007 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5009 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5009 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5010 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5010 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5011 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5011 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5012 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5012 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5013 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5013 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5014 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5014 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5015 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5015 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5016 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5016 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5017 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5017 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5018 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5018 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EM1_DMZ_IP -d $EM1_TRUSTED_IP --dport 5019 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EB1_DMZ_IP -d $EB1_TRUSTED_IP --dport 5019 -j ACCEPT

# From TRUSTED to DMZ for EB and EM
$IPTABLES -A FORWARD -p TCP -s $EB1_TRUSTED_IP -d $EB1_DMZ_IP --dport 5005 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EM1_TRUSTED_IP -d $EM1_DMZ_IP --dport 5005 -j ACCEPT

$IPTABLES -A FORWARD -p TCP -s $EB1_TRUSTED_IP -d $EB1_DMZ_IP --dport 5030 -j ACCEPT			
$IPTABLES -A FORWARD -p TCP -s $EM1_TRUSTED_IP -d $EM1_DMZ_IP --dport 5030 -j ACCEPT

### CUSTOM RULES END ###

# DMZ section
# General rules
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $TRUSTED_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $TRUSTED_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# SFTP Server
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SFTP_EM1 --dport 22 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SFTP_EB1 --dport 22 -j allowed

# SMTP server
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SMTP_EM1 --dport 25 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SMTP_EB1 --dport 25 -j allowed

# HTTP server
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_EM1 --dport 80 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_EB1 --dport 80 -j allowed

# HTTPS server
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTPS_EM1 --dport 443 -j allowed
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTPS_EB1 --dport 443 -j allowed

# DNS server
$IPTABLES -A FORWARD -p TCP -i $DMZ_IFACE -o $INET_IFACE -d $DNS1_IP --dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $DMZ_IFACE -o $INET_IFACE -d $DNS1_IP --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $DMZ_IFACE -o $INET_IFACE -d $DNS2_IP --dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $DMZ_IFACE -o $INET_IFACE -d $DNS2_IP --dport 53 -j ACCEPT

# TRUSTED section
$IPTABLES -A FORWARD -i $TRUSTED_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

# 4.1.6 OUTPUT chain
# Bad TCP packets we don't want.
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

# Special OUTPUT rules to decide which IP's to allow.
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
#$IPTABLES -A OUTPUT -p ALL -s $TRUSTED_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# 4.2 nat table

# 4.2.1 Set policies

# 4.2.2 Create user specified chains

# 4.2.3 Create content in user specified chains

# 4.2.4 PREROUTING chain
# SFTP server
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $SFTP_EM_IP --dport 22 -j DNAT --to-destination $DMZ_SFTP_EM1
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $SFTP_EB_IP --dport 22 -j DNAT --to-destination $DMZ_SFTP_EB1
# SMTP server
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_EM_IP --dport 25 -j DNAT --to-destination $DMZ_SMTP_EM1
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_EB_IP --dport 25 -j DNAT --to-destination $DMZ_SMTP_EB1
# HTTP server
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_EM_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_EM1
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_EB_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_EB1
# Track server
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $TRACK_EM_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_EM1
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $TRACK_EB_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_EB1
# HTTPS server
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTPS_EM_IP --dport 443 -j DNAT --to-destination $DMZ_HTTPS_EM1
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTPS_EB_IP --dport 443 -j DNAT --to-destination $DMZ_HTTPS_EB1
# DNS
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS1_IP --dport 53 -j DNAT --to-destination $DMZ_IFACE
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS1_IP --dport 53 -j DNAT --to-destination $DMZ_IFACE
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS2_IP --dport 53 -j DNAT --to-destination $DMZ_IFACE
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS2_IP --dport 53 -j DNAT --to-destination $DMZ_IFACE

# 4.2.5 POSTROUTING chain
# Enable simple IP Forwarding and Network Address Translation
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

# 4.2.6 OUTPUT chain
$IPTABLES -A OUTPUT -p icmp -j ACCEPT

# 4.3 mangle table

# 4.3.1 Set policies

# 4.3.2 Create user specified chains

# 4.3.3 Create content in user specified chains

# 4.3.4 PREROUTING chain

# 4.3.5 INPUT chain

# 4.3.6 FORWARD chain

# 4.3.7 OUTPUT chain

# 4.3.8 POSTROUTING chain

exit 0


I am not sure what I am missing.


Thanks
 
Old 10-14-2009, 05:25 AM   #2
Tux-Slack
Member
 
Registered: Nov 2006
Location: Slovenia
Distribution: Slackware 13.37
Posts: 511

Rep: Reputation: 37
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS1_IP --dport 53 -j DNAT --to-destination $DMZ_IFACE


This is your error. -j DNAT --to-destination takes an IP address, not an interface name.
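An added example, not from the thread or its poster: a bash pre-flight lint that resolves the script's own NAME="value" assignments and checks every --to-destination argument against the address forms DNAT accepts, so an interface name is caught before any rule is loaded. The function names and the SAMPLE_SCRIPT excerpt (cut down from the script above) are constructed here.

```shell
#!/bin/bash
# Added example, not from the thread: lint DNAT rules before loading them.
# -j DNAT --to-destination takes addr[-addr][:port[-port]] with IPv4 addresses;
# an interface name such as "eth2" is rejected as "Bad IP address".
# Return 0 if $1 is a dotted quad with every octet in 0-255.
is_ipv4() {
    local octet octets re='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
    [[ "$1" =~ $re ]] || return 1
    IFS=. read -r -a octets <<< "$1"
    for octet in "${octets[@]}"; do
        (( 10#$octet <= 255 )) || return 1
    done
}

# Return 0 if $1 has a form DNAT accepts: addr[-addr][:port[-port]].
is_dnat_target() {
    local addrs="${1%%:*}" ports first second port_re='^[0-9]{1,5}(-[0-9]{1,5})?$'
    ports="${1#"$addrs"}"; ports="${ports#:}"
    [[ -z "$ports" || "$ports" =~ $port_re ]] || return 1
    first="${addrs%%-*}"; second="${addrs#*-}"
    is_ipv4 "$first" || return 1
    [[ "$second" == "$addrs" ]] || is_ipv4 "$second"
}

# Read a firewall script on stdin: collect simple NAME="value" assignments,
# expand $NAME in each --to-destination argument and report bad targets.
# Prints one "bad DNAT target" line per offending rule; returns 1 if any.
lint_dnat_targets() {
    local line name target bad=0
    local assign_re='^([A-Za-z_][A-Za-z0-9_]*)="?([^"[:space:]]*)"?[[:space:]]*$'
    local dest_re='--to-destination[[:space:]]+([^[:space:]]+)'
    local var_re='^[$][{]?([A-Za-z_][A-Za-z0-9_]*)[}]?$'
    declare -A vars
    while IFS= read -r line; do
        [[ "$line" =~ $assign_re ]] && vars["${BASH_REMATCH[1]}"]="${BASH_REMATCH[2]}"
        [[ "$line" =~ ^[[:space:]]*[#] ]] && continue    # skip comment lines
        [[ "$line" =~ $dest_re ]] || continue
        target="${BASH_REMATCH[1]}"
        if [[ "$target" =~ $var_re ]]; then               # resolve $VAR or ${VAR}
            name="${BASH_REMATCH[1]}"; target="${vars[$name]-$target}"
        fi
        if ! is_dnat_target "$target"; then
            echo "bad DNAT target '$target' in: $line"; bad=1
        fi
    done
    return "$bad"
}
# Constructed excerpt of the thread's script: one valid DNAT rule and the DNS
# rule that hands DNAT the interface name, as the reply above points out.
SAMPLE_SCRIPT='INET_IFACE="eth0"
DMZ_IFACE="eth2"
DNS1_IP="192.168.196.134"
DMZ_HTTP_EM1="192.168.196.162"
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS1_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_EM1
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS1_IP --dport 53 -j DNAT --to-destination $DMZ_IFACE'
```

Run it with `printf '%s\n' "$SAMPLE_SCRIPT" | lint_dnat_targets` (or feed the whole firewall script on stdin): it prints the offending DNS rule with the expanded value `eth2` and exits non-zero, while the rule pointing at a real address passes.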