
Re: Problem with IPTables



----- Original Message -----
From: "Bender, Jeff" <jbender@eschelon.com>
To: <debian-security@lists.debian.org>
Sent: Monday, December 17, 2001 12:08 PM
Subject: Problem with IPTables


> I am having troubles with IPTables.  My rules are having troubles with
> handling "-m state --state ESTABLISHED" options.  The error I get is
> "iptables: No chain/target/match by that name".  Any ideas?  Here is my
> script below.
>
> # http://www.cs.princeton.edu/~jns/security/iptables/index.html
> # Prepared by James C. Stephens
> # (jns@gfdl.noaa.gov)
>
> #!/bin/bash
> #
> # These lines are here in case rules are already in place and the script is ever rerun on the fly.
> # We want to remove all rules and pre-existing user defined chains and zero the counters
> # before we implement new rules.
> iptables -F
> iptables -X
> iptables -Z

Ok, the iptables -X rule needs a chain it can call on.  You have to supply a
name for that chain.  Example:
iptables -X (foo)
Then in your rule set you can call that custom chain that you have made.
Basically what's happening is iptables is looking in its default directory
for a special chain that doesn't exist.  You have to create it..  No biggy,
just looks like you need to set that option here...

>
> # Set up a default DROP policy for the built-in chains.
> # If we modify and re-run the script mid-session then (because we have a default DROP
> # policy), what happens is that there is a small time period when packets are denied until
> # the new rules are back in place. There is no period, however small, when packets we
> # don't want are allowed.
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT

For a more secure rule set you need to set these to DROP.  ESPECIALLY THE
FORWARD RULE!  What can happen here is someone can use your server to spoof
their own IP...   So I'm told..

>
> ## ===========================================================
> ## Some definitions:
> IFACE="eth0"
> IPADDR="209.150.196.220"
> LO="lo"
> NAMESERVER_1="209.150.200.15"
> NAMESERVER_2="209.150.200.10"
> NAMESERVER_3="64.65.128.6"
> BROADCAST="209.150.196.255"
> LOOPBACK="127.0.0.0/8"
> CLASS_A="10.0.0.0/8"
> CLASS_B="172.16.0.0/12"
> CLASS_C="192.168.0.0/16"
> CLASS_D_MULTICAST="224.0.0.0/4"
> CLASS_E_RESERVED_NET="240.0.0.0/5"
> P_PORTS="0:1023"
> UP_PORTS="1024:65535"
> TR_SRC_PORTS="32769:65535"
> TR_DEST_PORTS="33434:33523"
>
> ## ============================================================
> # RULES
> echo "Start Rules"
>
> ## LOOPBACK
> # Allow unlimited traffic on the loopback interface.
> iptables -A INPUT  -i $LO -j ACCEPT
> iptables -A OUTPUT -o $LO -j ACCEPT
>
> echo -n "Allow DNS servers incoming traffic..."
>
> ## DNS
> # NOTE: DNS uses tcp for zone transfers, for transfers greater than 512 bytes (possible, but unusual), and on certain
> # platforms like AIX (I am told), so you might have to add a copy of this rule for tcp if you need it
> # Allow UDP packets in for DNS client from nameservers.
> iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT

I believe the command is ESTABLISHED,RELATED.  May want to double check that.


> #iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
> #iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_3 --sport 53 -m state --state ESTABLISHED -j ACCEPT
> # Allow UDP packets to DNS servers from client.
> #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> echo "done"
>
> bash# ./test.firewall
> Start Rules
> Allow DNS servers incoming traffic...iptables: No chain/target/match by that name
> done

It looks like you don't really need to define a new chain.  Try it out.
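As an added example that is not part of this thread (neither the quoted script nor the reply's own rules), here is the DNS section of the script rebuilt with the two suggestions above applied: default DROP policies on all three built-in chains and ESTABLISHED,RELATED matching. The interface name and resolver addresses are constructed placeholders, and setting IPT=echo prints the rule set without root or a live firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: the quoted script's DNS rules
# rebuilt with default DROP policies and ESTABLISHED,RELATED matching,
# routed through a wrapper so a failing rule is reported instead of
# scrolling past. Interface and addresses below are constructed.
IFACE="eth0"
NAMESERVERS="192.0.2.53 192.0.2.54"   # constructed TEST-NET-1 resolvers

# IPT is the command every rule is handed to. IPT=echo prints the rule set
# without touching the kernel (no root needed), which is how it is tested.
IPT="${IPT:-iptables}"

# Run one iptables command and name the exact rule if it fails, so an
# error such as "No chain/target/match by that name" points at its rule.
rule() {
    if ! "$IPT" "$@"; then
        echo "FAILED: $IPT $*" >&2
        return 1
    fi
}

build_rules() {
    rule -F && rule -X && rule -Z || return 1
    # Deny by default on all three built-in chains, FORWARD included.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT DROP
    # Loopback traffic is unrestricted.
    rule -A INPUT  -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    # Replies to connections this host opened, plus RELATED traffic such as
    # ICMP errors, in one rule per direction instead of one per nameserver.
    rule -A INPUT  -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -o "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NEW DNS queries only to the listed resolvers, over UDP and TCP (TCP is
    # used for answers over 512 bytes and for zone transfers).
    for ns in $NAMESERVERS; do
        for proto in udp tcp; do
            rule -A OUTPUT -o "$IFACE" -p "$proto" -d "$ns" --dport 53 \
                 -m state --state NEW -j ACCEPT || return 1
        done
    done
}

# Usage: IPT=echo sh fw.sh apply   (print the rules)
#        sh fw.sh apply            (load them, as root)
if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```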
