RE: Problem with IPTables
Ahh...hah.
I looked a few times in the 'make menuconfig' and saw that I included
everything in the kernel build. I didn't include Connection Tracking which
I thought I only needed for NAT, but it looks like this gave me the option
that I was missing. Thanks.
Oh yeah, I only used the default rules below so I wouldn't lock myself out
and have to run down to the server room. It is a long walk... heh.
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
-----Original Message-----
From: Joe Ellis [mailto:joee@lithodyne.net]
Sent: Monday, December 17, 2001 12:43 PM
To: Bender, Jeff
Cc: 'debian-security@lists.debian.org'
Subject: Re: Problem with IPTables
I didn't see anything wrong with it, so I ran it:
bash# ./test.firewall
Start Rules
Allow DNS servers incoming traffic...done
I think you're missing an option in your kernel when you compiled it last.
Check your kernel config.
These are the commands I ran:
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
IFACE="eth0"
IPADDR="209.150.196.220"
LO="lo"
NAMESERVER_1="209.150.200.15"
NAMESERVER_2="209.150.200.10"
NAMESERVER_3="64.65.128.6"
BROADCAST="209.150.196.255"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
echo "Start Rules"
iptables -A INPUT -i $LO -j ACCEPT
iptables -A OUTPUT -o $LO -j ACCEPT
echo -n "Allow DNS servers incoming traffic..."
iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
echo "done"
Run these and see if it works. If not, you're going to have to re-compile
your kernel.
Bender, Jeff wrote:
> I am having troubles with IPTables. My rules are having troubles with
> handling "-m state --state ESTABLISHED" options. The error I get is
> "iptables: No chain/target/match by that name". Any ideas? Here is my
> script below.
>
> # http://www.cs.princeton.edu/~jns/security/iptables/index.html
> # Prepared by James C. Stephens
> # (jns@gfdl.noaa.gov)
>
> #!/bin/bash
> #
> # These lines are here in case rules are already in place and the script is ever rerun on the fly.
> # We want to remove all rules and pre-existing user defined chains and zero the counters
> # before we implement new rules.
> iptables -F
> iptables -X
> iptables -Z
>
> # Set up a default DROP policy for the built-in chains.
> # If we modify and re-run the script mid-session then (because we have a default DROP
> # policy), what happens is that there is a small time period when packets are denied until
> # the new rules are back in place. There is no period, however small, when packets we
> # don't want are allowed.
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
>
> ## ===========================================================
> ## Some definitions:
> IFACE="eth0"
> IPADDR="209.150.196.220"
> LO="lo"
> NAMESERVER_1="209.150.200.15"
> NAMESERVER_2="209.150.200.10"
> NAMESERVER_3="64.65.128.6"
> BROADCAST="209.150.196.255"
> LOOPBACK="127.0.0.0/8"
> CLASS_A="10.0.0.0/8"
> CLASS_B="172.16.0.0/12"
> CLASS_C="192.168.0.0/16"
> CLASS_D_MULTICAST="224.0.0.0/4"
> CLASS_E_RESERVED_NET="240.0.0.0/5"
> P_PORTS="0:1023"
> UP_PORTS="1024:65535"
> TR_SRC_PORTS="32769:65535"
> TR_DEST_PORTS="33434:33523"
>
> ## ============================================================
> # RULES
> echo "Start Rules"
>
> ## LOOPBACK
> # Allow unlimited traffic on the loopback interface.
> iptables -A INPUT -i $LO -j ACCEPT
> iptables -A OUTPUT -o $LO -j ACCEPT
>
> echo -n "Allow DNS servers incoming traffic..."
>
> ## DNS
> # NOTE: DNS uses tcp for zone transfers, for transfers greater than 512 bytes (possible, but unusual), and on certain
> # platforms like AIX (I am told), so you might have to add a copy of this rule for tcp if you need it
> # Allow UDP packets in for DNS client from nameservers.
> iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
> #iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
> #iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_3 --sport 53 -m state --state ESTABLISHED -j ACCEPT
> # Allow UDP packets to DNS servers from client.
> #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> echo "done"
>
> bash# ./test.firewall
> Start Rules
> Allow DNS servers incoming traffic...iptables: No chain/target/match by that name
> done
--
Joe Ellis
http://www.lithodyne.net
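An added example, not code from the thread: a small bash probe that checks whether the running kernel accepts the "state" match before the firewall script depends on it, so a kernel built without connection tracking produces a clear message instead of "No chain/target/match by that name" halfway through rule loading. The IPTABLES variable, the throwaway probe chain name and the --check flag are my own choices; the DNS rule and addresses are the ones from the thread.

```shell
#!/bin/bash
# Probe for the iptables "state" match before loading rules that need it.
# "iptables: No chain/target/match by that name" is what iptables prints
# when the kernel lacks the match, e.g. when connection tracking was left
# out of the kernel build. Probing up front turns that mid-script error
# into a clear go/no-go decision. Needs root, like any firewall script.
# (Added example; IPTABLES, the probe chain name and --check are my own.)

IPTABLES="${IPTABLES:-iptables}"   # override to point at a stub when testing

# have_state_match: returns 0 if "-m state" is accepted by the kernel, else 1.
# Uses a throwaway user chain so the probe never touches the live ruleset.
have_state_match() {
    local chain="probe_state_$$" rc=0
    "$IPTABLES" -N "$chain" 2>/dev/null || return 1
    "$IPTABLES" -A "$chain" -m state --state ESTABLISHED -j RETURN 2>/dev/null || rc=1
    "$IPTABLES" -F "$chain" 2>/dev/null || :
    "$IPTABLES" -X "$chain" 2>/dev/null || :
    return "$rc"
}

# dns_reply_rule: the thread's DNS reply rule for one nameserver, loaded only
# when the state match is usable; returns 1 (and loads nothing) otherwise.
dns_reply_rule() {
    local iface="$1" nameserver="$2"
    have_state_match || {
        echo "kernel has no state match (connection tracking missing); rule for $nameserver not loaded" >&2
        return 1
    }
    "$IPTABLES" -A INPUT -i "$iface" -p udp -s "$nameserver" --sport 53 \
        -m state --state ESTABLISHED -j ACCEPT
}

# Run the probe plus the thread's first rule when invoked as: ./probe.sh --check
if [ "${1:-}" = "--check" ]; then
    dns_reply_rule eth0 209.150.200.15 && echo "done"
fi
```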