
Re: Problem with IPTables



I didn't see anything wrong with it, so I ran it:
bash# ./test.firewall
Start Rules
Allow DNS servers incoming traffic...done

I think you're missing an option in your kernel from when you compiled it last. Check your kernel config.

These are the commands I ran:
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
IFACE="eth0"
IPADDR="209.150.196.220"
LO="lo"
NAMESERVER_1="209.150.200.15"
NAMESERVER_2="209.150.200.10"
NAMESERVER_3="64.65.128.6"
BROADCAST="209.150.196.255"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
echo "Start Rules"
iptables -A INPUT  -i $LO -j ACCEPT
iptables -A OUTPUT -o $LO -j ACCEPT
echo -n "Allow DNS servers incoming traffic..."
iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
echo "done"

Run these and see if it works. If not, you're going to have to recompile your kernel.

Bender, Jeff wrote:

I am having troubles with IPTables.  My rules are having troubles with
handling "-m state --state ESTABLISHED" options.  The error I get is
"iptables: No chain/target/match by that name".  Any ideas?  Here is my
script below.

# http://www.cs.princeton.edu/~jns/security/iptables/index.html
# Prepared by James C. Stephens
# (jns@gfdl.noaa.gov)

#!/bin/bash
#
# These lines are here in case rules are already in place and the script is ever rerun on the fly.
# We want to remove all rules and pre-existing user defined chains and zero the counters
# before we implement new rules.
iptables -F
iptables -X
iptables -Z
# Set up a default DROP policy for the built-in chains.
# If we modify and re-run the script mid-session then (because we have a default DROP
# policy), what happens is that there is a small time period when packets are denied until
# the new rules are back in place. There is no period, however small, when packets we
# don't want are allowed.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
## ===========================================================
## Some definitions:
IFACE="eth0"
IPADDR="209.150.196.220"
LO="lo"
NAMESERVER_1="209.150.200.15"
NAMESERVER_2="209.150.200.10"
NAMESERVER_3="64.65.128.6"
BROADCAST="209.150.196.255"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
## ============================================================
# RULES
echo "Start Rules"

## LOOPBACK
# Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i $LO -j ACCEPT
iptables -A OUTPUT -o $LO -j ACCEPT
echo -n "Allow DNS servers incoming traffic..."

## DNS
# NOTE: DNS uses tcp for zone transfers, for transfers greater than 512 bytes (possible, but unusual), and on certain
# platforms like AIX (I am told), so you might have to add a copy of this rule for tcp if you need it
# Allow UDP packets in for DNS client from nameservers.
iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
#iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
#iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_3 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Allow UDP packets to DNS servers from client.
#iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

echo "done"

bash# ./test.firewall
Start Rules
Allow DNS servers incoming traffic...iptables: No chain/target/match by that name
done







--
Joe Ellis
http://www.lithodyne.net
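The error in the quoted run, "No chain/target/match by that name", is what iptables reports when the kernel has no support for the match the rule asks for, here "-m state", which needs connection tracking and the state match compiled in or available as a module. The script below is an added example, not code from either poster, showing how to confirm that before changing the rules. It assumes two things, both marked in the code: that /proc/net/ip_tables_matches (present on 2.6 and later kernels once the iptables modules are loaded) lists available matches one per line, and that the module behind a match is named xt_<match> on 2.6+ kernels or ipt_<match> on 2.4. It runs against a constructed copy of that file so it works offline; drop the file argument to check the live kernel.

```bash
#!/bin/sh
# Added diagnostic for the "No chain/target/match by that name" error.
# Not code from the original posts. Assumptions: /proc/net/ip_tables_matches
# lists loaded matches one per line (2.6+ kernels), and the module for a match
# is xt_<match> (2.6+) or ipt_<match> (2.4).

# Print the name of the match a rule uses: the argument following "-m".
match_in_rule() {
    while [ $# -gt 1 ]; do
        if [ "$1" = "-m" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# 0 if MATCH is listed in FILE (default /proc/net/ip_tables_matches),
# 1 if not listed, 2 if the file is unreadable (pre-2.6 kernel, or no
# iptables modules loaded yet).
match_listed() {
    match="$1"
    file="${2:-/proc/net/ip_tables_matches}"
    [ -r "$file" ] || return 2
    grep -qx "$match" "$file"
}

# Try the assumed module names; succeed if either loads.
load_match() {
    modprobe "xt_$1" 2>/dev/null || modprobe "ipt_$1" 2>/dev/null
}

# Diagnose one match: print a verdict, return 0 only if the match is usable.
check_match() {
    match="$1"
    file="$2"
    if match_listed "$match" "$file"; then
        echo "match '$match' available"
        return 0
    fi
    if load_match "$match" && match_listed "$match" "$file"; then
        echo "match '$match' loaded as a module"
        return 0
    fi
    echo "match '$match' missing: rebuild the kernel with connection tracking and this match enabled (for 'state': CONFIG_IP_NF_CONNTRACK and CONFIG_IP_NF_MATCH_STATE), or install the module" >&2
    return 1
}

# Demo on constructed copies of /proc/net/ip_tables_matches (not captured from
# a real system), for the rule that failed in the quoted script.
demo() {
    tmp=$(mktemp)
    m=$(match_in_rule -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT)
    printf 'udp\ntcp\nstate\n' > "$tmp"   # constructed: kernel with the state match
    check_match "$m" "$tmp" || :
    printf 'udp\ntcp\n' > "$tmp"          # constructed: the poster's situation
    check_match "$m" "$tmp" || :
    rm -f "$tmp"
}
demo
```

One caveat worth keeping in mind while the kernel is being rebuilt: the tempting workaround of dropping "-m state --state ESTABLISHED" and accepting any UDP packet with source port 53 from the nameserver is stateless, so it admits unsolicited packets that merely spoof that source address and port. The state match is what ties inbound replies to queries the host actually sent.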


