I didn't see anything wrong with it, so I ran it:
bash# ./test.firewall
Start Rules
Allow DNS servers incoming traffic...done
I think you're missing an option in your kernel from when you compiled it last.
Check your kernel config.
These are the commands I ran:
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
IFACE="eth0"
IPADDR="209.150.196.220"
LO="lo"
NAMESERVER_1="209.150.200.15"
NAMESERVER_2="209.150.200.10"
NAMESERVER_3="64.65.128.6"
BROADCAST="209.150.196.255"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
echo "Start Rules"
iptables -A INPUT -i $LO -j ACCEPT
iptables -A OUTPUT -o $LO -j ACCEPT
echo -n "Allow DNS servers incoming traffic..."
iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
echo "done"
Run these and see if it works. If not, you're going to have to re-compile
your kernel.
Bender, Jeff wrote:
I am having trouble with IPTables. My rules are having trouble
handling the "-m state --state ESTABLISHED" option. The error I get is
"iptables: No chain/target/match by that name". Any ideas? Here is my
script below.
#!/bin/bash
# http://www.cs.princeton.edu/~jns/security/iptables/index.html
# Prepared by James C. Stephens
# ([EMAIL PROTECTED])
#
# These lines are here in case rules are already in place and the script is ever rerun on the fly.
# We want to remove all rules and pre-existing user defined chains and zero the counters
# before we implement new rules.
iptables -F
iptables -X
iptables -Z
# Set up a default DROP policy for the built-in chains.
# If we modify and re-run the script mid-session then (because we have a default DROP
# policy), what happens is that there is a small time period when packets are denied until
# the new rules are back in place. There is no period, however small, when packets we
# don't want are allowed.
# NOTE: this copy of the script sets the policies to ACCEPT rather than DROP.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
## ===========================================================
## Some definitions:
IFACE="eth0"
IPADDR="209.150.196.220"
LO="lo"
NAMESERVER_1="209.150.200.15"
NAMESERVER_2="209.150.200.10"
NAMESERVER_3="64.65.128.6"
BROADCAST="209.150.196.255"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
## ============================================================
# RULES
echo "Start Rules"
## LOOPBACK
# Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i $LO -j ACCEPT
iptables -A OUTPUT -o $LO -j ACCEPT
echo -n "Allow DNS servers incoming traffic..."
## DNS
# NOTE: DNS uses tcp for zone transfers, for transfers greater than 512 bytes (possible,
# but unusual), and on certain platforms like AIX (I am told), so you might have to add
# a copy of this rule for tcp if you need it.
# Allow UDP packets in for DNS client from nameservers.
iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT
#iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
#iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_3 --sport 53 -m state --state ESTABLISHED -j ACCEPT
# Allow UDP packets to DNS servers from client.
#iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
echo "done"
bash# ./test.firewall
Start Rules
Allow DNS servers incoming traffic...iptables: No chain/target/match by that name
done
--
Joe Ellis
http://www.lithodyne.net
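An added diagnostic for the failure discussed in this thread (example code, not part of either poster's message). iptables reports "No chain/target/match by that name" when the kernel rejects the rule with ENOENT; for a rule using "-m state" that normally means connection tracking and the state match are neither compiled into the kernel nor loadable as modules, which is the recompile case Joe describes. The script classifies the iptables error text, checks a kernel .config for the relevant options (2.4-era names CONFIG_IP_NF_CONNTRACK/CONFIG_IP_NF_MATCH_STATE and the later CONFIG_NF_CONNTRACK/CONFIG_NETFILTER_XT_MATCH_STATE), and, when run as root with "--check", probes the state match in a scratch chain so no production chain is touched. The two sample configs are constructed, and the /boot/config-$(uname -r) path is an assumption about where the running kernel's config lives.

```shell
#!/bin/sh
# Added diagnostic for "iptables: No chain/target/match by that name" on "-m state".
# Not from the original script. Module names are the standard netfilter ones
# (2.4: ip_conntrack/ipt_state; 2.6+: nf_conntrack/xt_state); the kernel config
# path used by live_check is an assumption.

# Map iptables stderr text to a coarse cause. "missing-extension" is the case where
# the kernel returned ENOENT for the rule, i.e. the match is not available in-kernel.
classify_iptables_error() {
    case "$1" in
        *"No chain/target/match by that name"*) echo "missing-extension" ;;
        *"Permission denied"*|*"Operation not permitted"*) echo "not-root" ;;
        *"Bad argument"*|*"Unknown arg"*|*"unknown option"*) echo "bad-syntax" ;;
        *) echo "ok-or-unknown" ;;
    esac
}

# Return 0 if the kernel .config at $1 enables connection tracking and the state
# match, built in (=y) or as a module (=m). Accepts both the 2.4 and 2.6+ option names.
state_match_configured() {
    cfg="$1"
    if grep -Eq '^CONFIG_IP_NF_CONNTRACK=(y|m)$' "$cfg" \
       && grep -Eq '^CONFIG_IP_NF_MATCH_STATE=(y|m)$' "$cfg"; then
        return 0
    fi
    if grep -Eq '^CONFIG_NF_CONNTRACK=(y|m)$' "$cfg" \
       && grep -Eq '^CONFIG_NETFILTER_XT_MATCH_STATE=(y|m)$' "$cfg"; then
        return 0
    fi
    return 1
}

# Live probe (needs root and iptables): try to load the modules, then append and
# remove a harmless rule in a private chain instead of touching INPUT/OUTPUT.
live_check() {
    for m in ip_conntrack ipt_state nf_conntrack xt_state; do
        modprobe "$m" 2>/dev/null && echo "loaded $m"
    done
    chain="STATE_PROBE_$$"
    iptables -N "$chain" || return 1
    err=$(iptables -A "$chain" -m state --state ESTABLISHED -j RETURN 2>&1 >/dev/null)
    rc=$?
    iptables -F "$chain"; iptables -X "$chain"
    if [ "$rc" -ne 0 ]; then
        echo "state match unavailable: $(classify_iptables_error "$err")"
        cfg="/boot/config-$(uname -r)"   # assumed location of the running kernel's .config
        if [ -r "$cfg" ] && ! state_match_configured "$cfg"; then
            echo "kernel config lacks conntrack/state match: rebuild the kernel"
        fi
        return 1
    fi
    echo "state match works"
}

# Offline demo on two constructed .config fragments (not from a real machine).
demo() {
    tmp=$(mktemp)
    printf 'CONFIG_IP_NF_CONNTRACK=m\n# CONFIG_IP_NF_MATCH_STATE is not set\n' > "$tmp"
    state_match_configured "$tmp" && echo "sample 1: configured" || echo "sample 1: missing, recompile"
    printf 'CONFIG_NF_CONNTRACK=y\nCONFIG_NETFILTER_XT_MATCH_STATE=m\n' > "$tmp"
    state_match_configured "$tmp" && echo "sample 2: configured" || echo "sample 2: missing, recompile"
    rm -f "$tmp"
    classify_iptables_error "iptables: No chain/target/match by that name"
}

case "${1:-demo}" in
    --check) live_check ;;
    *) demo ;;
esac
```

Run it with no arguments for the offline demo; run "./diagnose.sh --check" as root on the affected box to reproduce the failure in a scratch chain and see whether the modules load. If modprobe finds nothing and the config check fails, the fix is Joe's: enable connection tracking and the state match in the kernel config and rebuild.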