----- Original Message -----
From: "Bender, Jeff" <[EMAIL PROTECTED]>
To: <debian-security@lists.debian.org>
Sent: Monday, December 17, 2001 12:08 PM
Subject: Problem with IPTables
> I am having troubles with IPTables. My rules are having troubles with
> handling "-m state --state ESTABLISHED" options. The error I get is
> "iptables: No chain/target/match by that name". Any ideas? Here is my
> script below.
>
> # http://www.cs.princeton.edu/~jns/security/iptables/index.html
> # Prepared by James C. Stephens
> # ([EMAIL PROTECTED])
>
> #!/bin/bash
> #
> # These lines are here in case rules are already in place and the script is ever rerun on the fly.
> # We want to remove all rules and pre-existing user defined chains and zero the counters
> # before we implement new rules.
> iptables -F
> iptables -X
> iptables -Z

Ok, the iptables -X rule needs a chain it can call on. You have to supply a
name for that chain. Example: iptables -X (foo), then in your rule set you can
call that custom chain that you have made. Basically what's happening is
iptables is looking in its default directory for a special chain that doesn't
exist. You have to create it.. No biggy, just looks like you need to set that
option here...

> # Set up a default DROP policy for the built-in chains.
> # If we modify and re-run the script mid-session then (because we have a default DROP
> # policy), what happens is that there is a small time period when packets are denied until
> # the new rules are back in place. There is no period, however small, when packets we
> # don't want are allowed.
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT

For a more secure rule set you need to set these to DROP. ESPECIALLY THE
FORWARD RULE! What can happen here is someone can use your server to spoof
their own IP... So I'm told..

> ## ===========================================================
> ## Some definitions:
> IFACE="eth0"
> IPADDR="209.150.196.220"
> LO="lo"
> NAMESERVER_1="209.150.200.15"
> NAMESERVER_2="209.150.200.10"
> NAMESERVER_3="64.65.128.6"
> BROADCAST="209.150.196.255"
> LOOPBACK="127.0.0.0/8"
> CLASS_A="10.0.0.0/8"
> CLASS_B="172.16.0.0/12"
> CLASS_C="192.168.0.0/16"
> CLASS_D_MULTICAST="224.0.0.0/4"
> CLASS_E_RESERVED_NET="240.0.0.0/5"
> P_PORTS="0:1023"
> UP_PORTS="1024:65535"
> TR_SRC_PORTS="32769:65535"
> TR_DEST_PORTS="33434:33523"
>
> ## ============================================================
> # RULES
> echo "Start Rules"
>
> ## LOOPBACK
> # Allow unlimited traffic on the loopback interface.
> iptables -A INPUT -i $LO -j ACCEPT
> iptables -A OUTPUT -o $LO -j ACCEPT
>
> echo -n "Allow DNS servers incoming traffic..."
>
> ## DNS
> # NOTE: DNS uses tcp for zone transfers, for transfers greater than 512 bytes (possible, but unusual), and on certain
> # platforms like AIX (I am told), so you might have to add a copy of this rule for tcp if you need it
> # Allow UDP packets in for DNS client from nameservers.
> iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_1 --sport 53 -m state --state ESTABLISHED -j ACCEPT

I believe the command is ESTABLISHED,RELATED. May want to double check that.

> #iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_2 --sport 53 -m state --state ESTABLISHED -j ACCEPT
> #iptables -A INPUT -i $IFACE -p udp -s $NAMESERVER_3 --sport 53 -m state --state ESTABLISHED -j ACCEPT
> # Allow UDP packets to DNS servers from client.
> #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_1 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> #iptables -A OUTPUT -o $IFACE -p udp -d $NAMESERVER_3 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> echo "done"
>
> bash# ./test.firewall
> Start Rules
> Allow DNS servers incoming traffic...iptables: No chain/target/match by that name
> done

It looks like you don't really need to define a new chain. Try it out.

> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
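As an added example (not the poster's script and not the reply author's), here is the quoted ruleset rewritten with default DROP policies on all three built-in chains and stateful DNS rules, plus a DRY_RUN switch that prints the iptables commands instead of applying them. The interface and nameserver addresses are the quoted script's values; the preflight assumes the state match is a loadable kernel module reachable as ipt_state (the 2.4 name, which current xt_state kernels also answer to).

```shell
#!/bin/sh
# Added example: default-DROP variant of the quoted firewall script.
# DRY_RUN=1 prints the iptables commands instead of running them, so the
# generated ruleset can be reviewed (or tested) without root.
IFACE="eth0"
NAMESERVERS="209.150.200.15 209.150.200.10 64.65.128.6"

run() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

ensure_state_match() {
    # "No chain/target/match by that name" on an "-m state" rule is the
    # kernel reporting that it has no state match loaded; load it first.
    modprobe ipt_state
}

firewall_rules() {
    # Flush rules, delete user-defined chains (-X with no name deletes all
    # empty user chains), zero counters.
    run -F
    run -X
    run -Z
    # Default DROP everywhere; FORWARD in particular, since this host
    # is not meant to route traffic for anyone else.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT DROP
    # Loopback is unrestricted.
    run -A INPUT -i lo -j ACCEPT
    run -A OUTPUT -o lo -j ACCEPT
    # DNS: queries go out as NEW; only replies to them are let back in.
    for ns in $NAMESERVERS; do
        run -A OUTPUT -o "$IFACE" -p udp -d "$ns" --dport 53 \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        run -A INPUT -i "$IFACE" -p udp -s "$ns" --sport 53 \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

main() {
    if [ -z "$DRY_RUN" ]; then ensure_state_match || return 1; fi
    firewall_rules
}

case "${1:-}" in
    apply) main ;;
    show)  DRY_RUN=1 firewall_rules ;;
esac
```

Run `sh fw.sh show` to print the 14 commands the script would issue, and `sh fw.sh apply` as root to install them.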