[WBEL-users] Iptables Not Working

Josh Welch wbl@joshwelch.com
Thu, 15 Jul 2004 21:36:21 -0500


Quoting Ed Morrison <emorrison@ncen.org>:

> Hi Everyone,
> 
> I'm having a problem with my iptables not working.  Below is my iptables
> file.  If someone could show me what it is I am doing wrong I would
> surely appreciate it.  This is running on WBEL 3.0 and it is my mail
> server.  I have spammers sending directly to it and need to drop those
> packets....
> 
> 
> Thank you,
> 
> Ed
> 
> 
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -i lo  -j ACCEPT
> -A INPUT -s 24.20.253.108 -j DROP
> -A INPUT -s 69.145.105.154 -j DROP
> -A INPUT -s 4.11.196.79 -j DROP
> -A INPUT -s 80.202.20.7 -j DROP
> -A INPUT -s 137.164.158.14 -j DROP
> -A INPUT -s 201.129.85.142 -j DROP
> -A INPUT -s 24.19.7.146 -j DROP
> -A INPUT -s 66.44.140.103 -j DROP
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 106 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p udp --dport 995 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> 
> 
> If I run: service iptables start I receive this error:
> 
> # service iptables start
> Flushing firewall rules: [  OK  ]
> Setting chains to policy ACCEPT: filter [  OK  ]
> Unloading iptables modules: [  OK  ]
> Applying iptables firewall rules: iptables-restore: line 23 failed
> [FAILED]
> 
> It doesn't like the COMMIT line.  
> 
> If I remove the COMMIT, I see this when I start iptables:
>  
> # service iptables start
> Flushing firewall rules: [  OK  ]
> Setting chains to policy ACCEPT: filter [  OK  ]
> Unloading iptables modules: [  OK  ]
> Applying iptables firewall rules: [  OK  ]
> 
> 
> 
> And yet when I run: iptables -L -v   to verify that the tables loaded
> none of the rules show up:
> 
> Chain INPUT (policy ACCEPT 1753 packets, 296K bytes)
>  pkts bytes target     prot opt in     out     source     destination
> 
> 
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source     destination
> 
> 
> Chain OUTPUT (policy ACCEPT 1820 packets, 293K bytes)
>  pkts bytes target     prot opt in     out     source     destination
> 
> 

It's not so much the COMMIT as it is some small syntax error within the rules.
They look good to me, but apparently not. Might I suggest entering in each of
your rules at the command line. If one of them is wrong, you'll find out which
one that way. If they are all entered successfully, you can use iptables-save
to generate a rules file for you.

Josh
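A defender-side way to follow Josh's advice without touching the live firewall, added here as an example that is not part of the list post: a small Python pre-check that reads an iptables-restore file and reports problems against the rule line they belong to. iptables-restore hands the whole table to the kernel at COMMIT, so a rule the kernel refuses (here the second port-995 line, which loads the `tcp` match extension under `-p udp`; that extension is only valid for protocol tcp) surfaces as "line 23 failed" on the COMMIT line rather than on the rule itself. A file with no COMMIT, on the other hand, loads "successfully" while installing nothing, which is the second symptom in the post. The rule file below is the one quoted above; the chain and option tables in the checker are my own simplification of iptables syntax, not a full parser.

```python
"""Pre-flight lint for an iptables-restore rules file (added example, not
from the mailing-list post). Reports per-rule problems that iptables-restore
itself only attributes to the COMMIT line."""
import ipaddress
import shlex

# The rules file quoted in the post, verbatim, so reported line numbers line
# up with "iptables-restore: line 23 failed" (line 23 is COMMIT).
POSTED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo  -j ACCEPT
-A INPUT -s 24.20.253.108 -j DROP
-A INPUT -s 69.145.105.154 -j DROP
-A INPUT -s 4.11.196.79 -j DROP
-A INPUT -s 80.202.20.7 -j DROP
-A INPUT -s 137.164.158.14 -j DROP
-A INPUT -s 201.129.85.142 -j DROP
-A INPUT -s 24.19.7.146 -j DROP
-A INPUT -s 66.44.140.103 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 106 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p udp --dport 995 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

BUILTIN_CHAINS = {"filter": {"INPUT", "FORWARD", "OUTPUT"}}  # simplified: filter table only
# Match extensions the kernel binds to one L4 protocol (xt_tcp, xt_udp, xt_icmp);
# loading one under a different -p is refused when the table is committed.
PROTO_BOUND_MATCHES = {"tcp", "udp", "icmp"}
PORT_OPTIONS = {"--dport", "--sport", "--destination-port", "--source-port"}
PORT_PROTOS = {"tcp", "udp", "udplite", "sctp", "dccp"}


def parse_options(argv):
    """Yield (option, value) pairs from one rule; '!' negation is dropped."""
    i = 0
    while i < len(argv):
        tok, i = argv[i], i + 1
        if tok == "!" or not tok.startswith("-"):
            continue
        if i < len(argv) and argv[i] == "!":  # old-style "-s ! addr" negation
            i += 1
        val = None
        if i < len(argv) and not argv[i].startswith("-"):
            val, i = argv[i], i + 1
        yield tok, val


def check_rule(argv, known_chains):
    """Return problem strings for a single rule line (already split into argv)."""
    problems, chain, proto, matches, uses_port = [], None, None, set(), False
    for opt, val in parse_options(argv):
        if opt in ("-A", "-I", "--append", "--insert"):
            chain = val
        elif opt in ("-p", "--protocol"):
            proto = val
        elif opt in ("-m", "--match"):
            matches.add(val)
        elif opt in PORT_OPTIONS:
            uses_port = True
        elif opt in ("-s", "-d", "--source", "--destination") and val:
            try:  # hostnames are flagged on purpose: they are resolved at load time
                ipaddress.ip_network(val, strict=False)
            except ValueError:
                problems.append(f"{opt} {val!r} is not a numeric address or CIDR")
    if chain is None:
        problems.append("rule names no chain (-A/-I)")
    elif chain not in known_chains:
        problems.append(f"chain {chain!r} is not declared in this table")
    for m in sorted(matches & PROTO_BOUND_MATCHES):
        if proto is not None and proto != m:
            problems.append(f"-m {m} is only valid with -p {m}, but the rule says -p {proto}; "
                            "iptables-restore reports this against the COMMIT line")
    if uses_port and proto not in PORT_PROTOS:
        problems.append("--dport/--sport need -p tcp or -p udp")
    return problems


def lint_rules(text):
    """Return [(line_number, problem), ...] for an iptables-restore style file."""
    problems, table, chains, committed, lineno = [], None, set(), True, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if not committed:
                problems.append((lineno, f"table {table!r} has no COMMIT before the next table"))
            table, committed = line[1:], False
            chains = set(BUILTIN_CHAINS.get(table, ()))
        elif line.startswith(":"):
            chains.add(line[1:].split()[0])
        elif line == "COMMIT":
            committed = True
        elif table is None:
            problems.append((lineno, "rule appears before any *table line"))
        else:
            try:
                problems.extend((lineno, p) for p in check_rule(shlex.split(line), chains))
            except ValueError as exc:
                problems.append((lineno, f"unbalanced quoting: {exc}"))
    if not committed:
        problems.append((lineno + 1, f"table {table!r} is never committed: iptables-restore "
                                     "reports OK but installs none of its rules"))
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else POSTED_RULES
    for n, problem in lint_rules(text):
        print(f"line {n}: {problem}")
```

Run against the posted file it reports only line 21, the `-m tcp -p udp` rule; with the COMMIT line deleted it additionally reports that the filter table is never committed, which is why `iptables -L -v` showed empty chains after a "successful" start. The check is a text-level sanity pass, so a clean result still means testing the rules on the host, ideally with `iptables-restore -t` where that option exists, before making them permanent.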