[WBEL-users] Iptables Not Working
Bill Davidsen
davidsen@tmr.com
Thu, 29 Jul 2004 14:41:22 -0400
Ed Morrison wrote:
> Hi Everyone,
>
> I'm having a problem with my iptables not working. Below is my iptables
> file. If someone could show me what it is I am doing wrong I would
> surely appreciate it. This is running on WBEL 3.0 and it is my mail
> server. I have spammers sending directly to it and need to drop those
> packets....
I highly suggest putting your rules in a script so you can run them and
see what they are really doing one rule at a time, but that's just for
ease of debugging; something like "bash -xv firewall.cfg" is often very useful.
Other comments on general style: the ESTABLISHED rule should be the very
first thing in the INPUT chain, because it is the most often matched. On
a busy system this will make a visible difference in system time.
It's faster and easier to understand if you set up a table to validate
your tcp --syn packets, and just jump to that with a single rule if it's
a SYN packet. It's safer to set policy on INPUT to DROP, then allow only
what you really must have. Putting your icmp packets in a table makes
this easy to understand as well.
Finally, it looks as if you may have chains rather than tables loaded;
that may or may not be an issue, as I assume the tables module gets demand
loaded eventually.
I think you have some syntax error; without COMMIT it does nothing,
which explains your other problem. Hope this helps.
>
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -i lo -j ACCEPT
> -A INPUT -s 24.20.253.108 -j DROP
> -A INPUT -s 69.145.105.154 -j DROP
> -A INPUT -s 4.11.196.79 -j DROP
> -A INPUT -s 80.202.20.7 -j DROP
> -A INPUT -s 137.164.158.14 -j DROP
> -A INPUT -s 201.129.85.142 -j DROP
> -A INPUT -s 24.19.7.146 -j DROP
> -A INPUT -s 66.44.140.103 -j DROP
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 106 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
> -A INPUT -m state --state NEW -m tcp -p udp --dport 995 -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
> If I run: service iptables start I receive this error:
>
> # service iptables start
> Flushing firewall rules: [ OK ]
> Setting chains to policy ACCEPT: filter [ OK ]
> Unloading iptables modules: [ OK ]
> Applying iptables firewall rules: iptables-restore: line 23 failed
> [FAILED]
>
> It doesn't like the COMMIT line.
>
> If I remove the COMMIT, I see this when I start iptables:
>
> # service iptables start
> Flushing firewall rules: [ OK ]
> Setting chains to policy ACCEPT: filter [ OK ]
> Unloading iptables modules: [ OK ]
> Applying iptables firewall rules: [ OK ]
>
>
>
> And yet when I run: iptables -L -v to verify that the tables loaded
> none of the rules show up:
>
> Chain INPUT (policy ACCEPT 1753 packets, 296K bytes)
> pkts bytes target prot opt in out source destination
>
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
>
> Chain OUTPUT (policy ACCEPT 1820 packets, 293K bytes)
> pkts bytes target prot opt in out source destination
>
> _______________________________________________
> Whitebox-users mailing list
> Whitebox-users@beau.org
> http://beau.org/mailman/listinfo/whitebox-users
>
--
-bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
last possible moment - but no longer" -me
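The reply's suggestions (rules kept in a script you can trace with "bash -xv", a DROP policy on INPUT, the ESTABLISHED rule first, one chain that decides every TCP SYN, and one chain for ICMP) worked into a single script, as an added example that is not from the thread. The blocked addresses and service ports are constructed placeholders, and the dry_run helper is an assumption added here so the rule set can be inspected without root.

```shell
#!/bin/bash
# Added example (not the thread's file): the poster's ruleset restructured
# along the lines the reply suggests. "bash -xv firewall.sh" shows each rule
# as it is applied; IPT=echo prints the commands without touching the kernel.
IPT="${IPT:-iptables}"

# Constructed placeholders, not the addresses or exact services from the thread.
BLOCKED_SOURCES="192.0.2.10 198.51.100.7"
TCP_SERVICES="22 25 80 443 995"

build_firewall() {
    # Clean slate, then default-deny inbound and forwarded traffic.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Most packets belong to existing connections, so test that first.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT

    # Every new TCP connection is decided in one place: the TCP_SYN chain.
    $IPT -N TCP_SYN
    for src in $BLOCKED_SOURCES; do
        $IPT -A TCP_SYN -s "$src" -j DROP
    done
    for port in $TCP_SERVICES; do
        $IPT -A TCP_SYN -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A TCP_SYN -j REJECT --reject-with icmp-host-prohibited
    $IPT -A INPUT -p tcp --syn -j TCP_SYN

    # ICMP gets its own chain: rate-limited pings plus the error types
    # that path MTU discovery and traceroute need in order to keep working.
    $IPT -N ICMP_IN
    $IPT -A ICMP_IN -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    $IPT -A ICMP_IN -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPT -A ICMP_IN -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A ICMP_IN -j DROP
    $IPT -A INPUT -p icmp -j ICMP_IN
    # Anything else (stateless non-SYN TCP, stray UDP) falls to the DROP policy.
}

# Print the iptables commands instead of running them, for review or tests.
dry_run() {
    ( IPT=echo; build_firewall )
}
```

Source the file and call build_firewall as root to apply the rules, or run dry_run first and read the commands before they touch the kernel.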