Re: I need help , please

Re: I need help , please

[david]

[-- Attachment #1.1: Type: text/plain, Size: 1499 bytes --]

It was a mistake.What I do is

# service iptables save
after that  I got a new file in /etc/sysconfig/iptables .
and then :
#/etc/rc.d/init.d/iptables restart 2>salida8
.And here you see all the errors.

david





  ----- Original Message ----- 
  From: jesse.linux 
  To: david@aid.inf.cu 
  Sent: Thursday, July 04, 2002 8:13 AM
  Subject: RE: I need help , please


  if u want to use iptables, why did u restart ipchains?...
   
  pls give more info...
   
  From: "david" <david@aid.inf.cu>
  To: <netfilter@lists.samba.org>
  Subject:  I need help , please
  Date: Wed, 3 Jul 2002 08:47:57 +0200

  This is a multi-part message in MIME format.

  ------=_NextPart_000_0053_01C2226E.542764D0
  Content-Type: multipart/alternative;
  boundary="----=_NextPart_001_0054_01C2226E.542764D0"


  ------=_NextPart_001_0054_01C2226E.542764D0
  Content-Type: text/plain;
  charset="iso-8859-1"
  Content-Transfer-Encoding: quoted-printable

  Hi:
  =20
  I have been using ipchains for a long time , but know i want to turn to =
  iptables.
  I have a script file in /etc/rc.d/init.d/iptables

  What I do is :

  # service iptables save
  =20
  after that  I got a new file in /etc/sysconfig/iptables .
  and then :

  #/etc/rc.d/init.d/ipchains restart
  =20
  First I got a lot of errrors and  it does not seem to apply my rules, =
  because if for example ,I comment (#) the rules for http client , it =
  allow me to get the web anyway.

[-- Attachment #1.2: Type: text/html, Size: 2998 bytes --]

[-- Attachment #2: salida8 --]
[-- Type: application/octet-stream, Size: 5807 bytes --]

/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
iptables: No chain/target/match by that name
iptables v1.2.3: can't initialize iptables table `nat\r': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
/etc/rc.d/init.d/iptables: \r: command not found
iptables: Table does not exist (do you need to insmod?)
/etc/rc.d/init.d/iptables: \r: command not found
iptables: Bad policy name
iptables: Bad policy name
iptables: Bad policy name
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `ACCEPT\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `ACCEPT\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `ACCEPT\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `ACCEPT\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: -s: command not found
/etc/rc.d/init.d/iptables: \r: command not found
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: -i: command not found
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `MASQUERADE\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: --source-port: command not found
/etc/rc.d/init.d/iptables: -d: command not found
/etc/rc.d/init.d/iptables: \r: command not found
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: -s: command not found
/etc/rc.d/init.d/iptables: --destination-port: command not found
/etc/rc.d/init.d/iptables: \r: command not found

Re: I need help , please

[Antony Stone]

On Thursday 04 July 2002 9:38 am, david wrote:

> It was a mistake.What I do is
>
> # service iptables save
> after that  I got a new file in /etc/sysconfig/iptables .
> and then :
> #/etc/rc.d/init.d/iptables restart 2>salida8
> .And here you see all the errors.

What rules are you trying to set ?

Have you compiled all the required bits of iptables into the kernel or are 
you loading modules ?

 

Antony.

Re: I need help , please

[david]

I amtrying to set a dns and proxy server


----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.samba.org>
Sent: Thursday, July 04, 2002 4:53 PM
Subject: Re: I need help , please


> On Thursday 04 July 2002 9:38 am, david wrote:
>
> > It was a mistake.What I do is
> >
> > # service iptables save
> > after that  I got a new file in /etc/sysconfig/iptables .
> > and then :
> > #/etc/rc.d/init.d/iptables restart 2>salida8
> > .And here you see all the errors.
>
> What rules are you trying to set ?
>
> Have you compiled all the required bits of iptables into the kernel or are
> you loading modules ?
>
>
>
> Antony.

Re: I need help , please

[Antony Stone]

On Thursday 04 July 2002 1:00 pm, david wrote:

> I amtrying to set a dns and proxy server

I assume this means you want to run DNS and an http proxy such as squid on 
the machine running the Firewall.   If this is not correct, post again and 
tell us what iptables rules you are trying to set up (which is what I was 
trying to ask).

Anyway, if that is the correct assumption, how about a set of rules such as 
this ?

# Standard default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow in DNS requests
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
# Allow out DNS requests
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# Redirect http requests to local proxy
iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT 127.0.0.1:80
# Allow proxy requests out of machine
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
# Allow replies etc back in again
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

 

Antony.

> ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: <netfilter@lists.samba.org>
> Sent: Thursday, July 04, 2002 4:53 PM
> Subject: Re: I need help , please
>
> > On Thursday 04 July 2002 9:38 am, david wrote:
> > > It was a mistake.What I do is
> > >
> > > # service iptables save
> > > after that  I got a new file in /etc/sysconfig/iptables .
> > > and then :
> > > #/etc/rc.d/init.d/iptables restart 2>salida8
> > > .And here you see all the errors.
> >
> > What rules are you trying to set ?
> >
> > Have you compiled all the required bits of iptables into the kernel or
> > are you loading modules ?
> >
> >
> >
> > Antony.

Re: I need help , please

[Jan Humme]

On Thursday 04 July 2002 20:20, Antony Stone wrote:
> On Thursday 04 July 2002 1:00 pm, david wrote:
> > I amtrying to set a dns and proxy server
>
> I assume this means you want to run DNS and an http proxy such as squid on
> the machine running the Firewall.   If this is not correct, post again and
> tell us what iptables rules you are trying to set up (which is what I was
> trying to ask).
>
> Anyway, if that is the correct assumption, how about a set of rules such as
> this ?
>
> # Standard default policies
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
> # Allow in DNS requests
> iptables -A INPUT -p tcp --dport 53 -j ACCEPT
> iptables -A INPUT -p udp --dport 53 -j ACCEPT
> # Allow out DNS requests
> iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
> # Redirect http requests to local proxy
> iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT 127.0.0.1:80

Anthony, just for my understanding: is this any different from:

iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT   ?

Jan Humme.

Re: I need help , please

[Antony Stone]

On Thursday 04 July 2002 7:48 pm, Jan Humme wrote:

> On Thursday 04 July 2002 20:20, Antony Stone wrote:

> > # Redirect http requests to local proxy
> > iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT 127.0.0.1:80
>
> Antony, just for my understanding: is this any different from:
>
> iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT   ?

No.   I just find the name 'redirect' a bit ambiguous (I mean, it could 
redirect it somewhere else, couldn't it, but no, it only redirects it to the 
local machine...) therefore I use DNAT which I'm familiar with from other 
uses.

 

Antony.

Re: I need help , please

[Jan Humme]

On Thursday 04 July 2002 20:51, Antony Stone wrote:
> On Thursday 04 July 2002 7:48 pm, Jan Humme wrote:
> > On Thursday 04 July 2002 20:20, Antony Stone wrote:
> > > # Redirect http requests to local proxy
> > > iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT 127.0.0.1:80
> >
> > Antony, just for my understanding: is this any different from:
> >
> > iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT   ?
>
> No.   I just find the name 'redirect' a bit ambiguous (I mean, it could
> redirect it somewhere else, couldn't it, but no, it only redirects it to
> the local machine...) therefore I use DNAT which I'm familiar with from
> other uses.

OK, and agree.

But I am somewhat surprised to find such redundant syntax at this level.

Jan Humme.

Re: I need help , please

[Antony Stone]

On Thursday 04 July 2002 7:59 pm, Jan Humme wrote:

> On Thursday 04 July 2002 20:51, Antony Stone wrote:
> > On Thursday 04 July 2002 7:48 pm, Jan Humme wrote:
> > > On Thursday 04 July 2002 20:20, Antony Stone wrote:
> > > > # Redirect http requests to local proxy
> > > > iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT 127.0.0.1:80
> > >
> > > Antony, just for my understanding: is this any different from:
> > >
> > > iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT   ?
> >
> > No.   I just find the name 'redirect' a bit ambiguous (I mean, it could
> > redirect it somewhere else, couldn't it, but no, it only redirects it to
> > the local machine...) therefore I use DNAT which I'm familiar with from
> > other uses.
>
> OK, and agree.
>
> But I am somewhat surprised to find such redundant syntax at this level.

I could have written it as

iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT 127.0.0.1

if you prefer :-)

 

Antony.

Re: I need help , please

[Jan Humme]

On Thursday 04 July 2002 21:01, Antony Stone wrote:
> On Thursday 04 July 2002 7:59 pm, Jan Humme wrote:
> > On Thursday 04 July 2002 20:51, Antony Stone wrote:
> > > On Thursday 04 July 2002 7:48 pm, Jan Humme wrote:
> > > > On Thursday 04 July 2002 20:20, Antony Stone wrote:
> > > > > # Redirect http requests to local proxy
> > > > > iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT
> > > > > 127.0.0.1:80
> > > >
> > > > Antony, just for my understanding: is this any different from:
> > > >
> > > > iptables -A PREROUTING -t nat -p tcp --dport 80 -j REDIRECT   ?
> > >
> > > No.   I just find the name 'redirect' a bit ambiguous (I mean, it could
> > > redirect it somewhere else, couldn't it, but no, it only redirects it
> > > to the local machine...) therefore I use DNAT which I'm familiar with
> > > from other uses.
> >
> > OK, and agree.
> >
> > But I am somewhat surprised to find such redundant syntax at this level.
>
> I could have written it as
>
> iptables -A PREROUTING -t nat -p tcp --dport 80 -j DNAT 127.0.0.1
>
> if you prefer :-)

I was in fact refering to the redundant design of the iptables syntax, and 
not to your beautiful piece of nat-art, Anthony ;-) !

Jan Humme. 

Fw: I need help , please

[david]

[-- Attachment #1.1: Type: text/plain, Size: 702 bytes --]

Hi:

George and Jesse:

Here i am sending you all that I have done:
KERNEL
Enable loadble modulo support   Y
Network packet Filtering  Y
IP netfilter configuration   Y
IP table support   Y

everything else as modules.

make bzImage
make modules
make modules_Install
reboot
uname -a
===============================================================================

chkconfig --level 0123456 ipchains off
/etc/rc.d/init.d/ipchains stop
chkconfig --level 2345 iptables on
/etc/rc.d/init.d/iptables start
=============================================================================

Here are my script (/etc/rc.d/init.d/iptables) and the errors.

david

Thanks to all of you

[-- Attachment #1.2: Type: text/html, Size: 2033 bytes --]

[-- Attachment #2: iptables.txt --]
[-- Type: text/plain, Size: 26567 bytes --]

 
#!/bin/sh

#

# Startup script to implement /etc/sysconfig/iptables pre-defined rules.

#

# chkconfig: 2345 08 92

#

# description: Automates a packet filtering firewall with iptables.

#

# by bero@redhat.com, based on the ipchains script:

# Script Author:      Joshua Jensen <joshua@redhat.com>

#   -- hacked up by gafton with help from notting

# modified by Anton Altaparmakov <aia21@cam.ac.uk>:

# modified by Nils Philippsen <nils@redhat.de>

#

# config: /etc/sysconfig/iptables

 

# Source 'em up

. /etc/init.d/functions

 

IPTABLES_CONFIG=/etc/sysconfig/iptables

 

if [ ! -x /sbin/iptables ]; then

      exit 0

fi

 

KERNELMAJ=`uname -r | sed                   -e 's,\..*,,'`

KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`

 

if [ "$KERNELMAJ" -lt 2 ] ; then

      exit 0

fi

if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then

      exit 0

fi

 

 

 

if  /sbin/lsmod 2>/dev/null |grep -q ipchains ; then

      # Don't do both

      exit 0

fi

 

start() {

      # don't do squat if we don't have the config file

      if [ -f $IPTABLES_CONFIG ]; then

          # If we don't clear these first, we might be adding to

          #  pre-existing rules.

          action $"Flushing all current rules and user defined chains:" iptables -F

          action $"Clearing all current rules and user defined chains:" iptables -X

          chains=`cat /proc/net/ip_tables_names 2>/dev/null`

            for i in $chains; do iptables -t $i -F; done && \

              success $"Flushing all current rules and user defined chains:" || \

              failure $"Flushing all current rules and user defined chains:"        

            for i in $chains; do iptables -t $i -X; done && \

              success $"Clearing all current rules and user defined chains:" || \

              failure $"Clearing all current rules and user defined chains:"

 

            for i in $chains; do iptables -t $i -Z; done

 

          echo $"Applying iptables firewall rules: "

            grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/iptables-restore -c && \

                success $"Applying iptables firewall rules" || \

                failure $"Applying iptables firewall rules"

          echo

          touch /var/lock/subsys/iptables

      fi

      

      

# ----------------------------------------------------------------------------


#  Some definitions for easy maintenance.


#  EDIT THESE TO SUIT YOUR SYSTEM AND ISP.


# Este script posee la definiicon de 


# Local_iNTERFACE,intranet 


# PERO NO POSEE LA DEFINICION DEL SMTP SERVER


IPADDR="169.158.129.23/27"


EXTERNAL_INTERFACE="eth0"                       # Internet connected interface


LOOPBACK_INTERFACE="lo"                         # Your local naming convention


LOCAL_INTERFACE_1="eth1"                        # Your Internal LAN interface


INTRANET="10.0.0.0/16"                           # Your Private IP Addr Range


PRIMARY_NAMESERVER="169.158.129.23/27"           # Your Primary Name Server


SECONDARY_NAMESERVER="169.158.129.33/27"         # Your Secondary Name Server


#SYSLOG_SERVER="***.**.**.*"                     # Your Syslog Internal Server


 

 

LOOPBACK="127.0.0.0/8"                          # Reserved loopback address range


CLASS_A="10.0.0.0/8"                            # Class A private networks


CLASS_B="172.16.0.0/12"                         # Class B private networks


CLASS_C="192.168.0.0/16"                        # Class C private networks


CLASS_D_MULTICAST="224.0.0.0/4"                 # Class D multicast addr


CLASS_E_RESERVED_NET="240.0.0.0/5"              # Class E reserved addr


BROADCAST_SRC="0.0.0.0"                         # Broadcast source addr


BROADCAST_DEST="255.255.255.255"                # Broadcast destination addr


PRIVPORTS="0:1023"                              # Privileged port range


UNPRIVPORTS="1024:"                             # Unprivileged port range


 

 

# ----------------------------------------------------------------------------


 

 

# The SSH client starts at 1023 and works down to 513 for each


# additional simultaneous connection originating from a privileged port.


# Clients can optionally be configured to use only unprivileged ports.


SSH_LOCAL_PORTS="1022:65535"                    # Port range for local clients


SSH_REMOTE_PORTS="513:65535"                    # Port range for remote clients


 

 

# traceroute usually uses -S 32769:65535 -D 33434:33523


TRACEROUTE_SRC_PORTS="32769:65535"


TRACEROUTE_DEST_PORTS="33434:33523"


 

 

# ----------------------------------------------------------------------------


 

 

# FIREWALL MODULES


# ----------------


 

 

    # Uncomment all of the following modules lines only


    # for modularized kernel system.


 

 

    # These modules are necessary to masquerade their respective services.


#    /sbin/modprobe ip_tables


#    /sbin/modprobe iptable_nat


#    /sbin/modprobe ip_conntrack


#    /sbin/modprobe ip_conntrack_ftp


#    /sbin/modprobe ip_tables


#    /sbin/modprobe ip_nat_ftp


#    /sbin/modprobe ipt_LOG


#    /sbin/modprobe ipt_MARK


#    /sbin/modprobe ipt_MASQUERADE


#    /sbin/modprobe ipt_REDIRECT


#    /sbin/modprobe ipt_REJECT


#    /sbin/modprobe ipt_TOS


#    /sbin/modprobe ipt_limit


#    /sbin/modprobe ipt_mac


#    /sbin/modprobe ipt_mark


#    /sbin/modprobe ipt_multiport


#    /sbin/modprobe ipt_state


#    /sbin/modprobe ipt_tos


#    /sbin/modprobe iptable_mangle


 

 

# ----------------------------------------------------------------------------


 

 

# Default policy is DENY


# Explicitly accept desired INCOMING & OUTGOING connections



#

#    # Remove all existing rules belonging to this filter


#    iptables -F


#    iptables -F -t nat


#


#    # Remove any existing user-defined chains.


#    iptables -X


#


#    # Set the default policy of the filter to deny.


#    iptables -P INPUT   DROP


#    iptables -P OUTPUT  DROP


#    iptables -P FORWARD DROP


##


# ----------------------------------------------------------------------------


 

 

# LOOPBACK


# --------


 

 

    # Unlimited traffic on the loopback interface.


 

 

    iptables -A INPUT  -i $LOOPBACK_INTERFACE  -j ACCEPT


    iptables -A OUTPUT -o $LOOPBACK_INTERFACE  -j ACCEPT


 

 

# ----------------------------------------------------------------------------


 

 

# Unlimited traffic within the local network.


 

 

    # All internal machines have access to the fireall machine.


 

 

    iptables -A INPUT  -i $LOCAL_INTERFACE_1 -s $INTRANET -j ACCEPT


    iptables -A OUTPUT -o $LOCAL_INTERFACE_1 -d $INTRANET -j ACCEPT


 

 

# ----------------------------------------------------------------------------


# STATEFUL PART!


# --------------


 

 

    # Kill malformed XMAS packets


    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP


    iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP


 

 

    # Kill malformed NULL packets


    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP


    iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP


 

 

    # Block faked, or "spoofed," packets from getting through the firewall.


    iptables -A FORWARD -i $LOCAL_INTERFACE_1 -s ! $INTRANET -j DROP


 

 

    # Allow all internal packets out of our network.


    iptables -A FORWARD -m state --state NEW -i $LOCAL_INTERFACE_1 && \


             -s $INTRANET -j ACCEPT


 

 

    # Allow the associated packets with those connections back in.


    iptables -A FORWARD -m state --state ESTABLISHED,RELATED && \


             -i $EXTERNAL_INTERFACE -s ! $INTRANET -j ACCEPT


 

 

    # All internal traffic is masqueraded externally.


    iptables -A POSTROUTING -t nat -o $EXTERNAL_INTERFACE -j MASQUERADE


 

 

# Blocks any forwards that come from Internet connection. Uncomment only for


# users with modem device like "ppp0".


 

 

#    iptables -A FORWARD -i $EXTERNAL_INTERFACE -m state \


#    --state NEW,INVALID -j REJECT


 

 

# ----------------------------------------------------------------------------


# SPOOFING & BAD ADDRESSES


# Refuse spoofed packets.


# Ignore blatantly illegal source addresses.


# Protect yourself from sending to bad addresses.


 

 

    # Refuse incoming packets pretending to be from the external address.


    iptables -A INPUT   -s $IPADDR -j DROP


 

 

    # Refuse incoming packets claiming to be from a Class A, B or C private network


 #  iptables -A INPUT   -s $CLASS_A -j DROP


    iptables -A INPUT   -s $CLASS_B -j DROP


    iptables -A INPUT   -s $CLASS_C -j DROP


 

 

    # Refuse broadcast address SOURCE packets


    iptables -A INPUT   -s $BROADCAST_DEST -j DROP


    iptables -A INPUT   -d $BROADCAST_SRC -j DROP


 

 

    # Refuse Class D multicast addresses


    # Multicast is illegal as a source address.


    # Multicast uses UDP.


    iptables -A INPUT   -s $CLASS_D_MULTICAST -j DROP


 

 

    # Refuse Class E reserved IP  addresses


    iptables -A INPUT   -s $CLASS_E_RESERVED_NET -j DROP


 

 

    # Refuse special addresses defined as reserved by the IANA.


    # Note:  The remaining reserved addresses are not included


    # filtering them causes problems as reserved blocks are


    # being allocated more often now. The following are based on


    # reservations as listed by IANA as of 2001/01/04. Please regularly


    # check at http://www.iana.org/ for the latest status.


 

 

    # Note:  this list includes the loopback, multicast, & reserved addresses.


 

 

    # 0.*.*.*                   - Can't be blocked for DHCP users.


    # 127.*.*.*                 - LoopBack


    # 169.254.*.*               - Link Local Networks


    # 192.0.2.*                 - TEST-NET


    # 224-255.*.*.*             - Classes D & E, plus unallocated.


 

 

    iptables -A INPUT   -s 0.0.0.0/8 -j DROP


    iptables -A INPUT   -s 127.0.0.0/8 -j DROP


    iptables -A INPUT   -s 169.254.0.0/16 -j DROP


    iptables -A INPUT   -s 192.0.2.0/24 -j DROP


    iptables -A INPUT   -s 224.0.0.0/3 -j DROP


 

 

# ----------------------------------------------------------------------------


 

 

    # UDP TRACEROUTE


    # --------------


 

 

    # traceroute usually uses -S 32769:65535 -D 33434:33523


 

 

    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p udp --source-port $TRACEROUTE_SRC_PORTS && \


             -d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP


 

 

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s $IPADDR --source-port $TRACEROUTE_SRC_PORTS && \


             --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT


 

 

# ----------------------------------------------------------------------------


 

 

    # DNS forward-only nameserver


    # ---------------------------


#ESTAS PRIMERAS CUATRO LINEAS SON EL COMPARTAMIENTO DE UN CLIENTE dns 


#QUE LO QUE HACE ES CONECTARSE A UN SERVIDOR DNS POR EL PUERTO 53.


#En este caso es servidor es el nameserver1


#


#


#    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p udp  \


#             -s $PRIMARY_NAMESERVER --source-port 53 \


#             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


#


#   iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp  \


#             -s $IPADDR --source-port $UNPRIVPORTS \


#             -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT#


#


#    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn \


#             -s $PRIMARY_NAMESERVER --source-port 53 \


#             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


#


#    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  \


#             -s $IPADDR --source-port $UNPRIVPORTS \


#             -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT


#


# DNS client


 

 

    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p udp --source-port $UNPRIVPORTS && \


             -d $IPADDR --destination-port 53 -j ACCEPT


 

 

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s $IPADDR --source-port 53 && \


             --destination-port $UNPRIVPORTS -j ACCEPT


 

 

    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p udp --source-port 53 && \


             -d $IPADDR --destination-port 53 -j ACCEPT


 

 

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s $IPADDR --source-port 53 && \


             --destination-port 53 -j ACCEPT


 

 

 

 

 

 

#ESTO LO VOY A ANADIR YO PORQUE ESTO ES LO QUE HACE UN SERVIDOR DNS, o sea aceptar peticiones 


#desde su puerto 53 y que provienen de puertos no privilegiados en otras maquinas.


 

 

 

 

    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p udp --source-port $UNPRIVPORTS && \


             -d $IPADDR --destination-port 53 -j ACCEPT


 

 

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s $IPADDR --source-port 53 && \


             --destination-port $UNPRIVPORTS -j ACCEPT


 

 

    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p udp --source-port 53 && \


             -d $IPADDR --destination-port 53 -j ACCEPT


 

 

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s $IPADDR --source-port 53 && \


             --destination-port 53 -j ACCEPT


 

 

 

 

#Esto tambien lo voy a anadir porque el servidor dns tiene que aceptar las 

#transferencias de zona desde el servidor dns2


 # DNS Zone Transfers (53)


 

 

    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp -s $SECONDARY_NAMESERVER --source-port $UNPRIVPORTS && \


             -d $IPADDR --destination-port 53 -j ACCEPT


 

 

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port 53 && \


             -d $SECONDARY_NAMESERVER --destination-port $UNPRIVPORTS -j ACCEPT


    


# ------------------------------------------------------------------


# HTTP client (80)


# ----------------


 

 

#    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 80 && \


#             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT



#

#    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  -s $IPADDR --source-port $UNPRIVPORTS && \


#             --destination-port 80 -j ACCEPT


#


    # ------------------------------------------------------------------


 

 

    # HTTPS client (443)


    # ------------------


 

 

#    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 443 && \


#             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


#


#    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  -s $IPADDR --source-port $UNPRIVPORTS && \


#             --destination-port 443 -j ACCEPT


 

 

    # ------------------------------------------------------------------


 

 

    # WWW-CACHE client


    # ----------------


 

 

#    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn \


#             --source-port 3128 \


#             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


 

 

#    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  \


#             -s $IPADDR --source-port $UNPRIVPORTS \


#             --destination-port 3128 -j ACCEPT


 

 

    # ------------------------------------------------------------------


 

 

    # NNTP NEWS client (119)


    # ----------------------


 

 

    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 119 && \


             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


 

 

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  -s $IPADDR --source-port $UNPRIVPORTS && \


             --destination-port 119 -j ACCEPT


 

 

    # ------------------------------------------------------------------


 

 

    # POP client (110)


    # ----------------


 

 

    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 110 && \


             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


 

 

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS && \


             --destination-port 110 -j ACCEPT


 

 

    # ------------------------------------------------------------------


 

 

    # IMAP client (143)


    # -----------------


 

 

#    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn \


#             --source-port 143 \


#             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


 

 

#    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp \


#             -s $IPADDR --source-port $UNPRIVPORTS \


#             --destination-port 143 -j ACCEPT


 

 

    # ------------------------------------------------------------------


 

 

    # SMTP client (25)


    # ----------------


 

 

    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 25 && \


             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


 

 

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  -s $IPADDR --source-port $UNPRIVPORTS && \


             --destination-port 25 -j ACCEPT


 

 

    # ------------------------------------------------------------------


 

 

    # SSH server (22)


    # ---------------


 

 

    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp  --source-port $SSH_REMOTE_PORTS && \ 


             -d $IPADDR --destination-port 22 -j ACCEPT


 

 

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn -s $IPADDR --source-port 22 && \


             --destination-port $SSH_REMOTE_PORTS -j ACCEPT


 

 

 

 

    # SSH client (22)


    # ---------------


 

 

    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 22 && \


             -d $IPADDR --destination-port $SSH_LOCAL_PORTS -j ACCEPT


 

 

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  -s $IPADDR --source-port $SSH_LOCAL_PORTS && \


             --destination-port 22 -j ACCEPT


 

 

    # ------------------------------------------------------------------


 

 

    # TELNET client (23)


    # ------------------


 

 

#    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn \


#            --source-port 23 \


#             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


 

 

#    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  \


#             -s $IPADDR --source-port $UNPRIVPORTS \


#             --destination-port 23 -j ACCEPT


 

 

    # ------------------------------------------------------------------


 

 

    # AUTH server (113)


    # -----------------


 

 

    # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO)


    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp  --source-port $UNPRIVPORTS && \


             -d $IPADDR --destination-port 113 -j REJECT


 

 

 

 

    # AUTH client (113)


    # -----------------


 

 

#    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn \


#             --source-port 113 \


#             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


 

 

#    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  \


#             -s $IPADDR --source-port $UNPRIVPORTS \


#             --destination-port 113 -j ACCEPT


 

 

    # ------------------------------------------------------------------


 

 

    # WHOIS client (43)


    # -----------------


 

 

#    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn \


#             --source-port 43 \


#             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


 

 

#    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  \


#             -s $IPADDR --source-port $UNPRIVPORTS \


#             --destination-port 43 -j ACCEPT


 

 

    # ------------------------------------------------------------------


 

 

    # FINGER client (79)


    # ------------------


 

 

#    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn \


#             --source-port 79 \


#             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


 

 

#    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  \


#             -s $IPADDR --source-port $UNPRIVPORTS \


#             --destination-port 79 -j ACCEPT


 

 

    # ------------------------------------------------------------------


 

 

    # FTP client (21)


    # ---------------


 

 

    # outgoing request


#    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp  \


#             -s $IPADDR --source-port $UNPRIVPORTS \


#             --destination-port 21 -j ACCEPT


#


#    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp ! --syn \


#             --source-port 21 \


#             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


 

 

 

 

    # PORT mode data channel


    iptables -A INPUT  -i $EXTERNAL_INTERFACE -p tcp  --source-port 20 && \


             -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT


 

 

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn -s $IPADDR --source-port $UNPRIVPORTS && \


             --destination-port 20 -j ACCEPT


 

 

    # ------------------------------------------------------------------


 

      

      

      

      

      

      

      

      

}

 

stop() {

      chains=`cat /proc/net/ip_tables_names 2>/dev/null`

        for i in $chains; do iptables -t $i -F; done && \

                success $"Flushing all chains:" || \

                failure $"Flushing all chains:"

        for i in $chains; do iptables -t $i -X; done && \

                success $"Removing user defined chains:" || \

                failure $"Removing user defined chains:"

        echo -n $"Resetting built-in chains to the default ACCEPT policy:"

      iptables -P INPUT ACCEPT && \

         iptables -P OUTPUT ACCEPT && \

         iptables -P FORWARD ACCEPT && \

         iptables -t nat -P PREROUTING ACCEPT && \

         iptables -t nat -P POSTROUTING ACCEPT && \

         iptables -t nat -P OUTPUT ACCEPT && \

           iptables -t mangle -P PREROUTING ACCEPT && \

           iptables -t mangle -P OUTPUT ACCEPT && \

         success $"Resetting built-in chains to the default ACCEPT policy" || \

         failure $"Resetting built-in chains to the default ACCEPT policy"

      echo

      rm -f /var/lock/subsys/iptables

}

 

case "$1" in

  start)

      start

      ;;

 

  stop)

      stop

      ;;

 

  restart)

      # "restart" is really just "start" as this isn't a daemon,

      #  and "start" clears any pre-defined rules anyway.

      #  This is really only here to make those who expect it happy

      start

      ;;

 

  condrestart)

      [ -e /var/lock/subsys/iptables ] && start

      ;;

 

  status)

      echo $"Table: filter"

      iptables --list

      echo $"Table: nat"

      iptables -t nat --list

      echo $"Table: mangle"

      iptables -t mangle --list

      ;;

 

  panic)

      echo -n $"Changing target policies to DROP: "     

      iptables -P INPUT DROP && \

          iptables -P FORWARD DROP && \

          iptables -P OUTPUT DROP && \

          iptables -t nat -P PREROUTING DROP && \

          iptables -t nat -P POSTROUTING DROP && \

          iptables -t nat -P OUTPUT DROP && \

          iptables -t mangle -P PREROUTING DROP && \

          iptables -t mangle -P OUTPUT DROP && \

          success $"Changing target policies to DROP" || \

          failure $"Changing target policies to DROP"

      echo

        iptables -F INPUT && \

                iptables -F FORWARD && \

                iptables -F OUTPUT && \

                iptables -t nat -F PREROUTING && \

                iptables -t nat -F POSTROUTING && \

                iptables -t nat -F OUTPUT && \

                iptables -t mangle -F PREROUTING && \

                iptables -t mangle -F OUTPUT && \

                success $"Flushing all chains:" || \

                failure $"Flushing all chains:"

        iptables -X INPUT && \

                iptables -X FORWARD && \

                iptables -X OUTPUT && \

                iptables -t nat -X PREROUTING && \

                iptables -t nat -X POSTROUTING && \

                iptables -t nat -X OUTPUT && \

                iptables -t mangle -X PREROUTING && \

                iptables -t mangle -X OUTPUT && \

                success $"Removing user defined chains:" || \

                failure $"Removing user defined chains:"

        ;;

 

  save)

      echo -n $"Saving current rules to $IPTABLES_CONFIG: "

      touch $IPTABLES_CONFIG

      chmod 600 $IPTABLES_CONFIG

      /sbin/iptables-save -c > $IPTABLES_CONFIG  2>/dev/null && \

        success $"Saving current rules to $IPTABLES_CONFIG" || \

        failure $"Saving current rules to $IPTABLES_CONFIG"

      echo

      ;;

 

  *)

      echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"

      exit 1

esac

 

exit 0

 

 

[-- Attachment #3: errors1.txt --]
[-- Type: text/plain, Size: 5809 bytes --]

/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
iptables: No chain/target/match by that name
iptables v1.2.3: can't initialize iptables table `nat\r': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
/etc/rc.d/init.d/iptables: \r: command not found
iptables: Table does not exist (do you need to insmod?)
/etc/rc.d/init.d/iptables: \r: command not found
iptables: Bad policy name
iptables: Bad policy name
iptables: Bad policy name
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `ACCEPT\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `ACCEPT\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `ACCEPT\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `ACCEPT\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: -s: command not found
/etc/rc.d/init.d/iptables: \r: command not found
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: -i: command not found
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `MASQUERADE\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.3: Invalid target name `DROP\r'
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
/etc/rc.d/init.d/iptables: \r: command not found
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: --source-port: command not found
/etc/rc.d/init.d/iptables: -d: command not found
/etc/rc.d/init.d/iptables: \r: command not found
Try `iptables -h' or 'iptables --help' for more information.
/etc/rc.d/init.d/iptables: -s: command not found
/etc/rc.d/init.d/iptables: --destination-port: command not found
/etc/rc.d/init.d/iptables: \r: command not found

RE: I need help , please

[Ed Street]

[-- Attachment #1: Type: text/plain, Size: 1352 bytes --]

Hello,
 
First this script is not coded that well (not clean at all) second I
would recommend changing scripts.  If you are going to keep this script
I would urge you to do some serious house cleaning.  For the errors you
can put breakpoints thru the script to determine the problems (bet
there's several here)
 
This type of script is not something you should just pick up and run
blindly.
 
Ed
 
-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of david
Sent: Friday, July 05, 2002 4:01 AM
To: mimom@rcn.com; George Vieira; jesse.linux
Cc: netfilter@lists.samba.org
Subject: Fw: I need help , please
 
Hi:
 
George and Jesse:
 
Here i am sending you all that I have done:
KERNEL
Enable loadble modulo support   Y
Network packet Filtering  Y
IP netfilter configuration   Y
IP table support   Y
 
everything else as modules.
 
make bzImage
make modules
make modules_Install
reboot
uname -a
========================================================================
=======
 
chkconfig --level 0123456 ipchains off
/etc/rc.d/init.d/ipchains stop
chkconfig --level 2345 iptables on
/etc/rc.d/init.d/iptables start
========================================================================
=====
 
Here are my script (/etc/rc.d/init.d/iptables) and the errors.
 
david
 
Thanks to all of you

[-- Attachment #2: Type: text/html, Size: 11454 bytes --]

Re: I need help , please

[david]

[-- Attachment #1: Type: text/plain, Size: 2129 bytes --]

OK , I agree.In fact I  am just trying.
I heve tested a simpler script :

# Standard default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

am here you have the output.
/etc/rc.d/init.d/iptables : command not found
iptables: bad police name
iptables: bad police name
iptables: bad police name
/etc/rc.d/init.d/iptables : command not found


  ----- Original Message ----- 
  From: Ed Street 
  Cc: netfilter@lists.samba.org 
  Sent: Friday, July 05, 2002 4:23 PM
  Subject: RE: I need help , please


  Hello,

   

  First this script is not coded that well (not clean at all) second I would recommend changing scripts.  If you are going to keep this script I would urge you to do some serious house cleaning.  For the errors you can put breakpoints thru the script to determine the problems (bet there's several here)

   

  This type of script is not something you should just pick up and run blindly.

   

  Ed

   

  -----Original Message-----
  From: netfilter-admin@lists.samba.org [mailto:netfilter-admin@lists.samba.org] On Behalf Of david
  Sent: Friday, July 05, 2002 4:01 AM
  To: mimom@rcn.com; George Vieira; jesse.linux
  Cc: netfilter@lists.samba.org
  Subject: Fw: I need help , please

   

  Hi:

   

  George and Jesse:

   

  Here i am sending you all that I have done:

  KERNEL

  Enable loadble modulo support   Y

  Network packet Filtering  Y

  IP netfilter configuration   Y

  IP table support   Y

   

  everything else as modules.

   

  make bzImage

  make modules

  make modules_Install

  reboot

  uname -a

  ===============================================================================

   

  chkconfig --level 0123456 ipchains off

  /etc/rc.d/init.d/ipchains stop

  chkconfig --level 2345 iptables on

  /etc/rc.d/init.d/iptables start

  =============================================================================

   

  Here are my script (/etc/rc.d/init.d/iptables) and the errors.

   

  david

   

  Thanks to all of you


[-- Attachment #2: Type: text/html, Size: 13451 bytes --]

Re: I need help , please

[Antony Stone]

On Friday 05 July 2002 10:25 am, david wrote:

> OK , I agree.In fact I  am just trying.
> I heve tested a simpler script :
>
> # Standard default policies
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> am here you have the output.
> /etc/rc.d/init.d/iptables : command not found
> iptables: bad police name
> iptables: bad police name
> iptables: bad police name
> /etc/rc.d/init.d/iptables : command not found

Do you have . in your path ???   It looks to me as though you're in 
/etc/rc.d/init.d when you type this, and it's trying to run the iptables 
script in the local directory instead of the iptables binary in /sbin

What happens if you cd to /root and type
iptables -P INPUT DROP

 

Antony.

Re: I need help , please

[david]

iptables:Bad built-in change name

david




 ----- Original Message ----- 
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.samba.org>
Sent: Friday, July 05, 2002 6:00 PM
Subject: Re: I need help , please


> On Friday 05 July 2002 10:25 am, david wrote:
> 
> > OK , I agree.In fact I  am just trying.
> > I heve tested a simpler script :
> >
> > # Standard default policies
> > iptables -P INPUT DROP
> > iptables -P FORWARD DROP
> > iptables -P OUTPUT DROP
> >
> > am here you have the output.
> > /etc/rc.d/init.d/iptables : command not found
> > iptables: bad police name
> > iptables: bad police name
> > iptables: bad police name
> > /etc/rc.d/init.d/iptables : command not found
> 
> Do you have . in your path ???   It looks to me as though you're in 
> /etc/rc.d/init.d when you type this, and it's trying to run the iptables 
> script in the local directory instead of the iptables binary in /sbin
> 
> What happens if you cd to /root and type
> iptables -P INPUT DROP
> 
>  
> 
> Antony.

Re: I need help , please

[Antony Stone]

On Friday 05 July 2002 11:18 am, david wrote:

> iptables:Bad built-in change name

What *exactly* did you type (punctuation as well) and what *exactly* is the 
response ?

The command I want you to try is

iptables -P INPUT DROP

That is:
"iptables" in lower case
a space
a hyphen or minus sign
a capital P
a space
"INPUT" in capitals
a space
"DROP" in capitals
<enter>.

If you really do get an error in response to this, your system is very sick.

 

Antony.

>  ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: <netfilter@lists.samba.org>
> Sent: Friday, July 05, 2002 6:00 PM
> Subject: Re: I need help , please
>
> > On Friday 05 July 2002 10:25 am, david wrote:
> > > OK , I agree.In fact I  am just trying.
> > > I heve tested a simpler script :
> > >
> > > # Standard default policies
> > > iptables -P INPUT DROP
> > > iptables -P FORWARD DROP
> > > iptables -P OUTPUT DROP
> > >
> > > am here you have the output.
> > > /etc/rc.d/init.d/iptables : command not found
> > > iptables: bad police name
> > > iptables: bad police name
> > > iptables: bad police name
> > > /etc/rc.d/init.d/iptables : command not found
> >
> > Do you have . in your path ???   It looks to me as though you're in
> > /etc/rc.d/init.d when you type this, and it's trying to run the iptables
> > script in the local directory instead of the iptables binary in /sbin
> >
> > What happens if you cd to /root and type
> > iptables -P INPUT DROP
> >
> >
> >
> > Antony.

Re: I need help , please

[david]

Antony;

#iptables -P INPUD DROP
iptables:Bad built in chain name

if I turn to:
#iptables -P inpud DROP
iptables:Bad built in chain name

if I try:
#iptables -p inpud DROP
iptables v1.2.3: unknown protocol `inpud` specified

thanks again tony

david

----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.samba.org>
Sent: Friday, July 05, 2002 6:35 PM
Subject: Re: I need help , please


> On Friday 05 July 2002 11:18 am, david wrote:
>
> > iptables:Bad built-in change name
>
> What *exactly* did you type (punctuation as well) and what *exactly* is
the
> response ?
>
> The command I want you to try is
>
> iptables -P INPUT DROP
>
> That is:
> "iptables" in lower case
> a space
> a hyphen or minus sign
> a capital P
> a space
> "INPUT" in capitals
> a space
> "DROP" in capitals
> <enter>.
>
> If you really do get an error in response to this, your system is very
sick.
>
>
>
> Antony.
>
> >  ----- Original Message -----
> > From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> > To: <netfilter@lists.samba.org>
> > Sent: Friday, July 05, 2002 6:00 PM
> > Subject: Re: I need help , please
> >
> > > On Friday 05 July 2002 10:25 am, david wrote:
> > > > OK , I agree.In fact I  am just trying.
> > > > I heve tested a simpler script :
> > > >
> > > > # Standard default policies
> > > > iptables -P INPUT DROP
> > > > iptables -P FORWARD DROP
> > > > iptables -P OUTPUT DROP
> > > >
> > > > am here you have the output.
> > > > /etc/rc.d/init.d/iptables : command not found
> > > > iptables: bad police name
> > > > iptables: bad police name
> > > > iptables: bad police name
> > > > /etc/rc.d/init.d/iptables : command not found
> > >
> > > Do you have . in your path ???   It looks to me as though you're in
> > > /etc/rc.d/init.d when you type this, and it's trying to run the
iptables
> > > script in the local directory instead of the iptables binary in /sbin
> > >
> > > What happens if you cd to /root and type
> > > iptables -P INPUT DROP
> > >
> > >
> > >
> > > Antony.

RE: I need help , please

[Joe Patterson]

next tell us the output of these commands:

which iptables
file `which iptables`

and did you mean to mis-spell INPUT as INPUD?

-Joe


> -----Original Message-----
> From: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org]On Behalf Of david
> Sent: Friday, July 05, 2002 6:37 AM
> To: Antony Stone
> Cc: netfilter@lists.samba.org
> Subject: Re: I need help , please
> 
> 
> Antony;
> 
> #iptables -P INPUD DROP
> iptables:Bad built in chain name
> 
> if I turn to:
> #iptables -P inpud DROP
> iptables:Bad built in chain name
> 
> if I try:
> #iptables -p inpud DROP
> iptables v1.2.3: unknown protocol `inpud` specified
> 
> thanks again tony
> 
> david
> 
> ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: <netfilter@lists.samba.org>
> Sent: Friday, July 05, 2002 6:35 PM
> Subject: Re: I need help , please
> 
> 
> > On Friday 05 July 2002 11:18 am, david wrote:
> >
> > > iptables:Bad built-in change name
> >
> > What *exactly* did you type (punctuation as well) and what *exactly* is
> the
> > response ?
> >
> > The command I want you to try is
> >
> > iptables -P INPUT DROP
> >
> > That is:
> > "iptables" in lower case
> > a space
> > a hyphen or minus sign
> > a capital P
> > a space
> > "INPUT" in capitals
> > a space
> > "DROP" in capitals
> > <enter>.
> >
> > If you really do get an error in response to this, your system is very
> sick.
> >
> >
> >
> > Antony.
> >
> > >  ----- Original Message -----
> > > From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> > > To: <netfilter@lists.samba.org>
> > > Sent: Friday, July 05, 2002 6:00 PM
> > > Subject: Re: I need help , please
> > >
> > > > On Friday 05 July 2002 10:25 am, david wrote:
> > > > > OK , I agree.In fact I  am just trying.
> > > > > I heve tested a simpler script :
> > > > >
> > > > > # Standard default policies
> > > > > iptables -P INPUT DROP
> > > > > iptables -P FORWARD DROP
> > > > > iptables -P OUTPUT DROP
> > > > >
> > > > > am here you have the output.
> > > > > /etc/rc.d/init.d/iptables : command not found
> > > > > iptables: bad police name
> > > > > iptables: bad police name
> > > > > iptables: bad police name
> > > > > /etc/rc.d/init.d/iptables : command not found
> > > >
> > > > Do you have . in your path ???   It looks to me as though you're in
> > > > /etc/rc.d/init.d when you type this, and it's trying to run the
> iptables
> > > > script in the local directory instead of the iptables 
> binary in /sbin
> > > >
> > > > What happens if you cd to /root and type
> > > > iptables -P INPUT DROP
> > > >
> > > >
> > > >
> > > > Antony.
> 
> 
> 
> 

Re: I need help , please

[david]

which iptables
/sbin/iptables

Let me say you something.I have a smp kernel(simetric multi procesor kernel)
, maybe that is the reason


----- Original Message -----
From: "Joe Patterson" <jpatterson@asgardgroup.com>
To: "david" <david@aid.inf.cu>; "Antony Stone" <Antony@Soft-Solutions.co.uk>
Cc: <netfilter@lists.samba.org>
Sent: Friday, July 05, 2002 6:45 PM
Subject: RE: I need help , please


> next tell us the output of these commands:
>
> which iptables
> file `which iptables`
>
> and did you mean to mis-spell INPUT as INPUD?
>
> -Joe
>
>
> > -----Original Message-----
> > From: netfilter-admin@lists.samba.org
> > [mailto:netfilter-admin@lists.samba.org]On Behalf Of david
> > Sent: Friday, July 05, 2002 6:37 AM
> > To: Antony Stone
> > Cc: netfilter@lists.samba.org
> > Subject: Re: I need help , please
> >
> >
> > Antony;
> >
> > #iptables -P INPUD DROP
> > iptables:Bad built in chain name
> >
> > if I turn to:
> > #iptables -P inpud DROP
> > iptables:Bad built in chain name
> >
> > if I try:
> > #iptables -p inpud DROP
> > iptables v1.2.3: unknown protocol `inpud` specified
> >
> > thanks again tony
> >
> > david
> >
> > ----- Original Message -----
> > From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> > To: <netfilter@lists.samba.org>
> > Sent: Friday, July 05, 2002 6:35 PM
> > Subject: Re: I need help , please
> >
> >
> > > On Friday 05 July 2002 11:18 am, david wrote:
> > >
> > > > iptables:Bad built-in change name
> > >
> > > What *exactly* did you type (punctuation as well) and what *exactly*
is
> > the
> > > response ?
> > >
> > > The command I want you to try is
> > >
> > > iptables -P INPUT DROP
> > >
> > > That is:
> > > "iptables" in lower case
> > > a space
> > > a hyphen or minus sign
> > > a capital P
> > > a space
> > > "INPUT" in capitals
> > > a space
> > > "DROP" in capitals
> > > <enter>.
> > >
> > > If you really do get an error in response to this, your system is very
> > sick.
> > >
> > >
> > >
> > > Antony.
> > >
> > > >  ----- Original Message -----
> > > > From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> > > > To: <netfilter@lists.samba.org>
> > > > Sent: Friday, July 05, 2002 6:00 PM
> > > > Subject: Re: I need help , please
> > > >
> > > > > On Friday 05 July 2002 10:25 am, david wrote:
> > > > > > OK , I agree.In fact I  am just trying.
> > > > > > I heve tested a simpler script :
> > > > > >
> > > > > > # Standard default policies
> > > > > > iptables -P INPUT DROP
> > > > > > iptables -P FORWARD DROP
> > > > > > iptables -P OUTPUT DROP
> > > > > >
> > > > > > am here you have the output.
> > > > > > /etc/rc.d/init.d/iptables : command not found
> > > > > > iptables: bad police name
> > > > > > iptables: bad police name
> > > > > > iptables: bad police name
> > > > > > /etc/rc.d/init.d/iptables : command not found
> > > > >
> > > > > Do you have . in your path ???   It looks to me as though you're
in
> > > > > /etc/rc.d/init.d when you type this, and it's trying to run the
> > iptables
> > > > > script in the local directory instead of the iptables
> > binary in /sbin
> > > > >
> > > > > What happens if you cd to /root and type
> > > > > iptables -P INPUT DROP
> > > > >
> > > > >
> > > > >
> > > > > Antony.
> >
> >
> >
> >

Re: I need help , please

[Antony Stone]

On Friday 05 July 2002 1:50 pm, david wrote:

> which iptables
> /sbin/iptables

Okay, and what is the answer to
file `which iptables`

What is the response to
iptables -P INPUT DROP

What is the result of
echo $PATH

> Let me say you something.I have a smp kernel(simetric multi procesor
> kernel) , maybe that is the reason

No, iptables works fine on SMP machines.

 

Antony.

> ----- Original Message -----
> From: "Joe Patterson" <jpatterson@asgardgroup.com>
> To: "david" <david@aid.inf.cu>; "Antony Stone"
> <Antony@Soft-Solutions.co.uk> Cc: <netfilter@lists.samba.org>
> Sent: Friday, July 05, 2002 6:45 PM
> Subject: RE: I need help , please
>
> > next tell us the output of these commands:
> >
> > which iptables
> > file `which iptables`
> >
> > and did you mean to mis-spell INPUT as INPUD?
> >
> > -Joe

Re: I need help , please

[Antony Stone]

On Friday 05 July 2002 5:45 pm, Joe Patterson wrote:

> next tell us the output of these commands:
>
> which iptables
> file `which iptables`

I think we should point out that the ` symbols above are the backtick 
character (probably at the top left of your keyboard), and not the apostrophe.

Also, please can you tell us what you get in response to
echo $PATH

 

Antony.

Re: I need help , please

[david]

Tony:

#echo $PATH
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:
/root/bin

how you can see iptables is in the PATH


david


----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.samba.org>
Sent: Friday, July 05, 2002 6:54 PM
Subject: Re: I need help , please


> On Friday 05 July 2002 5:45 pm, Joe Patterson wrote:
>
> > next tell us the output of these commands:
> >
> > which iptables
> > file `which iptables`
>
> I think we should point out that the ` symbols above are the backtick
> character (probably at the top left of your keyboard), and not the
apostrophe.
>
> Also, please can you tell us what you get in response to
> echo $PATH
>
>
>
> Antony.

Re: I need help , please

[Antony Stone]

On Friday 05 July 2002 1:56 pm, david wrote:

> Tony:
>
> #echo $PATH
> /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
>: /root/bin
>
> how you can see iptables is in the PATH

Okay, that's good.   I was concerned that you might have . in your path, so 
that commands in the local directory were getting executed instead of the 
ones in /sbin./bin etc.

By the way, did you ever try the list of rules I posted in 
http://lists.samba.org/pipermail/netfilter/2002-July/024548.html ?

 

Antony.

> ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: <netfilter@lists.samba.org>
> Sent: Friday, July 05, 2002 6:54 PM
> Subject: Re: I need help , please
>
> > On Friday 05 July 2002 5:45 pm, Joe Patterson wrote:
> > > next tell us the output of these commands:
> > >
> > > which iptables
> > > file `which iptables`
> >
> > I think we should point out that the ` symbols above are the backtick
> > character (probably at the top left of your keyboard), and not the
>
> apostrophe.
>
> > Also, please can you tell us what you get in response to
> > echo $PATH
> >
> >
> >
> > Antony.

Re: I need help , please

[david]

Yes tony ,but I do not know what to do with these rules .I put these in the
/etc/rc.d/init.d/iptables script , in  the start section of the script and
then what i do is :

service iptables save
/etc/rc.d/init.d/iptables restart

and I got all those errors message.

Maybe I am doing something wrong with putting these rules in the script.

Thanks  a lot for all your advise and your time to me.
david





----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.samba.org>
Sent: Friday, July 05, 2002 9:14 PM
Subject: Re: I need help , please


> On Friday 05 July 2002 1:56 pm, david wrote:
>
> > Tony:
> >
> > #echo $PATH
> >
/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin
> >: /root/bin
> >
> > how you can see iptables is in the PATH
>
> Okay, that's good.   I was concerned that you might have . in your path,
so
> that commands in the local directory were getting executed instead of the
> ones in /sbin./bin etc.
>
> By the way, did you ever try the list of rules I posted in
> http://lists.samba.org/pipermail/netfilter/2002-July/024548.html ?
>
>
>
> Antony.
>
> > ----- Original Message -----
> > From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> > To: <netfilter@lists.samba.org>
> > Sent: Friday, July 05, 2002 6:54 PM
> > Subject: Re: I need help , please
> >
> > > On Friday 05 July 2002 5:45 pm, Joe Patterson wrote:
> > > > next tell us the output of these commands:
> > > >
> > > > which iptables
> > > > file `which iptables`
> > >
> > > I think we should point out that the ` symbols above are the backtick
> > > character (probably at the top left of your keyboard), and not the
> >
> > apostrophe.
> >
> > > Also, please can you tell us what you get in response to
> > > echo $PATH
> > >
> > >
> > >
> > > Antony.

Re: I need help , please

[Antony Stone]

On Friday 05 July 2002 2:54 pm, david wrote:

> Yes Antony ,but I do not know what to do with these rules

Simple.   Put them in a script, on their own, and run it.   See if it does 
what you want.

> .I put these in the
> /etc/rc.d/init.d/iptables script , in  the start section of the script and
> then what i do is :
>
> service iptables save
> /etc/rc.d/init.d/iptables restart

I cannot comment on this because I don't do that on my system.   Why do you 
do that on yours ?

> and I got all those errors message.
>
> Maybe I am doing something wrong with putting these rules in the script.

Is there something else in the script which could be causing the problems ?

 

Antony.

Re: I need help , please

[david]

Tony:

When I write these rules in the command line all is OK and  the rules works
fine.
But if I put the same rules in a script :

#!/bin/bash
# Standard default policies
iptables -P INPUT DROP


iptables -P FORWARD DROP
iptables -P OUTPUT DROP

I got these errors

iptables :Bad police name
iptables :Bad police name
iptables :Bad police name


Then what?

david

----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.samba.org>
Sent: Friday, July 05, 2002 10:11 PM
Subject: Re: I need help , please


> On Friday 05 July 2002 2:54 pm, david wrote:
>
> > Yes Antony ,but I do not know what to do with these rules
>
> Simple.   Put them in a script, on their own, and run it.   See if it does
> what you want.
>
> > .I put these in the
> > /etc/rc.d/init.d/iptables script , in  the start section of the script
and
> > then what i do is :
> >
> > service iptables save
> > /etc/rc.d/init.d/iptables restart
>
> I cannot comment on this because I don't do that on my system.   Why do
you
> do that on yours ?
>
> > and I got all those errors message.
> >
> > Maybe I am doing something wrong with putting these rules in the script.
>
> Is there something else in the script which could be causing the problems
?
>
>
>
> Antony.

Re: I need help , please

[Antony Stone]

On Friday 05 July 2002 3:44 pm, david wrote:

> Tony:
>
> When I write these rules in the command line all is OK and  the rules works
> fine.

Good.   This is progress.

> But if I put the same rules in a script :
>
> #!/bin/bash
> # Standard default policies
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> I got these errors
>
> iptables :Bad police name
> iptables :Bad police name
> iptables :Bad police name
>
> Then what?

What is the output of this command ?

find  /  -name  iptables

 

Antony.

Re: I need help , please

[Antony Stone]

On Friday 05 July 2002 3:44 pm, david wrote:

> When I write these rules in the command line all is OK and  the rules works
> fine.
> But if I put the same rules in a script :
>
> #!/bin/bash
> # Standard default policies
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
>
> I got these errors
>
> iptables :Bad police name
> iptables :Bad police name
> iptables :Bad police name

What name did you call the script ?

Where did you put the script ?

How did you run the script ?

Does the same thing happen if you change all occurences of 'iptables' inside 
the script for '/sbin/iptables' instead ?

 

Antony.

Re: I need help , please

[Wayne Topa]

david(david@aid.inf.cu) is reported to have said:
> Tony:
> 
> When I write these rules in the command line all is OK and  the rules works
> fine.
> But if I put the same rules in a script :
> 
> #!/bin/bash
Add
IPTABLES=/sbin/iptables  #(Or where your iptables binary is)
> # Standard default policies

Change iptables to $IPTABLES

$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP

> iptables -P INPUT DROP
> 
> 
> iptables -P FORWARD DROP
> iptables -P OUTPUT DROP
> 
-- 
I haven't lost my mind; it's backed up on tape somewhere.
_______________________________________________________

Re: I need help , please

[Antony Stone]

On Friday 05 July 2002 11:37 am, david wrote:

> Antony;
>
> #iptables -P INPUD DROP
> iptables:Bad built in chain name

Okay, now type it with a 'T' next time.

 

Antony.

> ----- Original Message -----
> From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> To: <netfilter@lists.samba.org>
> Sent: Friday, July 05, 2002 6:35 PM
> Subject: Re: I need help , please
>
> > On Friday 05 July 2002 11:18 am, david wrote:
> > > iptables:Bad built-in change name
> >
> > What *exactly* did you type (punctuation as well) and what *exactly* is
> > the response ?
> >
> > The command I want you to try is
> >
> > iptables -P INPUT DROP
> >
> > That is:
> > "iptables" in lower case
> > a space
> > a hyphen or minus sign
> > a capital P
> > a space
> > "INPUT" in capitals
> > a space
> > "DROP" in capitals
> > <enter>.
> >
> > If you really do get an error in response to this, your system is very
> > sick.
>
> > Antony.

RE: I need help , please

[Ed Street]

Try INPUT
;)

Ed

-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] On Behalf Of david
Sent: Friday, July 05, 2002 6:37 AM
To: Antony Stone
Cc: netfilter@lists.samba.org
Subject: Re: I need help , please

Antony;

#iptables -P INPUD DROP
iptables:Bad built in chain name

if I turn to:
#iptables -P inpud DROP
iptables:Bad built in chain name

if I try:
#iptables -p inpud DROP
iptables v1.2.3: unknown protocol `inpud` specified

thanks again tony

david

----- Original Message -----
From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
To: <netfilter@lists.samba.org>
Sent: Friday, July 05, 2002 6:35 PM
Subject: Re: I need help , please


> On Friday 05 July 2002 11:18 am, david wrote:
>
> > iptables:Bad built-in change name
>
> What *exactly* did you type (punctuation as well) and what *exactly*
is
the
> response ?
>
> The command I want you to try is
>
> iptables -P INPUT DROP
>
> That is:
> "iptables" in lower case
> a space
> a hyphen or minus sign
> a capital P
> a space
> "INPUT" in capitals
> a space
> "DROP" in capitals
> <enter>.
>
> If you really do get an error in response to this, your system is very
sick.
>
>
>
> Antony.
>
> >  ----- Original Message -----
> > From: "Antony Stone" <Antony@Soft-Solutions.co.uk>
> > To: <netfilter@lists.samba.org>
> > Sent: Friday, July 05, 2002 6:00 PM
> > Subject: Re: I need help , please
> >
> > > On Friday 05 July 2002 10:25 am, david wrote:
> > > > OK , I agree.In fact I  am just trying.
> > > > I heve tested a simpler script :
> > > >
> > > > # Standard default policies
> > > > iptables -P INPUT DROP
> > > > iptables -P FORWARD DROP
> > > > iptables -P OUTPUT DROP
> > > >
> > > > am here you have the output.
> > > > /etc/rc.d/init.d/iptables : command not found
> > > > iptables: bad police name
> > > > iptables: bad police name
> > > > iptables: bad police name
> > > > /etc/rc.d/init.d/iptables : command not found
> > >
> > > Do you have . in your path ???   It looks to me as though you're
in
> > > /etc/rc.d/init.d when you type this, and it's trying to run the
iptables
> > > script in the local directory instead of the iptables binary in
/sbin
> > >
> > > What happens if you cd to /root and type
> > > iptables -P INPUT DROP
> > >
> > >
> > >
> > > Antony.

Re: I need help , please

[Wayne Topa]

david(david@aid.inf.cu) is reported to have said:
> Antony;
> 
> #iptables -P INPUD DROP
               INPUD???  INPUT
> iptables:Bad built in chain name
> 
> if I turn to:
> #iptables -P inpud DROP
> iptables:Bad built in chain name


-- 
Everyone can be taught to sculpt: Michelangelo would have had to be
taught how __not to.  So it is with the great programmers.
_______________________________________________________

Re: I need help , please

[Adam D. Barratt]

Antony Stone wrote:

> On Friday 05 July 2002 11:18 am, david wrote:
>
> > iptables:Bad built-in change name
>
> What *exactly* did you type (punctuation as well) and what *exactly*
is the
> response ?
[..]
> If you really do get an error in response to this, your system is
very sick.

I'm assuming David's translating / mistyping the error messages, or
it's very sick indeed. ;-)

Adam

RE: I need help , please

[George Vieira]

[-- Attachment #1: Type: text/plain, Size: 2037 bytes --]

Check using `lsmod` that ipchains isn't loaded. RedHat starts BOTH ipchains
and iptables in the setup so of course ipchains starts first and then
iptables gives errors..
 
rmmod ipchains
/etc/init.d/iptables restart
 

thanks,
George Vieira
Systems Manager
Citadel Computer Systems P/L
http://www.citadelcomputer.com.au <http://www.citadelcomputer.com.au/> 

-----Original Message-----
From: david [mailto:david@aid.inf.cu]
Sent: Thursday, 04 July 2002 6:39 PM
To: jesse.linux
Cc: netfilter@lists.samba.org
Subject: Re: I need help , please


It was a mistake.What I do is
 
# service iptables save
after that  I got a new file in /etc/sysconfig/iptables .
and then :
#/etc/rc.d/init.d/iptables restart 2>salida8
.And here you see all the errors.
 
david
 
 
 
 
 

----- Original Message ----- 
From: jesse.linux <mailto:jdelima@inq7.net>  
To: david@aid.inf.cu <mailto:david@aid.inf.cu>  
Sent: Thursday, July 04, 2002 8:13 AM
Subject: RE: I need help , please

if u want to use iptables, why did u restart ipchains?...
 
pls give more info...
 
From: "david" < david@aid.inf.cu <mailto:david@aid.inf.cu> >
To: < netfilter@lists.samba.org <mailto:netfilter@lists.samba.org> >
Subject:  I need help , please
Date: Wed, 3 Jul 2002 08:47:57 +0200

This is a multi-part message in MIME format.

------=_NextPart_000_0053_01C2226E.542764D0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_0054_01C2226E.542764D0"


------=_NextPart_001_0054_01C2226E.542764D0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hi:
=20
I have been using ipchains for a long time , but know i want to turn to =
iptables.
I have a script file in /etc/rc.d/init.d/iptables

What I do is :

# service iptables save
=20
after that  I got a new file in /etc/sysconfig/iptables .
and then :

#/etc/rc.d/init.d/ipchains restart
=20
First I got a lot of errrors and  it does not seem to apply my rules, =
because if for example ,I comment (#) the rules for http client , it =
allow me to get the web anyway.


[-- Attachment #2: Type: text/html, Size: 4187 bytes --]

Re: I need help , please

[david]

[-- Attachment #1: Type: text/plain, Size: 1541 bytes --]

Yes , the kernel has  iptable enable:

Network packet filtering Y
IP netfilter configuration Y
IP tables support Y

and all the others components are compiled like modules

  ----- Original Message ----- 
  From: Michael Mimo 
  To: david 
  Sent: Thursday, July 04, 2002 10:10 PM
  Subject: Re: I need help , please


  i am trying to help, but what I need are a copy of the errors you are getting. Also, I need to know if the kernel has iptables enabled. 
    ----- Original Message ----- 
    From: david 
    To: Michael Mimo 
    Sent: Thursday, July 04, 2002 9:43 AM
    Subject: Re: I need help , please


    here they are
    thanks

    david
      ----- Original Message ----- 
      From: Michael Mimo 
      To: david 
      Sent: Thursday, July 04, 2002 9:03 PM
      Subject: Re: I need help , please


      can you print the erros in an e-mail I am having trouble opening the file you sent. by the way did you verify that the kernel has iptables enabled?
        ----- Original Message ----- 
        From: david 
        To: Michael Mimo 
        Sent: Thursday, July 04, 2002 4:51 AM
        Subject: Re: I need help , please


        Here they are.
        thank

        david
          ----- Original Message ----- 
          From: Michael Mimo 
          To: david@aid.inf.cu 
          Sent: Thursday, July 04, 2002 5:48 AM
          Subject: RE: I need help , please


          what errors did you get. Did you compile the kernel of 7.2 with iptables enabled?

[-- Attachment #2: Type: text/html, Size: 5436 bytes --]

I need help , please

[david]

[-- Attachment #1.1: Type: text/plain, Size: 521 bytes --]

Hi:
 
I have been using ipchains for a long time , but know i want to turn to iptables.
I have a script file in /etc/rc.d/init.d/iptables

What I do is :

# service iptables save
 
after that  I got a new file in /etc/sysconfig/iptables .
and then :

#/etc/rc.d/init.d/ipchains restart
 
First I got a lot of errrors and  it does not seem to apply my rules, because if for example ,I comment (#) the rules for http client , it allow me to get the web anyway.
 
I use Red Hat 7.2 and Here's my script,
 

[-- Attachment #1.2: Type: text/html, Size: 1470 bytes --]

[-- Attachment #2: Iptables.zip --]
[-- Type: application/x-compressed, Size: 5119 bytes --]