Why would these rules cause errors only sometimes?

Why would these rules cause errors only sometimes?

[Tasha Smith]

Hiii,

Can someone tell me why these rules will only casue errors "sometimes"? I ran my
script before and it worked fine. But then i added a few more log polocies
and drop rules and then i get errors. I know its these rules casue when i #
commented them out the script it ran properly again and it happened before but
it fixed itself somehow. Here are the rules that are casue the error:

iptables -A OUPUT -o eth0 -p tcp \
         -s eth0 --sport 1024:65535 \
         --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp \
         --sport 80 \
         -d eth0 --dport 1024:65535 -j ACCEPT


iptables -A INPUT -i eth0 -p udp \
         -s 122.xx.xxx.xx  --sport 67 \
         --dport 68 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp \
         -s eth0 --sport 68 \
         -d 122.xx.xxx.xx --dport 67 -j ACCEPT


Here the error i get:
iptables v1.2.7a: host/network  `eth0' not found
Try iptables `iptables -h' or `iptables --help for more infomation'
iptables v1.2.7a: host/network  `eth0' not found
Try iptables `iptables -h' or `iptables --help for more infomation'
iptables v1.2.7a: host/network  `eth0' not found
Try iptables `iptables -h' or `iptables --help for more infomation'

Here are the rules i added and they work fine when i comment out the above
rules!
iptables -t nat --policy PREROUTING -j DROP
iptables -t nat --policy OUPUT -j DROP
iptables -t nat --policy POSTROUTING -j DROP


how can i fix this? thanks guys! i have a dynamic ip address and i cant get pump
to work thats why i using eth0 instaead of an IP adress! 


__________________________________________________
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/

Re: Why would these rules cause errors only sometimes?

[Boryan Yotov]

Hello,

Your problem is very simple:
-s and -d parametres requires IP address(/netmask) or Host Name while 
you use ethernet device.

e.g. eth0, eth1, xl0 and etc. are the available ethernet devices as 
shown when you issue ifconfig at the shell prompt.
IPv4 Address is 192.168.0.0 10.0.0.1 and etc.
Hostname is www.netfilter.org.

In other words use -s (source IP) and -d (destination IP) with IP adress 
or hostname but -o (output device) and -i (input device) with eth0 and 
the other devices.

Your rules must look like the following:

eth0_ip_address="xxx.xxx.xxx.xxx"

iptables -A OUPUT -o eth0 -p tcp \
         -s $eth0_ip_address --sport 1024:65535 \
         --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp \
         --sport 80 \
         -d $eth0_ip_address --dport 1024:65535 -j ACCEPT

iptables -A INPUT -i eth0 -p udp \
         -s 122.xx.xxx.xx  --sport 67 \
         --dport 68 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp \
         -s $eth0_ip_address --sport 68 \
         -d 122.xx.xxx.xx --dport 67 -j ACCEPT

Regards ;)

Tasha Smith wrote:

>Hiii,
>
>Can someone tell me why these rules will only casue errors "sometimes"? I ran my
>script before and it worked fine. But then i added a few more log polocies
>and drop rules and then i get errors. I know its these rules casue when i #
>commented them out the script it ran properly again and it happened before but
>it fixed itself somehow. Here are the rules that are casue the error:
>
>iptables -A OUPUT -o eth0 -p tcp \
>         -s eth0 --sport 1024:65535 \
>         --dport 80 -j ACCEPT
>iptables -A INPUT -i eth0 -p tcp \
>         --sport 80 \
>         -d eth0 --dport 1024:65535 -j ACCEPT
>
>
>iptables -A INPUT -i eth0 -p udp \
>         -s 122.xx.xxx.xx  --sport 67 \
>         --dport 68 -j ACCEPT
>iptables -A OUTPUT -o eth0 -p udp \
>         -s eth0 --sport 68 \
>         -d 122.xx.xxx.xx --dport 67 -j ACCEPT
>
>
>Here the error i get:
>iptables v1.2.7a: host/network  `eth0' not found
>Try iptables `iptables -h' or `iptables --help for more infomation'
>iptables v1.2.7a: host/network  `eth0' not found
>Try iptables `iptables -h' or `iptables --help for more infomation'
>iptables v1.2.7a: host/network  `eth0' not found
>Try iptables `iptables -h' or `iptables --help for more infomation'
>
>Here are the rules i added and they work fine when i comment out the above
>rules!
>iptables -t nat --policy PREROUTING -j DROP
>iptables -t nat --policy OUPUT -j DROP
>iptables -t nat --policy POSTROUTING -j DROP
>
>
>how can i fix this? thanks guys! i have a dynamic ip address and i cant get pump
>to work thats why i using eth0 instaead of an IP adress! 
>
>
>__________________________________________________
>Do you Yahoo!?
>Y! Web Hosting - Let the expert host your web site
>http://webhosting.yahoo.com/
>
>
>
>  
>

Re: Why would these rules cause errors only sometimes?

[Tasha Smith]

---OK...but the only problem is i have a DYNAMIC ip adress. Soo it changes and
soo if i put an Ip adress i have right now in my script where eth0 is it will
change and then it will block me from the net? How can i get it to update my ip
adress in script when it changes!


__________________________________________________
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/

Re: Why would these rules cause errors only sometimes?

[Boryan Yotov]

Sorry I didn't read your mail until the end :)
Concerning the dynamic IP address a little trick should do the work 
until you got "pump" working:

in your /etc/rc.d/rc.iptables or whatever shell script you use to setup 
your firewall you could use the following to retrieve you ipaddress:

#!/bin/sh
....
#The following could work for ppp device as well just change it a little :)
eth0_address=`ifconfig eth0 | grep "inet addr" | awk '{print $2}' | sed 
's/addr://'`

....
#And simple rule should look like:
iptables -A INPUT -p tcp -d $eth0_address --dport 80 -j REJECT 
--reject-with tcp-reset

Note: of course you need to restart your firewall rules after you gain a 
new IP address on that interface but atleast you don't need to edit your 
rules again :)

Tasha Smith wrote:

>Hiii,
>
>Can someone tell me why these rules will only casue errors "sometimes"? I ran my
>script before and it worked fine. But then i added a few more log polocies
>and drop rules and then i get errors. I know its these rules casue when i #
>commented them out the script it ran properly again and it happened before but
>it fixed itself somehow. Here are the rules that are casue the error:
>
>iptables -A OUPUT -o eth0 -p tcp \
>         -s eth0 --sport 1024:65535 \
>         --dport 80 -j ACCEPT
>iptables -A INPUT -i eth0 -p tcp \
>         --sport 80 \
>         -d eth0 --dport 1024:65535 -j ACCEPT
>
>
>iptables -A INPUT -i eth0 -p udp \
>         -s 122.xx.xxx.xx  --sport 67 \
>         --dport 68 -j ACCEPT
>iptables -A OUTPUT -o eth0 -p udp \
>         -s eth0 --sport 68 \
>         -d 122.xx.xxx.xx --dport 67 -j ACCEPT
>
>
>Here the error i get:
>iptables v1.2.7a: host/network  `eth0' not found
>Try iptables `iptables -h' or `iptables --help for more infomation'
>iptables v1.2.7a: host/network  `eth0' not found
>Try iptables `iptables -h' or `iptables --help for more infomation'
>iptables v1.2.7a: host/network  `eth0' not found
>Try iptables `iptables -h' or `iptables --help for more infomation'
>
>Here are the rules i added and they work fine when i comment out the above
>rules!
>iptables -t nat --policy PREROUTING -j DROP
>iptables -t nat --policy OUPUT -j DROP
>iptables -t nat --policy POSTROUTING -j DROP
>
>
>how can i fix this? thanks guys! i have a dynamic ip address and i cant get pump
>to work thats why i using eth0 instaead of an IP adress! 
>
>
>__________________________________________________
>Do you Yahoo!?
>Y! Web Hosting - Let the expert host your web site
>http://webhosting.yahoo.com/
>
>
>
>  
>

Re: Why would these rules cause errors only sometimes?

[Alistair Tonner]

This line will grab your current IP off the ppp0 link --

  INET_IP=`ifconfig ppp0|grep P-t-P|awk -F : '{ print $2 }'|cut -d \  
-f 1`;

this line will grab your current IP off any ethx link

   INET_IP=`ifconfig eth[x]|grep "inet addr"|awk -F : '{ print $2 
}'|cut -d \  -f 1`;

change the above to suit your needs ...


	Alistair



On 2002.10.24 03:44 Tasha Smith wrote:
> 
> ---OK...but the only problem is i have a DYNAMIC ip adress. Soo it
> changes and
> soo if i put an Ip adress i have right now in my script where eth0 is
> it will
> change and then it will block me from the net? How can i get it to
> update my ip
> adress in script when it changes!
> 
> 
> __________________________________________________
> Do you Yahoo!?
> Y! Web Hosting - Let the expert host your web site
> http://webhosting.yahoo.com/
> 
> 

Re: Why would these rules cause errors only sometimes?

[Tasha Smith]

INET_IP=`ifconfig eth0 |grep "inet addr"|awk -F : '{ print $2 }'|cut -d \  -f
1`;

"That lines casues this error:"
 
cut: the delimeter must be a single character 
Try `cut --help' for more information.

#################################################################################

> This line will grab your current IP off the ppp0 link --
> 
>   INET_IP=`ifconfig ppp0|grep P-t-P|awk -F : '{ print $2 }'|cut -d \  
> -f 1`;
> 
> this line will grab your current IP off any ethx link
> 
>    INET_IP=`ifconfig eth[x]|grep "inet addr"|awk -F : '{ print $2 
> }'|cut -d \  -f 1`;
> 
> change the above to suit your needs ...
> 
> 
> 	Alistair
> 
> 
> 
> On 2002.10.24 03:44 Tasha Smith wrote:
> > 
> > ---OK...but the only problem is i have a DYNAMIC ip adress. Soo it
> > changes and
> > soo if i put an Ip adress i have right now in my script where eth0 is
> > it will
> > change and then it will block me from the net? How can i get it to
> > update my ip
> > adress in script when it changes!
> > 
> > 
> > __________________________________________________
> > Do you Yahoo!?
> > Y! Web Hosting - Let the expert host your web site
> > http://webhosting.yahoo.com/
> > 
> > 
> 


__________________________________________________
Do you Yahoo!?
Y! Web Hosting - Let the expert host your web site
http://webhosting.yahoo.com/

Re: Why would these rules cause errors only sometimes?

[Antony Stone]

On Friday 25 October 2002 3:54 am, Tasha Smith wrote:

> INET_IP=`ifconfig eth0 |grep "inet addr"|awk -F : '{ print $2 }'|cut -d \ 
> -f 1`;
>
> "That lines casues this error:"
>
> cut: the delimeter must be a single character
> Try `cut --help' for more information.

What character are you trying to use for a delimiter ?   Presumably space....

Try pputting single quotes around a space instead of predecing it with a 
backslash.

Antony.

-- 

If the human brain were so simple that we could understand it,
we'd be so simple that we couldn't.

Re: Why would these rules cause errors only sometimes?

[Antony Stone]

On Thursday 24 October 2002 11:00 pm, Alistair Tonner wrote:

> On 2002.10.24 03:44 Tasha Smith wrote:
> > ---OK...but the only problem is i have a DYNAMIC ip adress. Soo it
> > changes and
> > soo if i put an Ip adress i have right now in my script where eth0 is
> > it will
> > change and then it will block me from the net? How can i get it to
> > update my ip
> > adress in script when it changes!

> This line will grab your current IP off the ppp0 link --
>
>   INET_IP=`ifconfig ppp0|grep P-t-P|awk -F : '{ print $2 }'|cut -d \
> -f 1`;
>
> this line will grab your current IP off any ethx link
>
>    INET_IP=`ifconfig eth[x]|grep "inet addr"|awk -F : '{ print $2
> }'|cut -d \  -f 1`;
>
> change the above to suit your needs ...

If you are using dhcpcd to get your dynamic address, you can put whatever 
commands you like into /etc/dhcpc/dhcpcd-<interface>.exe which will be 
executed whenever dhcpcd detects a change in the interface address.

Antony.

-- 

What is this talk of software 'release' ?
Our software evolves and matures until it becomes capable of escape,
leaving a bloody trail of designers and quality assurance people in its wake.