From: Trevor Morrison <trevor@hailix.com>
To: netfilter@lists.netfilter.org
Subject: Errors on starting of iptables
Date: Tue, 29 Apr 2003 16:28:50 -0600
Message-ID: <3EAEFCA2.FD9B8302@hailix.com>
Hi,
I have a RH box 7.1 with a modular 2.4.20 kernel. I patched the kernel
with the latest iptables patch 1.2.8. When I run the following command
from a cron job:

iptables -t mangle -L

I get the following error:

iptables: libiptc/libip4tc.c:384: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
/etc/rc.d/init.d/iptables: line 170: 17123 Aborted    iptables -t mangle --list

When I run that same command from the command line it prints the mangle
table fine. I also get this error when the machine reboots and runs the
init script for iptables. I have included that script below if it will
help.
#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 11 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author: Joshua Jensen <joshua@redhat.com>
# -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/iptables
# Source 'em up
. /etc/init.d/functions
IPTABLES_CONFIG=/etc/sysconfig/iptables
if [ ! -x /usr/local/sbin/iptables ]; then
    exit 0
fi
KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`
if [ "$KERNELMAJ" -lt 2 ] ; then
    exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
    exit 0
fi
if /sbin/lsmod 2>/dev/null |grep -q ipchains ; then
    # Don't do both
    exit 0
fi
start() {
    # don't do squat if we don't have the config file
    if [ -f $IPTABLES_CONFIG ]; then
        # If we don't clear these first, we might be adding to
        # pre-existing rules.
        action $"Flushing all current rules and user defined chains:" iptables -F
        action $"Clearing all current rules and user defined chains:" iptables -X
        chains=`cat /proc/net/ip_tables_names 2>/dev/null`
        for i in $chains; do iptables -t $i -F; done && \
            success $"Flushing all current rules and user defined chains:" || \
            failure $"Flushing all current rules and user defined chains:"
        for i in $chains; do iptables -t $i -X; done && \
            success $"Clearing all current rules and user defined chains:" || \
            failure $"Clearing all current rules and user defined chains:"
        for i in $chains; do iptables -t $i -Z; done
        echo $"Applying iptables firewall rules: "
        /etc/sysconfig/iptables
        # grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' |
        /usr/local/sbin/iptables-restore -c && \
            success $"Applying iptables firewall rules" || \
            failure $"Applying iptables firewall rules"
        echo
        touch /var/lock/subsys/iptables
    fi
}
stop() {
    chains=`cat /proc/net/ip_tables_names 2>/dev/null`
    for i in $chains; do iptables -t $i -F; done && \
        success $"Flushing all chains:" || \
        failure $"Flushing all chains:"
    for i in $chains; do iptables -t $i -X; done && \
        success $"Removing user defined chains:" || \
        failure $"Removing user defined chains:"
    echo -n $"Resetting built-in chains to the default ACCEPT policy:"
    iptables -P INPUT ACCEPT && \
    iptables -P OUTPUT ACCEPT && \
    iptables -P FORWARD ACCEPT && \
    iptables -t nat -P PREROUTING ACCEPT && \
    iptables -t nat -P POSTROUTING ACCEPT && \
    iptables -t nat -P OUTPUT ACCEPT && \
    iptables -t mangle -P PREROUTING ACCEPT && \
    iptables -t mangle -P OUTPUT ACCEPT && \
        success $"Resetting built-in chains to the default ACCEPT policy" || \
        failure $"Resetting built-in chains to the default ACCEPT policy"
    echo
    rm -f /var/lock/subsys/iptables
}
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        # "restart" is really just "start" as this isn't a daemon,
        # and "start" clears any pre-defined rules anyway.
        # This is really only here to make those who expect it happy
        start
        ;;
    condrestart)
        [ -e /var/lock/subsys/iptables ] && start
        ;;
    status)
        echo $"Table: filter"
        iptables --list
        echo $"Table: nat"
        iptables -t nat --list
        echo $"Table: mangle"
        iptables -t mangle --list
        ;;
    panic)
        echo -n $"Changing target policies to DROP: "
        iptables -P INPUT DROP && \
        iptables -P FORWARD DROP && \
        iptables -P OUTPUT DROP && \
        iptables -t nat -P PREROUTING DROP && \
        iptables -t nat -P POSTROUTING DROP && \
        iptables -t nat -P OUTPUT DROP && \
        iptables -t mangle -P PREROUTING DROP && \
        iptables -t mangle -P OUTPUT DROP && \
            success $"Changing target policies to DROP" || \
            failure $"Changing target policies to DROP"
        echo
        iptables -F INPUT && \
        iptables -F FORWARD && \
        iptables -F OUTPUT && \
        iptables -t nat -F PREROUTING && \
        iptables -t nat -F POSTROUTING && \
        iptables -t nat -F OUTPUT && \
        iptables -t mangle -F PREROUTING && \
        iptables -t mangle -F OUTPUT && \
            success $"Flushing all chains:" || \
            failure $"Flushing all chains:"
        iptables -X INPUT && \
        iptables -X FORWARD && \
        iptables -X OUTPUT && \
        iptables -t nat -X PREROUTING && \
        iptables -t nat -X POSTROUTING && \
        iptables -t nat -X OUTPUT && \
        iptables -t mangle -X PREROUTING && \
        iptables -t mangle -X OUTPUT && \
            success $"Removing user defined chains:" || \
            failure $"Removing user defined chains:"
        ;;
    save)
        echo -n $"Saving current rules to $IPTABLES_CONFIG: "
        touch $IPTABLES_CONFIG
        chmod 600 $IPTABLES_CONFIG
        /usr/local/sbin/iptables-save -c > $IPTABLES_CONFIG 2>/dev/null && \
            success $"Saving current rules to $IPTABLES_CONFIG" || \
            failure $"Saving current rules to $IPTABLES_CONFIG"
        echo
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
        exit 1
esac
exit 0
TIA.
--
Trevor Morrison
Hailix, LLC
trevor@hailix.com
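One thing visible in the script itself: it only tests that /usr/local/sbin/iptables is executable and then calls a bare `iptables` everywhere else, so the binary (and the libiptc linked into it) that actually runs is whatever comes first on the caller's PATH, and PATH differs between an interactive root shell, a cron job and the rc scripts at boot. The following is an added example, not part of Trevor's message or of the Red Hat init script. It builds a throwaway install tree with two fake `iptables` binaries and three constructed PATH values (the /sbin and /usr/local/sbin locations and the PATHs are assumptions for the demonstration, not facts about his machine) and resolves an unqualified `iptables` the way the shell does under each of them.

```shell
#!/bin/sh
# Added example; not from the original post nor from Red Hat's init script.
# The init script tests for /usr/local/sbin/iptables but invokes a bare
# `iptables`, so the binary that actually runs depends on the caller's PATH.
# Everything below is a constructed sandbox: the install locations and the
# three PATH values are assumptions, not the poster's real configuration.

# first_in_path NAME SEARCHPATH: print the first executable NAME found on
# SEARCHPATH, which is the lookup the shell performs for an unqualified
# command name. Returns 1 when no executable of that name exists on it.
first_in_path() {
    _name=$1
    _saved_ifs=$IFS
    IFS=:
    set -- $2
    IFS=$_saved_ifs
    for _dir in "$@"; do
        if [ -x "$_dir/$_name" ]; then
            printf '%s\n' "$_dir/$_name"
            return 0
        fi
    done
    return 1
}

# Constructed root with the two install locations the init script
# distinguishes: a distribution binary in /sbin and a locally built 1.2.8
# in /usr/local/sbin. Each fake just prints a banner naming itself.
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
mkdir -p "$ROOT/sbin" "$ROOT/usr/sbin" "$ROOT/bin" "$ROOT/usr/bin" "$ROOT/usr/local/sbin"
printf '#!/bin/sh\necho distro-iptables\n' > "$ROOT/sbin/iptables"
printf '#!/bin/sh\necho iptables-1.2.8\n' > "$ROOT/usr/local/sbin/iptables"
chmod 755 "$ROOT/sbin/iptables" "$ROOT/usr/local/sbin/iptables"

# The path the init script's own `-x` test pins down.
PINNED="$ROOT/usr/local/sbin/iptables"

# Three PATHs, assumed rather than taken from the poster's box: an
# interactive root shell with /usr/local/sbin first, the minimal default a
# vixie-cron job typically gets, and what rc scripts typically inherit at boot.
PATH_SHELL="$ROOT/usr/local/sbin:$ROOT/sbin:$ROOT/bin:$ROOT/usr/sbin:$ROOT/usr/bin"
PATH_CRON="$ROOT/usr/bin:$ROOT/bin"
PATH_RC="$ROOT/sbin:$ROOT/usr/sbin:$ROOT/bin:$ROOT/usr/bin"

# mismatch_under SEARCHPATH: succeed when a bare `iptables` under SEARCHPATH
# would not run the binary the init script tested for (either a different
# file is found first, or none is found at all).
mismatch_under() {
    _found=$(first_in_path iptables "$1") || return 0
    [ "$_found" != "$PINNED" ]
}

# report LABEL SEARCHPATH: one line per environment; runs the resolved fake
# binary so its banner shows which build would be exercised there.
report() {
    if _bin=$(first_in_path iptables "$2"); then
        printf '%-6s bare iptables -> %s (%s)' "$1" "$_bin" "$("$_bin")"
    else
        printf '%-6s bare iptables -> not found' "$1"
    fi
    if mismatch_under "$2"; then
        printf '  MISMATCH with %s\n' "$PINNED"
    else
        printf '  matches the tested binary\n'
    fi
}

report shell "$PATH_SHELL"
report cron  "$PATH_CRON"
report rc    "$PATH_RC"
```

If the environment in which the assertion appears resolves `iptables` to a different file than the one the `-x` test looked at, the script is exercising two different builds depending on who calls it; assigning one variable (for instance IPTABLES=/usr/local/sbin/iptables) and using it for every call in the script, as it already does for iptables-restore and iptables-save, removes that ambiguity regardless of the caller's PATH.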
[-- Attachment #2: Type: text/html, Size: 10638 bytes --]
Thread overview: 2+ messages
2003-04-29 22:28 Trevor Morrison [this message]
2003-04-30 10:31 ` Errors on starting of iptables Alex Nee