IPTABLES syntax problem.

IPTABLES syntax problem.

[ads nat]

Hi,
I am trying to setup IPTABLES rules. I am newbe to
this.

One of the rule in filter table is 
#######
-A INPUT -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn:"
#############

I am getting following error :


[root@allweb root]# /etc/init.d/iptables restart
Flushing all current rules and user defined chains:   
    [  OK  ]
Clearing all current rules and user defined chains:   
    [  OK  ]
Applying iptables firewall rules: iptables-restore
v1.2.6a: Unknown arg `--syn'
Try `iptables-restore -h' or 'iptables-restore --help'
for more information.

I am using /etc/init.d/iptables restart to apply
iptables rules.

I think I have used proper syntax "--syn" from Oskar
Anderson IPTABLES tutorials.

Looking for support.
Thanks

__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

RE: IPTABLES syntax problem.

[Jan Kaastrup]

What do you want to do with this rule?

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of ads nat
Sent: 23. december 2003 12:47
To: netfilter@lists.netfilter.org
Subject: IPTABLES syntax problem.


Hi,
I am trying to setup IPTABLES rules. I am newbe to
this.

One of the rule in filter table is 
#######
-A INPUT -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn:"
#############

I am getting following error :


[root@allweb root]# /etc/init.d/iptables restart
Flushing all current rules and user defined chains:   
    [  OK  ]
Clearing all current rules and user defined chains:   
    [  OK  ]
Applying iptables firewall rules: iptables-restore
v1.2.6a: Unknown arg `--syn'
Try `iptables-restore -h' or 'iptables-restore --help'
for more information.

I am using /etc/init.d/iptables restart to apply
iptables rules.

I think I have used proper syntax "--syn" from Oskar
Anderson IPTABLES tutorials.

Looking for support.
Thanks

__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

Re: IPTABLES syntax problem.

[Antony Stone]

On Tuesday 23 December 2003 12:31 pm, Jan Kaastrup wrote:

> What do you want to do with this rule?

Presumably the intention is to catch packets which are not part of an existing 
connection, but which are not SYN packets - eg FIN scans?

Antony.

> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of ads nat
> Sent: 23. december 2003 12:47
> To: netfilter@lists.netfilter.org
> Subject: IPTABLES syntax problem.
>
>
> Hi,
> I am trying to setup IPTABLES rules. I am newbe to
> this.
>
> One of the rule in filter table is
> #######
> -A INPUT -p tcp ! --syn -m state --state NEW -j LOG
> --log-prefix "New not syn:"
> #############
>
> I am getting following error :
>
>
> [root@allweb root]# /etc/init.d/iptables restart
> Flushing all current rules and user defined chains:
>     [  OK  ]
> Clearing all current rules and user defined chains:
>     [  OK  ]
> Applying iptables firewall rules: iptables-restore
> v1.2.6a: Unknown arg `--syn'
> Try `iptables-restore -h' or 'iptables-restore --help'
> for more information.
>
> I am using /etc/init.d/iptables restart to apply
> iptables rules.
>
> I think I have used proper syntax "--syn" from Oskar
> Anderson IPTABLES tutorials.
>
> Looking for support.
> Thanks
>
> __________________________________
> Do you Yahoo!?
> Protect your identity with Yahoo! Mail AddressGuard
> http://antispam.yahoo.com/whatsnewfree

-- 
This email was created using 100% recycled electrons.

                                                     Please reply to the list;
                                                           please don't CC me.

RE: IPTABLES syntax problem.

[ads nat]

I have setup initial rules as follows:

*filter
-F INPUT
-F OUTPUT
-F FORWARD

-A INPUT -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn:"
-A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state
--state NEW -j REJECT
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p all -s 192.168.0.0/24 -i eth0 -j REJECT
-A INPUT -p all -s 192.168.1.0/24 -i eth0 -j REJECT
-A INPUT -p all -s localhost -i eth0 -j REJECT
-A INPUT -p tcp --syn -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED
-j ACCEPT

Rule No. 1) I want to send ! --syn and NEW packet to
log file.
Rule No. 2) New packets from outside should be
rejected.
Rule No.3) To avoid spoofing, packets from 192.168.0.1
and 192.168.1.0 going to eth0 (Internet eth0)
Rule No.4) To avoid packets from localhost going to
eth0 (Internet eth0)
RULE 5) TO accept syn packets initiated form LAN user
and having Estabilshed connection.

Please guide about rules.
Thanks

 
Here I want to reject New packets

--- Jan Kaastrup <jka@protego.dk> wrote:
> What do you want to do with this rule?
> 
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On
> Behalf Of ads nat
> Sent: 23. december 2003 12:47
> To: netfilter@lists.netfilter.org
> Subject: IPTABLES syntax problem.
> 
> 
> Hi,
> I am trying to setup IPTABLES rules. I am newbe to
> this.
> 
> One of the rule in filter table is 
> #######
> -A INPUT -p tcp ! --syn -m state --state NEW -j LOG
> --log-prefix "New not syn:"
> #############
> 
> I am getting following error :
> 
> 
> [root@allweb root]# /etc/init.d/iptables restart
> Flushing all current rules and user defined chains: 
>  
>     [  OK  ]
> Clearing all current rules and user defined chains: 
>  
>     [  OK  ]
> Applying iptables firewall rules: iptables-restore
> v1.2.6a: Unknown arg `--syn'
> Try `iptables-restore -h' or 'iptables-restore
> --help'
> for more information.
> 
> I am using /etc/init.d/iptables restart to apply
> iptables rules.
> 
> I think I have used proper syntax "--syn" from Oskar
> Anderson IPTABLES tutorials.
> 
> Looking for support.
> Thanks
> 
> __________________________________
> Do you Yahoo!?
> Protect your identity with Yahoo! Mail AddressGuard
> http://antispam.yahoo.com/whatsnewfree
> 
> 


__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

Re: IPTABLES syntax problem.

[Chris Brenton]

On Tue, 2003-12-23 at 06:47, ads nat wrote:
> Hi,
> I am trying to setup IPTABLES rules. I am newbe to
> this.
> 
> One of the rule in filter table is 
> #######
> -A INPUT -p tcp ! --syn -m state --state NEW -j LOG
> --log-prefix "New not syn:"

Try:
iptables -A INPUT -p tcp ! --tcp-flags SYN SYN -m state --state NEW -j
LOG --log-prefix " New not syn: "

Note the change in specifying flags from ipchains to iptables. Also note
I added spaces around your prefix. This will make it easier to read in
the logs.

HTH,
C

Re: IPTABLES syntax problem.

[ads nat]

I modified rules as follows :

###########
-A INPUT -p tcp ! --tcp-flags SYN SYN -m state --state
NEW -j LOG --log-prefix " New not syn: "

-A INPUT -p tcp ! --tcp-flags SYN SYN -m state --state
NEW -j DROP

-A INPUT -p all -s 192.168.0.0/24 -i eth0 -j REJECT
-A INPUT -p all -s 192.168.1.0/24 -i eth0 -j REJECT

-A INPUT -p all -s localhost -i eth0 -j REJECT


#
# allowed chain
#


-A INPUT -p tcp -m state --state ESTABLISHED,RELATED
-j ACCEPT


##########

Get following error :
[root@allweb root]# /etc/init.d/iptables restart
Flushing all current rules and user defined chains:   
    [  OK  ]
Clearing all current rules and user defined chains:   
    [  OK  ]
Applying iptables firewall rules: iptables-restore
v1.2.6a: Unknown arg `--tcp-flags'
Try `iptables-restore -h' or 'iptables-restore --help'
for more information.
                                                      
    [FAILED]


--- Chris Brenton <cbrenton@chrisbrenton.org> wrote:
> On Tue, 2003-12-23 at 06:47, ads nat wrote:
> > Hi,
> > I am trying to setup IPTABLES rules. I am newbe to
> > this.
> > 
> > One of the rule in filter table is 
> > #######
> > -A INPUT -p tcp ! --syn -m state --state NEW -j
> LOG
> > --log-prefix "New not syn:"
> 
> Try:
> iptables -A INPUT -p tcp ! --tcp-flags SYN SYN -m
> state --state NEW -j
> LOG --log-prefix " New not syn: "
> 
> Note the change in specifying flags from ipchains to
> iptables. Also note
> I added spaces around your prefix. This will make it
> easier to read in
> the logs.
> 
> HTH,
> C
> 
> 


__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

Re: IPTABLES syntax problem.

[Cedric Blancher]

Le mar 23/12/2003 à 14:37, ads nat a écrit :
> Get following error :
> [root@allweb root]# /etc/init.d/iptables restart
> Flushing all current rules and user defined chains:   
>     [  OK  ]
> Clearing all current rules and user defined chains:   
>     [  OK  ]
> Applying iptables firewall rules: iptables-restore
> v1.2.6a: Unknown arg `--tcp-flags'
> Try `iptables-restore -h' or 'iptables-restore --help'
> for more information.

You must need to specify -m tcp to access TCP match options such as
--tcp-flags.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread! 

Re: IPTABLES syntax problem.

[Chris Brenton]

On Tue, 2003-12-23 at 08:37, ads nat wrote:
> I modified rules as follows :
> 
> ###########
> -A INPUT -p tcp ! --tcp-flags SYN SYN -m state --state
> NEW -j LOG --log-prefix " New not syn: "

<snip>

> Applying iptables firewall rules: iptables-restore
> v1.2.6a: Unknown arg `--tcp-flags'

Well this could be your problem. Try upgrading to 1.2.8 or later. Could
be the option is not supported in older version, especially as an
inverse. 

To isolate whether its your script or a version issue, try running the
iptables command straight from the command line and see if you get the
same error.

HTH,
C

Re: IPTABLES syntax problem.

[ads nat]

Ya,
Following worked from command line :
#######
iptables -A INPUT -p tcp ! --tcp-flags SYN SYN -m
state --state NEW -j LOG --log-prefix " New not syn: "

#######


Does this means that I should enter all rules from
command line.
Please guide me.
Thanks

--- Chris Brenton <cbrenton@chrisbrenton.org> wrote:
> On Tue, 2003-12-23 at 08:37, ads nat wrote:
> > I modified rules as follows :
> > 
> > ###########
> > -A INPUT -p tcp ! --tcp-flags SYN SYN -m state
> --state
> > NEW -j LOG --log-prefix " New not syn: "
> 
> <snip>
> 
> > Applying iptables firewall rules: iptables-restore
> > v1.2.6a: Unknown arg `--tcp-flags'
> 
> Well this could be your problem. Try upgrading to
> 1.2.8 or later. Could
> be the option is not supported in older version,
> especially as an
> inverse. 
> 
> To isolate whether its your script or a version
> issue, try running the
> iptables command straight from the command line and
> see if you get the
> same error.
> 
> HTH,
> C
> 
> 


__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

Re: IPTABLES syntax problem.

[Antony Stone]

On Tuesday 23 December 2003 3:30 pm, ads nat wrote:

> Ya,
> Following worked from command line :
> #######
> iptables -A INPUT -p tcp ! --tcp-flags SYN SYN -m
> state --state NEW -j LOG --log-prefix " New not syn: "
>
> #######
>
>
> Does this means that I should enter all rules from
> command line.

If you are using iptables-save and iptables-restore, then yes, you should 
enter all your rules at the command line, then use iptables-save to keep them 
for restoring later.

The alternative way to preserve your rules is to write them into a script 
which gets executed on bootup (or whenever).

Either is good - different people use each.

Antony.

-- 
It is also possible that putting the birds in a laboratory setting 
inadvertently renders them relatively incompetent.

 - Daniel C Dennet

                                                     Please reply to the list;
                                                           please don't CC me.

Re: IPTABLES syntax problem.

[Cedric Blancher]

Le mar 23/12/2003 à 14:19, Chris Brenton a écrit :
> > -A INPUT -p tcp ! --syn -m state --state NEW -j LOG
> > --log-prefix "New not syn:"
> iptables -A INPUT -p tcp ! --tcp-flags SYN SYN -m state --state NEW -j
> LOG --log-prefix " New not syn: "

"--syn" is equivalent to "--tcp-flags SYN,RST,ACK SYN"

I can confirme that iptables-save generates a --tcp-flag line :

cbr@elendil:~$ sudo iptables -A INPUT -p tcp ! --syn -m state
		--state	NEW -j LOG
cbr@elendil:~$ sudo iptables-save
# Generated by iptables-save v1.2.8 on Tue Dec 23 14:44:17 2003
[...]
*filter
:INPUT DROP [529:81210]
[...]
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state
		--state	NEW -j LOG

So, for the OP (ads nat) : you seem to have modified your ruleset by
hand and used a alias (--syn) that iptables-<save/restore> does not
understand.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread! 

Re: IPTABLES syntax problem.

[ads nat]

Yes, I have edited "iptables" manually and copies all
rule sets to it and then restarted with
"/etc/init.d/iptables restart"

Is it not allowed?
Thanks for support


--- Cedric Blancher <blancher@cartel-securite.fr>
wrote:
> Le mar 23/12/2003 à 14:19, Chris Brenton a écrit :
> > > -A INPUT -p tcp ! --syn -m state --state NEW -j
> LOG
> > > --log-prefix "New not syn:"
> > iptables -A INPUT -p tcp ! --tcp-flags SYN SYN -m
> state --state NEW -j
> > LOG --log-prefix " New not syn: "
> 
> "--syn" is equivalent to "--tcp-flags SYN,RST,ACK
> SYN"
> 
> I can confirme that iptables-save generates a
> --tcp-flag line :
> 
> cbr@elendil:~$ sudo iptables -A INPUT -p tcp ! --syn
> -m state
> 		--state	NEW -j LOG
> cbr@elendil:~$ sudo iptables-save
> # Generated by iptables-save v1.2.8 on Tue Dec 23
> 14:44:17 2003
> [...]
> *filter
> :INPUT DROP [529:81210]
> [...]
> -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN
> -m state
> 		--state	NEW -j LOG
> 
> So, for the OP (ads nat) : you seem to have modified
> your ruleset by
> hand and used a alias (--syn) that
> iptables-<save/restore> does not
> understand.
> 
> -- 
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint:
> FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature
> virus.
> >> Copy me to your signature file and help me
> spread! 


__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

Re: IPTABLES syntax problem.

[Cedric Blancher]

Le mar 23/12/2003 à 14:56, ads nat a écrit :
> Is it not allowed?

When a file is iptables-save generated, it's better not modifying it by
hand. Update your running ruleset then issue an

	iptables-save > iptables

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread! 

Re: IPTABLES syntax problem.

[ads nat]

O.K.
As adviced I have uploaded all rules from command
line. With no error. Thanks.
saved them as follows:
[root@allweb root]# iptables-save > iptables

No error. Thanks.

Now I want to add following error at begining of the
file from command prompt:

###########
IPTABLES -F INPUT
IPTABLES -F OUTPUT
IPTABLES -F FORWARD

IPTABLES -P INPUT DROP
IPTABLES -P OUTPUT DROP
IPTABLES -P FORWARD DROP
###########

Can I upload straight as done earlier and then give
command : 
 iptables-save > iptables

I am adding rules on live network. I don't want it to
stop and create any problems.

After saving all rules, what should be command for
rules to save permenantly so that when I reboot system
Rules should remain. 

I have tried to use iptables-save and iptables-restore
but could not use properly, Therefore asking in
detail.
Please guide me to do.
Thanks for support.


--- Cedric Blancher <blancher@cartel-securite.fr>
wrote:
> Le mar 23/12/2003 à 14:56, ads nat a écrit :
> > Is it not allowed?
> 
> When a file is iptables-save generated, it's better
> not modifying it by
> hand. Update your running ruleset then issue an
> 
> 	iptables-save > iptables
> 
> -- 
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint:
> FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature
> virus.
> >> Copy me to your signature file and help me
> spread! 


__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

Re: IPTABLES syntax problem.

[ads nat]

O.K.
As adviced I have uploaded all rules from command
line. With no error. Thanks.
saved them as follows:
[root@allweb root]# iptables-save > iptables

No error. Thanks.

Now I want to add following error at begining of the
file from command prompt:

###########
IPTABLES -F INPUT
IPTABLES -F OUTPUT
IPTABLES -F FORWARD

IPTABLES -P INPUT DROP
IPTABLES -P OUTPUT DROP
IPTABLES -P FORWARD DROP
###########

Can I upload straight as done earlier and then give
command : 
 iptables-save > iptables

I am adding rules on live network. I don't want it to
stop and create any problems.

After saving all rules, what should be command for
rules to save permenantly so that when I reboot system
Rules should remain. 

I have tried to use iptables-save and iptables-restore
but could not use properly, Therefore asking in
detail.
Please guide me to do.
Thanks for support.


--- Cedric Blancher <blancher@cartel-securite.fr>
wrote:
> Le mar 23/12/2003 à 14:56, ads nat a écrit :
> > Is it not allowed?
> 
> When a file is iptables-save generated, it's better
> not modifying it by
> hand. Update your running ruleset then issue an
> 
> 	iptables-save > iptables
> 
> -- 
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint:
> FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature
> virus.
> >> Copy me to your signature file and help me
> spread! 


__________________________________
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard
http://antispam.yahoo.com/whatsnewfree

Re: IPTABLES syntax problem.

[Jeffrey Laramie]

Holy Moly, all the smart people are here today! I can see ads nat is in 
good hands so I'm going to keep my mouth shut for once. ;-)

ads nat wrote:

>Hi,
>I am trying to setup IPTABLES rules. I am newbe to
>this.
>
>One of the rule in filter table is 
>#######
>-A INPUT -p tcp ! --syn -m state --state NEW -j LOG
>--log-prefix "New not syn:"
>#############
>
>I am getting following error :
>
>
>[root@allweb root]# /etc/init.d/iptables restart
>Flushing all current rules and user defined chains:   
>    [  OK  ]
>Clearing all current rules and user defined chains:   
>    [  OK  ]
>Applying iptables firewall rules: iptables-restore
>v1.2.6a: Unknown arg `--syn'
>Try `iptables-restore -h' or 'iptables-restore --help'
>for more information.
>
>I am using /etc/init.d/iptables restart to apply
>iptables rules.
>
>I think I have used proper syntax "--syn" from Oskar
>Anderson IPTABLES tutorials.
>
>Looking for support.
>Thanks
>
>__________________________________
>Do you Yahoo!?
>Protect your identity with Yahoo! Mail AddressGuard
>http://antispam.yahoo.com/whatsnewfree
>
>
>  
>