From: Steve Comfort <steve@4Dllc.com>
To: netfilter@lists.netfilter.org
Subject: Very newB questions
Date: Thu, 24 Jun 2004 14:33:18 +0200
Message-ID: <40DACA0E.7050808@4Dllc.com>
Hi gents,
About all I've done so far is cross-compile iptables for an XScale ARM
based system. And of course read the FAQ a few times, but it's still
pretty much Greek to me :) I found the attached script which seemed like
a good place to start.
Running it produces the output below:
iptables v1.2.: can't initialize iptables table `ACC': Table does not
exist (do you need to run insmod. Perhaps iptables or your kernel needs
to be upgraded.
iptables v1.2.: can't initialize iptables table `ACC': Table does not exist
iptables v1.2.: can't initialize iptables table `ACC': Table does not
exist .
iptables v1.2.: Can't use -N with -A
Try `iptables -h' or 'iptables --help' for more information.
/sbin/firewall: -A: command not found
As far as I know, the kernel has been compiled with ip filtering turned
on (I can send the options that I've checked if this would help?).
Question 1: What is table ACC? Perhaps ACCEPT truncated (for some
unknown reason)?
Question 2: If I want to start off by writing my own extremely simple
tables, where should these be stored, or is there a way to tell iptables
where to look for them?
Running iptables -L -v produces the following:
Chain INPU (policy DROP 0 packets, 0 bytes
pkts byte targ prot opt sour destinat
0 0 ACCE -- anywhere anywhere
0 0 DROP icmp -- anywhere anywhere
52 4744 ACCE -- ixp1 192.168.200. anywhere
0 0 RETU -- anywhere anywhere
Chain FORW (policy DROP 0 packets, 0 bytes
pkts byte targ prot opt sour destinat
0 0 DROP icmp -- anywhere anywhere
Chain OUTP (policy DROP 14 packets, 8600 bytes
pkts byte targ prot opt sour destinat
0 0 ACCE -- anywhere anywhere
0 0 DROP icmp -- anywhere anywhere
30 4168 ACCE -- ixp1 anywhere 192.168.200.
0 0 RETU -- anywhere anywhere
It seems the table names are being truncated here to 4 characters?
Best regards
Steve Comfort
[-- Attachment #2: firewall --]
#!/bin/sh
#
#                          _____
# Incoming                /     \         Outgoing
#        -->[Routing ]--->|FORWARD|------->
#           [Decision]    \_____/        ^
#                |                       |
#                v                      ____
#               ___                    /    \
#              /   \                  |OUTPUT|
#             |INPUT|                  \____/
#              \___/                     ^
#                |                       |
#                 ----> Local Process ----
# lan interface
iface=ixp1
# lan network
network=192.168.200.0/24
# path to iptables
ipt=/sbin/iptables
##############
## Defaults ##
##############
for i in filter nat mangle; do
# flush all tables
$ipt -t $i -F
# zero counters
$ipt -t $i -Z
# delete user-defined chains
$ipt -t $i -X
done
# default policy
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP
##############
## Loopback ##
##############
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
##########
## ICMP ##
##########
# we allow all ICMP types, but only at a reasonable rate so
# that we don't get flooded.
for i in INPUT OUTPUT FORWARD; do
# accept up to 100 unfragmented icmp packets per second
$ipt -A $i -p icmp ! -f -m limit --limit 100/second -j ACCEPT
# drop any other icmp packets
$ipt -A $i -p icmp -j DROP
done
##################################
## Traffic to/from the firewall ##
##################################
# this can come before all the other stuff because we're very
# paranoid regarding traffic destined/originating from ourselves.
# allow traffic to/from the lan
$ipt -A INPUT -i $iface -s $network -j ACCEPT
$ipt -A OUTPUT -o $iface -d $network -j ACCEPT
# on every other interface, only allow replies to connections we opened
# ourselves (stateful), and let us open new connections outward
$ipt -A INPUT -i ! $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -o ! $iface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
for i in INPUT OUTPUT; do
# we're done here
$ipt -A $i -j RETURN
done
#########################
## Traffic to/from LAN ##
#########################
# allow all traffic originating from the lan, and only replies back into it
$ipt -A FORWARD -i $iface -s $network -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -o $iface -d $network -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow ssh, ident, smtp, http, https from anywhere
#for i in 22 110 113 25 80 443 3128; do
# $ipt -A FORWARD -i ! $iface -d $network -p tcp --destination-port $i --syn -m state --state NEW -j ACCEPT
# $ipt -A FORWARD -i ! $iface -d $network -p tcp --destination-port $i -m state --state ESTABLISHED,RELATED -j ACCEPT
# $ipt -A FORWARD -o $iface -s $network -p tcp --source-port $i -m state --state ESTABLISHED,RELATED -j ACCEPT
#done
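An added example, not part of Steve's message or the attached script: a post-load sanity check that a firewall script on a box like this can end with, so that a broken build or shell does not leave the device half-configured and reporting success. It parses the output of iptables -L -v -n and fails when a builtin filter chain is missing, when a chain header looks truncated the way the "Chain INPU" listing above does, or when the policy is not the one the script set; the listings embedded in it are constructed samples, and it assumes the iptables 1.2 -L output format.

```shell
#!/bin/sh
# Added example (not from the original post). check_listing [POLICY]
# reads `iptables -L -v -n` output on stdin, prints one line per problem
# and returns 0 only if INPUT, FORWARD and OUTPUT all appear, untruncated,
# with policy POLICY (default DROP). Assumes the iptables 1.2 -L format.
check_listing() {
    awk -v want="${1:-DROP}" '
        BEGIN { n = split("INPUT FORWARD OUTPUT", builtin, " ") }
        /^Chain / {
            name = $2; pol = "?"
            # "policy XXX" follows the chain name for builtin chains
            if (match($0, /policy [A-Z]+/)) pol = substr($0, RSTART + 7, RLENGTH - 7)
            seen[name] = pol
            for (i = 1; i <= n; i++) {
                if (name == builtin[i]) {
                    if (pol != want) { printf "%s: policy %s, expected %s\n", name, pol, want; bad = 1 }
                } else if (index(builtin[i], name) == 1) {
                    # a proper prefix of a builtin name, e.g. INPU for INPUT
                    printf "%s: looks like a truncated %s\n", name, builtin[i]; bad = 1
                }
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(builtin[i] in seen)) { printf "%s: missing\n", builtin[i]; bad = 1 }
            exit bad ? 1 : 0
        }'
}

# Constructed sample listings (not real captures) for trying the check.
good_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 14 packets, 8600 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
EOF
}
bad_listing() {
    cat <<'EOF'
Chain INPU (policy DROP 0 packets, 0 bytes
Chain FORW (policy DROP 0 packets, 0 bytes
Chain OUTP (policy DROP 14 packets, 8600 bytes
EOF
}

# On the box itself: iptables -L -v -n | check_listing DROP || exit 1
```

User-defined chains (which have no policy field) are ignored, so the check can stay in place after the commented-out FORWARD rules are enabled.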