* Very newB questions
From: Steve Comfort @ 2004-06-24 12:33 UTC (permalink / raw)
To: netfilter
Hi gents,
About all I've done so far is cross-compile iptables for an XScale ARM
based system. And of course read the FAQ a few times, but it's still
pretty much Greek to me :) I found the attached script which seemed like
a good place to start.
Running it produces the output below:
iptables v1.2.: can't initialize iptables table `ACC': Table does not
exist (do you need to run insmod. Perhaps iptables or your kernel needs
to be upgraded.
iptables v1.2.: can't initialize iptables table `ACC': Table does not exist
iptables v1.2.: can't initialize iptables table `ACC': Table does not
exist .
iptables v1.2.: Can't use -N with -A
Try `iptables -h' or 'iptables --help' for more information.
/sbin/firewall: -A: command not found
As far as I know, the kernel has been compiled with ip filtering turned
on (I can send the options that I've checked if this would help?).
Question 1: What is table ACC? Perhaps ACCEPT truncated (for some
unknown reason)?
Question 2: If I want to start off by writing my own extremely simple
tables, where should these be stored, or is there a way to tell iptables
where to look for them?
Running iptables -L -v produces the following:
Chain INPU (policy DROP 0 packets, 0 bytes
pkts byte targ prot opt sour destinat
0 0 ACCE -- anywhere anywhere
0 0 DROP icmp -- anywhere anywhere
52 4744 ACCE -- ixp1 192.168.200. anywhere
0 0 RETU -- anywhere anywhere
Chain FORW (policy DROP 0 packets, 0 bytes
pkts byte targ prot opt sour destinat
0 0 DROP icmp -- anywhere anywhere
Chain OUTP (policy DROP 14 packets, 8600 bytes
pkts byte targ prot opt sour destinat
0 0 ACCE -- anywhere anywhere
0 0 DROP icmp -- anywhere anywhere
30 4168 ACCE -- ixp1 anywhere 192.168.200.
0 0 RETU -- anywhere anywhere
It seems the table names are being truncated here to 4 characters ??
Best regards
Steve Comfort
Attachment: firewall (shell script)
#!/bin/sh
#
#   Incoming              /     \          Outgoing
# -->[Routing ]--------->|FORWARD|------------------>
#    [Decision]           \_____/              ^
#       |                                      |
#       v                                    ____
#      ___                                  /    \
#     /   \                                |OUTPUT|
#    |INPUT|                                \____/
#     \___/                                    ^
#       |                                      |
#       `--------> Local Process --------------'
# lan interface
iface=ixp1
# lan network
network=192.168.200.0/24
# path to iptables
ipt=/sbin/iptables
##############
## Defaults ##
##############
for i in filter nat mangle; do
    # flush all tables
    $ipt -t $i -F
    # zero counters
    $ipt -t $i -Z
    # delete user-defined chains
    $ipt -t $i -X
done
# default policy
$ipt -P INPUT DROP
$ipt -P OUTPUT DROP
$ipt -P FORWARD DROP
##############
## Loopback ##
##############
$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT
##########
## ICMP ##
##########
# we allow all ICMP types, but only at a reasonable rate so
# that we don't get flooded.
for i in INPUT OUTPUT FORWARD; do
    # accept up to 100 unfragmented icmp packets per second
    $ipt -A $i -p icmp ! -f -m limit --limit 100/second -j ACCEPT
    # drop any other icmp packets
    $ipt -A $i -p icmp -j DROP
done
##################################
## Traffic to/from the firewall ##
##################################
# this can come before all the other stuff because we're very
# paranoid regarding traffic destined/originating from ourselves.
# allow traffic to/from the lan
$ipt -A INPUT -i $iface -s $network -j ACCEPT
$ipt -A OUTPUT -o $iface -d $network -j ACCEPT
# allow traffic originating from pris
$ipt -A INPUT -i ! $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -o ! $iface -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
for i in INPUT OUTPUT; do
    # we're done here
    $ipt -A $i -j RETURN
done
#########################
## Traffic to/from LAN ##
#########################
# allow all traffic originating from us
$ipt -A FORWARD -i $iface -s $network -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A FORWARD -o $iface -d $network -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow ssh, ident, smtp, http, https from anywhere
#for i in 22 110 113 25 80 443 3128; do
# $ipt -A FORWARD -i ! $iface -d $network -p tcp --destination-port $i --syn -m state --state NEW -j ACCEPT
# $ipt -A FORWARD -i ! $iface -d $network -p tcp --destination-port $i -m state --state ESTABLISHED,RELATED -j ACCEPT
# $ipt -A FORWARD -o $iface -s $network -p tcp --source-port $i -m state --state ESTABLISHED,RELATED -j ACCEPT
#done
* Re: Very newB questions
From: Antony Stone @ 2004-06-24 13:31 UTC (permalink / raw)
To: netfilter
On Thursday 24 June 2004 1:33 pm, Steve Comfort wrote:
> Hi gents,
>
> About all I've done so far is cross-compile iptables for an XScale ARM
> based system.
That sounds like a pretty advanced place to start...?
> iptables v1.2.: can't initialize iptables table `ACC': Table does not
> exist (do you need to run insmod. Perhaps iptables or your kernel needs
> to be upgraded.
> iptables v1.2.: can't initialize iptables table `ACC': Table does not exist
> iptables v1.2.: can't initialize iptables table `ACC': Table does not
> exist .
> iptables v1.2.: Can't use -N with -A
>
> Question 1: What is table ACC? Perhaps ACCEPT truncated (for some
> unknown reason) ?
The correct table names are "filter", "nat" and "mangle" (newer systems also
have a "raw" table).
The chain names into which you place rules are "INPUT", "OUTPUT", "FORWARD",
"PREROUTING" and "POSTROUTING".
Not all combinations of tables and chains are valid - basically every chain
has a mangle table, INPUT, OUTPUT and FORWARD have a filter table, and
PREROUTING and POSTROUTING have a nat table.
ACCEPT is the name of a "target" (other examples are DROP, LOG, REJECT).
> Question 2: If I want to start off by writing my own extremely simple
> tables, where should these be stored, or is there a way to tell iptables
> where to look for them?
I suggest a few simple rules, stored in a file in your startup scripts
directory, so you can play with them and then get them loaded automatically
on startup once they do what you want.
For a routing firewall, I would suggest the following as a starting ruleset:
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -j ACCEPT
The first rule allows reply packets through the machine (first rule for
efficiency), the next three allow ssh, dns and http packets through the
system, and the last one allows everything else as well. No, it's not at
all secure, but you can extend the idea, having started from something
simple, and once you think you have all the services you need listed in the
ruleset, you can abolish the final -j ACCEPT (everything) rule, and you will
have a firewall.
> Running iptables -L -v, produces the following :
>
> Chain INPU (policy DROP 0 packets, 0 bytes
> pkts byte targ prot opt sour
> destinat
There is clearly something very strange going on with your installation,
indicated by these truncated names - this should not happen.
I suspect it's something to do with the cross-compilation, about which I can
offer no advice at all :(
Regards,
Antony.
--
The difference between theory and practice is that in theory there is no
difference, whereas in practice there is.
Please reply to the list;
please don't CC me.
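An added example, not code from this thread or from the netfilter project, that turns Antony's starting ruleset into a script with the two phases he describes: an "open" phase that keeps the final catch-all ACCEPT while you discover what the network needs, and a "strict" phase that removes it so the DROP policy applies. It assumes iptables at $IPT and the forwarded services in SERVICES (both assumed names); DRYRUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): Antony's starting FORWARD ruleset,
# built from a service list, with the two phases he describes. "open" keeps
# the final catch-all ACCEPT while you learn what the network needs;
# "strict" removes it so the DROP policy applies, logging what it catches.
# Assumed: iptables lives at $IPT; DRYRUN=1 prints commands instead of running.
IPT=${IPT:-/sbin/iptables}
DRYRUN=${DRYRUN:-0}
# protocol/port pairs to forward (the message's ssh, dns and http)
SERVICES="tcp/22 udp/53 tcp/80"

# run one iptables command, or print it (unquoted) when DRYRUN=1
ipt() {
    if [ "$DRYRUN" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# forward_rules MODE: install the ruleset; MODE is "open" (default) or "strict"
forward_rules() {
    mode=${1:-open}
    # start from an empty chain so re-running does not stack rules
    ipt -F FORWARD
    ipt -P FORWARD DROP
    # replies to already-accepted connections first, for efficiency
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    for svc in $SERVICES; do
        ipt -A FORWARD -p "${svc%/*}" --dport "${svc#*/}" -j ACCEPT
    done
    if [ "$mode" = open ]; then
        # learning phase: everything else is allowed as well
        ipt -A FORWARD -j ACCEPT
    else
        # strict phase: no catch-all; log (rate limited) what the policy drops
        ipt -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "FWD-DROP: "
    fi
}

# dry_rules MODE: print the commands forward_rules would run, one per line
dry_rules() { ( DRYRUN=1; forward_rules "$1" ); }

# count_accept_all MODE: how many unconditional "-A FORWARD -j ACCEPT" rules
# MODE installs (1 for open, 0 for strict)
count_accept_all() {
    dry_rules "$1" | grep -c -- '-A FORWARD -j ACCEPT$' || true
}
```

Source the file and call forward_rules open, then forward_rules strict once the service list covers everything the log showed you.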
* Re: Very newB questions
From: John A. Sullivan III @ 2004-06-24 20:29 UTC (permalink / raw)
To: Steve Comfort; +Cc: netfilter
I suggest you take a tour through Oskar Andreasson's excellent
tutorial. You can find a link to it in the tutorials section of the
netfilter web site. There is also a training slide show in the training
section of http://iscs.sourceforge.net - John
On Thu, 2004-06-24 at 08:33, Steve Comfort wrote:
> Hi gents,
>
> About all I've done so far is cross-compile iptables for an XScale ARM
> based system. And of course read the FAQ a few times, but its still
> pretty much Greek to me :) I found the attached script which seemed like
> a good place to start.
>
> Running it produces the output below :
>
> iptables v1.2.: can't initialize iptables table `ACC': Table does not
> exist (do you need to run insmod. Perhaps iptables or your kernel needs
> to be upgraded.
> iptables v1.2.: can't initialize iptables table `ACC': Table does not exist
> iptables v1.2.: can't initialize iptables table `ACC': Table does not
> exist .
> iptables v1.2.: Can't use -N with -A
>
> Try `iptables -h' or 'iptables --help' for more information.
> /sbin/firewall: -A: command not found
>
> As far as I know, the kernel has been compiled with ip filtering turned
> on (I can send the options that I've checked if this would help?).
>
> Question 1: What is table ACC? Perhaps ACCEPT truncated (for some
> unknown reason) ?
>
> Question 2: If I want to start off by writing my own extremely simple
> tables, where should these be stored, or is there a way to tell iptables
> where to look for them?
>
> Running iptables -L -v, produces the following :
>
> Chain INPU (policy DROP 0 packets, 0 bytes
> pkts byte targ prot opt sour destinat
>
> 0 0 ACCE -- anywhere anywhere
>
> 0 0 DROP icmp -- anywhere anywhere
>
> 52 4744 ACCE -- ixp1 192.168.200. anywhere
>
> 0 0 RETU -- anywhere anywhere
>
>
> Chain FORW (policy DROP 0 packets, 0 bytes
> pkts byte targ prot opt sour destinat
>
> 0 0 DROP icmp -- anywhere anywhere
>
>
> Chain OUTP (policy DROP 14 packets, 8600 bytes
> pkts byte targ prot opt sour destinat
>
> 0 0 ACCE -- anywhere anywhere
>
> 0 0 DROP icmp -- anywhere anywhere
>
> 30 4168 ACCE -- ixp1 anywhere
> 192.168.200.
>
> 0 0 RETU -- anywhere anywhere
>
> It seems the table names are being truncated here to 4 characters ??
>
> Best regards
> Steve Comfort
--
Open Source Development Corporation
Financially sustainable open source development
http://www.opensourcedevelopmentcorp.com
* Re: Very newB questions
From: Steve Comfort @ 2004-06-25 7:51 UTC (permalink / raw)
To: Joel Newkirk; +Cc: netfilter
Hi John, gents,
> Have you bookmarked and printed Oscar Andreasson's tutorial at
> http://iptables-tutorial.frozentux.net ? I think it's the hands-down
> best document around regarding iptables.
First off John, thanks for all your suggestions: I won't comment yet,
'cos it's early in the morning here and my braincells are still chugging
into life. I started looking at Netfilter yesterday :) Yes, I found the
tutorial and have downloaded it and am busy trying to absorb as much as
I can.
> Out of curiosity, is this an embedded system you are making into a
> firewall/router, or what? I've compiled and used iptables and ip
> commands for ARM-based Sharp Zaurus handhelds. (I actually used one
> of mine as a wireless->GPRS gateway for a few days of DSL outage,
> feeding my LAN traffic and newkirk.us domain traffic over 802.11b to
> the Zaurus, then via IRDA over my cellphone GPRS tunnelled to my
> office, an ISP)
(You must have really needed to be connected :) Yes, the CPU is an
IXP425, with an Atheros wireless chipset and ethernet PHY on the other
side. Obviously the product is a broadband wifi thingy. I've just
finished getting netSNMP working on it, as well as PPPOE, so the
firewalling is about the last piece of the puzzle that needs to be
placed before it can take its first steps into the big bad world out
there :)
> Yep. As Mr Stone mentioned, ACCEPT is a target, NOT a chain.
> However, the way iptables rules work, if the target is NOT a valid
> target (ACCEPT,REJECT,DROP,SNAT,DNAT,MASQUERADE, that sort of thing)
> then it assumes it's the name of a custom rule chain, named ACC in
> this case, and then fails when it can't find said chain. I also
> notice that it seems to be truncating the iptables version number?
> Very odd.
Indeed :) Hopefully I will be able to enlighten myself as to why sooner
rather than later...
Best regards
Steve