Having Issue with iptables on FC4 - can't get it working properly

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Tim P <panterafreak@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Having Issue with iptables on FC4 - can't get it working properly
Date: Fri, 2 Sep 2005 14:01:24 -0400	[thread overview]
Message-ID: <a5abf517050902110130101112@mail.gmail.com> (raw)

Here is the firewall script I am attempting to use/modify to work
The goal is to forward some services/port back to a system on the niternal 
network while allowing everyone on the internal network access to the 
internet.

#
#!/bin/sh
#
# Insert the required kernel modules
# commented modules already loaded by os
#/sbin/modprobe ip_conntrack
#/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
#/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_tables
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE

# Set default policies for packets going through this firewall box
iptables -N PREROUTING
iptables -N POSTROUTING
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
iptables -P FORWARD DROP

# Set default policies for packet entering this box

iptables -P OUTPUT ALLOW
iptables -P INPUT ALLOW

# Anything coming from our internal network should have only our addresses!
iptables -A FORWARD -i eth1 -s ! $192.168.8.0/24 -j DROP

# Anything coming from the Internet should have a real Internet address
#iptables -A FORWARD -i eth0 -s 192.168.0.0/16 <http://192.168.0.0/16> -j 
DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 <http://172.16.0.0/12> -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 <http://10.0.0.0/8> -j DROP

# Note:There are more "reserved" networks, but these are the classical ones.

# Block outgoing network filesharing protocols that aren't designed 
# to leave the LAN

# SMB / Windows filesharing
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# NFS Mount Service (TCP/UDP 635)
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
# NFS (TCP/UDP 2049)
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
# Portmapper (TCP/UDP 111)
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP

# Block incoming syslog, lpr, rsh, rexec...
iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP

# Transparently redirect web connections from outside to the web server
iptables -t nat -A PREROUTING -i eth0 -d 192.168.8.1
<http://192.168.8.1>-dport 80 -j DNAT --to
192.168.8.96 <http://192.168.8.96>

# Source NAT to get Internet traffic through
# do i need to do something like this?
#$INTERNET = 10.0.0.1 <http://10.0.0.1>
#iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $INTERNET

# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward

When running this script as root (chmod 755 permisions) I get the following 
error:
[root@gtds-vpnserver init.d]# ./masqfirewall.sh
not found.le ip_conntrack_ftp
not found.le ip_tables
not found.le ipt_LOG
not found.le ipt_REJECT
not found.le ipt_MASQUERADE
: command not foundline 14:
iptables: Chain already exists
iptables: Chain already exists
iptables: Bad policy name
iptables: Bad policy name
iptables: Bad policy name
: command not foundline 21:
: command not foundline 23:
iptables: Bad policy name
iptables: Bad policy name
: command not foundline 26:
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
: command not foundline 29:
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
: command not foundline 34:
: command not foundline 36:
: command not foundline 39:
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
: command not foundline 52:
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
'ptables v1.3.0: Invalid target name `DROP
Try `iptables -h' or 'iptables --help' for more information.
: command not foundline 58:
iptables v1.3.0: multiple -d flags not allowed
Try `iptables -h' or 'iptables --help' for more information.
: command not foundline 61:
: command not foundline 66:
: No such file or directory /proc/sys/net/ipv4/ip_forward
: command not foundline 69:
[root@gtds-vpnserver init.d]#

These errors don't make sense as the modprobes work fine from the 
commandline 
I have tried about four ready-made firewall scripts from 
http://www.linuxguruz.com/iptables/ just to see if it was something weird in 
my script and encounter very similar problems. Has anyone had any luck with 
this on Fedora Core 4 or is there something I am missing? The last time I 
made a firewall/router was when ipchains was the thing to use so I am not 
entirely unfamiliar with the process.

Thanks!
Tim

next             reply	other threads:[~2005-09-02 18:01 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2005-09-02 18:01 Tim P [this message]
2005-09-03  5:05 ` Having Issue with iptables on FC4 - can't get it working properly /dev/rob0
  -- strict thread matches above, loose matches on Subject: below --
2005-09-03  4:42 Greg Scott

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a5abf517050902110130101112@mail.gmail.com \
    --to=panterafreak@gmail.com \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.