* Proof Read
@ 2004-04-16 15:57 Nathan Littlepage
2004-04-16 17:01 ` David Cannings
0 siblings, 1 reply; 3+ messages in thread
From: Nathan Littlepage @ 2004-04-16 15:57 UTC (permalink / raw)
To: netfilter
Can anyone proofread the following rc.firewall script and throw some
light on why I get an 'Invalid Argument' on the two -m physdev statements upon
bootup? Yet, once the system is active, the modules are loaded and I can
execute the script and, aside from the error that the modules are
already loaded, it will not error out on the -m physdev statements.
I've tried this on 2.4.22 and 2.6.4 systems with the same error, so I'm
thinking it's the rules.
Thanks.
---rc.firewall script---
#!/bin/sh
# Load kernel modules
modprobe ipt_physdev
modprobe ipt_state
# Defined Variables.
LOCALINT="lo"
ADMININT="eth3"
OUTINT="eth0"
SEG1INT="eth1"
SEG2INT="eth2"
# NOTE: ADMINSUB (the admin subnet allowed to reach port 22) is used in the
# INPUT rules below but is not defined anywhere in the posted script; it must
# be set before this point or the -s match is empty.
# Flush all Chains.
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
# Set default Policy for each Chain.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Setup: INPUT Chain for LOCALINT and ADMININT interfaces.
iptables -A INPUT -i $LOCALINT -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $ADMININT -p tcp -s $ADMINSUB --dport 22 -j ACCEPT
# Setup: Allow RELATED and ESTABLISHED connections back in.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Setup: Allow all traffic from segments out.
iptables -A FORWARD -m physdev --physdev-in $SEG1INT --physdev-out $OUTINT -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $SEG2INT --physdev-out $OUTINT -j ACCEPT
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Proof Read
2004-04-16 15:57 Proof Read Nathan Littlepage
@ 2004-04-16 17:01 ` David Cannings
2004-04-16 17:12 ` Nathan Littlepage
0 siblings, 1 reply; 3+ messages in thread
From: David Cannings @ 2004-04-16 17:01 UTC (permalink / raw)
To: netfilter
> Can anyone proof over the following rc.firewall script and throw some
> light as to why I get an 'Invalid Argument' on the two -m physdev upon
> bootup. Yet, once the system is active the modules are loaded and I can
> execute the script and, aside from the error that the modules are
> already loaded, it will not error out on the -m physdev statements.
I assume you have already checked this, but are you sure the interfaces have
been configured and brought up by the point the script is run? If you're
running it in rcX.d, make sure the iptables script comes after the one that
configures network interfaces.
David
* RE: Proof Read
2004-04-16 17:01 ` David Cannings
@ 2004-04-16 17:12 ` Nathan Littlepage
0 siblings, 0 replies; 3+ messages in thread
From: Nathan Littlepage @ 2004-04-16 17:12 UTC (permalink / raw)
To: netfilter
Yes, I'm bringing up the interfaces prior to running the scripts. If you
haven't noticed, this is a bridged firewall application. Using brctl I
bring up the bridge interface, then add the ethernet interfaces to it.
Thinking that the interfaces needed more time to become active, I at one
time put a sleep in the rc.firewall script right after the modules were
loaded. Alas, same results.
> -----Original Message-----
> From: netfilter-admin@lists.netfilter.org
> [mailto:netfilter-admin@lists.netfilter.org] On Behalf Of
> David Canni
> Sent: Friday, April 16, 2004 12:02 PM
> To: netfilter@lists.netfilter.org
> Subject: Re: Proof Read
>
> > Can anyone proof over the following rc.firewall script and throw some
> > light as to why I get an 'Invalid Argument' on the two -m physdev upon
> > bootup. Yet, once the system is active the modules are loaded and I can
> > execute the script and, aside from the error that the modules are
> > already loaded, it will not error out on the -m physdev statements.
>
> I assume you have already checked this but are you sure the interfaces have
> been configured and brought up by the point the script is run? If you're
> running it in rcX.d, make sure the iptables script comes after the one that
> configures network interfaces.
>
> David
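The thread turns on ordering: the posted script sets the FORWARD policy to DROP and then adds -m physdev rules that only make sense once the modules are loaded and the ethernet interfaces have been attached to the bridge with brctl. The following is an added example, not code from the thread or from netfilter; it front-loads those prerequisite checks so that a boot-time failure names the missing piece instead of surfacing as a bare "Invalid argument", and it refuses to add the FORWARD rules when a check fails, which with the DROP policy leaves the bridge closed rather than half-configured. It assumes a 2.6-style sysfs under $SYSROOT and a /proc/modules-style list at $MODLIST, and the bridge name br0 is a hypothetical stand-in for the bridge the poster creates; the port names follow the posted script. The make_fake_sysfs function builds a constructed stand-in tree so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread). Preflight checks for a bridged
# rc.firewall before any "-m physdev" rule is issued.
# Assumptions: 2.6-style sysfs at $SYSROOT, /proc/modules-style list at
# $MODLIST; bridge name br0 is hypothetical; set IPTABLES=echo for a dry run.

SYSROOT="${SYSROOT:-/sys}"
MODLIST="${MODLIST:-/proc/modules}"
IPTABLES="${IPTABLES:-iptables}"

# module_loaded NAME: succeeds if NAME appears in the loaded-module list.
module_loaded() {
    grep -q "^$1 " "$MODLIST" 2>/dev/null
}

# iface_exists IFACE: succeeds if the kernel has registered the interface.
iface_exists() {
    [ -d "$SYSROOT/class/net/$1" ]
}

# iface_is_bridge_port IFACE BRIDGE: succeeds if IFACE has been added to
# BRIDGE (sysfs lists each port under the bridge's brif/ directory).
iface_is_bridge_port() {
    [ -e "$SYSROOT/class/net/$2/brif/$1" ]
}

# preflight BRIDGE IFACE...: print every failed prerequisite and return the
# number of failures (0 means the physdev rules can safely be loaded).
preflight() {
    pf_bridge="$1"; shift
    pf_failures=0
    for pf_mod in ipt_physdev ipt_state; do
        module_loaded "$pf_mod" || {
            echo "module not loaded: $pf_mod"; pf_failures=$((pf_failures + 1)); }
    done
    iface_exists "$pf_bridge" || {
        echo "bridge not present: $pf_bridge"; pf_failures=$((pf_failures + 1)); }
    for pf_if in "$@"; do
        if ! iface_exists "$pf_if"; then
            echo "interface not present: $pf_if"; pf_failures=$((pf_failures + 1))
        elif ! iface_is_bridge_port "$pf_if" "$pf_bridge"; then
            echo "not a port of $pf_bridge: $pf_if"; pf_failures=$((pf_failures + 1))
        fi
    done
    return "$pf_failures"
}

# apply_forward_rules BRIDGE OUTIF SEGIF...: the FORWARD rules from the posted
# script, issued only once preflight passes. With the FORWARD policy already
# DROP, stopping here leaves the bridge closed instead of half-configured.
apply_forward_rules() {
    af_bridge="$1"; af_out="$2"; shift 2
    preflight "$af_bridge" "$af_out" "$@" || return 1
    "$IPTABLES" -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    for af_seg in "$@"; do
        "$IPTABLES" -A FORWARD -m physdev --physdev-in "$af_seg" \
            --physdev-out "$af_out" -j ACCEPT
    done
}

# make_fake_sysfs DIR: constructed stand-in for sysfs and /proc/modules so the
# checks run offline: bridge br0 with ports eth0, eth1, eth2, plus a
# non-bridged admin interface eth3, mirroring the posted script.
make_fake_sysfs() {
    for fs_if in br0 eth0 eth1 eth2 eth3; do
        mkdir -p "$1/sys/class/net/$fs_if"
    done
    mkdir -p "$1/sys/class/net/br0/brif"
    for fs_port in eth0 eth1 eth2; do
        ln -s "../../$fs_port" "$1/sys/class/net/br0/brif/$fs_port"
    done
    printf 'ipt_physdev 2048 2 - Live 0x00000000\nipt_state 1024 4 - Live 0x00000000\n' \
        > "$1/modules"
}
```

On a live system the script would be called as `apply_forward_rules br0 eth0 eth1 eth2` from rc.firewall after the modprobe lines; a non-zero return with the printed reason is the signal that the bridge or modules were not ready, which is the ordering problem the replies in this thread point at.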