From: Marco <marco.nicoloso@fastwebnet.it>
To: Samuel Jean <sj-netfilter@cookinglinux.org>
Cc: netfilter@lists.netfilter.org
Subject: Re: Iptables fails on -m state --state!
Date: Fri, 18 Feb 2005 21:16:21 +0000
Message-ID: <42165B25.3010800@fastwebnet.it>
In-Reply-To: <49063.142.169.215.10.1108661774.squirrel@142.169.215.10>
Samuel Jean wrote:
>On Thu, February 17, 2005 1:07 pm, Marco said:
>
>>Hi there,
>>
>>even if the corresponding module is built into the kernel and loaded,
>>iptables fails (No chain/target/match with that name, or something like
>>that).
>>
>>What can I do?
>
>Please show us the output of:
>
>cat /proc/net/ip_tables_matches | grep state
>
>And show us the rule you did input.
>
>>Thanks
>>
>>Marco Nicoloso
>
>Best regards,
>Samuel
>
cat /proc/net/ip_tables_matches | grep state doesn't return anything, but
the contents of ip_tables_matches are:
tcp
udp
icmp
while the rules are (I'm posting my script in its entirety):
#!/bin/bash
/sbin/iptables -v -P INPUT DROP
/sbin/iptables -v -P OUTPUT DROP
/sbin/iptables -v -P FORWARD DROP
/sbin/iptables -v -N bad_tcp_packets
/sbin/iptables -v -N allowed
/sbin/iptables -v -N tcp_packets
/sbin/iptables -v -N udp_packets
/sbin/iptables -v -N icmp_packets
/sbin/iptables -v -A bad_tcp_packets -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset #Fails
/sbin/iptables -v -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:" #FAILS
/sbin/iptables -v -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -j DROP #FAILS
/sbin/iptables -v -A allowed -p TCP --syn -j ACCEPT
/sbin/iptables -v -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT #FAILS
/sbin/iptables -v -A allowed -p TCP -j DROP
/sbin/iptables -v -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
/sbin/iptables -v -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
/sbin/iptables -v -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
/sbin/iptables -v -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
/sbin/iptables -v -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
/sbin/iptables -v -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
/sbin/iptables -v -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
/sbin/iptables -v -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
/sbin/iptables -v -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
/sbin/iptables -v -A INPUT -p ALL -i eth0 -s 192.168.0.240/28 -j ACCEPT
/sbin/iptables -v -A INPUT -p ALL -i lo -j ACCEPT
/sbin/iptables -v -A INPUT -p UDP -i eth0 --dport 67 --sport 68 -j ACCEPT
/sbin/iptables -v -A INPUT -p ALL -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT #FAILS
/sbin/iptables -v -A INPUT -p TCP -i eth1 -j tcp_packets
/sbin/iptables -v -A INPUT -p UDP -i eth1 -j udp_packets
/sbin/iptables -v -A INPUT -p ICMP -i eth1 -j icmp_packets
/sbin/iptables -v -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " #FAILS
/sbin/iptables -v -A FORWARD -p tcp -j bad_tcp_packets
/sbin/iptables -v -A FORWARD -i eth0 -j ACCEPT
/sbin/iptables -v -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT #FAILS
/sbin/iptables -v -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: " #FAILS
/sbin/iptables -v -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
/sbin/iptables -v -A OUTPUT -p ALL -s 14.0.217.49 -j ACCEPT
/sbin/iptables -v -A OUTPUT -p ALL -o eth1 -j ACCEPT
/sbin/iptables -v -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " #FAILS
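The check a practitioner would want before running a script like the one above, as an added example that is not part of this thread and not the poster's own code: a small POSIX shell script that collects every match the rules will ask the kernel for (the names given with -m, plus the protocol matches that -p tcp/udp/icmp load implicitly) and compares them with what the running kernel has actually registered in /proc/net/ip_tables_matches. That proc file is the authoritative list of what is available right now, built in or loaded as a module, so an empty "grep state" on it, as reported above, means every rule using "-m state" is going to fail no matter what the kernel config claims. The function names, file names and sample inputs below are my own; the sample files are constructed to mirror the posted output (only tcp, udp and icmp registered) and an excerpt of the posted rules, one rule per line.

```shell
#!/bin/sh
# Added example, not code from the thread: compare the matches a rules script
# needs with the matches registered in /proc/net/ip_tables_matches before the
# script is run, so a missing "state" or "limit" shows up as one clear line
# instead of a string of "No chain/target/match by that name" errors.

# used_matches RULES_FILE
#   Prints, sorted and deduplicated, each match name the rules use: names given
#   with -m/--match, plus the protocol match that "-p tcp|udp|icmp" loads
#   implicitly (lower-cased, the way the kernel lists it; "-p all" loads none).
used_matches() {
    awk '
        {
            for (i = 1; i < NF; i++) {
                if ($i == "-m" || $i == "--match") {
                    seen[$(i + 1)] = 1
                } else if ($i == "-p" || $i == "--protocol") {
                    p = tolower($(i + 1))
                    if (p != "all") seen[p] = 1
                }
            }
        }
        END { for (n in seen) print n }
    ' "$1" | sort -u
}

# missing_matches AVAIL_FILE RULES_FILE
#   Prints each match the rules need that AVAIL_FILE (normally
#   /proc/net/ip_tables_matches) does not list. Exit status is 1 when anything
#   is missing, so it can gate the script:  missing_matches ... && ./rc.firewall
missing_matches() {
    used_matches "$2" | awk -v avail="$1" '
        BEGIN { while ((getline line < avail) > 0) have[line] = 1 }
        !($1 in have) { print; missing = 1 }
        END { exit (missing ? 1 : 0) }
    '
}

# --- constructed sample inputs (not real files from the poster's machine) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_AVAIL="$SAMPLE_DIR/ip_tables_matches"   # stands in for /proc/net/ip_tables_matches
SAMPLE_RULES="$SAMPLE_DIR/rc.firewall"         # excerpt of the posted script, one rule per line

# Exactly what the poster reported the proc file contains.
printf '%s\n' tcp udp icmp > "$SAMPLE_AVAIL"

cat > "$SAMPLE_RULES" <<'EOF'
#!/bin/bash
/sbin/iptables -v -A bad_tcp_packets -p TCP ! --syn -m state --state NEW -j DROP
/sbin/iptables -v -A allowed -p TCP --syn -j ACCEPT
/sbin/iptables -v -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
/sbin/iptables -v -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
/sbin/iptables -v -A INPUT -p ALL -i lo -j ACCEPT
/sbin/iptables -v -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT INPUT packet died: "
EOF

# With the sample inputs this prints "limit" and "state" and takes the else branch.
if missing_matches "$SAMPLE_AVAIL" "$SAMPLE_RULES"; then
    echo "every match is registered; safe to load the rules"
else
    echo "the matches listed above are not registered; load or build them first" >&2
fi
```

On a live box the call is `missing_matches /proc/net/ip_tables_matches /path/to/rc.firewall`. For the 2.4/2.6 kernels and iptables of this vintage the `state` match is provided by ipt_state (which pulls in ip_conntrack) and `limit` by ipt_limit; if `modprobe ipt_state` succeeds the name appears in the proc file and the rules load, and if modprobe reports that the module does not exist the match was never built for the running kernel, which is what an empty grep on the proc file points to regardless of what the kernel config was believed to be. Note the check only covers explicit matches and the implicit protocol matches; targets such as LOG and REJECT have their own list in /proc/net/ip_tables_targets and are not inspected here.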
Thread overview: 5+ messages
2005-02-17 18:07 Iptables fails on -m state --state! Marco
2005-02-17 17:36 ` Samuel Jean
2005-02-18 21:16 ` Marco [this message]
2005-02-18 20:16 ` Jason Opperisano
2005-02-18 21:47 ` Marco