Linux Netfilter discussions
From: Eric White <eric.white@ionpipe.com>
To: netfilter@lists.netfilter.org
Subject: "bad argument" trouble with iptables-restore (ipt v.1.3.4 + gentoo 2.6.16)
Date: Wed, 24 May 2006 18:39:48 -0500
Message-ID: <4474EEC4.4070909@ionpipe.com>

I've got ~930 rules that I'd like to load via iptables-restore. The file 
includes rules for the nat, filter and mangle tables. I've got iptables 
v1.3.4 running on a Gentoo 2.6.16 kernel, with some of my own, in-progress 
extensions (hence the '-m devset' specifiers).

At the first COMMIT, I get an error:

Bad argument 'COMMIT'
Error occurred at line: 209

I've cut the main file into 3 different files (filter, nat, mangle) and 
get the same results at each file's 'COMMIT'.  I'm including the filter 
list below (since it's relatively small), hoping someone can give it a 
quick glance and note my mistakes.

thanks

=======================


#Filter table
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-N :A:Svc:ABD
-N :X:Abd:Clients:General:Ulog
-N :X:Abd:Clients:Darkspace:Ulog
-N :X:Abd:Clients:PrivAddr:Ulog
-A :A:Svc:ABD -j :X:Abd:Clients:General:Ulog
-A :A:Svc:ABD -j :X:Abd:Clients:Darkspace:Ulog
-A :A:Svc:ABD -j :X:Abd:Clients:PrivAddr:Ulog
-N :A:Global
-A :A:Global -p tcp ! --syn -m state --state NEW -j DROP
-A :A:Global -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP
-A :A:Global -p tcp --tcp-flags ALL NONE -j DROP
-A :A:Global -s 224.0.0.0/4 -j DROP
-A :A:Global -s 127.0.0.0/8 -j DROP
-N :A:Node:Server
-N :A:Nodes
-N :M:X:ToServer
-N :M:Nodes
-N :M:X:FromServer
-N :D:Global
-N :D:Node:Server
-N :D:Nodes
-A INPUT -j :A:Global
-A OUTPUT -j :A:Global
-A FORWARD -j :A:Global
-A INPUT -j :A:Nodes
-A OUTPUT -j :A:Node:Server
-A FORWARD -j :A:Nodes
-A INPUT -j :M:X:ToServer
-A FORWARD -j :M:Nodes
-A OUTPUT -j :M:X:FromServer
-A INPUT -j :D:Global
-A OUTPUT -j :D:Global
-A FORWARD -j :D:Global
-A INPUT -j :D:Node:Server
-A OUTPUT -j :D:Nodes
-A FORWARD -j :D:Nodes
-N :A:Q:Clients
-N :A:Node:Clients
-A :A:Q:Clients -m devset --set-name 2 --device in -j :A:Node:Clients
-A :A:Nodes -j :A:Q:Clients
-N :D:Q:Clients
-N :D:Node:Clients
-A :D:Q:Clients -m devset --set-name 2 --device out -j :D:Node:Clients
-A :D:Nodes -j :D:Q:Clients
-N :M:Q:Clients
-N :M:X:Clients
-A :M:Q:Clients -m devset --set-name 2 --device in -j :M:X:Clients
-A :M:Nodes -j :M:Q:Clients
-N :M:Q:Clients:Server
-N :M:X:Clients:Server
-A :M:Q:Clients:Server -m devset --set-name 2 --device in -j :M:X:Clients:Server
-A :M:X:ToServer -j :M:Q:Clients:Server
-N :M:Q:Clients:Clients
-N :M:X:Clients:Clients
-A :M:Q:Clients:Clients -m devset --set-name 2 --device out -j :M:X:Clients:Clients
-A :M:X:Clients -j :M:Q:Clients:Clients
-N :M:Q:Server:Clients
-N :M:X:Server:Clients
-A :M:Q:Server:Clients -m devset --set-name 2 --device out -j :M:X:Server:Clients
-A :M:X:FromServer -j :M:Q:Server:Clients
-A :A:Node:Clients -j :A:Svc:ABD
-N :A:Q:WAN
-N :A:Node:WAN
-A :A:Q:WAN -m devset --set-name 3 --device in -j :A:Node:WAN
-A :A:Nodes -j :A:Q:WAN
-N :D:Q:WAN
-N :D:Node:WAN
-A :D:Q:WAN -m devset --set-name 3 --device out -j :D:Node:WAN
-A :D:Nodes -j :D:Q:WAN
-N :M:Q:WAN
-N :M:X:WAN
-A :M:Q:WAN -m devset --set-name 3 --device in -j :M:X:WAN
-A :M:Nodes -j :M:Q:WAN
-N :M:Q:WAN:Server
-N :M:X:WAN:Server
-A :M:Q:WAN:Server -m devset --set-name 3 --device in -j :M:X:WAN:Server
-A :M:X:ToServer -j :M:Q:WAN:Server
-N :M:Q:WAN:Clients
-N :M:X:WAN:Clients
-A :M:Q:WAN:Clients -m devset --set-name 2 --device out -j :M:X:WAN:Clients
-A :M:X:WAN -j :M:Q:WAN:Clients
-N :M:Q:WAN:WAN
-N :M:X:WAN:WAN
-A :M:Q:WAN:WAN -m devset --set-name 3 --device out -j :M:X:WAN:WAN
-A :M:X:WAN -j :M:Q:WAN:WAN
-N :M:Q:Server:WAN
-N :M:X:Server:WAN
-A :M:Q:Server:WAN -m devset --set-name 3 --device out -j :M:X:Server:WAN
-A :M:X:FromServer -j :M:Q:Server:WAN
-N :M:Q:Clients:WAN
-N :M:X:Clients:WAN
-A :M:Q:Clients:WAN -m devset --set-name 3 --device out -j :M:X:Clients:WAN
-A :M:X:Clients -j :M:Q:Clients:WAN
-N :A:Q:VPN
-N :A:Node:VPN
-A :A:Q:VPN -m devset --set-name 4 --device in -j :A:Node:VPN
-A :A:Nodes -j :A:Q:VPN
-N :D:Q:VPN
-N :D:Node:VPN
-A :D:Q:VPN -m devset --set-name 4 --device out -j :D:Node:VPN
-A :D:Nodes -j :D:Q:VPN
-N :M:Q:VPN
-N :M:X:VPN
-A :M:Q:VPN -m devset --set-name 4 --device in -j :M:X:VPN
-A :M:Nodes -j :M:Q:VPN
-N :M:Q:VPN:Server
-N :M:X:VPN:Server
-A :M:Q:VPN:Server -m devset --set-name 4 --device in -j :M:X:VPN:Server
-A :M:X:ToServer -j :M:Q:VPN:Server
-N :M:Q:VPN:Clients
-N :M:X:VPN:Clients
-A :M:Q:VPN:Clients -m devset --set-name 2 --device out -j :M:X:VPN:Clients
-A :M:X:VPN -j :M:Q:VPN:Clients
-N :M:Q:VPN:WAN
-N :M:X:VPN:WAN
-A :M:Q:VPN:WAN -m devset --set-name 3 --device out -j :M:X:VPN:WAN
-A :M:X:VPN -j :M:Q:VPN:WAN
-N :M:Q:VPN:VPN
-N :M:X:VPN:VPN
-A :M:Q:VPN:VPN -m devset --set-name 4 --device out -j :M:X:VPN:VPN
-A :M:X:VPN -j :M:Q:VPN:VPN
-N :M:Q:Server:VPN
-N :M:X:Server:VPN
-A :M:Q:Server:VPN -m devset --set-name 4 --device out -j :M:X:Server:VPN
-A :M:X:FromServer -j :M:Q:Server:VPN
-N :M:Q:Clients:VPN
-N :M:X:Clients:VPN
-A :M:Q:Clients:VPN -m devset --set-name 4 --device out -j :M:X:Clients:VPN
-A :M:X:Clients -j :M:Q:Clients:VPN
-N :M:Q:WAN:VPN
-N :M:X:WAN:VPN
-A :M:Q:WAN:VPN -m devset --set-name 4 --device out -j :M:X:WAN:VPN
-A :M:X:WAN -j :M:Q:WAN:VPN
-A :M:X:Server:Clients -j ACCEPT
-A :M:X:Server:VPN -j ACCEPT
-A :M:X:Server:WAN -j ACCEPT
-A :M:X:Clients:Server -m state --state ESTABLISHED,RELATED -j ACCEPT
-A :M:X:Clients:Server -p udp --dport 29922 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29922 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29924 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29914 -j ACCEPT
-A :M:X:Clients:Server -p udp --dport 53 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 53 -j ACCEPT
-A :M:X:Clients:Server -p udp --dport 29923 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29923 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29900 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29901 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29908 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29909 -j ACCEPT
-N :X:DHCP:Accept
-A :M:X:Clients:Server -p udp --sport bootpc -j :X:DHCP:Accept
-N :X:Clients:ToServer:Accept
-A :M:X:Clients:Server -j :X:Clients:ToServer:Accept
-N :X:Abd:Clients:ToServer:Ulog
-N :X:Abd:Clients:ToServer:Uni:Pass
-A :X:Abd:Clients:ToServer:Uni:Pass -d 255.255.255.255 -j RETURN
-A :X:Abd:Clients:ToServer:Uni:Pass -j :X:Abd:Clients:ToServer:Ulog
-A :M:X:Clients:Server -j :X:Abd:Clients:ToServer:Uni:Pass
-N :X:Clients:Clients:Pass
-A :M:X:Clients:Clients -j :X:Clients:Clients:Pass
-N :X:VPNSubnet:FromClients:Pass
-A :X:VPNSubnet:FromClients:Pass -j DROP
-A :M:X:Clients:VPN -j :X:VPNSubnet:FromClients:Pass
-N :X:ClientMark:VPN:Accept
-A :M:X:Clients:VPN -j :X:ClientMark:VPN:Accept
-A :M:X:Clients:VPN -m state --state ESTABLISHED,RELATED -j ACCEPT
-N :X:WalledGarden:Accept
-A :M:X:Clients:WAN -j :X:WalledGarden:Accept
-N :X:Quarantine:Drop
-A :M:X:Clients:WAN -j :X:Quarantine:Drop
-N :X:ClientMark:WAN:Accept
-A :X:ClientMark:WAN:Accept -m markset --set-name 0 -j ACCEPT
-A :M:X:Clients:WAN -j :X:ClientMark:WAN:Accept
-A :M:X:VPN:Server -m state --state ESTABLISHED,RELATED -j ACCEPT
-A :M:X:VPN:Server -p tcp --dport 29910 -j ACCEPT
-A :M:X:VPN:Server -p tcp --dport 29918 -j ACCEPT
-A :M:X:VPN:Server -p udp --dport 161 -j ACCEPT
-A :M:X:VPN:Server -p udp --dport 162 -j ACCEPT
-A :M:X:VPN:Server -p tcp --dport 29903 -j ACCEPT
-A :M:X:VPN:Server -p icmp -j ACCEPT
-N :X:VPN:ToServer:Accept
-A :M:X:VPN:Server -j :X:VPN:ToServer:Accept
-A :M:X:VPN:Clients -m state --state ESTABLISHED,RELATED -j ACCEPT
-N :X:VPNSubnet:ToClients:Pass
-A :X:VPNSubnet:ToClients:Pass -j DROP
-A :M:X:VPN:Clients -j :X:VPNSubnet:ToClients:Pass
-A :M:X:VPN:Clients -j ACCEPT
-A :M:X:VPN:WAN -j DROP
-A :M:X:WAN:Server -p udp --sport 500 --dport 500 -j ACCEPT
-A :M:X:WAN:Server -p tcp --dport 29903 -j ACCEPT
-N :X:WAN:ToServer:Accept
-A :M:X:WAN:Server -j :X:WAN:ToServer:Accept
-A :M:X:WAN:Server -m state --state ESTABLISHED,RELATED -j ACCEPT
-N :X:Abd:WAN:Clients:Ulog
-A :M:X:WAN:Clients -j :X:Abd:WAN:Clients:Ulog
-A :M:X:WAN:Clients -m state --state ESTABLISHED,RELATED -j ACCEPT
-N :X:Network:Accept
-A :M:X:WAN:Clients -j :X:Network:Accept
-N :X:PortXlation:Accept
-A :M:X:WAN:Clients -j :X:PortXlation:Accept
-N :X:PortForwarding:Accept
-A :M:X:WAN:Clients -j :X:PortForwarding:Accept
-A :M:X:WAN:VPN -j DROP
COMMIT   
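Two things worth checking in a file like this before it goes to iptables-restore, as an added example that is not from Eric's post or from the iptables project: iptables-restore recognizes COMMIT by exact string comparison, so a COMMIT line with trailing spaces (the last line above carries some) is handed to the rule parser and rejected as "Bad argument 'COMMIT'"; and a rule whose -j target has been wrapped onto the next line no longer parses as a single rule. The POSIX sh lint below flags both; the file contents in its test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the iptables project): a
# pre-flight lint for iptables-restore input files. It flags traps that
# only surface as a confusing error at COMMIT time:
#   1. a COMMIT line carrying trailing whitespace. iptables-restore recognizes
#      COMMIT by exact string comparison, so "COMMIT   " falls through to the
#      rule parser and is rejected as "Bad argument 'COMMIT'".
#   2. a rule line ending in '-j' or '-g' whose target was wrapped onto the
#      following line (the usual result of mail-client line wrapping), and the
#      orphaned continuation line that then looks like a ':CHAIN' declaration.
# Usage: lint_restore_file FILE  -> exit 0 when clean, 1 when findings printed.
lint_restore_file() {
    file=$1
    status=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Remove the trailing whitespace run so the checks see the real content.
        trimmed=${line%"${line##*[![:space:]]}"}
        case "$trimmed" in
            ''|'#'*) continue ;;          # blank lines and comments are fine
            COMMIT)
                if [ "$trimmed" != "$line" ]; then
                    printf '%s:%d: trailing whitespace after COMMIT\n' "$file" "$lineno"
                    status=1
                fi ;;
            :*' '*) ;;                    # ':CHAIN POLICY [p:b]' declaration
            :*)
                printf '%s:%d: chain declaration without policy/counters (wrapped continuation?)\n' "$file" "$lineno"
                status=1 ;;
            *' -j'|*' -g')
                printf '%s:%d: jump/goto target missing (line wrapped?)\n' "$file" "$lineno"
                status=1 ;;
        esac
    done < "$file"
    return "$status"
}
```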




Thread overview: 3+ messages
2006-05-24 23:39 Eric White [this message]
2006-05-25 16:39 ` "bad argument" trouble with iptables-restore (ipt v.1.3.4 + gentoo 2.6.16) Eric White
2006-05-25 17:50   ` Patrick McHardy
