Linux Netfilter discussions
* "bad argument" trouble with iptables-restore (ipt v.1.3.4 + gentoo 2.6.16)
@ 2006-05-24 23:39 Eric White
  2006-05-25 16:39 ` Eric White
  0 siblings, 1 reply; 3+ messages in thread
From: Eric White @ 2006-05-24 23:39 UTC (permalink / raw)
  To: netfilter

I've got ~930 rules with which I'd like to initialize via 
iptables-restore.  The file includes rules for nat, filter and mangle 
tables. I've got iptables v1.3.4 running on a Gentoo 2.6.16 kernel, with 
some of my own, in-progress extensions (hence the '-m devset' specifiers).

At the first COMMIT, I get an error:

Bad argument 'COMMIT'
Error occurred at line: 209

I've cut the main file into 3 different files (filter, nat, mangle) and 
get the same results at each file's 'COMMIT'.  I'm including the filter 
list below (since it's relatively small), hoping someone can give it a 
quick glance and note my mistakes.

thanks

=======================


#Filter table
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-N :A:Svc:ABD
-N :X:Abd:Clients:General:Ulog
-N :X:Abd:Clients:Darkspace:Ulog
-N :X:Abd:Clients:PrivAddr:Ulog
-A :A:Svc:ABD -j :X:Abd:Clients:General:Ulog
-A :A:Svc:ABD -j :X:Abd:Clients:Darkspace:Ulog
-A :A:Svc:ABD -j :X:Abd:Clients:PrivAddr:Ulog
-N :A:Global
-A :A:Global -p tcp ! --syn -m state --state NEW -j DROP
-A :A:Global -p tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP
-A :A:Global -p tcp --tcp-flags ALL NONE -j DROP
-A :A:Global -s 224.0.0.0/4 -j DROP
-A :A:Global -s 127.0.0.0/8 -j DROP
-N :A:Node:Server
-N :A:Nodes
-N :M:X:ToServer
-N :M:Nodes
-N :M:X:FromServer
-N :D:Global
-N :D:Node:Server
-N :D:Nodes
-A INPUT -j :A:Global
-A OUTPUT -j :A:Global
-A FORWARD -j :A:Global
-A INPUT -j :A:Nodes
-A OUTPUT -j :A:Node:Server
-A FORWARD -j :A:Nodes
-A INPUT -j :M:X:ToServer
-A FORWARD -j :M:Nodes
-A OUTPUT -j :M:X:FromServer
-A INPUT -j :D:Global
-A OUTPUT -j :D:Global
-A FORWARD -j :D:Global
-A INPUT -j :D:Node:Server
-A OUTPUT -j :D:Nodes
-A FORWARD -j :D:Nodes
-N :A:Q:Clients
-N :A:Node:Clients
-A :A:Q:Clients -m devset --set-name 2 --device in -j :A:Node:Clients
-A :A:Nodes -j :A:Q:Clients
-N :D:Q:Clients
-N :D:Node:Clients
-A :D:Q:Clients -m devset --set-name 2 --device out -j :D:Node:Clients
-A :D:Nodes -j :D:Q:Clients
-N :M:Q:Clients
-N :M:X:Clients
-A :M:Q:Clients -m devset --set-name 2 --device in -j :M:X:Clients
-A :M:Nodes -j :M:Q:Clients
-N :M:Q:Clients:Server
-N :M:X:Clients:Server
-A :M:Q:Clients:Server -m devset --set-name 2 --device in -j :M:X:Clients:Server
-A :M:X:ToServer -j :M:Q:Clients:Server
-N :M:Q:Clients:Clients
-N :M:X:Clients:Clients
-A :M:Q:Clients:Clients -m devset --set-name 2 --device out -j :M:X:Clients:Clients
-A :M:X:Clients -j :M:Q:Clients:Clients
-N :M:Q:Server:Clients
-N :M:X:Server:Clients
-A :M:Q:Server:Clients -m devset --set-name 2 --device out -j :M:X:Server:Clients
-A :M:X:FromServer -j :M:Q:Server:Clients
-A :A:Node:Clients -j :A:Svc:ABD
-N :A:Q:WAN
-N :A:Node:WAN
-A :A:Q:WAN -m devset --set-name 3 --device in -j :A:Node:WAN
-A :A:Nodes -j :A:Q:WAN
-N :D:Q:WAN
-N :D:Node:WAN
-A :D:Q:WAN -m devset --set-name 3 --device out -j :D:Node:WAN
-A :D:Nodes -j :D:Q:WAN
-N :M:Q:WAN
-N :M:X:WAN
-A :M:Q:WAN -m devset --set-name 3 --device in -j :M:X:WAN
-A :M:Nodes -j :M:Q:WAN
-N :M:Q:WAN:Server
-N :M:X:WAN:Server
-A :M:Q:WAN:Server -m devset --set-name 3 --device in -j :M:X:WAN:Server
-A :M:X:ToServer -j :M:Q:WAN:Server
-N :M:Q:WAN:Clients
-N :M:X:WAN:Clients
-A :M:Q:WAN:Clients -m devset --set-name 2 --device out -j :M:X:WAN:Clients
-A :M:X:WAN -j :M:Q:WAN:Clients
-N :M:Q:WAN:WAN
-N :M:X:WAN:WAN
-A :M:Q:WAN:WAN -m devset --set-name 3 --device out -j :M:X:WAN:WAN
-A :M:X:WAN -j :M:Q:WAN:WAN
-N :M:Q:Server:WAN
-N :M:X:Server:WAN
-A :M:Q:Server:WAN -m devset --set-name 3 --device out -j :M:X:Server:WAN
-A :M:X:FromServer -j :M:Q:Server:WAN
-N :M:Q:Clients:WAN
-N :M:X:Clients:WAN
-A :M:Q:Clients:WAN -m devset --set-name 3 --device out -j :M:X:Clients:WAN
-A :M:X:Clients -j :M:Q:Clients:WAN
-N :A:Q:VPN
-N :A:Node:VPN
-A :A:Q:VPN -m devset --set-name 4 --device in -j :A:Node:VPN
-A :A:Nodes -j :A:Q:VPN
-N :D:Q:VPN
-N :D:Node:VPN
-A :D:Q:VPN -m devset --set-name 4 --device out -j :D:Node:VPN
-A :D:Nodes -j :D:Q:VPN
-N :M:Q:VPN
-N :M:X:VPN
-A :M:Q:VPN -m devset --set-name 4 --device in -j :M:X:VPN
-A :M:Nodes -j :M:Q:VPN
-N :M:Q:VPN:Server
-N :M:X:VPN:Server
-A :M:Q:VPN:Server -m devset --set-name 4 --device in -j :M:X:VPN:Server
-A :M:X:ToServer -j :M:Q:VPN:Server
-N :M:Q:VPN:Clients
-N :M:X:VPN:Clients
-A :M:Q:VPN:Clients -m devset --set-name 2 --device out -j :M:X:VPN:Clients
-A :M:X:VPN -j :M:Q:VPN:Clients
-N :M:Q:VPN:WAN
-N :M:X:VPN:WAN
-A :M:Q:VPN:WAN -m devset --set-name 3 --device out -j :M:X:VPN:WAN
-A :M:X:VPN -j :M:Q:VPN:WAN
-N :M:Q:VPN:VPN
-N :M:X:VPN:VPN
-A :M:Q:VPN:VPN -m devset --set-name 4 --device out -j :M:X:VPN:VPN
-A :M:X:VPN -j :M:Q:VPN:VPN
-N :M:Q:Server:VPN
-N :M:X:Server:VPN
-A :M:Q:Server:VPN -m devset --set-name 4 --device out -j :M:X:Server:VPN
-A :M:X:FromServer -j :M:Q:Server:VPN
-N :M:Q:Clients:VPN
-N :M:X:Clients:VPN
-A :M:Q:Clients:VPN -m devset --set-name 4 --device out -j :M:X:Clients:VPN
-A :M:X:Clients -j :M:Q:Clients:VPN
-N :M:Q:WAN:VPN
-N :M:X:WAN:VPN
-A :M:Q:WAN:VPN -m devset --set-name 4 --device out -j :M:X:WAN:VPN
-A :M:X:WAN -j :M:Q:WAN:VPN
-A :M:X:Server:Clients -j ACCEPT
-A :M:X:Server:VPN -j ACCEPT
-A :M:X:Server:WAN -j ACCEPT
-A :M:X:Clients:Server -m state --state ESTABLISHED,RELATED -j ACCEPT
-A :M:X:Clients:Server -p udp --dport 29922 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29922 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29924 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29914 -j ACCEPT
-A :M:X:Clients:Server -p udp --dport 53 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 53 -j ACCEPT
-A :M:X:Clients:Server -p udp --dport 29923 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29923 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29900 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29901 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29908 -j ACCEPT
-A :M:X:Clients:Server -p tcp --dport 29909 -j ACCEPT
-N :X:DHCP:Accept
-A :M:X:Clients:Server -p udp --sport bootpc -j :X:DHCP:Accept
-N :X:Clients:ToServer:Accept
-A :M:X:Clients:Server -j :X:Clients:ToServer:Accept
-N :X:Abd:Clients:ToServer:Ulog
-N :X:Abd:Clients:ToServer:Uni:Pass
-A :X:Abd:Clients:ToServer:Uni:Pass -d 255.255.255.255 -j RETURN
-A :X:Abd:Clients:ToServer:Uni:Pass -j :X:Abd:Clients:ToServer:Ulog
-A :M:X:Clients:Server -j :X:Abd:Clients:ToServer:Uni:Pass
-N :X:Clients:Clients:Pass
-A :M:X:Clients:Clients -j :X:Clients:Clients:Pass
-N :X:VPNSubnet:FromClients:Pass
-A :X:VPNSubnet:FromClients:Pass -j DROP
-A :M:X:Clients:VPN -j :X:VPNSubnet:FromClients:Pass
-N :X:ClientMark:VPN:Accept
-A :M:X:Clients:VPN -j :X:ClientMark:VPN:Accept
-A :M:X:Clients:VPN -m state --state ESTABLISHED,RELATED -j ACCEPT
-N :X:WalledGarden:Accept
-A :M:X:Clients:WAN -j :X:WalledGarden:Accept
-N :X:Quarantine:Drop
-A :M:X:Clients:WAN -j :X:Quarantine:Drop
-N :X:ClientMark:WAN:Accept
-A :X:ClientMark:WAN:Accept -m markset --set-name 0 -j ACCEPT
-A :M:X:Clients:WAN -j :X:ClientMark:WAN:Accept
-A :M:X:VPN:Server -m state --state ESTABLISHED,RELATED -j ACCEPT
-A :M:X:VPN:Server -p tcp --dport 29910 -j ACCEPT
-A :M:X:VPN:Server -p tcp --dport 29918 -j ACCEPT
-A :M:X:VPN:Server -p udp --dport 161 -j ACCEPT
-A :M:X:VPN:Server -p udp --dport 162 -j ACCEPT
-A :M:X:VPN:Server -p tcp --dport 29903 -j ACCEPT
-A :M:X:VPN:Server -p icmp -j ACCEPT
-N :X:VPN:ToServer:Accept
-A :M:X:VPN:Server -j :X:VPN:ToServer:Accept
-A :M:X:VPN:Clients -m state --state ESTABLISHED,RELATED -j ACCEPT
-N :X:VPNSubnet:ToClients:Pass
-A :X:VPNSubnet:ToClients:Pass -j DROP
-A :M:X:VPN:Clients -j :X:VPNSubnet:ToClients:Pass
-A :M:X:VPN:Clients -j ACCEPT
-A :M:X:VPN:WAN -j DROP
-A :M:X:WAN:Server -p udp --sport 500 --dport 500 -j ACCEPT
-A :M:X:WAN:Server -p tcp --dport 29903 -j ACCEPT
-N :X:WAN:ToServer:Accept
-A :M:X:WAN:Server -j :X:WAN:ToServer:Accept
-A :M:X:WAN:Server -m state --state ESTABLISHED,RELATED -j ACCEPT
-N :X:Abd:WAN:Clients:Ulog
-A :M:X:WAN:Clients -j :X:Abd:WAN:Clients:Ulog
-A :M:X:WAN:Clients -m state --state ESTABLISHED,RELATED -j ACCEPT
-N :X:Network:Accept
-A :M:X:WAN:Clients -j :X:Network:Accept
-N :X:PortXlation:Accept
-A :M:X:WAN:Clients -j :X:PortXlation:Accept
-N :X:PortForwarding:Accept
-A :M:X:WAN:Clients -j :X:PortForwarding:Accept
-A :M:X:WAN:VPN -j DROP
COMMIT   





* Re: "bad argument" trouble with iptables-restore (ipt v.1.3.4 + gentoo 2.6.16)
  2006-05-24 23:39 "bad argument" trouble with iptables-restore (ipt v.1.3.4 + gentoo 2.6.16) Eric White
@ 2006-05-25 16:39 ` Eric White
  2006-05-25 17:50   ` Patrick McHardy
  0 siblings, 1 reply; 3+ messages in thread
From: Eric White @ 2006-05-25 16:39 UTC (permalink / raw)
  To: netfilter-devel, netfilter

With a little more experimentation, I see that manually poking a new 
chain definition (e.g., "iptables -t filter -N :A:Svc:ABD ") and then 
issuing iptables-save generates a

::A:Svc:ABD - [0:0]

line in the output.  So, I modified the ruleset, replacing all -N 
occurrences with the corresponding ":" prefix and added the "- [0:0]" 
suffix, with the same result; i.e., the COMMIT line generates a "bad 
argument" error.

So, I can poke these things in with the iptables call (which is what the 
current script does at an agonizing rate), but I can't seem to get 
iptables-restore to behave the same.


Eric White wrote:

> I've got ~930 rules with which I'd like to initialize via 
> iptables-restore.  The file includes rules for nat, filter and mangle 
> tables. I've got iptables v1.3.4 running on a Gentoo 2.6.16 kernel, 
> with some of my own, in-progress extensions (hence the '-m devset' 
> specifiers).
>
> At the first COMMIT, I get an error:
>
> Bad argument 'COMMIT'
> Error occurred at line: 209
>
> I've cut the main file into 3 different files (filter, nat, mangle) 
> and get the same results at each file's 'COMMIT'.  I'm including the 
> filter list below (since it's relatively small), hoping someone can 
> give it a quick glance and note my mistakes.
>
> thanks
>




* Re: "bad argument" trouble with iptables-restore (ipt v.1.3.4 + gentoo 2.6.16)
  2006-05-25 16:39 ` Eric White
@ 2006-05-25 17:50   ` Patrick McHardy
  0 siblings, 0 replies; 3+ messages in thread
From: Patrick McHardy @ 2006-05-25 17:50 UTC (permalink / raw)
  To: Eric White; +Cc: netfilter-devel, netfilter

Eric White wrote:
> With a little more experimentation, I see that manually poking a new
> chain definition (e.g., "iptables -t filter -N :A:Svc:ABD ") and then
> issuing iptables-save generates a
> 
> ::A:Svc:ABD - [0:0]
> 
> line in the output.  So, I modified the ruleset, replacing all -N
> occurrences with the corresponding ":" prefix and added the "- [0:0]'
> suffix, with the same result; i.e., the COMMIT line generates a "bad
> argument" error.


This usually means that a previously used match/target didn't
ignore unknown arguments as it ought to do. I suggest trying
the latest iptables version (there are a couple of these
fixes in each release); if that doesn't help, please try to
find out which match or target is responsible by removing
individual lines until the error goes away.



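Before bisecting a 900-line ruleset by hand as suggested above, it is worth running the dump through a format check. The linter below is an added example written for this thread, not code from either poster or from the iptables project: it walks an iptables-save style file the way iptables-restore does (a *table header, :chain declarations, rule lines, then COMMIT), accepts chain names that themselves begin with ":" as in the poster's file, and reports jumps to chains not declared earlier in the table, rules wrapped onto two lines by a mail client, and a COMMIT line that is not exactly "COMMIT" (iptables-restore compares that line verbatim and hands anything else to the rule parser, which is one way to get a "Bad argument" naming COMMIT). The sample ruleset and the chain names in it are constructed for the example.

```python
import re

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
# Targets that are not user chains; extend with any extension targets in use.
STD_TARGETS = {"ACCEPT", "DROP", "RETURN", "REJECT", "LOG", "ULOG", "QUEUE",
               "MARK", "MASQUERADE", "SNAT", "DNAT", "REDIRECT"}
CHAIN_DECL = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")  # :name policy [pkts:bytes]
# Constructed sample, not the poster's file: two jumps go to chains never
# declared in the table, and COMMIT carries trailing spaces.
SAMPLE = "\n".join([
    "*filter",
    ":INPUT DROP [0:0]",
    "::A:Svc:ABD - [0:0]",
    "-N :A:Global",
    "-A INPUT -j :A:Global",
    "-A INPUT -j :A:Nodes",
    "-A :A:Svc:ABD -j :X:Abd:Clients:General:Ulog",
    "COMMIT" + "   ",
]) + "\n"

def lint_restore(text):
    """Return [(lineno, message)] for an iptables-save style dump; lineno 0 = end of file."""
    problems, table, chains = [], None, set()
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        if line.strip() == "COMMIT":
            if line != "COMMIT":  # restore matches the whole line, so "COMMIT " becomes a rule
                problems.append((n, "COMMIT carries extra whitespace; it will be parsed as a rule"))
            table, chains = None, set()
            continue
        if line.startswith("*"):
            table, chains = line[1:].strip(), set()
            continue
        if table is None:
            problems.append((n, "line outside any *table block"))
            continue
        if line.startswith(":"):
            m = CHAIN_DECL.match(line)
            if m:
                chains.add(m.group(1))
            else:
                problems.append((n, "malformed chain declaration (rule wrapped by a mailer?)"))
            continue
        tok = line.split()
        if tok[0] == "-N" and len(tok) == 2:  # restore accepts -N as well as :name lines
            chains.add(tok[1])
            continue
        if len(tok) > 1 and tok[1] not in chains | BUILTIN_CHAINS:
            problems.append((n, f"rule added to undeclared chain {tok[1]}"))
        if "-j" in tok:
            i = tok.index("-j")
            if i + 1 == len(tok):
                problems.append((n, "-j without a target (line wrapped by a mailer?)"))
            elif tok[i + 1] not in STD_TARGETS | chains | BUILTIN_CHAINS:
                problems.append((n, f"jump to chain not declared earlier in *{table}: {tok[i + 1]}"))
    if table is not None:
        problems.append((0, f"*{table} has no COMMIT"))
    return problems
```

Run it over the file before feeding it to iptables-restore; a clean report narrows the search to the match and target extensions Patrick points at.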
