Adding variables to iptables file

Adding variables to iptables file

[Veena Etcell]

Hi,

I am hoping someone can help with the following:
I am at a point where I require advice/direction with regards to adding
variables (manually or otherwise) to a standard iptables file.
I am not sure how to add them/where to add them or the syntax that is
required.

In the example below I have manually added one variable (Line 2) to see
would happen to /etc/sysconfig/iptables (Redhat FC3 install).

When I iptables-restore < /etc/sysconfig/iptables I get "error at line 2
failed"


# Generated by iptables-save v1.2.11 on Mon Mar  7 22:18:56 2005
EXT_INTERFACE="eth0"
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -j REJECT --reject-with icmp-port-unreachable 
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable 
-A INPUT -i lo -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
-A mine -j ACCEPT 
COMMIT
# Completed on Mon Mar  7 22:18:56 2005

Any advice would be appreciated
Thanks and regards
michael

Re: Adding variables to iptables file

[richard hauswald]

Hello,

i do not know what a syntax the iptables restore programm uses. But i 
know that you should write a shell script containing your iptables 
system calls.
Ok, a verry short example:

(I use this script for disabling my firewall and enabling routing and Nat.)
---------------------------------------------------------------------
#! /bin/bash

ext_int="ppp0"

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -t nat -A POSTROUTING -o $ext_int -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
---------------------------------------------------------------------

After you started this script, you can do an iptables-save and the you 
are able to restore your rules.
But i would prefer starting this script instead of using iptables-save 
and iptables-restore.

If you have a dial in account with dynamic ipadresses an a huge 
firewallscript i would prefer the use of 3 files:
static.var
dynamic.var
rc.firewall

static.var contains static definitions of your network, for example your 
internal ip adsress, internal interfacename, .....
dynamic.var contains dynamicly changing informations like external ip, 
dns servers, external interfacename, ...
rc.firewall contains the following 2 lines:
. /path/to/file/static.var
. /path/to/file/dynamic.var

and your firewall rules.
if you want i can provide an example how to get the dynamic information.

regards
richard hauswald

Re: Adding variables to iptables file

[Petrisor Bobalca]

Hello,

iptables-save and iptables-restore don't work with variables. for
example if run the script:

-------------
#!/bin/bash
ext_if="eth0"
ipt="/usr/sbin/iptables"

$ipt -A INPUT -i $ext_if -j DROP
-------------

iptables-save will output:

-------------
#Generated by .....
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -i eth0 -j DROP
COMMIT
#Completed...
-------------

so, if you really need variables use a script!


On Tuesday, March 8, 2005, 12:25:36 PM, Veena Etcell wrote:

> Hi,

> I am hoping someone can help with the following:
> I am at a point where I require advice/direction with regards to adding
> variables (manually or otherwise) to a standard iptables file.
> I am not sure how to add them/where to add them or the syntax that is
> required.

> In the example below I have manually added one variable (Line 2) to see
> would happen to /etc/sysconfig/iptables (Redhat FC3 install).

> When I iptables-restore < /etc/sysconfig/iptables I get "error at line 2
> failed"


> # Generated by iptables-save v1.2.11 on Mon Mar  7 22:18:56 2005
> EXT_INTERFACE="eth0"
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A INPUT -p tcp -j REJECT --reject-with icmp-port-unreachable 
> -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable 
> -A INPUT -i lo -j ACCEPT 
> -A OUTPUT -o lo -j ACCEPT 
> -A mine -j ACCEPT 
> COMMIT
> # Completed on Mon Mar  7 22:18:56 2005

> Any advice would be appreciated
> Thanks and regards
> michael


-- 
Best regards,
 Petrisor                            mailto:petry.b@gmail.com

RE: Adding variables to iptables file

[Veena Etcell]

Ahh... The format of the example is skewiff.

It should read:
# Generated by iptables-save v1.2.11 on Mon Mar  7 22:18:56 2005
EXT_INTERFACE="eth0"
*filter
....

EXT_INTERFACE="eth0" being the variable noted in the original email.

Regards

-----Original Message-----
From: R. DuFresne [mailto:dufresne@sysinfo.com] 
Sent: Tuesday, 8 March 2005 9:31 PM
To: Veena Etcell
Subject: Re: Adding variables to iptables file

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



What variable?  <inline>

On Tue, 8 Mar 2005, Veena Etcell wrote:

> Hi,
>
> I am hoping someone can help with the following:
> I am at a point where I require advice/direction with regards to adding
> variables (manually or otherwise) to a standard iptables file.
> I am not sure how to add them/where to add them or the syntax that is
> required.
>
> In the example below I have manually added one variable (Line 2) to see
> would happen to /etc/sysconfig/iptables (Redhat FC3 install).
>
> When I iptables-restore < /etc/sysconfig/iptables I get "error at line 2
> failed"
>
>
> # Generated by iptables-save v1.2.11 on Mon Mar  7 22:18:56 2005
> EXT_INTERFACE="eth0"
> *filter


*filter is not a variable, basically what you are doing is creating a 
shell script, so variables are declared as they are in a shell script;;

var=something

Hope that helps.


Thanks,

Ron DuFresne
- -- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant:  sysinfo.com
                         http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                         -Tom Robins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFCLX7gst+vzJSwZikRAhmvAKCjvyPLX1KG1lYA7AiCxpcUlAflxgCfQ9HB
loDTSmVLzLdfOiozS+uP9mE=
=fuNo
-----END PGP SIGNATURE-----

RE: Adding variables to iptables file

[John A. Sullivan III]

On Tue, 2005-03-08 at 21:36 +1100, Veena Etcell wrote:
> Ahh... The format of the example is skewiff.
> 
> It should read:
> # Generated by iptables-save v1.2.11 on Mon Mar  7 22:18:56 2005
> EXT_INTERFACE="eth0"
> *filter
> ....
> 
> EXT_INTERFACE="eth0" being the variable noted in the original email.
> 
> Regards
> 
> -----Original Message-----
> From: R. DuFresne [mailto:dufresne@sysinfo.com] 
> Sent: Tuesday, 8 March 2005 9:31 PM
> To: Veena Etcell
> Subject: Re: Adding variables to iptables file
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> 
> What variable?  <inline>
> 
> On Tue, 8 Mar 2005, Veena Etcell wrote:
> 
> > Hi,
> >
> > I am hoping someone can help with the following:
> > I am at a point where I require advice/direction with regards to adding
> > variables (manually or otherwise) to a standard iptables file.
> > I am not sure how to add them/where to add them or the syntax that is
> > required.
> >
> > In the example below I have manually added one variable (Line 2) to see
> > would happen to /etc/sysconfig/iptables (Redhat FC3 install).
> >
> > When I iptables-restore < /etc/sysconfig/iptables I get "error at line 2
> > failed"
> >
> >
> > # Generated by iptables-save v1.2.11 on Mon Mar  7 22:18:56 2005
> > EXT_INTERFACE="eth0"
> > *filter
> 
> 
> *filter is not a variable, basically what you are doing is creating a 
> shell script, so variables are declared as they are in a shell script;;
> 
> var=something
> 
<snip>
Hmmm . . . perhaps I am misinformed but I thought one could not use a
variable in a file passed to iptables-restore although one can use them
in a regular script which uses the iptables command.  Of course,
iptables-restore is the way to go for loading large rule sets.

-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net

RE: Adding variables to iptables file

[Dimitri Yioulos]

-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of John A. Sullivan
III
Sent: Tuesday, March 08, 2005 5:19 PM
To: Veena Etcell
Cc: Netfilter users list
Subject: RE: Adding variables to iptables file

On Tue, 2005-03-08 at 21:36 +1100, Veena Etcell wrote:
> Ahh... The format of the example is skewiff.
> 
> It should read:
> # Generated by iptables-save v1.2.11 on Mon Mar  7 22:18:56 2005
> EXT_INTERFACE="eth0"
> *filter
> ....
> 
> EXT_INTERFACE="eth0" being the variable noted in the original email.
> 
> Regards
> 
> -----Original Message-----
> From: R. DuFresne [mailto:dufresne@sysinfo.com] 
> Sent: Tuesday, 8 March 2005 9:31 PM
> To: Veena Etcell
> Subject: Re: Adding variables to iptables file
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> 
> What variable?  <inline>
> 
> On Tue, 8 Mar 2005, Veena Etcell wrote:
> 
> > Hi,
> >
> > I am hoping someone can help with the following:
> > I am at a point where I require advice/direction with regards to adding
> > variables (manually or otherwise) to a standard iptables file.
> > I am not sure how to add them/where to add them or the syntax that is
> > required.
> >
> > In the example below I have manually added one variable (Line 2) to see
> > would happen to /etc/sysconfig/iptables (Redhat FC3 install).
> >
> > When I iptables-restore < /etc/sysconfig/iptables I get "error at line 2
> > failed"
> >
> >
> > # Generated by iptables-save v1.2.11 on Mon Mar  7 22:18:56 2005
> > EXT_INTERFACE="eth0"
> > *filter
> 
> 
> *filter is not a variable, basically what you are doing is creating a 
> shell script, so variables are declared as they are in a shell script;;
> 
> var=something
> 
<snip>
>Hmmm . . . perhaps I am misinformed but I thought one could not use a
>variable in a file passed to iptables-restore although one can use them
>in a regular script which uses the iptables command.  Of course,
>iptables-restore is the way to go for loading large rule sets.


This may not be related, but I'm also getting this error.  I upgraded from
iptables-1.2.8-12.3 to iptables-1.2.11-3.2 on a CentOS 3.4 box.  I created
the new version from src.rpm.  Now, when I fire off iptables, I get the
"error at line 2", which in my iptables is nat, and iptables fails to load.
Further exploration and experimentation shows that when I try to load
iptable_nat.o, I get symbol errors.  However, when I run a iptables script I
created, despite a little complaining, iptables does load.

Any help to get this fixed (which hopefully helps the OP, too) would be
greatly appreciated.

RE: Adding variables to iptables file

[Jason Opperisano]

On Tue, 2005-03-08 at 17:50, Dimitri Yioulos wrote:
> This may not be related, but I'm also getting this error.  

it's not.

> I upgraded from
> iptables-1.2.8-12.3 to iptables-1.2.11-3.2 on a CentOS 3.4 box.  I created
> the new version from src.rpm.  Now, when I fire off iptables, I get the
> "error at line 2", which in my iptables is nat, and iptables fails to load.
> Further exploration and experimentation shows that when I try to load
> iptable_nat.o, I get symbol errors.  However, when I run a iptables script I
> created, despite a little complaining, iptables does load.

that's the classic symptom of kernel & userspace being out of sync. 
i.e. your kernel has patches applied to it that your userspace iptables
command is not aware of.

> Any help to get this fixed (which hopefully helps the OP, too) would be
> greatly appreciated.

when you apply patches from PoM, make sure you specify KERNEL_DIR and
IPTABLES_DIR and that you then compile the iptables userspace against
that kernel source tree.

the error indicates that the conntrack structures of the iptables binary
and the kernel are different sizes.

-j

--
"The lesson is: Our God is vengeful! O spiteful one, show me who to
 smite and they shall be smoten!!!"
	--The Simpsons

RE: Adding variables to iptables file

[Dimitri Yioulos]

>that's the classic symptom of kernel & userspace being out of sync. 
>i.e. your kernel has patches applied to it that your userspace iptables
>command is not aware of.
 
OK.  I'm a noob, and that's useful info., tough I wish I hadn't gotten to
that point in the first place :-)
Question:  if I uninstall the current version, and role back to the previous
version, which worked just fine, should I be OK?  There have been a number
of kernel updates since I first installed it from rpm.
 
>when you apply patches from PoM, make sure you specify KERNEL_DIR and
>IPTABLES_DIR and that you then compile the iptables userspace against
>that kernel source tree.
> 
>the error indicates that the conntrack structures of the iptables binary
>and the kernel are different sizes.
 

Thanks for this.  Since I've never used PoM, I'll rtfm and any how-to's
(suggestions?) before moving forward.  Are there any tips/tricks/gotchas you
can suggest?

 

Many thanks!

 

Dimitri