Hey all,
I tried to modify my iptables rules and I think there was an update and now it's giving me a weird error...
iptables-save < /etc/iptables/iptables.rules
/etc/rc.d/iptables restart
iptables --list
My Rules File...
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [216:14865]
:BRUTEGUARD - [0:0]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j interfaces
-A INPUT -j open
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -i eth+ -p icmp -m icmp --icmp-type 8 -j DROP
-A BRUTEGUARD -m recent --set --name BF --rsource
-A BRUTEGUARD -m recent --update --seconds 600 --hitcount 20 --name BF --rsource -j LOG --log-prefix "[BRUTEFORCE ATTEMPT] " --log-level 6
-A BRUTEGUARD -m recent --update --seconds 600 --hitcount 20 --name BF --rsource -j DROP
-A interfaces -i lo -j ACCEPT
-A open -p tcp -m tcp --dport 80 -j ACCEPT
#-A open -p tcp -m tcp --dport 443 -j ACCEPT
-A open -p tcp -m tcp --dport 22 -j BRUTEGUARD
COMMIT
After I run iptables-save < /etc/iptables/iptables.rules, it says it generates the following (which I believe is wrong)
# Generated by iptables-save v1.4.12 on Tue Aug 23 11:56:44 2011
*mangle
:PREROUTING ACCEPT [101:7144]
:INPUT ACCEPT [101:7144]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:7944]
:POSTROUTING ACCEPT [90:7944]
COMMIT
# Completed on Tue Aug 23 11:56:44 2011
# Generated by iptables-save v1.4.12 on Tue Aug 23 11:56:44 2011
*filter
:INPUT ACCEPT [101:7144]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92:8192]
COMMIT
# Completed on Tue Aug 23 11:56:44 2011
# Generated by iptables-save v1.4.12 on Tue Aug 23 11:56:44 2011
*nat
:PREROUTING ACCEPT [258631:13050076]
:POSTROUTING ACCEPT [607982:32942287]
:OUTPUT ACCEPT [422276:25514047]
COMMIT
# Completed on Tue Aug 23 11:56:44 2011
/etc/rc.d/iptables restart
iptables-restore v1.4.12: Can't set policy `ACCEPT' on `INPUT' line 4: Bad built-in chain name
Any help would be much appreciated and any criticism on my configuration as well as it probably isn't the best...
Thanks
Last edited by mike55 (2011-08-23 16:03:26)
Don't you mean 'iptables-save > /etc/iptables/iptables.rules' ? And why not use '/etc/rc.d/iptables save' or 'rc.d save iptables' to save the status?
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Still not working.
Yeah... I guess that's effectively the same thing. I tried it anyway though...
/etc/rc.d/iptables save
:: Saving IP Tables [DONE]
/etc/rc.d/iptables restart
:: Stopping IP Tables [BUSY]
iptables-restore v1.4.12: Can't set policy `ACCEPT' on `INPUT' line 4: Bad built-in chain name [FAIL]
:: Starting IP Tables [FAIL]
The "save" part isn't actually saving my rules, instead it's making that craptastic configuration I pasted in the above post and then erroring on it?
I'm still like WTF? I tried downgrading the package via the cache, but I didn't have much older of a version as it is only 3 versions behind and I hadn't touched the ruleset in a while.
Last edited by mike55 (2011-08-23 17:13:29)
Your /etc/iptables/iptables.rules probably has something that iptables-restore doesn't like. I would also check file permissions, since you say saving is not working.
If you still have the script you used to input all the rules into iptables, then maybe starting fresh can help: remove iptables, delete any backup configuration file, reinstall iptables and use your script.
Your rules file looks ok _to me_, but I may be missing something. If you don't have much time to spend on trying to find out what the problem is, take the easy way out, or you may want to wait for someone else to chime in and maybe spot the problem.
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
I'm screwed, I spent half my night trying to fix it. It's just using the default rule set, so it's not going off the rules I give it, then it errors off of those. It's like a bug or something. The permissions are there for reading across the board and I'm running it as root. I already reinstalled IP tables, then went back a couple versions (only a few though, didn't have older ones). The script I used is posted above, the version also.
What happens if you use /etc/iptables/empty.rules as iptables.rules and then add lines in your original script one by one from command line?
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Okay, even using a basic configuration with nothing, it WILL not save. In fact it still gives that error even if I use :INPUT DROP [0:0]
So it's clearly not saving whatever I try to put into it. Is there another way to save it besides "iptables-save > /etc/iptables/iptables.rules"?
Another example... (Using default ruleset, nothing specified)
# iptables-save
# /etc/rc.d/iptables restart
:: Stopping IP Tables [BUSY]
iptables-restore v1.4.12: Can't set policy `ACCEPT' on `INPUT' line 4: Bad built-in chain name
[FAIL]
:: Starting IP Tables [FAIL]
Update: Tried using the simple firewall as well under the file iptables.rules which is in conf.d, still fails.
Also used /etc/rc.d/iptables save and stop and restore all fails.
Last edited by mike55 (2011-08-24 11:55:08)
Wait, iptables-save returns nothing? It should dump the rules to the tty; iptables-save just displays the existing rules in a format acceptable for the config file. You can write these out by hand by translating the output of iptables -L -v. BTW, with empty.rules, what does this command output?
What arch are you on? And how did you reinstall iptables, with pacman -Sf?
Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd
Sorry, "iptables-save" returns this...
# iptables-save
# Generated by iptables-save v1.4.12 on Wed Aug 24 19:03:21 2011
*mangle
:PREROUTING ACCEPT [99359:7600276]
:INPUT ACCEPT [99359:7600276]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [100683:10693111]
:POSTROUTING ACCEPT [100683:10693111]
COMMIT
# Completed on Wed Aug 24 19:03:21 2011
# Generated by iptables-save v1.4.12 on Wed Aug 24 19:03:21 2011
*filter
:INPUT ACCEPT [99359:7600276]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [100685:10693359]
COMMIT
# Completed on Wed Aug 24 19:03:21 2011
# Generated by iptables-save v1.4.12 on Wed Aug 24 19:03:21 2011
*nat
:PREROUTING ACCEPT [3020:158095]
:POSTROUTING ACCEPT [2003:126283]
:OUTPUT ACCEPT [2003:126283]
COMMIT
It errors the same when I try to substitute empty.rules inside iptables.rules.
# uname -a -i -m -n -p -r -s -v
Linux 2.6.18-194.26.1.el5.028stab070.14 #1 SMP Thu Nov 18 16:34:01 MSK 2010 x86_64 Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz GenuineIntel GNU/Linux
I believe I'm using this VZ Template: http://dev.archlinux.org/~ibiru/openvz/2010.05/
I reinstalled iptables like so...
pacman -R iptables
pacman -S iptables
I will try what you said to attempt when I get some more time, thanks
Last edited by mike55 (2011-08-24 23:11:25)
Solution to this problem:
Edit /var/lib/iptables/empty-nat.rules and comment out line #4
# Empty iptables nat table rules file
*nat
:PREROUTING ACCEPT [0:0]
# :INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
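The failure in this thread is iptables-restore refusing a policy line for a chain the kernel's nat table does not have: the nat table only gained a built-in INPUT chain in Linux 2.6.36, and the 2.6.18 OpenVZ kernel shown above predates that, so ":INPUT ACCEPT [0:0]" on line 4 of empty-nat.rules is rejected as a "Bad built-in chain name". Below is an added example, not code from the thread, from Arch, or from the iptables project: a small Python checker for iptables-save style files that models which built-in chains each table has (legacy_nat=True for a pre-2.6.36 kernel), reports the same condition with the same line number iptables-restore would, and also flags a file that does not end with a newline after COMMIT, which the original poster found mattered. The BUILTIN table, the KNOWN_TARGETS set and the FILTER_SAMPLE input are my own constructions; EMPTY_NAT is the thread's empty-nat.rules before line 4 was commented out.

```python
import re

# Built-in chains per table on a kernel whose nat table has an INPUT chain
# (Linux 2.6.36 and later). raw/security tables omitted; assumed table.
BUILTIN = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
}
# Jump targets that are not chains (subset sufficient for this thread's rules).
KNOWN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN",
                 "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "MARK"}

# ':CHAIN POLICY [packets:bytes]' as written by iptables-save
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[\d+:\d+\]$")


def builtin_chains(legacy_nat=False):
    """Chains that may carry a policy, per table. legacy_nat=True models a
    pre-2.6.36 kernel (like the 2.6.18 OpenVZ kernel in the thread) whose
    nat table has no INPUT chain."""
    tables = {name: set(chains) for name, chains in BUILTIN.items()}
    if legacy_nat:
        tables["nat"].discard("INPUT")
    return tables


def check_rules(text, legacy_nat=False):
    """Return a list of (line_number, message); empty means the file passed.
    Line numbers are 1-based, matching iptables-restore's own messages."""
    tables = builtin_chains(legacy_nat)
    problems = []
    lines = text.splitlines()
    table = None        # table being filled, None outside *table ... COMMIT
    declared = set()    # chains declared with ':' lines in the current table

    for no, raw in enumerate(lines, 1):
        s = raw.strip()
        if not s or s.startswith("#"):
            continue                        # blank lines and comments
        if s.startswith("*"):
            table, declared = s[1:], set()
            if table not in tables:
                problems.append((no, f"unknown table '{table}'"))
            continue
        if table is None:
            problems.append((no, "directive outside a *table ... COMMIT block"))
            continue
        if s == "COMMIT":
            table = None
            continue
        m = CHAIN_RE.match(s)
        if m:
            chain, policy = m.groups()
            declared.add(chain)
            # Only built-in chains take a policy; user chains use '-'.
            if policy != "-" and chain not in tables.get(table, set()):
                problems.append((no, f"Can't set policy `{policy}' on `{chain}': "
                                     "Bad built-in chain name"))
            continue
        if s.startswith("-A "):
            words = s.split()
            if words[1] not in declared:
                problems.append((no, f"rule appends to undeclared chain '{words[1]}'"))
            if "-j" in words and words.index("-j") + 1 < len(words):
                target = words[words.index("-j") + 1]
                if target not in declared and target not in KNOWN_TARGETS:
                    problems.append((no, f"jump to unknown chain/target '{target}'"))
            continue
        problems.append((no, f"unrecognised line: {s}"))

    if table is not None:
        problems.append((len(lines), f"table '{table}' never COMMITed"))
    if text and not text.endswith("\n"):
        # The poster reported success only once COMMIT was followed by a newline.
        problems.append((len(lines), "file does not end with a newline after COMMIT"))
    return problems


# The thread's empty-nat.rules before line 4 was commented out.
EMPTY_NAT = """# Empty iptables nat table rules file
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""

# Constructed filter table in the shape of the original poster's file.
FILTER_SAMPLE = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:open - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j open
-A open -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, text in (("empty-nat.rules", EMPTY_NAT), ("filter sample", FILTER_SAMPLE)):
        for kernel, legacy in (("2.6.36+", False), ("pre-2.6.36", True)):
            print(f"{name} on {kernel}: {check_rules(text, legacy_nat=legacy) or 'OK'}")
```

Run it against a real rules file with check_rules(open(path).read(), legacy_nat=True) when the target kernel is older than 2.6.36; on a current kernel the default is right, and the checker then accepts the nat INPUT line that this thread's kernel could not.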
THANK YOU! That was it!
It didn't work right away, but after I added a newline after my COMMIT, it worked... seriously. I saved the file without one, then with one, then without one, and it worked.
Thanks all
Last edited by mike55 (2011-09-18 19:38:14)