
#1 2011-08-23 16:02:31

mike55
Member
Registered: 2010-08-13
Posts: 16

iptables fails to save after update

Hey all,

I tried to modify my iptables rules and I think there was an update and now it's giving me a weird error...

iptables-save < /etc/iptables/iptables.rules
/etc/rc.d/iptables restart
iptables --list


My Rules File...

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [216:14865]
:BRUTEGUARD - [0:0]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP 
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP 
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP 
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP 
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -j interfaces 
-A INPUT -j open 
-A INPUT -p tcp -j REJECT --reject-with tcp-reset 
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -f -j DROP 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP 
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
-A INPUT -i eth+ -p icmp -m icmp --icmp-type 8 -j DROP 
-A BRUTEGUARD -m recent --set --name BF --rsource 
-A BRUTEGUARD -m recent --update --seconds 600 --hitcount 20 --name BF --rsource -j LOG --log-prefix "[BRUTEFORCE ATTEMPT] " --log-level 6 
-A BRUTEGUARD -m recent --update --seconds 600 --hitcount 20 --name BF --rsource -j DROP 
-A interfaces -i lo -j ACCEPT 
-A open -p tcp -m tcp --dport 80 -j ACCEPT 
#-A open -p tcp -m tcp --dport 443 -j ACCEPT 
-A open -p tcp -m tcp --dport 22 -j BRUTEGUARD 
COMMIT

After I run iptables-save < /etc/iptables/iptables.rules, it says it generates the following (which I believe is wrong)

# Generated by iptables-save v1.4.12 on Tue Aug 23 11:56:44 2011
*mangle
:PREROUTING ACCEPT [101:7144]
:INPUT ACCEPT [101:7144]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:7944]
:POSTROUTING ACCEPT [90:7944]
COMMIT
# Completed on Tue Aug 23 11:56:44 2011
# Generated by iptables-save v1.4.12 on Tue Aug 23 11:56:44 2011
*filter
:INPUT ACCEPT [101:7144]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [92:8192]
COMMIT
# Completed on Tue Aug 23 11:56:44 2011
# Generated by iptables-save v1.4.12 on Tue Aug 23 11:56:44 2011
*nat
:PREROUTING ACCEPT [258631:13050076]
:POSTROUTING ACCEPT [607982:32942287]
:OUTPUT ACCEPT [422276:25514047]
COMMIT
# Completed on Tue Aug 23 11:56:44 2011

/etc/rc.d/iptables restart

iptables-restore v1.4.12: Can't set policy `ACCEPT' on `INPUT' line 4: Bad built-in chain name

Any help would be much appreciated, and any criticism of my configuration as well, as it probably isn't the best...

Thanks

Last edited by mike55 (2011-08-23 16:03:26)


#2 2011-08-23 16:21:48

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: iptables fails to save after update

Don't you mean 'iptables-save > /etc/iptables/iptables.rules' ? And why not use '/etc/rc.d/iptables save' or 'rc.d save iptables' to save the status?


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#3 2011-08-23 16:43:05

mike55
Member
Registered: 2010-08-13
Posts: 16

Re: iptables fails to save after update

Still not working.

Yeah... I guess that's effectively the same thing. I tried it anyway though...

/etc/rc.d/iptables save
:: Saving IP Tables [DONE]
/etc/rc.d/iptables restart
:: Stopping IP Tables [BUSY]
iptables-restore v1.4.12: Can't set policy `ACCEPT' on `INPUT' line 4: Bad built-in chain name [FAIL]
:: Starting IP Tables [FAIL]

The "save" part isn't actually saving my rules, instead it's making that craptastic configuration I pasted in the above post and then erroring on it?

I'm still like WTF? I tried downgrading the package via the cache, but I didn't have a much older version, as the oldest one there is only 3 versions behind and I hadn't touched the ruleset in a while.

Last edited by mike55 (2011-08-23 17:13:29)


#4 2011-08-23 17:47:36

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: iptables fails to save after update

Your /etc/iptables/iptables.rules probably has something that iptables-restore doesn't like. I would also check file permissions since you say saving is not working.

If you still have the script you used to input all the rules into iptables then maybe starting fresh can help, remove iptables, delete any backup configuration file, reinstall iptables and use your script.

Your rules file looks ok _to me_, but I may be missing something. If you don't have much time to spend on trying to find out what the problem is, take the easy way out, or you may want to wait for someone else to chime in and maybe spot the problem.




#5 2011-08-23 19:52:43

mike55
Member
Registered: 2010-08-13
Posts: 16

Re: iptables fails to save after update

I'm screwed, I spent half my night trying to fix it. It's just using the default rule set, so it's not going off the rules I give it, then it errors off of those. It's like a bug or something. The permissions are there for reading across the board and I'm running it as root. I already reinstalled iptables, then went back a couple of versions (only a few though, didn't have older ones). The script I used is posted above, the version also.


#6 2011-08-23 22:47:41

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: iptables fails to save after update

What happens if you use /etc/iptables/empty.rules as iptables.rules and then add lines in your original script one by one from command line?


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd


#7 2011-08-24 07:38:03

mike55
Member
Registered: 2010-08-13
Posts: 16

Re: iptables fails to save after update

Okay, even using a basic configuration with nothing in it, it WILL not save. In fact it still gives that error even if I use :INPUT DROP [0:0]

So it's clearly not saving whatever I try to put into it.  Is there another way to save it besides "iptables-save > /etc/iptables/iptables.rules" ??

Another example... (Using default ruleset, nothing specified)

# iptables-save
# /etc/rc.d/iptables restart
:: Stopping IP Tables [BUSY]
iptables-restore v1.4.12: Can't set policy `ACCEPT' on `INPUT' line 4: Bad built-in chain name
[FAIL]
:: Starting IP Tables [FAIL]

Update: Tried using the simple firewall as well, under the file iptables.rules which is in conf.d; still fails.
Also used /etc/rc.d/iptables save, stop and restore; all fail.

Last edited by mike55 (2011-08-24 11:55:08)


#8 2011-08-24 17:00:10

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: iptables fails to save after update

Wait, iptables-save returns nothing? It should dump the rules to the tty. iptables-save just displays the existing rules in a format acceptable for the config file. You can write these out by hand by translating the output of iptables -L -v. BTW, with empty.rules, what does this command output?

What arch are you on? And how did you reinstall iptables, with pacman -Sf?




#9 2011-08-24 23:11:01

mike55
Member
Registered: 2010-08-13
Posts: 16

Re: iptables fails to save after update

Sorry, "iptables-save" returns this...

# iptables-save
# Generated by iptables-save v1.4.12 on Wed Aug 24 19:03:21 2011
*mangle
:PREROUTING ACCEPT [99359:7600276]
:INPUT ACCEPT [99359:7600276]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [100683:10693111]
:POSTROUTING ACCEPT [100683:10693111]
COMMIT
# Completed on Wed Aug 24 19:03:21 2011
# Generated by iptables-save v1.4.12 on Wed Aug 24 19:03:21 2011
*filter
:INPUT ACCEPT [99359:7600276]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [100685:10693359]
COMMIT
# Completed on Wed Aug 24 19:03:21 2011
# Generated by iptables-save v1.4.12 on Wed Aug 24 19:03:21 2011
*nat
:PREROUTING ACCEPT [3020:158095]
:POSTROUTING ACCEPT [2003:126283]
:OUTPUT ACCEPT [2003:126283]
COMMIT

It errors the same when I try to substitute empty.rules inside iptables.rules.

# uname -a -i -m -n -p -r -s -v
Linux 2.6.18-194.26.1.el5.028stab070.14 #1 SMP Thu Nov 18 16:34:01 MSK 2010 x86_64 Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz GenuineIntel GNU/Linux

I believe I'm using this VZ Template: http://dev.archlinux.org/~ibiru/openvz/2010.05/

I reinstalled iptables like so...

pacman -R iptables
pacman -S iptables

I will try what you said to attempt when I get some more time, thanks

Last edited by mike55 (2011-08-24 23:11:25)


#10 2011-09-04 03:09:53

abdulmueid
Member
Registered: 2011-09-04
Posts: 1

Re: iptables fails to save after update

Solution to this problem:

Edit /var/lib/iptables/empty-nat.rules and comment out line #4

# Empty iptables nat table rules file
*nat
:PREROUTING ACCEPT [0:0]
# :INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT


#11 2011-09-18 19:34:53

mike55
Member
Registered: 2010-08-13
Posts: 16

Re: iptables fails to save after update

THANK YOU!  That was it!

It didn't work right away, but after I added a newline after my COMMIT it worked... seriously. I saved the file without one, then with one, then without one, and it worked.

Thanks all

Last edited by mike55 (2011-09-18 19:38:14)

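The two things that finally fixed this thread (post #10: drop the ':INPUT ACCEPT [0:0]' line from the nat table template; post #11: make sure the file ends with a newline after COMMIT) are both things you can catch before handing a file to iptables-restore. The script below is an added example written for this editorial pass; it is not code from the thread, from Arch's iptables package, or from the iptables project. It parses a file in iptables-save format and checks each ':CHAIN POLICY [p:b]' line against the built-in chains of its table, which is the check behind the "Bad built-in chain name" error above. It assumes the classic per-table chain lists from iptables(8), and it treats the nat table's INPUT chain as optional via the nat_input_supported flag, because that chain does not exist in a 2.6.18 kernel like the OpenVZ one in post #9, which is why the upgraded package's empty-nat.rules template was rejected there. SHIPPED_EMPTY_NAT and FIXED_EMPTY_NAT are constructed samples based on post #10. Where iptables itself is installed, `iptables-restore --test < file` (recent versions) remains the authoritative parse; this script is for checking a file offline or on a build host.

```python
"""Offline sanity check for an iptables-save style rules file.

Added example for this thread, not code from the thread or from iptables.
Assumptions: built-in chain lists follow iptables(8); whether the nat table
has an INPUT chain depends on the target kernel (nat_input_supported).
"""
import re
import sys
from typing import Dict, List, Set

# Built-in chains per table. The nat table's INPUT chain is left out on
# purpose: kernels such as 2.6.18 do not have it, and iptables-restore there
# rejects a ':INPUT ACCEPT [0:0]' line with "Bad built-in chain name".
BUILTIN_CHAINS: Dict[str, Set[str]] = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
    "raw": {"PREROUTING", "OUTPUT"},
    "security": {"INPUT", "FORWARD", "OUTPUT"},
}
BUILTIN_POLICIES = {"ACCEPT", "DROP"}
# ":CHAIN POLICY [packets:bytes]" exactly as iptables-save writes it
CHAIN_LINE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")


def builtin_chains(table: str, nat_input_supported: bool) -> Set[str]:
    """Built-in chains of a table, optionally including nat's INPUT chain."""
    chains = set(BUILTIN_CHAINS[table])
    if table == "nat" and nat_input_supported:
        chains.add("INPUT")
    return chains


def check_rules(text: str, nat_input_supported: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the file looks restorable."""
    errors: List[str] = []
    table = None
    user_chains: Set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or comment (e.g. the commented-out ':INPUT' fix)
        if line.startswith("*"):
            table = line[1:]
            user_chains = set()
            if table not in BUILTIN_CHAINS:
                errors.append(f"line {lineno}: unknown table '{table}'")
                table = None
            continue
        if table is None:
            errors.append(f"line {lineno}: '{line}' outside of any *table block")
            continue
        if line == "COMMIT":
            table = None
            continue
        if line.startswith(":"):
            m = CHAIN_LINE.match(line)
            if not m:
                errors.append(f"line {lineno}: malformed chain line '{line}'")
            elif m.group(2) == "-":
                user_chains.add(m.group(1))  # user-defined chain, no policy
            elif m.group(1) not in builtin_chains(table, nat_input_supported):
                # The case iptables-restore reports as "Bad built-in chain name".
                errors.append(
                    f"line {lineno}: can't set policy {m.group(2)} on {m.group(1)}: "
                    f"not a built-in chain of table {table}")
            elif m.group(2) not in BUILTIN_POLICIES:
                errors.append(f"line {lineno}: bad policy '{m.group(2)}' for {m.group(1)}")
            continue
        if line.startswith(("-A ", "-I ")):
            chain = line.split()[1]  # the chain a rule is added to must be declared
            if chain not in builtin_chains(table, nat_input_supported) | user_chains:
                errors.append(f"line {lineno}: rule appended to undeclared chain '{chain}'")
            continue
        errors.append(f"line {lineno}: unrecognised line '{line}'")
    if table is not None:
        errors.append(f"table {table} is never COMMITted")
    if text and not text.endswith("\n"):
        errors.append("file does not end with a newline after the last COMMIT")
    return errors


# Constructed samples: the nat template as described in post #10, and the fix.
SHIPPED_EMPTY_NAT = (
    "# Empty iptables nat table rules file\n"
    "*nat\n"
    ":PREROUTING ACCEPT [0:0]\n"
    ":INPUT ACCEPT [0:0]\n"
    ":OUTPUT ACCEPT [0:0]\n"
    ":POSTROUTING ACCEPT [0:0]\n"
    "COMMIT\n"
)
FIXED_EMPTY_NAT = SHIPPED_EMPTY_NAT.replace("\n:INPUT", "\n# :INPUT")


if __name__ == "__main__":
    # usage: check_rules.py [--nat-input] [/path/to/iptables.rules]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    path = args[0] if args else "/etc/iptables/iptables.rules"
    with open(path) as fh:
        problems = check_rules(fh.read(), nat_input_supported="--nat-input" in sys.argv)
    for problem in problems:
        print(f"{path}: {problem}")
    sys.exit(1 if problems else 0)
```

Run it against /etc/iptables/iptables.rules (or the empty-nat.rules template) before restarting the service; on the thread's host it flags line 4 of the shipped nat template, and with `--nat-input` the same file passes, which is the difference between a kernel with and without a nat INPUT chain.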
