I was just trying to setup iptables, following the Simple Stateful Firewall Wiki article. But when I try to run the following command:
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
It gives me the following error message:
iptables v22.214.171.124: Couldn't load target `UDP':No such file or directory
I tried searching the internet, but there were only pages about some modules not loading properly, nothing that looked like the problem I have. If I understand it correctly, this command should make the computer reject UDP "port not reachable" messages, if it does not expect traffic on those ports, and I fear that I could get problems if I just ignore this command (as it rejects the packages and does not only drop them).
Any help for an Arch Linux newbie?
Thanks in advance for solutions to my Problem
Last edited by Gasp0de (2013-02-21 15:05:48)
The -j flag refers to targets, for example (always defined by iptables) INPUT, FORWARD and OUTPUT.
Others would have been set manually. Would you please provide your output of:
$ iptables -nL
Here it is:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     41   --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 ctstate NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I think you've missed this in the manual:
# iptables -N TCP
# iptables -N UDP
The parameters are explained here: http://ipset.netfilter.org/iptables.man.html
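The error in the first post comes from referencing a user-defined chain (UDP) before it has been created with -N. The following script is an added example, not code from the thread or the wiki: it takes a list of iptables commands (a constructed sample modelled on the wiki's rule set) and reports every -j target that is neither a built-in target nor created by an earlier -N line, so a rules file can be checked offline before it is loaded.

```sh
#!/bin/sh
# Added example (not from the thread): detect -j targets that were never
# created with -N. The rule lists below are constructed samples.

# A rule set in the spirit of the wiki article: chains are created first.
GOOD_RULES='iptables -P INPUT DROP
iptables -N TCP
iptables -N UDP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable'

# The same set with the "iptables -N UDP" line forgotten, as in the first post.
BAD_RULES='iptables -P INPUT DROP
iptables -N TCP
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP'

# Targets that exist without a -N (built-in or provided by target modules).
is_builtin() {
  case "$1" in
    ACCEPT|DROP|REJECT|RETURN|LOG|MASQUERADE|SNAT|DNAT) return 0 ;;
    *) return 1 ;;
  esac
}

# check_targets RULES: prints the space-separated names of -j targets that
# are not built in and were not created by an earlier -N line.
check_targets() {
  defined=" "
  missing=""
  while read -r line; do
    # Split the command into words so -N/-j and their arguments can be found.
    set -- $line
    while [ $# -gt 0 ]; do
      case "$1" in
        -N) defined="$defined$2 "; shift ;;
        -j) if ! is_builtin "$2"; then
              case "$defined" in
                *" $2 "*) ;;
                *) missing="${missing:+$missing }$2" ;;
              esac
            fi
            shift ;;
      esac
      shift
    done
  done <<EOF
$1
EOF
  printf '%s' "$missing"
}

# Stand-alone usage: report problems in the constructed bad rule set.
result=$(check_targets "$BAD_RULES")
if [ -n "$result" ]; then
  echo "targets used before being created with -N: $result"
else
  echo "all user-defined targets are created before use"
fi
```

For a real rules file, feed it with `check_targets "$(cat /etc/iptables/iptables.rules)"`; lines in iptables-save format (starting with -A rather than iptables) are parsed the same way, and the function only reads text, it never calls iptables.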
That fixed it!
Thank you very much. I'm just trying to get into this, as I'm connected to the internet directly, without a firewall, when browsing at my university. One last question:
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
What does this line mean? It's from the output that I posted, and to me it looks as if it just accepts all incoming traffic. If so, why have I set the policy to DROP?
You set the DROP policy for packages which did not meet any of your set rules.
But your quoted rule will meet all incoming packages and on the other hand accept them all.
<edit>So the default policy for your INPUT chain will never act</edit>
This is probably not the behavior you want.
How to remove?
1. reboot -> or:
2. iptables -D INPUT rulenumber
You get the line number with: iptables -nL --line-numbers
Edit: the above is possibly wrong. You have to check which interface the rule is set for.
iptables -vnL -> you will get a column with the interface name
Last edited by debijan (2013-02-10 10:45:46)
If that is true, then I'm pretty sure that the article in the wiki is essentially pointless as it tells you to set up a firewall which will accept everything. That is:
-A INPUT -i lo -j ACCEPT
will result in the quoted rule (numerically).
I admit to not understanding this at all but when I first set this up, I did test my firewall by plugging it directly into the net and using that testing web site whose name I've now forgotten and it gave me pretty much the results I expected.
Since my rules initially blocked access to my printer, they must do *something*. Yet I also have that rule if I list with -nL.
The "-i lo" defines the interface used for the dedicated rule, in this case the lo / loopback / 127.0.0.1 interface.
With the -v in -L of iptables you also see the interface it is dedicated to.
[root@desktop florian]# iptables -A INPUT -i lo -j ACCEPT
[root@desktop florian]# iptables -vnL
Chain INPUT (policy ACCEPT 404 packets, 36405 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 399 packets, 17238 bytes)
 pkts bytes target     prot opt in     out     source               destination
Last edited by debijan (2013-02-09 08:37:01)
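The confusion in this part of the thread is that plain -nL hides the in/out interface columns, so a loopback-only rule looks identical to a rule that accepts everything. The script below is an added example, not from the thread: it reads the text of `iptables -vnL --line-numbers INPUT` (a constructed listing modelled on the outputs quoted above) and reports which rules are bound to an interface and which ACCEPT rules really match every packet (protocol all, any interface, any address, no extra match such as ctstate). Rule 3 in the sample is the kind of line that would make the INPUT policy irrelevant; rule 1 is the harmless loopback rule.

```sh
#!/bin/sh
# Added example (not from the thread): inspect a saved `iptables -vnL
# --line-numbers INPUT` listing. The listing is a constructed sample.

LISTING='Chain INPUT (policy DROP 12 packets, 840 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       50  4200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      900 81000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        3   180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
5        1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 ctstate NEW'

# interface_bound_rules LISTING: prints "num iface" for every rule whose
# "in" column is not "*". These are the rules plain -nL would mislabel.
interface_bound_rules() {
  printf '%s\n' "$1" | awk 'NR > 2 && $7 != "*" { print $1, $7 }'
}

# unrestricted_accepts LISTING: prints the rule numbers of ACCEPT rules that
# match all protocols, all interfaces, all addresses and carry no extra
# match text (the line has exactly the 10 standard columns).
unrestricted_accepts() {
  printf '%s\n' "$1" | awk '
    NR > 2 && NF == 10 && $4 == "ACCEPT" && $5 == "all" &&
    $7 == "*" && $8 == "*" && $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" { print $1 }'
}

# Stand-alone usage on the constructed listing.
echo "rules limited to an interface (num iface):"
interface_bound_rules "$LISTING"
echo "ACCEPT rules that match every packet (remove with iptables -D INPUT <num>):"
unrestricted_accepts "$LISTING"
```

On a live system the same functions can be run with `unrestricted_accepts "$(iptables -vnL --line-numbers INPUT)"`; the number printed is the argument for `iptables -D INPUT`, while the rules listed by interface_bound_rules are the ones (like -i lo) that should stay.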
OK. So the rule quoted by the OP will NOT necessarily "meet all incoming packages and on the other hand accept them all" or mean that "the default policy for [OP's] INPUT chain will never act" and it may well break things very badly if the OP removes the rule as suggested.
You're right, I've modified my post and apologize for my fault.
I haven't reviewed the wiki article enough, I think ;-)
Thanks for clarifying that.