You are not logged in.
- Topics: Active | Unanswered
#1 2014-06-06 08:57:07
- dopalek
- Member
- Registered: 2014-06-06
- Posts: 20
[SOLVED] firewall from wiki, iptables: No chain/target/match by
I am trying to build a simple firewall using Arch wiki page, https://wiki.archlinux.org/index.php/si … l_firewall
I ended up with this:
#!/bin/bash
iptables -N TCP
iptables -N UDP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst
iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach
iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreach
iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst
iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachableWhen I run the script, it gives me this error:
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.The problem is caused by the last 4 lines. What do I do wrong?
(I use current x64 Arch).
Last edited by dopalek (2014-06-06 11:59:11)
Offline
#2 2014-06-06 09:09:30
- brebs
- Member
- Registered: 2007-04-03
- Posts: 3,742
Re: [SOLVED] firewall from wiki, iptables: No chain/target/match by
You've got a space, instead of a dash, in --reject-with...unreachable.
Offline
#3 2014-06-06 09:28:48
- dopalek
- Member
- Registered: 2014-06-06
- Posts: 20
Re: [SOLVED] firewall from wiki, iptables: No chain/target/match by
Do you mean for example "--reject-with-icmp-proto-unreachable"? I don't think it is correct.
Offline
#4 2014-06-06 09:47:06
- brebs
- Member
- Registered: 2007-04-03
- Posts: 3,742
Re: [SOLVED] firewall from wiki, iptables: No chain/target/match by
Oops, sorry I was mistaken, ignore that 
icmp-port-unreach
There is no such option, you probably want icmp-port-unreachable
Options are listed in:
man iptables-extensionsLast edited by brebs (2014-06-06 09:51:29)
Offline
#5 2014-06-06 10:33:13
- Gcool
- Member
- Registered: 2011-08-16
- Posts: 1,456
Re: [SOLVED] firewall from wiki, iptables: No chain/target/match by
You're probably getting those warnings because you're trying to delete (iptables -D) rules that don't exist. While this is no big deal on itself (the rest of the rules will still be applied); you could consider simply omitting the 3 "iptables -D" rules from your config, which should get rid of the warnings.
Burninate!
Offline
#6 2014-06-06 11:58:43
- dopalek
- Member
- Registered: 2014-06-06
- Posts: 20
Re: [SOLVED] firewall from wiki, iptables: No chain/target/match by
You're probably getting those warnings because you're trying to delete (iptables -D) rules that don't exist. While this is no big deal on itself (the rest of the rules will still be applied); you could consider simply omitting the 3 "iptables -D" rules from your config, which should get rid of the warnings.
You are right, thank you, I didn't notice it before.
Anyway I guess -D rules from wiki are in case somebody has own rules applied before. It could be explained in the wiki to avoid confusion in future.
Last edited by dopalek (2014-06-06 12:02:30)
Offline