I wrote up a simple script to clear, then reapply my firewall settings. It seems to work fine, but I am receiving the following output:
sudo ./fwreset
iptables v1.4.16.2: no command specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.16.2: no command specified
Try `iptables -h' or 'iptables --help' for more information.
Active: active (exited) since Wed, 2012-11-14 03:19:55 PST; 5h 16min ago
Main PID: 279 (code=exited, status=0/SUCCESS)
Stateful firewall has been reset
I don't know exactly why I am receiving "no command specified" errors. Here is the script:
## Stateful Firewall Reset Script
# Reset Iptables
iptables-restore < /etc/iptables/empty.rules;
# Protocol Chains
iptables -N TCP;
iptables -N UDP;
# Forward Chain
iptables -P FORWARD DROP;
# Output Chain
iptables -P OUTPUT ACCEPT;
# Input Chain
iptables -P INPUT DROP;
# ICMP Messages & Ping Replies For Established And Related Connections Allowed
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT;
# Loopback Traffic Allowed
iptables -i lo -j ACCEPT;
iptables -o lo -j ACCEPT;
# ICMPv6 Neighbor Discovery Packets Allowed
iptables -A INPUT -p 41 -j ACCEPT;
# Invalid Headers, Checksums, TCP Flags, And ICMP Messages Dropped
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP;
# ICMP Ping For New Incoming Connections Allowed
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT;
# Append Open Chain To Input Chain
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP;
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP;
# ICMP Port Unreachable Message If Port Not Opened Reject
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable;
# TCP RST Packet Reject
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst;
# All Other ICMP Unreachable Messages Reject
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable;
# Kismet Port 2501 On Loopback Open
iptables -A TCP -p tcp --dport 2501 -j ACCEPT;
# Save The Configuration
iptables-save > /etc/iptables/iptables.rules;
# Test Service
systemctl status iptables.service | grep -iE 'active|main';
# Command Successful
echo "Stateful firewall has been reset"
I used https://wiki.archlinux.org/index.php/Si … l_Firewall as a guide to set up this type of firewall. There is no dmesg output either. If anyone could take a look at this, I'd really appreciate it.
EDIT: Here is the output of 'iptables-save' after running the script:
# Generated by iptables-save v1.4.16.2 on Wed Nov 14 08:52:23 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [221:40634]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 2501 -j ACCEPT
COMMIT
# Completed on Wed Nov 14 08:52:23 2012
It looks like the order of the rules is not saved in the order of execution either.
Last edited by rogue (2012-11-15 01:25:13)
I don't use iptables, but as a tip: Did you try to execute the lines in the script by hand one after the other, to narrow down the problem?
From the output it looks like two of your commands have a flaw.
Easy debug: change the comment lines to echo:
echo "Reset Iptables"
iptables-restore < /etc/iptables/empty.rules;
...
Now you'll know where to look.
Thanks guys, the issue seemed to be my loopback rules; I was missing the TCP chain. That is a nifty trick there with echo. To anyone who is interested, here is the entire working script:
## Stateful Firewall Reset Script
# Reset Iptables
iptables-restore < /etc/iptables/empty.rules;
# Protocol Chains
iptables -N TCP;
iptables -N UDP;
# Forward Chain
iptables -P FORWARD DROP;
# Output Chain
iptables -P OUTPUT ACCEPT;
# Input Chain
iptables -P INPUT DROP;
# ICMP Messages & Ping Replies For Established And Related Connections Allowed
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT;
# Loopback Traffic Allowed
iptables -A TCP -i lo -j ACCEPT;
iptables -A TCP -o lo -j ACCEPT;
# ICMPv6 Neighbor Discovery Packets Allowed
iptables -A INPUT -p 41 -j ACCEPT;
# Invalid Headers, Checksums, TCP Flags, And ICMP Messages Dropped
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP;
# ICMP Ping For New Incoming Connections Allowed
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT;
# Append Open Chain To Input Chain
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP;
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP;
# ICMP Port Unreachable Message If Port Not Opened Reject
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable;
# TCP RST Packet Reject
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst;
# All Other ICMP Unreachable Messages Reject
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable;
# Kismet Port 2501 On Loopback Open
iptables -A TCP -p tcp --dport 2501 -j ACCEPT;
# Save The Configuration
iptables-save > /etc/iptables/iptables.rules;
# Test Service
systemctl status iptables.service | grep -iE 'active|main';
# Command Successful
echo "Stateful firewall has been reset"
Last edited by rogue (2012-11-15 01:25:45)
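As an added example (not code from this thread or from the Arch wiki page it follows), here is a pre-flight check that mechanises the echo trick suggested above: it scans a firewall script for iptables invocations that carry no command option at all, which is the exact condition iptables reports as "no command specified", so the offending line numbers are known before anything touches the live ruleset. It generalises beyond the two loopback lines in the thread by accepting any of the iptables command options (-A, -I, -N, -P and so on, plus their long spellings). The function names, the message format and the sample script excerpt are my own constructions.

```shell
#!/bin/bash
# Added example, not code from the thread or from the Arch wiki: a pre-flight
# check for an iptables script that catches the mistake discussed above (an
# iptables line with no -A/-N/-P/... command option) before the script is run
# against the live ruleset. Function names and message format are my own.

# check_iptables_script FILE
# Prints one "FILE:LINE: message" per offending iptables invocation.
# Returns 0 when the script is clean, 1 when at least one problem was found.
check_iptables_script() {
    local file="$1" lineno=0 problems=0 line cmd
    # Short and long spellings of the iptables command options, as separate words.
    local cmd_re=' -(A|I|D|R|N|X|P|F|Z|L|S|E|C)( |$)|--(append|insert|delete|replace|new-chain|delete-chain|policy|flush|zero|list|list-rules|rename-chain|check)( |$)'
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Drop a trailing comment and the ';' terminators the script uses.
        cmd="${line%%#*}"
        cmd="${cmd%%;*}"
        # Only direct iptables invocations take command options;
        # iptables-save / iptables-restore, echo, systemctl etc. are skipped.
        case "$cmd" in
            *iptables-save*|*iptables-restore*) continue ;;
            "iptables "*|*" iptables "*|*"/iptables "*) ;;
            *) continue ;;
        esac
        if ! printf '%s\n' "$cmd" | grep -Eq -e "$cmd_re"; then
            printf '%s:%d: no command option (iptables would report "no command specified"): %s\n' \
                "$file" "$lineno" "$cmd"
            problems=$((problems + 1))
        fi
    done < "$file"
    [ "$problems" -eq 0 ]
}

# count_problems FILE: number of offending lines, for a one-line summary.
count_problems() {
    check_iptables_script "$1" | wc -l | tr -d ' '
}

# Constructed sample, modelled on the thread's first script: the two loopback
# lines lack "-A TCP", every other line is well formed.
SAMPLE_SCRIPT=$(mktemp)
cat > "$SAMPLE_SCRIPT" <<'EOF'
## Stateful Firewall Reset Script
iptables-restore < /etc/iptables/empty.rules;
iptables -N TCP;
iptables -P INPUT DROP;
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT;
# Loopback Traffic Allowed
iptables -i lo -j ACCEPT;
iptables -o lo -j ACCEPT;
iptables -A TCP -p tcp --dport 2501 -j ACCEPT;
iptables-save > /etc/iptables/iptables.rules;
echo "Stateful firewall has been reset"
EOF

# Demo run: reports the two loopback lines (lines 7 and 8) and exits non-zero.
check_iptables_script "$SAMPLE_SCRIPT" ||
    echo "$(count_problems "$SAMPLE_SCRIPT") line(s) need a command option before this script is applied"
```

Run it as `check_iptables_script ./fwreset` before executing the reset script. The check is purely textual, so it needs neither root nor a live netfilter, and it reports the script's own line numbers rather than the bare iptables error that gives no hint of which line produced it.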