
#1 2012-11-14 16:44:22

rogue
Member
Registered: 2011-08-03
Posts: 68

[solved] Iptables script output question

I wrote up a simple script to clear, then reapply my firewall settings. It seems to work fine, but I am receiving the following output:

sudo ./fwreset 
iptables v1.4.16.2: no command specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.16.2: no command specified
Try `iptables -h' or 'iptables --help' for more information.
	  Active: active (exited) since Wed, 2012-11-14 03:19:55 PST; 5h 16min ago
	Main PID: 279 (code=exited, status=0/SUCCESS)
Stateful firewall has been reset

I don't know exactly why I am receiving no command specified errors. Here is the script:

## Stateful Firewall Reset Script

# Reset Iptables
iptables-restore < /etc/iptables/empty.rules;

# Protocol Chains
iptables -N TCP;
iptables -N UDP;

# Forward Chain
iptables -P FORWARD DROP;

# Output Chain
iptables -P OUTPUT ACCEPT;

# Input Chain
iptables -P INPUT DROP;

# ICMP Messages & Ping Replies For Established And Related Connections Allowed
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT;

# Loopback Traffic Allowed
iptables -i lo -j ACCEPT;
iptables -o lo -j ACCEPT;

# ICMPv6 Neighbor Discovery Packets Allowed
iptables -A INPUT -p 41 -j ACCEPT;

# Invalid Headers, Checksums, TCP Flags, And ICMP Messages Dropped
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP;

# ICMP Ping For New Incoming Connections Allowed
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT;

# Append Open Chain To Input Chain
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP;
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP;

# ICMP Port Unreachable Message If Port Not Opened Reject 
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable;

# TCP RST Packet Reject
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst;

# All Other ICMP Unreachable Messages Reject
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable;

# Kismet Port 2501 On Loopback Open
iptables -A TCP -p tcp --dport 2501 -j ACCEPT;

# Save The Configuration
iptables-save > /etc/iptables/iptables.rules;

# Test Service
systemctl status iptables.service | grep -iE 'active|main';

# Command Successful
echo "Stateful firewall has been reset"

I used https://wiki.archlinux.org/index.php/Si … l_Firewall as a guide to set up this type of firewall. There is no dmesg output either. If anyone could take a look at this, I'd really appreciate it.

EDIT: Here is the output of 'iptables-save' after running the script:

# Generated by iptables-save v1.4.16.2 on Wed Nov 14 08:52:23 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [221:40634]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 2501 -j ACCEPT
COMMIT
# Completed on Wed Nov 14 08:52:23 2012

It looks like the order of the rules is not saved in the order of execution either.

Last edited by rogue (2012-11-15 01:25:13)


#2 2012-11-14 18:12:11

Lord Bo
Member
Registered: 2012-11-11
Posts: 168

Re: [solved] Iptables script output question

I don't use iptables, but as a tip: Did you try to execute the lines in the script by hand one after the other, to narrow down the problem?


#3 2012-11-15 00:46:12

foppe
Member
Registered: 2011-04-02
Posts: 47

Re: [solved] Iptables script output question

From the output it looks like two of your commands have a flaw.
Easy debug: change the comment lines to echo:

echo "Reset Iptables"
iptables-restore < /etc/iptables/empty.rules;
...

Now you'll know where to look.


#4 2012-11-15 01:20:15

rogue
Member
Registered: 2011-08-03
Posts: 68

Re: [solved] Iptables script output question

foppe wrote:

From the output it looks like two of your commands have a flaw.
Easy debug: change the comment lines to echo:

echo "Reset Iptables"
iptables-restore < /etc/iptables/empty.rules;
...

Now you'll know where to look.

Thanks guys, the issue seemed to be my loopback rules, I was missing the TCP chain. That is a nifty trick there with echo. :) To anyone who is interested, here is the entire working script:

## Stateful Firewall Reset Script

# Reset Iptables
iptables-restore < /etc/iptables/empty.rules;

# Protocol Chains
iptables -N TCP;
iptables -N UDP;

# Forward Chain
iptables -P FORWARD DROP;

# Output Chain
iptables -P OUTPUT ACCEPT;

# Input Chain
iptables -P INPUT DROP;

# ICMP Messages & Ping Replies For Established And Related Connections Allowed
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT;

# Loopback Traffic Allowed (matched in INPUT so every loopback protocol is accepted, not only new TCP SYNs; -o cannot match in the INPUT path)
iptables -A INPUT -i lo -j ACCEPT;

# ICMPv6 Neighbor Discovery Packets Allowed
iptables -A INPUT -p 41 -j ACCEPT;

# Invalid Headers, Checksums, TCP Flags, And ICMP Messages Dropped
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP;

# ICMP Ping For New Incoming Connections Allowed
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT;

# Append Open Chain To Input Chain
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP;
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP;

# ICMP Port Unreachable Message If Port Not Opened Reject
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable;

# TCP RST Packet Reject
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst;

# All Other ICMP Unreachable Messages Reject
iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable;

# Kismet Port 2501 On Loopback Open
iptables -A TCP -p tcp --dport 2501 -j ACCEPT;

# Save The Configuration
iptables-save > /etc/iptables/iptables.rules;

# Test Service
systemctl status iptables.service | grep -iE 'active|main';

# Command Successful
echo "Stateful firewall has been reset"

Last edited by rogue (2012-11-15 01:25:45)

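As an added example (not code from this thread), a small POSIX sh linter that catches the class of mistake found above before the script is run: an iptables line that has matches and a target but no command flag, which is exactly what makes iptables print "no command specified" and skip the rule. It only reads the script file, never the live ruleset; the sample script it is run against is constructed.

```shell
#!/bin/sh
# Added example: lint a firewall script for iptables invocations that carry
# no command flag (-A, -I, -P, -N, ...). Such a line makes iptables print
# "iptables vX: no command specified" and the intended rule is never loaded.
# The check is purely textual, so it is safe to run before touching the tables.

# lint_iptables_script FILE
# Prints each offending line with its line number; returns 0 if the script is
# clean, 1 if at least one iptables line lacks a command flag.
# Lines are expected to start at column 0, as in the fwreset script above.
lint_iptables_script() {
    file="$1"
    rc=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Only lines that run the iptables binary itself; iptables-restore and
        # iptables-save take no command flag and are left alone.
        case "$line" in
            iptables\ *|*/iptables\ *|sudo\ iptables\ *) ;;
            *) continue ;;
        esac
        has_cmd=0
        # Drop the trailing ';' the script uses, then inspect each word.
        for word in $(printf '%s\n' "$line" | tr -d ';'); do
            case "$word" in
                -A|--append|-I|--insert|-D|--delete|-R|--replace|-P|--policy|\
                -N|--new-chain|-X|--delete-chain|-F|--flush|-Z|--zero|\
                -L|--list|-S|--list-rules|-C|--check|-E|--rename-chain)
                    has_cmd=1 ;;
            esac
        done
        if [ "$has_cmd" -eq 0 ]; then
            printf 'line %d: no command flag: %s\n' "$lineno" "$line"
            rc=1
        fi
    done < "$file"
    return "$rc"
}

# Stand-alone use: lint_iptables_script ./fwreset && sudo ./fwreset
```

Run it over the original fwreset script and it reports the two loopback lines, the same two rules whose errors appear in the output at the top of the thread.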
