
#1 2013-02-08 14:49:37

Gasp0de
Member
Registered: 2012-12-24
Posts: 19

[SOLVED]Problem setting up iptables

Hi Folks.
I was just trying to set up iptables, following the Simple Stateful Firewall wiki article. But when I try to run the following command:

iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP

It gives me the following error message:

iptables v1.4.16.3: Couldn't load target `UDP':No such file or directory

I tried searching the internet, but there were only pages about some modules not loading properly, nothing that looked like the problem I have. If I understand it correctly, this command should make the computer reject UDP "port not reachable" messages, if it does not expect traffic on those ports, and I fear that I could get problems if I just ignore this command (as it rejects the packages and does not only drop them).
Any help for an Arch Linux newbie?

Thanks in advance for solutions to my problem :)

Gasp0de

Last edited by Gasp0de (2013-02-21 15:05:48)


#2 2013-02-08 14:54:46

debijan
Member
Registered: 2010-09-14
Posts: 36

Re: [SOLVED]Problem setting up iptables

Hi Gasp0de,

The -j flag refers to targets, for example (always defined by iptables) INPUT, FORWARD and OUTPUT.
Others would have to be set manually. Would you please provide the output of:
$ iptables -nL


#3 2013-02-08 14:57:22

Gasp0de
Member
Registered: 2012-12-24
Posts: 19

Re: [SOLVED]Problem setting up iptables

Here it is:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     41   --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 ctstate NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         


#4 2013-02-08 15:01:56

debijan
Member
Registered: 2010-09-14
Posts: 36

Re: [SOLVED]Problem setting up iptables

I think you've missed this in the manual:
# iptables -N TCP
# iptables -N UDP

The parameters are explained here: http://ipset.netfilter.org/iptables.man.html

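The error in the first post is exactly what iptables reports when a rule jumps to a chain that has not been created yet. As an added example (not from the wiki or the thread), here is a small checker that reads a rule script and reports every `-j TARGET` that is neither a built-in target nor a chain created earlier with `-N`; the built-in target set and the sample rule scripts are constructed assumptions modelled on the thread, not copied from the wiki.

```python
import shlex

# Targets iptables provides without a chain definition (assumption: the common
# set; extension targets such as REJECT or LOG come from modules, not chains).
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MASQUERADE",
                   "SNAT", "DNAT", "REDIRECT", "MARK"}
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}


def find_undefined_targets(script_lines):
    """Return (line_no, target) for every `-j TARGET` that is neither a built-in
    target nor a chain created earlier in the script with `-N TARGET`.
    Order matters: iptables evaluates each command as it runs, so a `-N` that
    comes later in the script does not help the `-A` before it."""
    defined = set(BUILTIN_CHAINS)
    problems = []
    for n, raw in enumerate(script_lines, 1):
        argv = shlex.split(raw.strip().lstrip("#$ "))   # tolerate copied prompts
        if not argv or argv[0] not in ("iptables", "ip6tables"):
            continue
        for i, tok in enumerate(argv[:-1]):
            if tok in ("-N", "--new-chain"):
                defined.add(argv[i + 1])
            elif tok in ("-j", "--jump"):
                target = argv[i + 1]
                if target not in BUILTIN_TARGETS and target not in defined:
                    problems.append((n, target))
    return problems


# Constructed rule scripts modelled on the thread, not copied from the wiki.
BROKEN = """
iptables -P INPUT DROP
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
""".strip().splitlines()

# The same rules with the two user-defined chains created first.
FIXED = ["iptables -N TCP", "iptables -N UDP"] + BROKEN

if __name__ == "__main__":
    for name, lines in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, find_undefined_targets(lines))
```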

#5 2013-02-08 15:05:27

Gasp0de
Member
Registered: 2012-12-24
Posts: 19

Re: [SOLVED]Problem setting up iptables

That fixed it!
Thank you very much. I'm just trying to get into this, as I'm connected to the internet directly, without a firewall, when browsing at my university. One last question:

ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

What does this line mean? It's from the output that I posted, and to me it looks as if it just accepts all incoming traffic. If so, why have I set the policy to DROP?

Gasp0de


#6 2013-02-08 15:18:26

debijan
Member
Registered: 2010-09-14
Posts: 36

Re: [SOLVED]Problem setting up iptables

You set the DROP policy for packages which do not meet any of your set rules.
But your quoted rule will meet all incoming packages and on the other hand accept them all.
<edit>So the default policy for your INPUT chain will never act</edit>
This is probably not the behavior you want.

How to remove?
1. reboot -> or:
2. iptables -D INPUT rulenumber

You get the line number with: iptables -nL --line-numbers

Edit: the above is possibly wrong. You have to check which interface the rule is set for.
To check:
iptables -vnL -> you will get a column with the interface name

Last edited by debijan (2013-02-10 10:45:46)


#7 2013-02-09 03:34:17

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,662

Re: [SOLVED]Problem setting up iptables

If that is true, then I'm pretty sure that the article in the wiki is essentially pointless as it tells you to set up a firewall which will accept everything. That is:

-A INPUT -i lo -j ACCEPT

will result in the quoted rule (numerically).

I admit to not understanding this at all but when I first set this up, I did test my firewall by plugging it directly into the net and using that testing web site whose name I've now forgotten and it gave me pretty much the results I expected.

Since my rules initially blocked access to my printer, they must do *something*. Yet I also have that rule if I list with -nL.


How To Ask Questions The Smart Way | Help Vampires

Arch Linux | x86_64 | GPT | EFI boot | grub2 | systemd | LVM2 on LUKS
Lenovo x121e | Intel(R) Core(TM) i3-2367M CPU @ 1.40GHz GenuineIntel | Intel Centrino Wireless-N 1000 | US keyboard with Euro | 320G 7200 RPM Seagate HDD


#8 2013-02-09 08:27:55

debijan
Member
Registered: 2010-09-14
Posts: 36

Re: [SOLVED]Problem setting up iptables

The "-i lo" defines the interface used for the dedicated rule, in this case the lo / loopback / 127.0.0.1 interface.
With the -v in -L of iptables you also see the interface it is dedicated to.

[root@desktop florian]# iptables -A INPUT -i lo -j ACCEPT
[root@desktop florian]# iptables -vnL
Chain INPUT (policy ACCEPT 404 packets, 36405 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 399 packets, 17238 bytes)
 pkts bytes target     prot opt in     out     source               destination

Last edited by debijan (2013-02-09 08:37:01)

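The point of this post is that `iptables -nL` hides the `in`/`out` columns, so a loopback-only rule looks identical to a rule that accepts everything. As an added example (not from the thread or the wiki), here is a parser for `iptables -vnL` output that numbers the rules the way `--line-numbers` would and flags only the ACCEPT rules with no interface, address, protocol or match restriction, i.e. the ones that really make the chain's DROP policy dead code. The listing is a constructed sample modelled on the thread's output, not real host output, and the parser assumes plain `-vnL` (no `--line-numbers`, no `-x`).

```python
import re

# Constructed sample modelled on the thread's `iptables -vnL` listing (not real
# host output). Rule 2 is loopback-only; rule 3 is a genuine accept-everything.
SAMPLE_VNL = """\
Chain INPUT (policy DROP 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
  340 41000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   57  5200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    1    84 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8 ctstate NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

COUNTER = re.compile(r"\d+[KMGT]?")   # without -x, -v abbreviates counters (12K)


def parse_vnl(text):
    """Parse `iptables -vnL` output into one dict per rule, numbered per chain
    the same way `iptables -nL --line-numbers` numbers them."""
    rules, chain = [], None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line)   # also matches "(N references)"
        if m:
            chain = m.group(1)
            continue
        cols = line.split(None, 9)   # 9 fixed columns, then the match extensions
        if len(cols) < 9 or not COUNTER.fullmatch(cols[0]):
            continue                  # blank line or the column header
        rules.append({"chain": chain,
                      "num": sum(r["chain"] == chain for r in rules) + 1,
                      "target": cols[2], "prot": cols[3], "in": cols[5],
                      "out": cols[6], "src": cols[7], "dst": cols[8],
                      "extra": cols[9] if len(cols) > 9 else ""})
    return rules


def catch_all_accepts(rules):
    """ACCEPT rules with no interface, address, protocol or match restriction."""
    return [r for r in rules if r["target"] == "ACCEPT" and r["prot"] == "all"
            and r["in"] == "*" and r["src"] == "0.0.0.0/0"
            and r["dst"] == "0.0.0.0/0" and not r["extra"]]


if __name__ == "__main__":
    for r in catch_all_accepts(parse_vnl(SAMPLE_VNL)):
        print(f'{r["chain"]} rule {r["num"]} accepts everything on any interface')
```

On a live host, feed it `iptables -vnL` output via `parse_vnl(subprocess.check_output(["iptables", "-vnL"], text=True))` as root.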

#9 2013-02-09 22:03:10

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,662

Re: [SOLVED]Problem setting up iptables

OK. So the rule quoted by the OP will NOT necessarily "meet all incoming packages and on the other hand accept them all" or mean that "the default policy for [OP's] INPUT chain will never act" and it may well break things very badly if the OP removes the rule as suggested.



#10 2013-02-10 10:47:10

debijan
Member
Registered: 2010-09-14
Posts: 36

Re: [SOLVED]Problem setting up iptables

Hi cfr.
You're right, I've modified my post and apologize for my fault.
I haven't reviewed the wiki article enough, I think ;-)


#11 2013-02-11 03:21:02

cfr
Member
From: Cymru
Registered: 2011-11-27
Posts: 5,662

Re: [SOLVED]Problem setting up iptables

Thanks for clarifying that.

