Building packet filter via /etc/sysconfig/iptables method 2
dvv@internet-bg.net
Wed, 5 Dec 2001 07:44:53 +0100
Hello everybody!
It's a pleasure for me to join the netfilter mailing list and gain a bit of the
knowledge you have.
My query is as follows:
I am trying to build a packet filter for my dial-up multiboot Linux box, using
a netfilter 1.2.2 and defining the settings in the /etc/sysconfig/iptables
file.
When I issue the command /etc/rc.d/init.d/iptables restart, the following error
message occurs:
"iptables-restore unknown arg --destination-port
Try iptables-restore --help or iptables-restore -h for more details"
I confess I do not know the iptables-save format or what it looks like. If
somebody can help me outsmart my machine into accepting the so-called "unknown arg",
I would be very grateful.
The script is attached to my message. It is called iptables.best, as it is the
best thing I have done so far by trial and error.
For those of you who don't like opening attachments, a complete breakdown of my
malformed brainchild follows:
#
#Iptables /etc/sysconfig/iptables script
#
# Example iptables config file.
# Note that this file uses the format of iptables-save
# What follows is an example of this output. However,
# the actual rule lines have been commented out.
# DO NOT USE THE -t (table) OPTION IN THIS FILE!
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -o ppp0 -s 255.255.255.255/32 -j DROP
-A OUTPUT -o ppp0 -s 172.16.0.0/12 -j DROP
-A OUTPUT -o ppp0 -s 10.0.0/8 -j DROP
-A OUTPUT -o ppp0 -s 192.168.0.0/16 -j DROP
-A OUTPUT -o ppp0 -s 127.0.0.0/8 -j DROP
#-A PREROUTING -p tcp --dport 22 -j TOS --set-tos 0x10
COMMIT
*filter
:INPUT DROP [0:0]
#allow local
-A INPUT -i lo -j ACCEPT
#deny spoofed
-A INPUT -i ppp0 -s 255.255.255.255/32 -j DROP
-A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
-A INPUT -i ppp0 -s 10.0.0/8 -j DROP
-A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
-A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
#allow return pax 4 conns we initiated
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
#SSH+web+mail
-A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
#-A INPUT -i ppp0 -p tcp -s 212.124.64.2 --destination-port 25 -j ACCEPT
-A INPUT -i ppp0 -p tcp --destination-port 25 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m state --state ESTABLISHED,RELATED --destination-port 80 -j ACCEPT
#REJECT auth connections for fast SMTP handshake
-A INPUT -i ppp0 -p tcp --destination-port 113 -j REJECT
#DNS
-A INPUT -i ppp0 -p tcp -s 212.124.64.2:53 -j ACCEPT
-A INPUT -i ppp0 -p tcp -s 212.124.64.5:53 -j ACCEPT
#anti syn
-A INPUT -p tcp --syn -m limit --limit burst 3 -m state NEW, ESTABLISHED, RELATED,INVALID -j LOG
-A INPUT -p tcp --syn -m limit 1/s -m state --state NEW, ESTABLISHED, RELATED -j ACCEPT
-A FORWARD -p tcp --syn -m limit --limit burst 3 -m state NEW,ESTABLISHED,RELATED,INVALID -j LOG
-A FORWARD -p tcp --syn -m limit 1/s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#ICMP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit-burst 3 -m state NEW,ESTABLISHED,RELATED,INVALID -j LOG
-A INPUT -p icmp --icmp-type echo-request -m limit 1/s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -m limit --limit-burst 3 -m state NEW,ESTABLISHED,RELATED,INVALID -j LOG
-A FORWARD -p icmp --icmp-type echo-request -m limit 1/s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#ICMP cont.
-A INPUT -i ppp0 -p icmp --destination-port 0 -j ACCEPT
-A INPUT -i ppp0 -p icmp --destination-port 3 -j ACCEPT
-A INPUT -i ppp0 -p icmp --destination-port 11 -j ACCEPT
#
#TCP portscans
#
-A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST,URG,PUSH -m limit --limit-burst 3 -j LOG
-A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST,URG,PUSH -m limit 1/s -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST,URG,PUSH -m limit --limit-burst 3 -j LOG
-A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST,URG,PUSH -m limit 1/s -j ACCEPT
# UDP bans
-A INPUT -i ppp0 -p udp --sport www -j DROP
COMMIT
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#-A FORWARD -i eth0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:-A PREROUTING -i ppp0 -s 255.255.255.255/32 -j DROP
:-A PREROUTING -i ppp0 -s 192.168.0.0./16 -j DROP
:-A PREROUTING -i ppp0 -s 10.0.0.0/8 -j DROP
:-A PREROUTING -i ppp0 -s 172.16.0.0/12 -j DROP
:-A PREROUTING -i ppp0 -s 127.0.0.0/8 -j DROP
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
#
#
As you can see I am just making some changes to the default settings in the
file. My aim is to allow SSH,web,DNS replies and mail transport to and from my
ISP.
Also some refinements are added. Can you tell me how to add the ip_conntrack
modules to the script? I tried writing insmod ip_conntrack, but it didn't work.
Thank you in advance for your feedback.
Dimitar Vassilev,
dvv@internet-bg.net
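A checker for the file format in question, added here as an example and not part of Dimitar's message or of the netfilter project: it walks a file in iptables-save format and reports the constructs that iptables-restore refuses (a ':' in front of a rule, chains after COMMIT, a stray argument after -m, '--limit burst', an address written as addr:port or with a missing octet, '--destination-port' on an ICMP rule, a single-argument --tcp-flags). SAMPLE is a constructed excerpt of the posted ruleset.

```python
from ipaddress import ip_network
# Constructed excerpt of the posted /etc/sysconfig/iptables: only the lines iptables-restore rejects.
SAMPLE = """*filter
-A INPUT -i ppp0 -s 10.0.0/8 -j DROP
-A INPUT -i ppp0 -p tcp -s 212.124.64.2:53 -j ACCEPT
-A INPUT -p tcp --syn -m limit --limit burst 3 -m state NEW,ESTABLISHED -j LOG
-A INPUT -i ppp0 -p icmp --destination-port 0 -j ACCEPT
-A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST,URG,PUSH -m limit 1/s -j ACCEPT
COMMIT
:FORWARD ACCEPT [0:0]
*nat
:-A PREROUTING -i ppp0 -s 127.0.0.0/8 -j DROP
COMMIT
"""

def lint(text):
    """Return (line number, message) for each construct iptables-restore rejects."""
    found, table = [], None           # table = name of the open *table block
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        bad = lambda msg: found.append((n, msg))
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None              # anything after this needs a fresh *table header
        elif table is None:
            bad("chain or rule outside a *table ... COMMIT block")
        elif line.startswith(":-A"):
            bad("':' introduces a chain policy line, not a rule: drop it")
        elif not line.startswith(":"):  # ':NAME POLICY [p:b]' lines need no check
            toks = line.split()
            for i, t in enumerate(toks):
                nxt, after = (toks[i + 1:i + 3] + ["-", "-"])[:2]  # padded at end of line
                if t in ("-s", "-d"):
                    try:
                        ip_network(nxt, strict=False)
                    except ValueError:  # addr:port, or 3-octet forms like 10.0.0/8
                        bad(f"malformed address {nxt!r}")
                if t == "-m" and not after.startswith("-"):  # match options start with --
                    bad(f"'-m {nxt}' followed by stray argument {after!r}")
                if t == "--limit" and nxt == "burst":
                    bad("'--limit burst N' should be '--limit-burst N'")
                if t == "--destination-port" and "icmp" in toks:
                    bad("ICMP has no ports; select types with --icmp-type")
                if t == "--tcp-flags" and after.startswith("-"):
                    bad("--tcp-flags needs two arguments: MASK COMP")
    return found
```

Run lint() over the whole file before the init script hands it to iptables-restore; the messages name the offending line rather than only the option, which is all the original error reports.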