Talk:HOWTO Iptables for newbies

From Gentoo Linux Wiki


iptables on 2.6.22

Hi,

I am having problems with iptables. I have configured the kernel as written in the HOWTO, however, I am still getting:

iptables v1.3.8: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)

How do I get past this when starting iptables?

If anyone can help, I would be really happy.

--69.31.133.16 14:59, 10 April 2008 (UTC)Smajlix (smajlix@gmail.com)


NTP

Hi, I apologize if this is not the correct place to post this, but your script has a couple of bugs. At least, I think they're bugs. I just found out why NTP wasn't working anymore (after having used your script).


In "UDPBLOCK", you block port 123. This is the port used by the Network Time Protocol daemon. Yet, in "UDPSERV", you allow port 37 (i.e. time)?

I would just like to note that many servers no longer support the TIME and DAYTIME protocols (including two of those I'm using, time.nrc.ca and time.chu.nrc.ca).


Therefore, if you plan on using NTP, simply remove port 123 from UDPBLOCK. It is not necessary to add any other rules to iptables concerning communication with the NTP server, since, as the NTP wiki states, the following line is sufficient:

 -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

However, since the NTP daemon communicates through the local loopback, then you need to allow outbound UDP from the local loopback to the local loopback, with destination port 123. Otherwise, you will get the following error (for example, when executing the command: ntpq -p):

 ntpq: write to localhost failed: Operation not permitted

For the sake of laziness, I just allowed anything outbound from the local loopback:

 $IPT -A OUTPUT -s $LPDIP -j ACCEPT


Also, it might be a good idea to remove the TIME and DAYTIME protocols from UDPSERV.


Note: My firewall is running on the same machine as the NTP daemon (i.e. a simple home one-box setup), so I don't know what to do for the "router case".

The part about checking kernel config doesn't seem to work

tux@gen2 ~ $ zgrep -i netfilter /proc/config.gz
gzip: /proc/config.gz: No such file or directory
  • this is an option you can enable in your kernel -> use the second command to check the kernel which was loaded :] DjSmiley2k 15:48, 9 January 2006 (GMT)

External IP

I think it is not very user friendly to use the IP address of the external interface, because you'd have to rerun the script every time you get reconnected to the Internet. I'm looking for a solution to this problem. I'll be back for a fix.

I found a pretty decent solution to this: there is a script /etc/ppp/ip-up which is called every time the machine (ppp) reconnects. Just put:

%PathToYourIpfirewall.sh% into the bottom section before the last fi and it should be fine. Feedback is appreciated!

Gentoo noob

Ok, I've done iptables before (on Debian), but I am having trouble with this one. Do we have to recompile our kernel to make this work? Or just add a module? All I really want to do is turn my firewall off, since I am already behind a router. --Terrible Tim 02:45, 8 Jun 2005 (GMT)

Reply: There are 2 possibilities: either you never enabled iptables in your kernel in the first place, in which case, don't do anything; or you did and don't want it anymore. In the latter case, issue the following commands as root to stop the iptables service, stop it from starting at boot, and then uninstall it:

 /etc/init.d/iptables stop
 rc-update del iptables default
 emerge --unmerge net-firewall/iptables

Then you can proceed to remove iptables support from your kernel.

Anyways, the right place to ask your question would have been the Gentoo forums: http://forums.gentoo.org/

Clarity

It is not really clear to everyone that you should save the shell scripts to files and then run them.

The shell-scripts also need some modification regarding DNS-machines, perhaps someone could add a bit to this one about it? I'm not qualified (technically) to do so.

I mean, the iptables rules only need to be added once (unless you add/remove interfaces, of course) - but some of the stuff does need to be updated at each boot (as a DNS-assigned IP may change) - or am I totally wrong here?

Scripts

[quote Scripting first paragraph]

*WARNING* If you are paranoid, this isn't the most secure thing to do. After all, you're opening yourself up to the world with very little protection.
[/quote]

Assuming I am a noob, I won't be happy with specs like this. So since I consider myself a noob, what is the problem with the script firewall.sh? My guess is that this is the first step. In Part II we have the next steps in order to close more of our computer down.

The other problem I really do have is that the manpage has to be known and understood before you can understand the idea of this HOWTO. The more you understand the manpage, the more you know what is written in the HOWTO. Maybe some basics could help to smooth the reading and enhance the overall understanding of the HOWTO.

I.e. something like the expected structure of the network would help people see what the script is doing and making.

So basically I see that if you get the idea of the HOWTO and the manpage you find this HOWTO very useful. I needed in addition some stuff about basics in routing to keep orientation in iptables.

This comment is for people like me that had problems. Maybe I'll change more the more I understand. Maybe I'll restructure the HOWTO a bit to improve this well-planned HOWTO.

Cheers to all contributors --Legine 15:40, 9 January 2006 (GMT)


Kernel Options

Apparently the option CONFIG_NETFILTER isn't enough. It didn't work for me, and I was advised to activate CONFIG_IP_NF_FILTER, which did the trick.

Debug script

Having had a problem recently, I noticed how many times the same question was asked. Many times the error:

iptables v1.3.4: can't initialize iptables table `filter': Table does not exist 
(do you need to insmod?) 
Perhaps iptables or your kernel needs to be upgraded.

appears. What about a debugging section? Perhaps with a script that can locate the cause of the most common errors? It could be used to find the error yourself or to provide enough information to someone else. Perhaps a far better version of this (based on my searches when I had the problem):


# run as root
# for kernel versions 2.6.14 to 2.6.14
# checking the version of your kernel
# (not typical for this problem, could be in a separate script)
echo "Check the version of your kernel, check the time. Is this the one you compiled?"
echo "If not, check that you have copied your kernel image to your /boot folder"
echo "   after it was mounted and your boot configuration points to the correct kernel"
echo "if you don't know how, refer to …"
cat /proc/version
echo "Check the existence of /proc/net/ip_tables"
echo "if this file doesn't exist you have either no /proc,"
echo "   which makes checking impossible, or you didn't activate the kernel option"
ls /proc/net/ip_*
echo "checking that Netfilter did start up (without error messages?)"
dmesg | grep Net
echo "checking the compiled kernel options"
echo "if you don't have a /proc, checking is impossible, see next step"
echo "you should find CONFIG_NETFILTER=y or CONFIG_NETFILTER=m"
zgrep -i netfilter /proc/config.gz
echo "and should find CONFIG_IP_NF_FILTER=y or CONFIG_IP_NF_FILTER=m"
zgrep -i IP_NF_FILTER /proc/config.gz
echo "If you did find an 'option'=m, see if the module is loaded"
echo "if you don't find ???, run modprobe ???, if that doesn't work, refer to …"
lsmod | grep ???
echo "if you didn't find the options, activate them in your kernel"
echo "if you didn't find the /proc/config.gz file, check your configuration the same way"
grep -i netfilter /usr/src/linux/.config
grep -i IP_NF_FILTER /usr/src/linux/.config


Just to give an idea, this is not tested at all. It would take some time to make it, but looking for an error, or replying to it, asking for more info repeatedly also takes time. For some users, you will not need the echo statements. The same is true if the output is used only to ask a more experienced user for comment. Without the echo statements, the script would be a lot shorter.

Or a few links to different short scripts. Is this the correct kernel version? Are the options set in the config file? Are the versions of the kernel and iptables compatible?

A script taken from a website should perhaps best be checked before it is run, surely if it is put on a site that is editable. A debug script like this should contain only commands that display information on the screen or write to a /temp directory. If the results have to be published on a website, it should better not display information that could be used to locate the computer: official IP address, DNS name, information like the encrypted passwords and information about the protection mechanism used. At least all this information together should not be displayed.
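The checks from the draft above, as an added example that is not the poster's script and not part of the HOWTO: each check is a function that returns a status so a caller can branch on it, the kernel config is read from either /proc/config.gz or /usr/src/linux/.config, and a redaction filter masks IPv4 addresses before the report is pasted anywhere public, which is the concern raised in the last paragraph. The function names are assumptions; the option names are the ones named in this thread plus CONFIG_IP_NF_IPTABLES, which the filter table depends on.

```shell
#!/bin/sh
# Added example: the checks from the draft above as shell functions that return
# a status, plus a redaction filter for publishing the output. Standard paths
# are assumed (/proc/config.gz, /usr/src/linux/.config).

# kconfig_has FILE OPTION: 0 if OPTION=y or OPTION=m in FILE (plain or .gz),
# 1 if absent or "is not set", 2 if FILE is unreadable.
kconfig_has() {
    cfg=$1; opt=$2
    [ -r "$cfg" ] || return 2
    case "$cfg" in
        *.gz) zcat "$cfg" ;;
        *)    cat "$cfg" ;;
    esac | grep -Eq "^${opt}=(y|m)\$"
}

# First readable kernel config: the running kernel's, then the source tree's.
find_kconfig() {
    for f in /proc/config.gz /usr/src/linux/.config; do
        if [ -r "$f" ]; then echo "$f"; return 0; fi
    done
    return 1
}

# Mask IPv4 addresses so the report does not reveal the box's external address.
redact() {
    sed -E 's/([0-9]{1,3}\.){3}[0-9]{1,3}/x.x.x.x/g'
}

# Full report on stdout; exit status 1 when a required option is missing.
iptables_diag() {
    rc=0
    echo "kernel: $(cat /proc/version 2>/dev/null || uname -a)"
    # /proc/net/ip_tables_names exists once ip_tables has registered a table.
    if [ -e /proc/net/ip_tables_names ]; then
        echo "ip_tables: registered (tables: $(tr '\n' ' ' < /proc/net/ip_tables_names))"
    else
        echo "ip_tables: not registered (module not loaded, or not built?)"
    fi
    if cfg=$(find_kconfig); then
        for opt in CONFIG_NETFILTER CONFIG_IP_NF_IPTABLES CONFIG_IP_NF_FILTER; do
            if kconfig_has "$cfg" "$opt"; then
                echo "$opt: set in $cfg"
            else
                echo "$opt: MISSING in $cfg"; rc=1
            fi
        done
    else
        echo "no kernel config found (enable CONFIG_IKCONFIG_PROC or check /usr/src/linux/.config)"
        rc=1
    fi
    lsmod 2>/dev/null | grep -E '^(x_tables|ip_tables|iptable_filter) ' \
        || echo "no iptables modules loaded (fine if they are built in)"
    return $rc
}

# Usage: iptables_diag | redact > report.txt
```

Piping through `redact` before posting keeps the kernel and option lines, which are what a helper needs, and drops the one value in `/proc/version` output or `dmesg` that identifies the host.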

Problems with iptables-restore

iptables-restore /etc/iptables.bak
iptables-restore: line 35 failed

so I started to test iptables.bak line by line:

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables: Unknown error 4294967295

Looks like some of the modules in kernel 2.6.1* section are missing.

init.d/iptables & conf.d/iptables versus awk

Defining a port range is done by using a colon (:). The dash (-) makes iptables bork. So I used a forward slash (/) as a field delimiter where necessary. I rewrote the awk command in the init.d/iptables script from

# allow incomming connections to tcp ports
       for i in $INCOMINGPORTS ; do
               device="`echo $i | awk -F: '{ print $1 }'`"
               proto="`echo $i | awk -F: '{ print $2 }'`"
               ports="`echo $i | awk -F: '{ print $3 }'`"

to

# allow incoming connections to tcp ports
       for i in $INCOMINGPORTS ; do
               device="`echo $i | awk -F/ '{ print $1 }'`"
               proto="`echo $i | awk -F/ '{ print $2 }'`"
               ports="`echo $i | awk -F/ '{ print $3 }'`"

and changed conf.d/iptables from

INCOMINGPORTS="eth0:tcp:22,80,443,1500-1510 eth0:udp:53"

to

INCOMINGPORTS="eth0/tcp/22,80,443,1500:1510 eth0/udp/53"
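The same slash-delimited format, parsed as an added example that is neither the Gentoo init script nor the poster's patch: shell parameter expansion does the splitting instead of three awk calls, ":" stays free for port ranges, and an entry with a missing field or a bad port list is reported and skipped instead of turning into an iptables call with empty arguments. The IPT_DRY_RUN variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the Gentoo init script and not the poster's patch: read the
# slash-delimited INCOMINGPORTS format ("dev/proto/ports") with parameter
# expansion instead of awk, and reject malformed entries instead of emitting a
# rule with empty fields. IPT_DRY_RUN=1 prints the rules; applying needs root.
IPT_DRY_RUN=${IPT_DRY_RUN:-}

ipt() {
    if [ -n "$IPT_DRY_RUN" ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# valid_ports LIST: comma-separated ports or low:high ranges, at most 15 items.
# multiport counts a range as two ports, so a list of 15 items that includes
# ranges can still be rejected by iptables itself.
valid_ports() {
    echo "$1" | grep -Eq '^[0-9]{1,5}(:[0-9]{1,5})?(,[0-9]{1,5}(:[0-9]{1,5})?){0,14}$'
}

# incoming_rules "SPEC SPEC ...": one multiport ACCEPT rule per valid spec.
incoming_rules() {
    for spec in $1; do
        dev=${spec%%/*}   rest=${spec#*/}
        proto=${rest%%/*} ports=${rest#*/}
        # With fewer than two "/" the expansions return their input unchanged.
        if [ "$rest" = "$spec" ] || [ "$ports" = "$rest" ] || [ -z "$dev" ] || [ -z "$ports" ]; then
            echo "skipping '$spec': want dev/proto/ports" >&2; continue
        fi
        case "$proto" in
            tcp|udp) ;;
            *) echo "skipping '$spec': proto must be tcp or udp" >&2; continue ;;
        esac
        if ! valid_ports "$ports"; then
            echo "skipping '$spec': bad port list '$ports'" >&2; continue
        fi
        ipt -A INPUT -i "$dev" -p "$proto" -m multiport --dports "$ports" -j ACCEPT
    done
}

# Usage: IPT_DRY_RUN=1 incoming_rules "eth0/tcp/22,80,443,1500:1510 eth0/udp/53"
```

The old colon-delimited entry `eth0:tcp:22` is rejected rather than silently producing a rule for an empty port list, which is the failure the original awk split allowed.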

grsec+2.4.35

Hello,

What do I have to enable w/Linux 2.4.35 to get IPtables working correctly?

script assumes you're using modules

The problems with failing at lines that contain merely 'COMMIT' occur when you use the -m options ( http://help.lockergnome.com/linux/iptables-restore-barfs-COMMIT-ftopict282705.html helped in realizing this)

I compiled the modules in my kernel, and things started working when I took out all -m options and the stuff about states

I've added a section to the main article about this.
--AllenJB 21:04, 30 December 2007 (UTC)