I went to reload (iptables-restore) my iptables configuration and obtained an error at the COMMIT statement. No further details were provided even when I ran restore with the -v option.
I determined that none of my backed up configuration files going back to October will load either. This is more than passing strange because I altered and uploaded the iptables configuration on this host several times in December alone. These alterations certainly applied without error at the time.
Through painful trial and error (it is a fairly large configuration) I discovered that I cannot add any rule using the __recent__ module. Adding a single rule referencing that module inevitably results in a load error reported at the following COMMIT statement. An example of an actual rule that fails follows:
. . .
:BRUTE_FORCE - [0:0]
. . .
-A BRUTE_FORCE -p tcp -m tcp -m state -m recent --set -i eth0 --dport 22 --state NEW
-A BRUTE_FORCE -m comment -j RETURN --comment "Return to calling chain"
COMMIT
Perhaps I am missing something obvious but as far as I can determine the rule using the recent module should simply add all traffic coming in over i/f eth0 consigned to port 22 on any ip-addr to the DEFAULT list. I do not expect it to give an error. If I remove this statement then the iptables file loads without error.
An interesting thing happens if I simply add a trailing -j to the end of recent module rule above. It fails with this specific error:
-c packet counter not numeric
Does anyone see what I am doing wrong?
Sincerely,
Quoting "James B. Byrne" byrnejb@harte-lyne.ca:
I don't think you need the -m state ..
From the iptables man page ...
# iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
# iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
Barry
On Friday 08 January 2010 15:32, James B. Byrne wrote:
Check out this TUTORIAL http://www.zoominternet.net/~lazydog/iptables-tutorial.html#RECENTMATCH
On Fri, January 8, 2010 15:32, James B. Byrne wrote:
I went to reload (iptables-restore) my iptables configuration and obtained an error at the COMMIT statement. No further details were provided even when I ran restore with the -v option.
I ran lsmod and I do not find that ipt_recent is loaded. In fact, I do not see any ipt modules other than ipt_LOG. There was a recent kernel update. Does anyone know if this had any adverse effects on loading ipt_recent?
. . .
ip_tables 17029 3 iptable_nat,iptable_mangle,iptable_filter
ipt_LOG 10049 6
ipv6 267489 23 ip6t_REJECT
. . .
And this does not look good either:
# modprobe --first-time ipt_recent
FATAL: Error inserting ipt_recent (/lib/modules/2.6.18-164.9.1.el5/kernel/net/ipv4/netfilter/ipt_recent.ko): Unknown symbol in module, or unknown parameter (see dmesg)
There is no entry in /var/log/dmesg relating to this problem.
I do not seem to be making myself clear. I do not need a tutorial on how to use the recent module of iptables. The recent module itself seems not to be available on this particular host anymore. There seems a problem with the module itself and it will not load even if I try to do this manually using modprobe.
I will revert to the previous kernel as soon as I can and see if the problem disappears, as I think likely.
James B. Byrne wrote:
fwiw, no problem here with the before-last kernel:
[root@tryo nthierry]# uname -a
Linux tryo.imag.fr 2.6.18-164.9.1.el5 #1 SMP Tue Dec 15 20:57:57 EST 2009 x86_64 x86_64 x86_64 GNU/Linux
[root@tryo nthierry]# modprobe --first-time ipt_recent
[root@tryo nthierry]# lsmod | grep ipt_recent
ipt_recent 42969 0
x_tables 50505 5 ipt_recent,ipt_REJECT,xt_state,xt_tcpudp,ip_tables
And also no problem with the latest kernel:
[after a reboot to 2.6.18-164.10.1.el5]
[root@tryo nthierry]# uname -a
Linux tryo.imag.fr 2.6.18-164.10.1.el5 #1 SMP Thu Jan 7 19:54:26 EST 2010 x86_64 x86_64 x86_64 GNU/Linux
[root@tryo nthierry]# modprobe --first-time ipt_recent
[root@tryo nthierry]# lsmod ipt_recent
Usage: lsmod
[root@tryo nthierry]# lsmod | grep ipt_recent
ipt_recent 42969 0
x_tables 50505 5 ipt_recent,ipt_REJECT,xt_state,xt_tcpudp,ip_tables
What's your kernel? Did you reboot after upgrading?
modprobe is trying to insert the 2.6.18-164.9.1.el5 module, but you mentioned the latest kernel upgrade (which is 164-10.1)
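A preflight check for the situation diagnosed in this thread, added here as an example and not something any of the participants posted: it lists the match modules a rules file references so they can be verified before iptables-restore is run, and it reports whether a module path like the one in the modprobe error belongs to the running kernel. The tcp/udp to xt_tcpudp mapping and the find pattern for module files are assumptions.

```shell
# Added preflight helpers (not from the thread). Assumes rules in iptables-save
# format and module paths like /lib/modules/<kernel>/kernel/.../<stem>.ko.

# Match modules (-m NAME) referenced by the rules on stdin, deduplicated.
rules_match_modules() {
    awk '/^-[AI] / { for (i = 1; i < NF; i++) if ($i == "-m") print $(i + 1) }' | sort -u
}

# On-disk module stem for a match name. Only the mapping visible in the thread's
# lsmod output is encoded (tcp/udp share xt_tcpudp); the rest are assumed to be
# named after the match (xt_state, xt_comment, ipt_recent or xt_recent).
module_stem() {
    case "$1" in
        tcp|udp) echo tcpudp ;;
        *)       echo "$1" ;;
    esac
}

# Check that every match module needed by the rules on stdin exists under the
# modules tree $1 (normally /lib/modules/$(uname -r)). Prints missing ones and
# returns 1 if any is missing: run this before iptables-restore instead of
# hunting for the failing rule by trial and error.
modules_present() {
    missing=0
    for m in $(rules_match_modules); do
        if [ -z "$(find "$1" -name "*_$(module_stem "$m").ko*" 2>/dev/null)" ]; then
            echo "missing match module: $m"
            missing=1
        fi
    done
    return $missing
}
# Kernel release a module path was built for (the directory under /lib/modules).
module_kernel_from_path() {
    printf '%s\n' "$1" | sed -n 's#^/lib/modules/\([^/]*\)/.*#\1#p'
}
# 0 if module path $1 belongs to running kernel release $2 (uname -r), else 1.
module_matches_kernel() {
    [ "$(module_kernel_from_path "$1")" = "$2" ]
}

# Constructed sample: the two rules quoted in the thread.
SAMPLE_RULES='-A BRUTE_FORCE -p tcp -m tcp -m state -m recent --set -i eth0 --dport 22 --state NEW
-A BRUTE_FORCE -m comment -j RETURN --comment "Return to calling chain"'
# The thread's values: modprobe picked the 164.9.1 module after an upgrade to 164.10.1 without a reboot.
KO=/lib/modules/2.6.18-164.9.1.el5/kernel/net/ipv4/netfilter/ipt_recent.ko
module_matches_kernel "$KO" 2.6.18-164.10.1.el5 ||
    echo "$KO was built for $(module_kernel_from_path "$KO"), not the running kernel"
```

On a live host, pipe the saved rules file into `modules_present "/lib/modules/$(uname -r)"` before calling iptables-restore.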