Hello,
can anybody please spot an error here?
# sudo service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 20 failed [FAILED]
And my /etc/sysconfig/iptables is (I'm trying to enable Samba, Apache, FMS dev. ed. and throttled SSH at 22 and 443):
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [294:35064]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 194.247.190.0/24 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m udp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1935 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT
COMMIT
Any hints on how to debug those issues? The error message line points to the COMMIT.
Thank you
Alex
Alexander Farber wrote:
Hello,
can anybody please spot an error here?
# sudo service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 20 failed [FAILED]
And my /etc/sysconfig/iptables is (I'm trying to enable Samba, Apache, FMS dev. ed. and throttled SSH at 22 and 443):
<snip>
Any hints on how to debug those issues?
the same way you debug stuff when you can't see the problem by just staring at it: reduce it to a minimal error-case. So, remove some of those /etc/sysconfig/iptables lines until it no longer fails, and identify the exact line that causes the failure. Then stare at that one line and understand why it's failing.
Hello Nicolas,
On Tue, Oct 5, 2010 at 11:01 AM, Nicolas Thierry-Mieg Nicolas.Thierry-Mieg@imag.fr wrote:
Any hints on how to debug those issues?
the same way you debug stuff when you can't see the problem by just staring at it: reduce it to a minimal error-case. So, remove some of those /etc/sysconfig/iptables lines until it no longer fails, and identify the exact line that causes the failure. Then stare at that one line and understand why it's failing.
Ain't those 20! combinations? (my combinatorics skills are aged).
I was actually hoping for good iptables tips and not for mental coaching :-)
Regards
Alex
2010/10/5 Alexander Farber alexander.farber@gmail.com:
Hello Nicolas,
On Tue, Oct 5, 2010 at 11:01 AM, Nicolas Thierry-Mieg Nicolas.Thierry-Mieg@imag.fr wrote:
Any hints on how to debug those issues?
the same way you debug stuff when you can't see the problem by just staring at it: reduce it to a minimal error-case. So, remove some of those /etc/sysconfig/iptables lines until it no longer fails, and identify the exact line that causes the failure. Then stare at that one line and understand why it's failing.
Ain't those 20! combinations? (my combinatorics skills are aged).
I was actually hoping for good iptables tips and not for mental coaching :-)
multiport helps to reduce lines in iptables.
-- Eero
Seems to work now, thank you (I had -p tcp instead of -p udp):
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [294:35064]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 194.247.190.0/24 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp -m multiport --dports 137,138,445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 139,445,8080,1935,1111,80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/min --limit-burst 2 -j ACCEPT
COMMIT
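As an added example (not code from this thread), a small Python lint that finds the mistake fixed above, a rule with -p tcp using -m udp, by its own line number in userspace, instead of the minimal-error-case search Nicolas suggested and before iptables-restore blames the COMMIT line. The embedded ruleset is a constructed, shortened copy of the one posted in the first message; everything else is the example's own code.

```python
"""Lint an iptables-restore ruleset (/etc/sysconfig/iptables format) in userspace.
iptables-restore reports only a line number, and a rule the kernel rejects is
blamed on the COMMIT line; this catches the thread's bug before loading:
a '-p' protocol paired with a match module ('-m tcp'/'-m udp') of another."""

import shlex

MATCH_PROTO = {"tcp": "tcp", "udp": "udp", "icmp": "icmp"}  # match module -> required -p

# Constructed sample: the ruleset from the thread, shortened after the 445/tcp rule.
RULESET = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [294:35064]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 194.247.190.0/24 -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m udp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def lint_ruleset(text):
    """Return [(line_no, message)] for every rule whose -p and -m disagree."""
    problems = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        tokens = shlex.split(raw)
        if not tokens or tokens[0] not in ("-A", "-I"):
            continue  # blank, comment, table header, chain policy or COMMIT
        proto, matches = None, []
        for i, tok in enumerate(tokens[:-1]):
            if tok in ("-p", "--protocol"):
                proto = tokens[i + 1].lower()
            elif tok in ("-m", "--match"):
                matches.append(tokens[i + 1].lower())
        for m in matches:  # a protocol-specific match must agree with -p
            want = MATCH_PROTO.get(m)
            if want and proto != want:
                problems.append((line_no, f"-m {m} needs -p {want}, rule has -p {proto}"))
    return problems


if __name__ == "__main__":
    for line_no, msg in lint_ruleset(RULESET):
        print(f"line {line_no}: {msg}")
```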