[CentOS] Problems with IPTABLES recent module.
James B. Byrne
byrnejb at harte-lyne.ca
Fri Jan 8 20:32:45 UTC 2010
I went to reload (iptables-restore) my iptables configuration and
obtained an error at the COMMIT statement. No further details were
provided even when I ran restore with the -v option.
I determined that none of my backed up configuration files going
back to October will load either. This is more than passing strange
because I altered and uploaded the iptables configuration on this
host several times in December alone. These alterations certainly
applied without error at the time.
Through painful trial and error (it is a fairly large configuration)
I discovered that I cannot add any rule using the __recent__ module.
Adding a single rule referencing that module inevitably results in
a load error reported at the following COMMIT statement. An example
of an actual rule that fails follows:
. . .
:BRUTE_FORCE - [0:0]
. . .
-A BRUTE_FORCE -p tcp -m tcp -m state -m recent --set -i eth0
--dport 22 --state NEW
-A BRUTE_FORCE -m comment -j RETURN --comment "Return to calling chain"
Perhaps I am missing something obvious, but as far as I can determine
the rule using the recent module should simply add all traffic
coming in over i/f eth0 consigned to port 22 on any ip-addr to the
DEFAULT list. I do not expect it to give an error. If I remove
this statement then the iptables file loads without error.
An interesting thing happens if I simply add a trailing -j to the
end of the recent module rule above. It fails with this specific error:
-c packet counter not numeric
Does anyone see what I am doing wrong?
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
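A small pre-flight check for an iptables-save style file before handing it to iptables-restore, added here as an example and not part of the original post. It flags lines that are not a table, chain, rule or COMMIT line (for instance a rule whose options have ended up on a line of their own), rules appended to undeclared chains, match options used without the module that provides them, and -m recent rules without --name (which go to the DEFAULT list). The sample ruleset is constructed from the fragment in the post; the fixed variant with --name SSH is an assumption for the test.

```python
"""Sanity-check an iptables-save style ruleset before running iptables-restore."""
import shlex

# Constructed sample modelled on the post's fragment (rule spread over two lines).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:BRUTE_FORCE - [0:0]
-A INPUT -i eth0 -p tcp --dport 22 -j BRUTE_FORCE
-A BRUTE_FORCE -p tcp -m tcp -m state -m recent --set -i eth0
--dport 22 --state NEW
-A BRUTE_FORCE -m comment -j RETURN --comment "Return to calling chain"
COMMIT
"""

def lint_ruleset(text):
    """Return [(line_no, message)] for problems found; an empty list means it looks sane."""
    findings, table, chains = [], None, set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # table header, e.g. *filter
            table, chains = line[1:], set()
        elif line.startswith(":"):                    # chain declaration with counters
            chains.add(line[1:].split()[0])
        elif line == "COMMIT":
            if table is None:
                findings.append((no, "COMMIT outside a table"))
            table = None
        elif not line.startswith(("-A ", "-I ")):
            # Only chain, rule and COMMIT lines are valid here; a rule whose options
            # continue on the next line shows up as a bare option line like this.
            findings.append((no, "not a chain/rule/COMMIT line (rule wrapped onto a new line?)"))
        else:
            toks = shlex.split(line)
            if toks[1] not in chains:
                findings.append((no, f"rule appends to undeclared chain {toks[1]}"))
            # Modules loaded explicitly by -m or implicitly by -p; options must belong to one.
            loaded = {toks[i + 1] for i, t in enumerate(toks[:-1]) if t in ("-m", "-p")}
            if "recent" in loaded and "--name" not in toks:
                findings.append((no, "recent match without --name (entries go to the DEFAULT list)"))
            for opt, providers in (("--dport", {"tcp", "udp"}), ("--state", {"state"})):
                if opt in toks and not loaded & providers:
                    findings.append((no, f"{opt} given but no module providing it is loaded"))
    if table is not None:
        findings.append((0, "table not closed with COMMIT"))
    return findings
```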