| lanceq |
27th June 2012 23:57 |
Ispconfig and iptables rules
Hello,
I want to add to my iptables a few of rules, in addition it should do log of the DROP IP's to /var/log/messages
Unfortunately, only a few of the large list of rules is added to the iptables (ispconfig-> Monitor-> Show Iptables)
Theres my all rules:
Code:
iptables *filter
iptables :INPUT DROP [0:0]
iptables :FORWARD DROP [0:0]
iptables :OUTPUT ACCEPT [0:0]
iptables :ch - [0:0]
# loopback
iptables -A INPUT -i lo -j ACCEPT
# login packet
iptables -A INPUT -p tcp -m tcp --dport 7171 --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK -m length --length 191 -j ch
# logout packet
iptables -A INPUT -p tcp -m tcp --dport 7172 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -m recent --set --name login --rsource
# drop banned clients
iptables -A INPUT -m recent --rcheck --seconds 600 --name ban --rsource -j DROP
# accept established
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
# ban over 24 connections
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 24 --connlimit-mask 32 -m recent --set --name ban --rsource -j DROP
# IP-specific bans, 1 line per IP
#iptables -A INPUT -s 186.211.32.3 -j DROP
# HTTP
iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
# loginserver and gameserver
iptables -A INPUT -p tcp -m tcp --dport 7171 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit ! --connlimit-above 2 --connlimit-mask 32 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7172 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --seconds 30 --name login --rsource -j ACCEPT
# DNS
iptables -A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
# NTP
#iptables -A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 123 -j ACCEPT
# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# ban UDP, not very useful!
iptables -A INPUT -p udp -m recent --set --name ban --rsource -j DROP
# accept login
iptables -A ch -m recent --set --name login --rsource -j ACCEPT
#logging
iptables -A INPUT -i $if_ext -p all -j LOG --log-prefix " - FIREWALL: droped -> "
And only those rules have been added.
Code:
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
When i execute this script i receives a lot of errors:
Code:
Bad argument `*filter'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:INPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:FORWARD'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:OUTPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:ch'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.8: Couldn't load target `ch':/lib/xtables/libipt_ch.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Bad argument `COMMIT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `all'
Try `iptables -h' or 'iptables --help' for more information.
root@s2:/etc/init.d# sh firewall.sh
Bad argument `*filter'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:INPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:FORWARD'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:OUTPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:ch'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.8: Couldn't load target `ch':/lib/xtables/libipt_ch.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Bad argument `COMMIT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `all'
Try `iptables -h' or 'iptables --help' for more information.
root@s2:/etc/init.d# sh firewall.sh
Bad argument `*filter'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:INPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:FORWARD'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:OUTPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:ch'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.8: Couldn't load target `ch':/lib/xtables/libipt_ch.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Bad argument `all'
Try `iptables -h' or 'iptables --help' for more information.
root@s2:/etc/init.d# sh firewall.sh
Bad argument `*filter'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:INPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:FORWARD'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:OUTPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:ch'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.8: Couldn't load target `ch':/lib/xtables/libipt_ch.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Bad argument `all'
Try `iptables -h' or 'iptables --help' for more information.
root@s2:/etc/init.d# sh firewall.sh
Bad argument `*filter'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:INPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:FORWARD'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:OUTPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:ch'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.8: Couldn't load target `ch':/lib/xtables/libipt_ch.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Bad argument `all'
Try `iptables -h' or 'iptables --help' for more information.
and ifconfig because i don't know that entered a good network
Code:
root@s2:/etc/init.d# ifconfig
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:36780 errors:0 dropped:0 overruns:0 frame:0
TX packets:36780 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:30657328 (29.2 MiB) TX bytes:30657328 (29.2 MiB)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.2 P-t-P:127.0.0.2 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:345186 errors:0 dropped:0 overruns:0 frame:0
TX packets:248992 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:427749317 (407.9 MiB) TX bytes:34822662 (33.2 MiB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:91.204.162.161 P-t-P:91.204.162.161 Bcast:0.0.0.0 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
Could u help me to fix these rules? |
