HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Installation/Configuration (http://www.howtoforge.com/forums/forumdisplay.php?f=27)
-   -   Ispconfig and iptables rules (http://www.howtoforge.com/forums/showthread.php?t=57757)

lanceq 27th June 2012 23:57

Ispconfig and iptables rules
 
Hello,
I want to add a few rules to my iptables; in addition, it should log the dropped IPs to /var/log/messages.
Unfortunately, only a few of the large list of rules are added to iptables (ISPConfig -> Monitor -> Show Iptables).

Here are all my rules:

Code:

iptables *filter
iptables :INPUT DROP [0:0]
iptables :FORWARD DROP [0:0]
iptables :OUTPUT ACCEPT [0:0]
iptables :ch - [0:0]
 
# loopback
iptables -A INPUT -i lo -j ACCEPT
 
# login packet
iptables -A INPUT -p tcp -m tcp --dport 7171 --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK -m length --length 191 -j ch
# logout packet
iptables -A INPUT -p tcp -m tcp --dport 7172 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -m recent --set --name login --rsource
 
# drop banned clients
iptables -A INPUT -m recent --rcheck --seconds 600 --name ban --rsource -j DROP
 
# accept established
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# ban over 24 connections
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 24 --connlimit-mask 32 -m recent --set --name ban --rsource -j DROP
 
# IP-specific bans, 1 line per IP
#iptables -A INPUT -s 186.211.32.3 -j DROP
 
# HTTP
iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
 
# loginserver and gameserver
iptables -A INPUT -p tcp -m tcp --dport 7171 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit ! --connlimit-above 2 --connlimit-mask 32 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7172 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --seconds 30 --name login --rsource -j ACCEPT
 
# DNS
iptables -A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
 
# NTP
#iptables -A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 123 -j ACCEPT
 
# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 
# ban UDP, not very useful!
iptables -A INPUT -p udp -m recent --set --name ban --rsource -j DROP
 
# accept login
iptables -A ch -m recent --set --name login --rsource -j ACCEPT
#logging
iptables -A INPUT -i $if_ext -p all -j LOG --log-prefix " - FIREWALL: droped -> "

And only these rules have been added.

Code:

-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

When I execute this script I receive a lot of errors:

Code:

Bad argument `*filter'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:INPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:FORWARD'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:OUTPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:ch'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.8: Couldn't load target `ch':/lib/xtables/libipt_ch.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Bad argument `COMMIT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `all'
Try `iptables -h' or 'iptables --help' for more information.
root@s2:/etc/init.d# sh firewall.sh
Bad argument `*filter'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:INPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:FORWARD'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:OUTPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:ch'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.8: Couldn't load target `ch':/lib/xtables/libipt_ch.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Bad argument `all'
Try `iptables -h' or 'iptables --help' for more information.

and ifconfig, because I don't know if I entered a good network:
Code:

root@s2:/etc/init.d# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:36780 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36780 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:30657328 (29.2 MiB)  TX bytes:30657328 (29.2 MiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:345186 errors:0 dropped:0 overruns:0 frame:0
          TX packets:248992 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:427749317 (407.9 MiB)  TX bytes:34822662 (33.2 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:91.204.162.161  P-t-P:91.204.162.161  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

Could you help me fix these rules?
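The errors in the post have three causes, and all three can be read straight off the script and the output. First, `*filter`, `:INPUT DROP [0:0]`, `:ch - [0:0]` and `COMMIT` are directives of the iptables-restore file format, not arguments to the `iptables` command, so every line that starts with `iptables ` and carries one of them fails with "Bad argument". Because the `:ch` line fails, the `ch` chain is never created, and the rule that jumps to it fails with "Couldn't load target `ch'". Second, `$if_ext` is never defined in the script, so the LOG rule expands to `-i -p all -j LOG ...`; `-i` swallows `-p` as the interface name and the leftover `all` produces "Bad argument `all'". Third, the seven "No chain/target/match by that name" lines correspond exactly to the seven rules that use `-m recent` or `-m connlimit`; the only rules that survived are the five that use none of these. The `venet0` interface in the ifconfig output indicates an OpenVZ container, where kernel modules such as xt_recent and xt_connlimit cannot be loaded from inside the container and have to be present on the host. The shell script below is an added example, not the poster's script and not part of ISPConfig: it rewrites the hybrid file into a proper iptables-restore file and counts the rules that depend on those two modules. It assumes `venet0` is the external interface (the public address in the post sits on `venet0:0`); the function names `sample_hybrid`, `to_restore_format` and `module_rules` are the example's own.

```shell
#!/bin/sh
# Added example (not the poster's script or part of ISPConfig). The rules in the
# post are already written in iptables-restore file syntax: "*filter",
# ":CHAIN POLICY [0:0]" and "COMMIT" are restore-file directives, not iptables
# arguments. Prefixing every line with "iptables " runs each line as a separate
# command, which is why only the five plain "-A ..." rules survived. This script
# turns such a hybrid file into a proper restore file and counts the rules that
# need the xt_recent / xt_connlimit match modules.

# Assumption: venet0 is the external interface (ifconfig in the post shows the
# public address on venet0:0). The poster's script never defined $if_ext, so
# its LOG rule expanded to "-i -p all ...", hence "Bad argument `all'".
if_ext="${if_ext:-venet0}"

# Constructed sample: the rule lines from the post, comments removed, with one
# whitespace-only line kept on purpose to show that it is stripped.
sample_hybrid() {
cat <<'EOF'
iptables *filter
iptables :INPUT DROP [0:0]
iptables :FORWARD DROP [0:0]
iptables :OUTPUT ACCEPT [0:0]
iptables :ch - [0:0]
 
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7171 --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK -m length --length 191 -j ch
iptables -A INPUT -p tcp -m tcp --dport 7172 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -m recent --set --name login --rsource
iptables -A INPUT -m recent --rcheck --seconds 600 --name ban --rsource -j DROP
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 24 --connlimit-mask 32 -m recent --set --name ban --rsource -j DROP
iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7171 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit ! --connlimit-above 2 --connlimit-mask 32 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7172 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --seconds 30 --name login --rsource -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp -m recent --set --name ban --rsource -j DROP
iptables -A ch -m recent --set --name login --rsource -j ACCEPT
iptables -A INPUT -i $if_ext -p all -j LOG --log-prefix " - FIREWALL: droped -> "
EOF
}

# to_restore_format: hybrid script on stdin -> iptables-restore file on stdout.
# Strips the "iptables " prefix, expands $if_ext, drops whitespace-only lines
# (iptables-restore would try to parse them as rules) and appends the COMMIT
# that closes the *filter table unless the input already ends with one.
to_restore_format() {
    awk -v ifext="$if_ext" '
        { sub(/^iptables /, ""); gsub(/\$if_ext/, ifext) }
        /^[ \t]*$/ { next }
        { print; last = $0 }
        END { if (last != "COMMIT") print "COMMIT" }
    '
}

# module_rules: count the rules on stdin that use the recent or connlimit
# match. The post shows seven "No chain/target/match by that name" errors, one
# per such rule. Inside an OpenVZ container (which venet0 indicates) the
# xt_recent / xt_connlimit modules cannot be loaded; the host has to provide them.
module_rules() {
    grep -cE -- '-m (recent|connlimit)' || true
}

# Usage: sh convert.sh firewall.sh > firewall.rules, then as root
# iptables-restore < firewall.rules. Without an argument the embedded sample
# is converted, which needs no privileges.
if [ $# -gt 0 ]; then
    to_restore_format < "$1"
else
    sample_hybrid | to_restore_format
fi
```

Two things worth checking before applying the result. `iptables-restore` replaces the whole table unless it is given `-n`/`--noflush`, so a rule file applied this way also removes whatever ISPConfig's own firewall wrote; the two have to be reconciled rather than layered. And the `-j LOG` rule only does what the poster wants because it is the last rule in INPUT: it sees exactly the packets no ACCEPT rule matched, which the chain's DROP policy then discards, and those log lines land in the kernel log (/var/log/messages or /var/log/syslog depending on the distribution).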

