Ispconfig and iptables rules
Posted by lanceq (Junior Member, joined Dec 2011), 28th June 2012, 00:57

Hello,
I want to add a few rules to my iptables; in addition, it should log the DROPped IPs to /var/log/messages.
Unfortunately, only a few of the large list of rules are added to iptables (ISPConfig -> Monitor -> Show Iptables).

Here are all my rules:

Code:
iptables *filter
iptables :INPUT DROP [0:0]
iptables :FORWARD DROP [0:0]
iptables :OUTPUT ACCEPT [0:0]
iptables :ch - [0:0]
 
# loopback
iptables -A INPUT -i lo -j ACCEPT
 
# login packet
iptables -A INPUT -p tcp -m tcp --dport 7171 --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK -m length --length 191 -j ch
# logout packet
iptables -A INPUT -p tcp -m tcp --dport 7172 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -m recent --set --name login --rsource
 
# drop banned clients
iptables -A INPUT -m recent --rcheck --seconds 600 --name ban --rsource -j DROP
 
# accept established
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# ban over 24 connections
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 24 --connlimit-mask 32 -m recent --set --name ban --rsource -j DROP
 
# IP-specific bans, 1 line per IP
#iptables -A INPUT -s 186.211.32.3 -j DROP
 
# HTTP
iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
 
# loginserver and gameserver
iptables -A INPUT -p tcp -m tcp --dport 7171 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit ! --connlimit-above 2 --connlimit-mask 32 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 7172 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --seconds 30 --name login --rsource -j ACCEPT
 
# DNS
iptables -A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
 
# NTP
#iptables -A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 123 -j ACCEPT
 
# SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 
# ban UDP, not very useful!
iptables -A INPUT -p udp -m recent --set --name ban --rsource -j DROP
 
# accept login
iptables -A ch -m recent --set --name login --rsource -j ACCEPT
#logging
iptables -A INPUT -i $if_ext -p all -j LOG --log-prefix " - FIREWALL: droped -> "
And only these rules have been added:

Code:
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
When I execute this script I receive a lot of errors:

Code:
Bad argument `*filter'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:INPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:FORWARD'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:OUTPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:ch'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.8: Couldn't load target `ch':/lib/xtables/libipt_ch.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Bad argument `COMMIT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `all'
Try `iptables -h' or 'iptables --help' for more information.
root@s2:/etc/init.d# sh firewall.sh
Bad argument `*filter'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:INPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:FORWARD'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:OUTPUT'
Try `iptables -h' or 'iptables --help' for more information.
Bad argument `:ch'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.8: Couldn't load target `ch':/lib/xtables/libipt_ch.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
Bad argument `all'
Try `iptables -h' or 'iptables --help' for more information.
And here is ifconfig, because I don't know whether I entered the right network:
Code:
root@s2:/etc/init.d# ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:36780 errors:0 dropped:0 overruns:0 frame:0
          TX packets:36780 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:30657328 (29.2 MiB)  TX bytes:30657328 (29.2 MiB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:345186 errors:0 dropped:0 overruns:0 frame:0
          TX packets:248992 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:427749317 (407.9 MiB)  TX bytes:34822662 (33.2 MiB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:91.204.162.161  P-t-P:91.204.162.161  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
Could you help me fix these rules?

Last edited by lanceq; 28th June 2012 at 01:03.
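Added example (an editorial note, not part of lanceq's post): the errors above come from mixing two syntaxes. `*filter`, `:INPUT DROP [0:0]`, `:ch - [0:0]` and `COMMIT` are lines of an iptables-restore file, not arguments to the iptables command, so `sh firewall.sh` rejects each of them as a bad argument; because the `:ch` line fails, the `ch` chain is never created, which is the "Couldn't load target `ch'" error; and `$if_ext` is never assigned anywhere in the script, so `-i` swallows `-p` as its interface name and the leftover `all` is reported as a bad argument. The five rules ISPConfig's monitor shows are exactly the ones that use neither the `ch` chain nor the recent/connlimit matches. The script below keeps the original rules but writes them in iptables-save format, adds a `logdrop` chain so that every drop is logged to syslog (which lands in /var/log/messages on a Debian-style system) with a rate limit against log flooding, and loads the whole set atomically with iptables-restore. It assumes the external interface is `venet0` (taken from the ifconfig output; `venet0:0` is an alias, and iptables only matches the real interface name) and that the game ports and the 191-byte login packet are as the poster intends.

```shell
#!/bin/sh
# Added example: corrected ruleset for iptables-restore. Not from the original post.
# Assumptions (not stated on the page): external interface venet0, the kernel
# provides the recent and connlimit matches, ports 7171/7172 are as intended.

IF_EXT="${IF_EXT:-venet0}"   # assumed from the ifconfig output; override with IF_EXT=...

# Emit the complete ruleset on stdout in iptables-save format.
# Nothing is applied here, so this function is safe to run anywhere.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ch - [0:0]
:logdrop - [0:0]

# loopback
-A INPUT -i lo -j ACCEPT

# login packet: flag the source as "login" and accept (via the ch chain)
-A INPUT -p tcp -m tcp --dport 7171 --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK -m length --length 191 -j ch
# logout packet
-A INPUT -p tcp -m tcp --dport 7172 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -m recent --set --name login --rsource

# drop (and log) banned clients for 600 s; placed before ESTABLISHED on purpose
-A INPUT -m recent --rcheck --seconds 600 --name ban --rsource -j logdrop

# accept established
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

# ban a source that holds more than 24 connections
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 24 --connlimit-mask 32 -m recent --set --name ban --rsource -j logdrop

# HTTP
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

# loginserver and gameserver
-A INPUT -p tcp -m tcp --dport 7171 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit ! --connlimit-above 2 --connlimit-mask 32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7172 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --seconds 30 --name login --rsource -j ACCEPT

# DNS replies
-A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT

# SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# ban UDP
-A INPUT -p udp -m recent --set --name ban --rsource -j logdrop

# everything else arriving on the external interface: log it, then drop it
-A INPUT -i $IF_EXT -j logdrop

# accept login
-A ch -m recent --set --name login --rsource -j ACCEPT

# logdrop: rate-limited LOG to syslog, then DROP
-A logdrop -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FIREWALL: dropped -> "
-A logdrop -j DROP
COMMIT
EOF
}

# Parse the ruleset without loading it (iptables-restore --test), or load it for
# real. Both need root and the iptables tools; use check_rules first.
check_rules() { gen_rules | iptables-restore --test; }
apply_rules() { gen_rules | iptables-restore; }

# Number of rules that depend on the recent/connlimit match modules.
count_optional_matches() { gen_rules | grep -c -E -- '-m (recent|connlimit)'; }

# After apply_rules, confirm drops reach the log:  grep 'FIREWALL: dropped' /var/log/messages
```

One check worth running before anything else: the seven "No chain/target/match by that name" errors in the output correspond exactly to the seven rules that use `-m recent` or `-m connlimit` (`count_optional_matches` returns 7). If `check_rules` still rejects those lines once the syntax is fixed, the kernel is not providing the xt_recent and xt_connlimit modules; `venet0` indicates an OpenVZ container, where only the host can load netfilter modules, so those seven rules would have to be removed or the host asked to enable the modules.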