#1  25th May 2006, 08:39
adityavpratap (Junior Member)
configuring IPTABLES firewall

Hi,
I am running Slackware 10.1 kernel 2.6.16.
I followed the instructions given in the following link -
http://www.howtoforge.net/custom_iptables_firewall
however with the modifications relevant to Slackware.
Now when I run the rc.firewall script I get the following error message -
Quote:
Starting Firewall services
firewall: Configuring Firewall Rules using iptables
firewall: No configuration file found at /etc/firewall/firewall.conf.iptables;
firewall: default policies set to DROP on INPUT/OUTPUT/FORWARD chains.
The /etc/firewall/firewall.conf.iptables file is missing. Have I missed something, or should there be a default file somewhere?
Any suggestions?
__________________
Aditya Pratap V.
Goshamahal, Hyderabad - A. P.
I N D I A

#2  25th May 2006, 15:14
falko (Super Moderator, Lüneburg, Germany)

Have a look here: http://www.howtoforge.com/forums/sho....conf.iptables
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:

#3  26th May 2006, 12:22
adityavpratap (Junior Member)

Hi,
Thanks for the prompt reply.
I tried the link mentioned in your reply and put the firewall.conf.iptables file in /etc/firewall/.
Now when I run the firewall I get the following rather lengthy output on the console -
Quote:
Starting Firewall services
firewall: Configuring Firewall Rules using iptables
Bad argument `DROP'
Try `iptables -h' or 'iptables --help' for more information.
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Banned address/network file not found.
firewall: IANA-reserved address/network file not found.
firewall: Local rules file not found.
firewall: Outbound ping enabled
firewall: Inbound ping enabled
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: DNS client enabled
firewall: ** No secondary DNS configured **
firewall: DNS Full server enabled
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Auth client enabled
iptables: Unknown error 4294967295
firewall: Auth server enabled
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: SMTP Local server enabled
iptables: Unknown error 4294967295
firewall: Remote site any/0 may access local POP-3 server
/etc/rc.firewall.iptables: line 963: [: -gt: unary operator expected
/etc/rc.firewall.iptables: line 990: [: -gt: unary operator expected
/etc/rc.firewall.iptables: line 1058: [: -gt: unary operator expected
/etc/rc.firewall.iptables: line 1084: [: -gt: unary operator expected
iptables v1.3.5: host/network `my.news.server' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `my.news.server' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `my.news.server' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `my.news.server' not found
Try `iptables -h' or 'iptables --help' for more information.
firewall: Clients may access remote NNTP server: my.news.server
iptables v1.3.5: host/network `your.snews.server' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `your.snews.server' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `your.snews.server' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `your.snews.server' not found
Try `iptables -h' or 'iptables --help' for more information.
firewall: Clients may access remote secure NNTP server: your.snews.server
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote TELNET servers
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote SSH servers
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Remote site any/0 may access local SSH server
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote FTP servers
iptables: Unknown error 4294967295
firewall: Clients may access remote HTTP servers
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Remote client any/0 may access local HTTP server
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote HTTPS servers
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote FINGER servers
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote WHOIS servers
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote GOPHER servers
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote WAIS servers
iptables: Unknown error 4294967295
firewall: Real Video client enabled
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote PPTP servers
firewall: Outbound TRACEROUTE enabled
firewall: Inbound TRACEROUTE enabled
firewall: NTP Client enabled
firewall: ICQ Client enabled
firewall: Masquerading internal network
done
Being a complete newbie in this particular area, I am at a loss to know what is going on. I hope you can throw some light on this.

#4  26th May 2006, 17:02
falko (Super Moderator, Lüneburg, Germany)

Did you save firewall.conf.iptables with Unix linebreaks or with Windows linebreaks? You must save it with Unix linebreaks.

#5  26th May 2006, 17:28
adityavpratap (Junior Member)

Yes. It is saved with Unix linebreaks.

#6  26th May 2006, 17:40
falko (Super Moderator, Lüneburg, Germany)

What's in firewall.conf.iptables?

#7  27th May 2006, 05:32
adityavpratap (Junior Member)

Here is the file -
Quote:
#
# File: /etc/firewall/firewall.conf.iptables
#
# Firewall Configuration
#
# This file contains the editable firewall parameters.
# User edits belong in this file. It is included by
# /etc/rc.d/init.d/firewall when the configuration script
# runs.
#
# Original ipchains scripts by:
# Craig Zeller - 03-Jan-2000
# Translated to iptables and modified by:
# Bob Sully (rcs@malibyte.net) - latest: 16 Mar 2003

# ------------------------------------------------------------------


VERBOSE=1 # Turns on verbose feature
# (configuration messages)
#
# INTERFACES
#
# Edit these to suit your system interfaces
#

#
# The 'External Interface' is the connection to your
# ISP via Ethernet, xDSL, Cable Modem, T1, etc. This
# is the Internet side, where the bad guys hang out.
#

EXTERNAL_INTERFACE="eth0" # Unsecure (Red) Interface <--- Edit here!
EXTERNAL_IP="11.222.111.221" # Unsecure (Red) IP address <--- Edit here!

#
# Special case for PPP external interface: grabs external IP address after connecting.
# If running PPP over Ethernet, may need to change "ppp0" to "ethx" where ethx =
# your "external" network interface, e.g. eth0
# Requires awk; thanks to Sean Mannion
#

if [ $EXTERNAL_INTERFACE == "ppp0" ]; then
EXTERNAL_IP=`/sbin/ifconfig ppp0 |awk '/inet addr/{split($2,x,":"); print x[2]}'`
fi


#
# The 'Internal Interface' is the connection to your
# protected network(s).
#

INTERNAL_INTERFACE="eth1" # Secure (Black) Interface <--- Edit here!
INTERNAL_NETWORK="192.168.56.0/24" # Secure (Black) LAN network range <--- Edit here!
INTERNAL_IP="192.168.56.1" # Secure (Black) LAN IP address <--- Edit here!


BROADCAST_NET=11.222.111.222 # Broadcast address for your local subnet;
# can be used for user-generated rules in
# firewall.local; not required to be defined
# otherwise.

# ------------------------------------------------------------------

#
# Your ISP's servers
#

#
# Valid responses here consist of:
#
# 1. A single IP address in CIDR notation (ex: 192.168.1.1/32)
#
# 2. A network IP address range in CIDR notation (ex: 192.168.1.0/24)
#
# 3. The expression 'any/0', which matches any IP address.
#
# Note that in CIDR (Classless Internet Domain Routing) notation, the
# number following the slash mark is the number of bits in the network
# portion of the address. This notation replaces the old Class-A (CIDR /8),
# Class-B (CIDR /16), and Class-C (CIDR /24) netmasks. CIDR addressing
# greatly simplifies sub-netting as netmasks can be on any bit-boundary.
#

DHCP_SERVER_IP="my.dhcp.server" # ISPs DHCP Server (if known)
SMTP_SERVER="my.smtp.server" # ISPs External SMTP Mail Server
POP_SERVER="my.pop3.server" # External POP3 Server, if any
MY_IMAP_SERVER="my.imap.server" # External IMAP Server, if any
NEWS_SERVER="my.news.server" # External NNTP News Server, if any
SNEWS_SERVER="your.snews.server" # External Secure NNTP News Server, if any
MY_NEWS_FEED="my.news.feed" # ISP NNTP News Feed, if any

#
# The following entry requires an IP address or range as in the
# previous paragraph.
#

#WEB_PROXY_SERVER="my.www.proxy" # ISP Web Proxy Server, if any

#
# The port number of your proxy host. Typically this is 8008
# or 8080.
#

#WEB_PROXY_PORT="www.proxy.port" # ISP Web Proxy Port, if any


# ------------------------------------------------------------------

#
# Firewall Configuration Options
#

# Set the variables on the following lines = 1 to enable
# their respective features, or = 0 to disable.

#
# IP MASQUERADING
#
# Set the following variable = 1 if you are Masquerading
# your internal (RFC-1918) network, else = 0.
#

MASQUERADING=1

#
# Set the following variable = 1 if your firewall's
# external interface gets its IP address from your ISP's
# DHCP server. The 'external interface' is the one that is
# connected to your ISP via xDSL, Cable Modem, T1, etc.,
# and is often referred to as the 'Red' interface.
#
# Note to anyone running RedHat 7.x: RedHat now runs pumpd
# by default rather than dhcpd; this will give erratic
# results with this script. Suggest running dhcpd instead.

DHCP=0


#
# Port-Forwarding
#
#
# Set the following variable = 1 if you wish to allow
# port-forwarding through your firewall to services
# running on machines in your internal network.
#

PORT_FORWARD=0


#
# ICMP Services
#

#
# Set the following variable = 1 if you wish to allow
# local clients to 'ping' external sites.
#

OUTBOUND_PING=1

#
# Set the following variable = 1 if you wish to allow
# external sites to ping your firewall (stops at the
# firewall).
#

INBOUND_PING=1

#
# Set the following variable = 1 if you wish to allow
# local clients to 'traceroute' to external sites.
#

OUTBOUND_TRACEROUTE=1

#
# Set the following variable = 1 if you wish to allow
# external sites to 'traceroute' to your firewall (stops
# at the firewall).
#

INBOUND_TRACEROUTE=1


# ------------------------------------------------------------------


#
# E-Mail Services
#

#
# Set the following variable = 1 if you send your outbound
# EMail via SMTP protocol through your ISPs mail server.
# This is most frequently used in combination with the
# next option, POP3_CLIENT.
#

SMTP_REMOTE_SERVER=0

#
# Set the following variable = 1 if you receive your
# inbound EMail via POP3 protocol from your ISPs mail
# server. This is the method most installations will use.
#

POP3_CLIENT=0

#
# Set the following variable = 1 if you get your
# EMail via IMAP protocol from your ISPs mail server.
# This is still quite rare.
#

IMAP_CLIENT=0

#
# Set the following variable = 1 if you are running
# Sendmail (or other MTA) on your firewall. Your
# local mail clients will connect via POP3 to your
# firewall for mail delivery. Note that this does
# not require the POP3_CLIENT option for clients
# inside the firewall.
#

SMTP_LOCAL_SERVER=1


# ------------------------------------------------------------------


#
# CLIENT ACCESS
#
# Set the following variables = 1 to enable their respective
# client services, or = 0 to disable. These features allow
# your internal clients to access services on external
# Internet servers.
#

AUTH_CLIENT=1 # The Auth Protocol
DNS_CLIENT=1 # Domain Name Servers
FINGER_CLIENT=1 # Finger Protocol
FTP_CLIENT=1 # File Transfer Protocol
GOPHER_CLIENT=1 # Gopher Protocol
HTTP_CLIENT=1 # WWW Client Protocol
HTTPS_CLIENT=1 # Secure WWW Client Protocol
HTTP_PROXY=0 # WWW through a Web Proxy Server
NNTP_CLIENT=1 # The Usenet News Protocol
NNTPS_CLIENT=1 # NNTP access over SSL (port 563)
NTP_CLIENT=1 # The Network Time Protocol
SSH_CLIENT=1 # The secure SSH Protocol (Telnet/FTP)
TELNET_CLIENT=1 # The Telnet Protocol
WAIS_CLIENT=1 # The WAIS Protocol
WHOIS_CLIENT=1 # WHOIS Protocol
ICQ_CLIENT=1 # The Miribilis ICQ Client Protocol
RV_CLIENT=1 # The RealVideo Client (port 554)
PPTP_CLIENT=1 # PPTP server access as client (1723)

# ------------------------------------------------------------------

#
# SERVER ACCESS
#

# Enable this if you're running dhcpd on your firewall to
# supply IP addresses to machines on your internal (masqueraded)
# network.

DHCP_SERVER=0 # DHCP server for internal network


# Note: Enabling these services is for EXTERNAL access from
# the Internet. Access from internal clients to the firewall
# server does not require that these items be configured.
# THIS IS FOR EXTERNAL ACCESS - BE CAREFUL!
#

FTP_SERVER=0 # If you are running an FTP server
MY_FTP_CLIENTS="any/0" # My FTP client list
DNS_CACHING_SERVER=0 # Caching-Only Domain Name Server
DNS_FULL_SERVER=1 # Full-function Domain Name Server
# DNS Secondary name servers for zone transfer:
# Place allowed DNS IP's in /etc/firewall/firewall.dns
# in CIDR format, one IP per line
AUTH_SERVER=1 # AUTH protocol server
POP3_SERVER=1 # POP-3 EMail server
MY_POP3_CLIENTS="any/0" # POP-3 EMail client list
IMAP_SERVER=0 # IMAP EMail server
MY_IMAP_CLIENTS="any/0" # IMAP EMail client list
NNTP_SERVER=0 # Usenet NNTP News server
MY_NNTP_CLIENTS="any/0" # Usenet News client list
NNTP_NEWS_FEED=0 # NNTP News feeds
TELNET_SERVER=0 # Telnet server (unsecure - not recommended)
MY_TELNET_CLIENTS="any/0" # Telnet client list
SSH_SERVER=1 # Secure SSH server (Telnet/FTP)
MY_SSH_CLIENTS="any/0" # Secure SSH client list
SSH_PORT="22" # SSH access port, usually 22
HTTP_SERVER=1 # Web (HTTP) server
MY_HTTP_CLIENTS="any/0" # My WWW client list
HTTPS_SERVER=0 # Secure Web server (SSL)
FINGER_SERVER=0 # Finger Server (not recommended)
MY_FINGER_CLIENTS="any/0" # My Finger client list

#
# Games
#

HALF_LIFE=0 # Enable this if you run a
# Half-Life/CounterStrike server
WOLF_CLIENT=0 # Client ports for Return to Castle Wolfenstein


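A pre-flight check for a firewall.conf.iptables file, added here as an example that is not part of the original script or of anyone's post in this thread. It tests for the Windows line endings falko asks about, for 0/1 switches that are unset (the usual cause of the "[: -gt: unary operator expected" messages in post #3) and for client switches left at 1 while their server variable still holds a sample hostname such as my.news.server (the cause of the "host/network ... not found" messages). The variable names are those of the posted file; the sample config written by write_sample_conf is constructed for the demo.

```shell
# Added example, not from the original script: pre-flight checks for a
# firewall.conf.iptables before rc.firewall sources it (constructed sample below).

# Value of the last uncommented NAME=... assignment in file $1, quotes stripped.
conf_value() {
    sed -n "s/^$2=\([^[:space:]#]*\).*/\1/p" "$1" | tr -d '"' | tail -n 1
}

# Windows line endings leave a trailing CR on every value once the file is sourced.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Every 0/1 switch the script tests with "[ $X -gt 0 ]" must really be 0 or 1;
# an unset or non-numeric value yields "[: -gt: unary operator expected".
check_switches() {
    conf=$1; shift
    for name in "$@"; do
        case "$(conf_value "$conf" "$name")" in
            0|1) ;;
            *) echo "$name" ;;
        esac
    done
}

# A client switch left at 1 while its server variable still holds the sample
# hostname makes iptables fail with "host/network `my.news.server' not found"
# for every rule that references it. Prints one line per offending pair.
check_placeholders() {
    for pair in NNTP_CLIENT:NEWS_SERVER NNTPS_CLIENT:SNEWS_SERVER \
                SMTP_REMOTE_SERVER:SMTP_SERVER POP3_CLIENT:POP_SERVER; do
        sw=${pair%%:*}; var=${pair#*:}
        [ "$(conf_value "$1" "$sw")" = 1 ] || continue
        case "$(conf_value "$1" "$var")" in
            my.*|your.*|"") echo "$sw=1 but $var is unset or a placeholder" ;;
        esac
    done
}
# Constructed sample mirroring the posted file: placeholders left in, PORT_FORWARD missing.
write_sample_conf() {
    cat > "$1" <<'EOF'
EXTERNAL_INTERFACE="eth0" # Unsecure (Red) Interface
MASQUERADING=1
NNTP_CLIENT=1 # The Usenet News Protocol
NNTPS_CLIENT=1 # NNTP access over SSL (port 563)
POP3_CLIENT=0
POP_SERVER="my.pop3.server"
NEWS_SERVER="my.news.server" # External NNTP News Server, if any
SNEWS_SERVER="your.snews.server"
EOF
}

sample=${TMPDIR:-/tmp}/firewall.conf.sample.$$
write_sample_conf "$sample"
has_crlf "$sample" && echo "CRLF line endings: convert with tr -d '\r' before use"
check_switches "$sample" MASQUERADING NNTP_CLIENT PORT_FORWARD
check_placeholders "$sample"
rm -f "$sample"
```

Run it against the real /etc/firewall/firewall.conf.iptables by passing that path to the three check functions instead of the constructed sample.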

#8  27th May 2006, 14:44
falko (Super Moderator, Lüneburg, Germany)

Looks ok.

I found this about your iptables error: http://archives.free.net.ph/message/...451b7f.en.html

#9  27th May 2006, 15:22
adityavpratap (Junior Member)

Thanks falko, for the prompt reply. However, I had already found the link you mentioned and have recompiled the kernel with the said parameter = y. Still, the error messages refuse to go away.
I don't know what is going on.
By the way, I have no chkconfig in Slackware. But even then the firewall should start, and this is not happening.

#10  27th May 2006, 22:42
falko (Super Moderator, Lüneburg, Germany)

Quote:
Originally Posted by adityavpratap
Thanks falko, for the prompt reply. However, I had already found the link you mentioned and have recompiled the kernel with the said parameter = y. Still, the error messages refuse to go away.
And you booted the correct kernel, and not the old one?
All times are GMT +2. The time now is 02:25.

