configuring IPTABLES firewall

[adityavpratap]

Hi,
I am running Slackware 10.1 kernel 2.6.16.
I followed the instructions given in the following link -
http://www.howtoforge.net/custom_iptables_firewall
however with the modifications relevant to Slackware.
Now when I run the rc.firewall script I get the following error message -

Quote:

Starting Firewall services
firewall: Configuring Firewall Rules using iptables
firewall: No configuration file found at /etc/firewall/firewall.conf.iptables;
firewall: default policies set to DROP on INPUT/OUTPUT/FORWARD chains.

the /etc/firewall/firewall.conf.iptables file is missing. Have I missed something or there should be a default file somwhere?
Any suggestions?

[falko]

Have a look here: http://www.howtoforge.com/forums/sho....conf.iptables

[adityavpratap]

Hi,
Thanks for the prompt reply,
I tried the link mentioned in your reply and put the firewall.conf.iptables file in /etc/firewall/
Now when I run the firewall I get the following rather lengthy output on the console -

Quote:

Starting Firewall services
firewall: Configuring Firewall Rules using iptables
Bad argument `DROP'
Try `iptables -h' or 'iptables --help' for more information.
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Banned address/network file not found.
firewall: IANA-reserved address/network file not found.
firewall: Local rules file not found.
firewall: Outbound ping enabled
firewall: Inbound ping enabled
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: DNS client enabled
firewall: ** No secondary DNS configured **
firewall: DNS Full server enabled
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Auth client enabled
iptables: Unknown error 4294967295
firewall: Auth server enabled
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: SMTP Local server enabled
iptables: Unknown error 4294967295
firewall: Remote site any/0 may access local POP-3 server
/etc/rc.firewall.iptables: line 963: [: -gt: unary operator expected
/etc/rc.firewall.iptables: line 990: [: -gt: unary operator expected
/etc/rc.firewall.iptables: line 1058: [: -gt: unary operator expected
/etc/rc.firewall.iptables: line 1084: [: -gt: unary operator expected
iptables v1.3.5: host/network `my.news.server' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `my.news.server' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `my.news.server' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `my.news.server' not found
Try `iptables -h' or 'iptables --help' for more information.
firewall: Clients may access remote NNTP server: my.news.server
iptables v1.3.5: host/network `your.snews.server' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `your.snews.server' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `your.snews.server' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: host/network `your.snews.server' not found
Try `iptables -h' or 'iptables --help' for more information.
firewall: Clients may access remote secure NNTP server: your.snews.server
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote TELNET servers
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote SSH servers
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Remote site any/0 may access local SSH server
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote FTP servers
iptables: Unknown error 4294967295
firewall: Clients may access remote HTTP servers
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Remote client any/0 may access local HTTP server
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote HTTPS servers
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote FINGER servers
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote WHOIS servers
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote GOPHER servers
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote WAIS servers
iptables: Unknown error 4294967295
firewall: Real Video client enabled
iptables: Unknown error 4294967295
iptables: Unknown error 4294967295
firewall: Clients may access remote PPTP servers
firewall: Outbound TRACEROUTE enabled
firewall: Inbound TRACEROUTE enabled
firewall: NTP Client enabled
firewall: ICQ Client enabled
firewall: Masquerading internal network
done

Being a complete newbie in this particular area, I am at loss to know what is going on. I hope you can throw some light on this.

[falko]

Did you save firewall.conf.iptables with Unix linebreaks or with Windows linebreaks? You must save it with Unix linebreaks.

[adityavpratap]

Yes. It is saved with Unix linebreaks.

[falko]

What's in firewall.conf.iptables?

[adityavpratap]

Here is the file -

Quote:

#
# File: /etc/firewall/firewall.conf.iptables
#
# Firewall Configuration
#
# This file contains the editable firewall parameters.
# User edits belong in this file. It is included by
# /etc/rc.d/init.d/firewall when the configuration script
# runs.
#
# Original ipchains scripts by:
# Craig Zeller - 03-Jan-2000
# Translated to iptables and modified by:
# Bob Sully (rcs@malibyte.net) - latest: 16 Mar 2003

# ------------------------------------------------------------------


VERBOSE=1 # Turns on verbose feature
# (configuration messages)
#
# INTERFACES
#
# Edit these to suit your system interfaces
#

#
# The 'External Interface' is the connection to your
# ISP via Ethernet, xDSL, Cable Modem, T1, etc. This
# is the Internet side, where the bad guys hang out.
#

EXTERNAL_INTERFACE="eth0" # Unsecure (Red) Interface <--- Edit here!
EXTERNAL_IP="11.222.111.221" # Unsecure (Red) IP address <--- Edit here!

#
# Special case for PPP external interface: grabs external IP address after connecting.
# If running PPP over Ethernet, may need to change "ppp0" to "ethx" where ethx =
# your "external" network interface, e.g. eth0
# Requires awk; thanks to Sean Mannion
#

if [ $EXTERNAL_INTERFACE == "ppp0" ]; then
EXTERNAL_IP=`/sbin/ifconfig ppp0 |awk '/inet addr/{split($2,x,":"); print x[2]}'`
fi


#
# The 'Internal Interface' is the connection to your
# protected network(s).
#

INTERNAL_INTERFACE="eth1" # Secure (Black) Interface <--- Edit here!
INTERNAL_NETWORK="192.168.56.0/24" # Secure (Black) LAN network range <--- Edit here!
INTERNAL_IP="192.168.56.1" # Secure (Black) LAN IP address <--- Edit here!


BROADCAST_NET=11.222.111.222 # Broadcast address for your local subnet;
# can be used for user-generated rules in
# firewall.local; not required to be defined
# otherwise.

# ------------------------------------------------------------------

#
# Your ISP's servers
#

#
# Valid responses here consist of:
#
# 1. A single IP address in CIDR notation (ex: 192.168.1.1/32)
#
# 2. A network IP address range in CIDR notation (ex: 192.168.1.0/24)
#
# 3. The expression 'any/0', which matches any IP address.
#
# Note that in CIDR (Classless Internet Domain Routing) notation, the
# number following the slash mark is the number of bits in the network
# portion of the address. This notation replaces the old Class-A (CIDR /8),
# Class-B (CIDR /16), and Class-C (CIDR /24) netmasks. CIDR addressing
# greatly simplifies sub-netting as netmasks can be on any bit-boundary.
#

DHCP_SERVER_IP="my.dhcp.server" # ISPs DHCP Server (if known)
SMTP_SERVER="my.smtp.server" # ISPs External SMTP Mail Server
POP_SERVER="my.pop3.server" # External POP3 Server, if any
MY_IMAP_SERVER="my.imap.server" # External IMAP Server, if any
NEWS_SERVER="my.news.server" # External NNTP News Server, if any
SNEWS_SERVER="your.snews.server" # External Secure NNTP News Server, if any
MY_NEWS_FEED="my.news.feed" # ISP NNTP News Feed, if any

#
# The following entry requires an IP address or range as in the
# previous paragraph.
#

#WEB_PROXY_SERVER="my.www.proxy" # ISP Web Proxy Server, if any

#
# The port number of your proxy host. Typically this is 8008
# or 8080.
#

#WEB_PROXY_PORT="www.proxy.port" # ISP Web Proxy Port, if any


# ------------------------------------------------------------------

#
# Firewall Configuration Options
#

# Set the variables on the following lines = 1 to enable
# their respective features, or = 0 to disable.

#
# IP MASQUERADING
#
# Set the following variable = 1 if you are Masquerading
# your internal (RFC-1918) network, else = 0.
#

MASQUERADING=1

#
# Set the following variable = 1 if your firewall's
# external interface gets its IP address from your ISP's
# DHCP server. The 'external interface' is the one that is
# connected to your ISP via xDSL, Cable Modem, T1, etc.,
# and is often referred to as the 'Red' interface.
#
# Note to anyone running RedHat 7.x: RedHat now runs pumpd
# by default rather than dhcpd; this will give erratic
# results with this script. Suggest running dhcpd instead.

DHCP=0


#
# Port-Forwarding
#
#
# Set the following variable = 1 if you wish to allow
# port-forwarding through your firewall to services
# running on machines in your internal network.
#

PORT_FORWARD=0


#
# ICMP Services
#

#
# Set the following variable = 1 if you wish to allow
# local clients to 'ping' external sites.
#

OUTBOUND_PING=1

#
# Set the following variable = 1 if you wish to allow
# external sites to ping your firewall (stops at the
# firewall).
#

INBOUND_PING=1

#
# Set the following variable = 1 if you wish to allow
# local clients to 'traceroute' to external sites.
#

OUTBOUND_TRACEROUTE=1

#
# Set the following variable = 1 if you wish to allow
# external sites to 'traceroute' to your firewall (stops
# at the firewall).
#

INBOUND_TRACEROUTE=1


# ------------------------------------------------------------------


#
# E-Mail Services
#

#
# Set the following variable = 1 if you send your outbound
# EMail via SMTP protocol through your ISPs mail server.
# This is most frequently used in combination with the
# next option, POP3_CLIENT.
#

SMTP_REMOTE_SERVER=0

#
# Set the following variable = 1 if you receive your
# inbound EMail via POP3 protocol from your ISPs mail
# server. This is the method most installations will use.
#

POP3_CLIENT=0

#
# Set the following variable = 1 if you get your
# EMail via IMAP protocol from your ISPs mail server.
# This is still quite rare.
#

IMAP_CLIENT=0

#
# Set the following variable = 1 if you are running
# Sendmail (or other MTA) on your firewall. Your
# local mail clients will connect via POP3 to your
# firewall for mail delivery. Note that this does
# not require the POP3_CLIENT option for clients
# inside the firewall.
#

SMTP_LOCAL_SERVER=1


# ------------------------------------------------------------------


#
# CLIENT ACCESS
#
# Set the following variables = 1 to enable their respective
# client services, or = 0 to disable. These features allow
# your internal clients to access services on external
# Internet servers.
#

AUTH_CLIENT=1 # The Auth Protocol
DNS_CLIENT=1 # Domain Name Servers
FINGER_CLIENT=1 # Finger Protocol
FTP_CLIENT=1 # File Transfer Protocol
GOPHER_CLIENT=1 # Gopher Protocol
HTTP_CLIENT=1 # WWW Client Protocol
HTTPS_CLIENT=1 # Secure WWW Client Protocol
HTTP_PROXY=0 # WWW through a Web Proxy Server
NNTP_CLIENT=1 # The Usenet News Protocol
NNTPS_CLIENT=1 # NNTP access over SSL (port 563)
NTP_CLIENT=1 # The Network Time Protocol
SSH_CLIENT=1 # The secure SSH Protocol (Telnet/FTP)
TELNET_CLIENT=1 # The Telnet Protocol
WAIS_CLIENT=1 # The WAIS Protocol
WHOIS_CLIENT=1 # WHOIS Protocol
ICQ_CLIENT=1 # The Miribilis ICQ Client Protocol
RV_CLIENT=1 # The RealVideo Client (port 554)
PPTP_CLIENT=1 # PPTP server access as client (1723)

# ------------------------------------------------------------------

#
# SERVER ACCESS
#

# Enable this if you're running dhcpd on your firewall to
# supply IP addresses to machines on your internal (masqueraded)
# network.

DHCP_SERVER=0 # DHCP server for internal network


# Note: Enabling these services is for EXTERNAL access from
# the Internet. Access from internal clients to the firewall
# server does not require that these items be configured.
# THIS IS FOR EXTERNAL ACCESS - BE CAREFUL!
#

FTP_SERVER=0 # If you are running an FTP server
MY_FTP_CLIENTS="any/0" # My FTP client list
DNS_CACHING_SERVER=0 # Caching-Only Domain Name Server
DNS_FULL_SERVER=1 # Full-function Domain Name Server
# DNS Secondary name servers for zone transfer:
# Place allowed DNS IP's in /etc/firewall/firewall.dns
# in CIDR format, one IP per line
AUTH_SERVER=1 # AUTH protocol server
POP3_SERVER=1 # POP-3 EMail server
MY_POP3_CLIENTS="any/0" # POP-3 EMail client list
IMAP_SERVER=0 # IMAP EMail server
MY_IMAP_CLIENTS="any/0" # IMAP EMail client list
NNTP_SERVER=0 # Usenet NNTP News server
MY_NNTP_CLIENTS="any/0" # Usenet News client list
NNTP_NEWS_FEED=0 # NNTP News feeds
TELNET_SERVER=0 # Telnet server (unsecure - not recommended)
MY_TELNET_CLIENTS="any/0" # Telnet client list
SSH_SERVER=1 # Secure SSH server (Telnet/FTP)
MY_SSH_CLIENTS="any/0" # Secure SSH client list
SSH_PORT="22" # SSH access port, usually 22
HTTP_SERVER=1 # Web (HTTP) server
MY_HTTP_CLIENTS="any/0" # My WWW client list
HTTPS_SERVER=0 # Secure Web server (SSL)
FINGER_SERVER=0 # Finger Server (not recommended)
MY_FINGER_CLIENTS="any/0" # My Finger client list

#
# Games
#

HALF_LIFE=0 # Enable this if you run a
# Half-Life/CounterStrike server
WOLF_CLIENT=0 # Client ports for Return to Castle Wolfenstein

[falko]

Looks ok.

I found this about your iptables error: http://archives.free.net.ph/message/...451b7f.en.html

[adityavpratap]

Thanks falko, for the prompt reply. However, I found the link mentioned by you already and have recompiled the kernel with the said parameter = y. Still the error messages ceases to go away.
I don't know what is going on.
By the way, I have no chkconfig in slackware. But even then the firewall should start, and this is not happening.

[falko]

Quote:

Originally Posted by adityavpratap

Thanks falko, for the prompt reply. However, I found the link mentioned by you already and have recompiled the kernel with the said parameter = y. Still the error messages ceases to go away.

And you booted the correct kernel, and not the old one?