Ispconfig and iptables rules

Discussion in 'Installation/Configuration' started by lanceq, Jun 27, 2012.

  1. lanceq

    lanceq New Member

    Hello,
    I want to add to my iptables a few of rules, in addition it should do log of the DROP IP's to /var/log/messages
    Unfortunately, only a few of the large list of rules is added to the iptables (ispconfig-> Monitor-> Show Iptables)

    Theres my all rules:

    Code:
    iptables *filter
    iptables :INPUT DROP [0:0]
    iptables :FORWARD DROP [0:0]
    iptables :OUTPUT ACCEPT [0:0]
    iptables :ch - [0:0]
     
    # loopback
    iptables -A INPUT -i lo -j ACCEPT
     
    # login packet
    iptables -A INPUT -p tcp -m tcp --dport 7171 --tcp-flags FIN,SYN,RST,PSH,ACK,URG PSH,ACK -m length --length 191 -j ch
    # logout packet
    iptables -A INPUT -p tcp -m tcp --dport 7172 --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,ACK -m recent --set --name login --rsource
     
    # drop banned clients
    iptables -A INPUT -m recent --rcheck --seconds 600 --name ban --rsource -j DROP
     
    # accept established
    iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
     
    # ban over 24 connections
    iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 24 --connlimit-mask 32 -m recent --set --name ban --rsource -j DROP
     
    # IP-specific bans, 1 line per IP
    #iptables -A INPUT -s 186.211.32.3 -j DROP
     
    # HTTP
    iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
     
    # loginserver and gameserver
    iptables -A INPUT -p tcp -m tcp --dport 7171 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit ! --connlimit-above 2 --connlimit-mask 32 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 7172 --tcp-flags FIN,SYN,RST,ACK SYN -m recent --rcheck --seconds 30 --name login --rsource -j ACCEPT
     
    # DNS
    iptables -A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT
     
    # NTP
    #iptables -A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 123 -j ACCEPT
     
    # SSH
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
     
    # ban UDP, not very useful!
    iptables -A INPUT -p udp -m recent --set --name ban --rsource -j DROP
     
    # accept login
    iptables -A ch -m recent --set --name login --rsource -j ACCEPT
    #logging
    iptables -A INPUT -i $if_ext -p all -j LOG --log-prefix " - FIREWALL: droped -> "
    And only those rules have been added.

    Code:
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
    -A INPUT -p udp -m state --state ESTABLISHED -m udp --sport 53 -j ACCEPT 
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
    When i execute this script i receives a lot of errors:

    Code:
    Bad argument `*filter'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:INPUT'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:FORWARD'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:OUTPUT'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:ch'
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.8: Couldn't load target `ch':/lib/xtables/libipt_ch.so: cannot open shared object file: No such file or directory
    
    Try `iptables -h' or 'iptables --help' for more information.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    Bad argument `COMMIT'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `all'
    Try `iptables -h' or 'iptables --help' for more information.
    [email protected]:/etc/init.d# sh firewall.sh
    Bad argument `*filter'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:INPUT'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:FORWARD'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:OUTPUT'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:ch'
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.8: Couldn't load target `ch':/lib/xtables/libipt_ch.so: cannot open shared object file: No such file or directory
    
    Try `iptables -h' or 'iptables --help' for more information.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    Bad argument `COMMIT'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `all'
    Try `iptables -h' or 'iptables --help' for more information.
    [email protected]:/etc/init.d# sh firewall.sh
    Bad argument `*filter'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:INPUT'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:FORWARD'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:OUTPUT'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:ch'
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.8: Couldn't load target `ch':/lib/xtables/libipt_ch.so: cannot open shared object file: No such file or directory
    
    Try `iptables -h' or 'iptables --help' for more information.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    Bad argument `all'
    Try `iptables -h' or 'iptables --help' for more information.
    [email protected]:/etc/init.d# sh firewall.sh
    Bad argument `*filter'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:INPUT'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:FORWARD'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:OUTPUT'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:ch'
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.8: Couldn't load target `ch':/lib/xtables/libipt_ch.so: cannot open shared object file: No such file or directory
    
    Try `iptables -h' or 'iptables --help' for more information.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    Bad argument `all'
    Try `iptables -h' or 'iptables --help' for more information.
    [email protected]:/etc/init.d# sh firewall.sh
    Bad argument `*filter'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:INPUT'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:FORWARD'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:OUTPUT'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `:ch'
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.8: Couldn't load target `ch':/lib/xtables/libipt_ch.so: cannot open shared object file: No such file or directory
    
    Try `iptables -h' or 'iptables --help' for more information.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    Bad argument `all'
    Try `iptables -h' or 'iptables --help' for more information.
    and ifconfig because i don't know that entered a good network
    Code:
    [email protected]:/etc/init.d# ifconfig
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:36780 errors:0 dropped:0 overruns:0 frame:0
              TX packets:36780 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:30657328 (29.2 MiB)  TX bytes:30657328 (29.2 MiB)
    
    venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
              UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
              RX packets:345186 errors:0 dropped:0 overruns:0 frame:0
              TX packets:248992 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:427749317 (407.9 MiB)  TX bytes:34822662 (33.2 MiB)
    
    venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              inet addr:91.204.162.161  P-t-P:91.204.162.161  Bcast:0.0.0.0  Mask:255.255.255.255
              UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
    
    Could u help me to fix these rules?
     
    Last edited: Jun 28, 2012

Share This Page