iptables script...

  1. #1

    iptables script...

    I'm trying to get an iptables script to work. Can anyone spot the error in it? I keep getting "iptables: No chain/target/match by that name".
    I understand the error, but I can't find where it is.

    #!/bin/sh

    # change eth0 with the NIC that's connected to the internet
    ext_ip="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
    LOG_LEVEL="notice"

    # if eth0 has no address yet, every "-d $ext_ip" below would be passed an
    # empty argument and iptables would fail with an unrelated-looking error
    if [ -z "$ext_ip" ]; then
        echo "could not determine the IP address of eth0" >&2
        exit 1
    fi

    # flush all rules from the built-in chains (-F), then delete any
    # user-defined chains (-X); -X only succeeds once the chains are empty
    iptables -F
    iptables -X

    # enable some extra security options
    # it's possible that some of these commands may cause errors, if so just comment
    # them out, they're not that important anyway
    # (ip_forward enables routing between interfaces rather than hardening
    # anything; leave it at 0 unless this box is a gateway)
    #echo 1 > /proc/sys/net/ipv4/ip_forward
    #echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    #echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    #echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    #echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    #echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    #echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    #echo "1024 9999" > /proc/sys/net/ipv4/ip_local_port_range
    #for i in /proc/sys/net/ipv4/conf/*; do
    #    echo 1 > $i/rp_filter
    #done

    ################################ Input rules #######################################
    # set up default policy for incoming packets
    iptables -P INPUT DROP

    # these rules filter packets based on certain TCP flags
    # LOG is a target module (ipt_LOG): if the kernel lacks it, every rule with
    # "-j LOG" fails with "iptables: No chain/target/match by that name"
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level $LOG_LEVEL --log-prefix "ANTI PORTSCAN: "
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level $LOG_LEVEL --log-prefix "ANTI PORTSCAN: "
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    # allow everything from the loopback network device
    iptables -A INPUT -i lo -j ACCEPT

    # DROP packets associated with an "INVALID" connection and ACCEPT packets
    # which are part of, or related to, an established connection.
    # These must come before the DENIED_PORTS loop below: replies to connections
    # we opened ourselves arrive on our ephemeral source ports (see
    # /proc/sys/net/ipv4/ip_local_port_range), which sit inside the 7000:64000
    # denied range and would otherwise be logged and dropped there.
    # "-m state" needs the ipt_state/ip_conntrack modules; a kernel without them
    # also gives "No chain/target/match by that name"
    iptables -A INPUT -m state --state INVALID -j LOG --log-level $LOG_LEVEL --log-prefix "INVALID CONNECTION: "
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # these are gateways/dns/dhcp servers from my ISP so I allow everything from them
    iptables -A INPUT -i eth0 -s 195.54.112.136 -d $ext_ip -j ACCEPT
    iptables -A INPUT -i eth0 -s 195.54.112.198 -d $ext_ip -j ACCEPT
    iptables -A INPUT -i eth0 -s 213.112.91.129 -d $ext_ip -j ACCEPT

    # these are ports that must be denied access to at all times
    # (new connections only: established traffic was already accepted above)
    DENIED_PORTS="0:20 23:50 60:112 114:6660 7000:64000"
    for PORT in $DENIED_PORTS; do
        iptables -A INPUT -i eth0 -p tcp --dport $PORT -j LOG --log-level $LOG_LEVEL --log-prefix "DENIED PORTS: "
        iptables -A INPUT -i eth0 -p udp --dport $PORT -j LOG --log-level $LOG_LEVEL --log-prefix "DENIED PORTS: "
        iptables -A INPUT -i eth0 -p tcp --dport $PORT -j DROP
        iptables -A INPUT -i eth0 -p udp --dport $PORT -j DROP
    done

    # these are ports that I allow at all times (useful for irc dcc'ing, ftp, ssh)
    iptables -A INPUT -i eth0 -p tcp -d $ext_ip --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -d $ext_ip --dport 6667 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -d $ext_ip --dport 113 -j ACCEPT

    # deny everything that wasn't explicitly allowed by the above rules
    iptables -A INPUT -j LOG --log-level $LOG_LEVEL --log-prefix "DEFAULT: "
    iptables -A INPUT -j DROP

    ################################ Output rules #######################################
    iptables -P OUTPUT ACCEPT

    ################################ Forward rules ######################################
    iptables -P FORWARD DROP

  2. #2

    Re: iptables script...

    Try doing an iptables -L. That will echo each rule on the screen as it is executed.

  3. #3

    Re: iptables script...

    I'd guess you don't have a certain feature built into the kernel that you're trying to use. Do each rule one by one until you find the one that's messing up and go from there.

  4. #4

    Re: iptables script...

    Just thought I'd point out a few things:

    # flush all the old rules and also delete them
    iptables -F
    iptables -X
    This is redundant; once the rules are flushed there are no rules to delete

    #for i in /proc/sys/net/ipv4/conf/*; do
    #    echo 1 > $i/rp_filter
    #done
    If you want to use this, you could also do this:

    Code:
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $i
    done


    But, do as Kenshi said, do the rules one by one until you find the one that screws up. It's possible that you don't have one of the modules you're trying to use, or you've spelled one of the targets wrong.
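
The two replies above point at the usual cause of "No chain/target/match by that name": a match (`-m state`) or target (`-j LOG`) the running kernel doesn't have. Rather than commenting rules out one by one, the script below (an added example, not something posted in the thread) pulls every `-m NAME` and `-j NAME` out of a firewall script and compares them against the lists the kernel itself exports in `/proc/net/ip_tables_matches` and `/proc/net/ip_tables_targets`. The script name `check_ipt_modules.sh` and the sample firewall file used in the test are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report which iptables matches ("-m NAME")
# and targets ("-j NAME") used by a firewall script are absent from the running
# kernel. The kernel lists the extensions it currently has in
# /proc/net/ip_tables_matches and /proc/net/ip_tables_targets (only populated
# once the ip_tables module is loaded; "iptables -L >/dev/null" loads it).
#
# Usage: sh check_ipt_modules.sh /path/to/firewall.sh

# Every "-m NAME" / "--match NAME" in the script, de-duplicated, one per line.
script_matches() {
    grep -o -E -- '(-m|--match)[[:space:]]+[A-Za-z0-9_]+' "$1" \
        | awk '{ print $2 }' | sort -u
}

# Every "-j NAME" / "--jump NAME", minus the built-in verdicts, the built-in
# chains and any chain the script itself creates with -N: none of those is a
# target module, so none of them can be "missing".
script_targets() {
    created=$(grep -o -E -- '(-N|--new-chain)[[:space:]]+[A-Za-z0-9_]+' "$1" \
                | awk '{ print $2 }' | tr '\n' ' ')
    grep -o -E -- '(-j|--jump)[[:space:]]+[A-Za-z0-9_]+' "$1" \
        | awk '{ print $2 }' | sort -u \
        | while read -r name; do
            case " ACCEPT DROP RETURN QUEUE INPUT OUTPUT FORWARD PREROUTING POSTROUTING $created" in
                *" $name "*) ;;
                *) echo "$name" ;;
            esac
          done
}

# Read names on stdin; print those that do not appear as a whole line in the
# kernel list file $1.
missing_from() {
    while read -r name; do
        grep -qx -- "$name" "$1" || echo "$name"
    done
}

if [ -n "${1:-}" ]; then
    if [ ! -r /proc/net/ip_tables_matches ]; then
        echo "/proc/net/ip_tables_matches not readable; run 'iptables -L' once as root to load ip_tables" >&2
        exit 1
    fi
    echo "matches used in $1 but not present in the kernel:"
    script_matches "$1" | missing_from /proc/net/ip_tables_matches
    echo "targets used in $1 but not present in the kernel:"
    script_targets "$1" | missing_from /proc/net/ip_tables_targets
fi
```

Two caveats when reading the output. The proc files list only extensions already loaded, and iptables normally asks modprobe for a missing one when a rule is added, so a name reported here is a problem only if `modprobe ipt_<name>` (or `xt_<name>` on newer kernels) fails too. And `-p tcp --dport` loads the tcp/udp match implicitly without any `-m`, so those protocol matches are not checked by this script.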

  5. #5

    Re: iptables script...


    Just thought I'd point out a few things:
    This is redundant; once the rules are flushed there are no rules to delete
    No no, they are different. iptables -F flushes all the rules. iptables -X removes any user-created chains. He didn't create any but it's still a good practice to put that in there.
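
The post above has the distinction right: -F empties the chains, -X deletes user-defined chains, and the kernel refuses -X while a chain still holds rules or is still jumped to, so the order matters. What the original script does not do is repeat this for the other tables: a rule left in nat or mangle survives a plain `iptables -F`. The following added example (not from the thread) resets every table the kernel reports in `/proc/net/ip_tables_names`; the `IPTABLES` variable for dry runs and the `--run` flag are conventions assumed here.

```shell
#!/bin/sh
# Added example, not from the thread: a full reset of the ruleset, doing what
# "iptables -F; iptables -X" does but for every loaded table and in the order
# the kernel requires. -F empties the chains; -X can then delete user-defined
# chains, which the kernel refuses while a chain still holds rules or is still
# jumped to from another rule, so -X before -F would fail or leave chains behind.
#
# Usage: sh reset_iptables.sh --run                              (needs root)
#        IPTABLES="echo iptables" sh reset_iptables.sh --run     (dry run)

IPTABLES="${IPTABLES:-iptables}"

# Tables currently loaded, from the kernel's own list, or the standard four
# if that file isn't there yet (it appears once ip_tables is loaded).
loaded_tables() {
    names="${1:-/proc/net/ip_tables_names}"
    if [ -r "$names" ]; then
        cat "$names"
    else
        printf 'filter\nnat\nmangle\nraw\n'
    fi
}

# For each table: flush every chain (-F), delete the now-empty user-defined
# chains (-X) and zero the packet/byte counters (-Z) so the next
# "iptables -L -v" shows only what the new rules have seen.
reset_iptables() {
    for table in $(loaded_tables "$1"); do
        $IPTABLES -t "$table" -F
        $IPTABLES -t "$table" -X
        $IPTABLES -t "$table" -Z
    done
}

case "${1:-}" in
    --run) reset_iptables ;;
esac
```

Note that the built-in chains' policies are not touched here; the calling script sets them (as the original does with `-P INPUT DROP`) after the reset. On a remote box, flushing and then rebuilding rule by rule leaves a window in which the policy alone applies; `iptables-restore` loads a complete ruleset atomically and avoids that.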

  6. #6

    Re: iptables script...

    Ah, oops. Bit of a blonde moment there. I had just woken up when I posted that.
