I'm trying to get an iptables script to work. Can anyone spot the error in it? I keep getting "iptables: No chain/target/match by that name".
I understand the error, but I can't find where it is.
#!/bin/sh
# replace eth0 with the NIC that's connected to the internet
ext_ip="`/sbin/ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
LOG_LEVEL="notice"
# flush all the old rules and also delete them
iptables -F
iptables -X
# enable some extra security options
# it's possible that some of these commands may cause errors; if so, just comment
# them out, they're not that important anyway
#echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1024 9999" > /proc/sys/net/ipv4/ip_local_port_range
#for i in /proc/sys/net/ipv4/conf/*; do
# echo 1 > $i/rp_filter
#done
################################ Input rules #######################################
# set up default policy for incoming packets
iptables -P INPUT DROP
# these rules filter packets based on certain TCP flags
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level $LOG_LEVEL --log-prefix "ANTI PORTSCAN: "
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level $LOG_LEVEL --log-prefix "ANTI PORTSCAN: "
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# allow everything from the loopback network device
iptables -A INPUT -i lo -j ACCEPT
# these are gateways/dns/dhcp servers from my ISP so I allow everything from them
iptables -A INPUT -i eth0 -s 195.54.112.136 -d $ext_ip -j ACCEPT
iptables -A INPUT -i eth0 -s 195.54.112.198 -d $ext_ip -j ACCEPT
iptables -A INPUT -i eth0 -s 213.112.91.129 -d $ext_ip -j ACCEPT
# these are ports that must be denied access at all times
DENIED_PORTS="0:20 23:50 60:112 114:6660 7000:64000"
for PORT in $DENIED_PORTS; do
iptables -A INPUT -i eth0 -p tcp --dport $PORT -j LOG --log-level $LOG_LEVEL --log-prefix "DENIED PORTS: "
iptables -A INPUT -i eth0 -p udp --dport $PORT -j LOG --log-level $LOG_LEVEL --log-prefix "DENIED PORTS: "
iptables -A INPUT -i eth0 -p tcp --dport $PORT -j DROP
iptables -A INPUT -i eth0 -p udp --dport $PORT -j DROP
done
# these are ports that I allow at all times (useful for irc dcc'ing, ftp, ssh)
iptables -A INPUT -i eth0 -p tcp -d $ext_ip --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d $ext_ip --dport 6667 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d $ext_ip --dport 113 -j ACCEPT
# DROP packets associated with an "INVALID" connection.
iptables -A INPUT -m state --state INVALID -j LOG --log-level $LOG_LEVEL --log-prefix "INVALID CONNECTION: "
iptables -A INPUT -m state --state INVALID -j DROP
# ACCEPT packets which are related to an established connection.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# deny everything that wasn't explicitly allowed by the above rules
iptables -A INPUT -j LOG --log-level $LOG_LEVEL --log-prefix "DEFAULT: "
iptables -A INPUT -j DROP
################################ Output rules #######################################
iptables -P OUTPUT ACCEPT
################################ Forward rules ######################################
iptables -P FORWARD DROP
Try doing an iptables -L. That will echo each rule on the screen as it is executed.
I'd guess you don't have a certain feature built into the kernel that you're trying to use. Do each rule one by one until you find the one that's messing up and go from there.
Just thought I'd point out a few things:
This is redundant; once the rules are flushed there are no rules to delete:
Quote:
# flush all the old rules and also delete them
iptables -F
iptables -X
If you want to use this, you could also do this:
Quote:
#for i in /proc/sys/net/ipv4/conf/*; do
#   echo 1 > $i/rp_filter
#done
Code:
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $i; done
But, do as Kenshi said, do the rules one by one until you find the one that screws up. It's possible that you don't have one of the modules you're trying to use, or you've spelled one of the targets wrong.
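The advice in the replies above is to apply the rules one at a time until the one that produces "No chain/target/match by that name" shows up. The script below is an added example of doing exactly that automatically; it is not code from the thread. It assumes a rules file that holds one rule's arguments per line (everything after the word "iptables"), and it ships with a constructed stub named stub_iptables that rejects any rule using the "-m state" match, standing in for a kernel without that module, so it can be run without root and without touching a live firewall. Set IPTABLES to a real binary to use it against a real system.

```shell
#!/bin/sh
# Added example (not from the thread): apply a list of iptables rules one at
# a time and stop at the first one the kernel rejects, so the rule behind
# "No chain/target/match by that name" can be pinned down.
# IPTABLES can be overridden; a stub is used in the demo so this runs without root.
IPTABLES="${IPTABLES:-iptables}"

# apply_rules_one_by_one FILE
# Each non-blank, non-comment line of FILE holds the arguments of one rule
# (everything after "iptables"). Rules are applied in order; on the first
# failure FIRST_FAILING_RULE is set to that line number and the function
# returns 1. If every rule succeeds, FIRST_FAILING_RULE is 0 and it returns 0.
apply_rules_one_by_one() {
    rules_file="$1"
    n=0
    FIRST_FAILING_RULE=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        # word-splitting of $line into separate arguments is intended here
        if $IPTABLES $line 2>/dev/null; then
            echo "ok   line $n: iptables $line"
        else
            echo "FAIL line $n: iptables $line"
            FIRST_FAILING_RULE=$n
            return 1
        fi
    done < "$rules_file"
    return 0
}

# stub_iptables: constructed stand-in for the real binary. It accepts every
# rule except ones that load the "state" match module (the bare word "state"
# only appears as the argument of -m), mimicking a kernel without that
# module, which is one cause of the error discussed in the thread.
stub_iptables() {
    for arg in "$@"; do
        [ "$arg" = "state" ] && {
            echo "iptables: No chain/target/match by that name" >&2
            return 1
        }
    done
    return 0
}

# write_sample_rules FILE: constructed rule list modelled on the thread's
# script, with literal values in place of its shell variables.
write_sample_rules() {
    cat > "$1" <<'EOF'
-P INPUT DROP
# TCP-flag based portscan filter
-A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
EOF
}

# demo: run the sample rules against the stub and report the culprit.
# Exit status is the failing line number (0 if none) so callers can check it.
demo() {
    tmp=$(mktemp) || return 2
    write_sample_rules "$tmp"
    IPTABLES=stub_iptables
    apply_rules_one_by_one "$tmp" || true
    rm -f "$tmp"
    echo "first failing rule: line $FIRST_FAILING_RULE"
    return "$FIRST_FAILING_RULE"
}

# Run the demo only when invoked as: sh apply_rules.sh --demo
case "${1:-}" in --demo) demo ;; esac
```

Invoked with --demo, the stub rejects line 6 (the first "-m state" rule) and the run stops there, which is the information the thread's "go rule by rule" advice is after. On a real host, the same effect for the original script can be had with sh -x script.sh, which prints each command before it is executed so the failing iptables line is the last one printed before the error.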
No no, they are different. iptables -F flushes all the rules. iptables -X removes any user-created chains. He didn't create any but it's still a good practice to put that in there.
Quote:
Just thought I'd point out a few things:
This is redundant; once the rules are flushed there are no rules to delete