BlackCat73 n00b
Joined: 11 Sep 2004 Posts: 15 Location: VIC, Australia
Posted: Thu Sep 16, 2004 11:49 am
Ok, I read in another post in this or another thread that those long lines I typed are a shell script.
So I copied it into my /root/scripts/iptables_script, made it executable with chmod, and then ran it.
I then got this error message:
Code:
root@usagi scripts # ./iptables_script
modprobe: Can't locate module ip_tables
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.11: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
modprobe: Can't locate module ip_tables
iptables v1.2.11: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Am I supposed to recompile it into the kernel as a module?
Thanks.

BlackCat73 n00b
Joined: 11 Sep 2004 Posts: 15 Location: VIC, Australia
Posted: Fri Sep 17, 2004 6:32 am
I got it fixed; I forgot to include the necessary components in my kernel.
After I did that and recompiled my kernel, everything returned to normal.

BlindSpy Apprentice
Joined: 20 Mar 2004 Posts: 263
Posted: Fri Sep 17, 2004 3:13 pm
great guide! thanks
_________________
Symlinks to: xorg.conf

burmashave Tux's lil' helper
Joined: 01 Dec 2002 Posts: 82
Posted: Mon Sep 20, 2004 5:21 am Post subject: Thanks!
Thanks for an excellent quickstart!

radsatori n00b
Joined: 11 Sep 2003 Posts: 6 Location: Halifax, Nova Scotia
Posted: Thu Oct 07, 2004 8:06 pm Post subject: I find this is a much simpler way for me
I use this process on my Gentoo box and my Redhat VPS, and for me it is the simplest of all the ways I have tried.
Basically, put in the ports of the services you want and comment out the ones you don't, and then run the script.
Then, after you run the script, do a /etc/init.d/iptables save, and then a /etc/init.d/iptables restart.
You can take a peek at what your current rules are by running the command iptables-save at any time.
And if you have just installed iptables, as mentioned, do an rc-update add iptables default.
SCRIPT - I called mine firewall.sh and made it executable
**********************************************************
#!/bin/bash
#---------------------------------------------------------------
# Reset everything: flush all rules and delete user-defined chains
# in the filter, nat and mangle tables
#---------------------------------------------------------------
iptables -F
iptables -X
iptables -F -t nat
iptables -F -t mangle
#---------------------------------------------------------------
# Basically let this machine access any port on itself (loopback)
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#---------------------------------------------------------------
# Users on this computer can access the web with no problems:
# any outbound connection and the replies to it are allowed
#---------------------------------------------------------------
iptables -A OUTPUT -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#---------------------------------------------------------------
# Different ports to be accessed
#---------------------------------------------------------------
#------- FTP SERVICES ---------------------------------------
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
#------- SSH SERVICES ---------------------------------------
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#------- SMTP SERVICES --------------------------------------
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
#------- NAME SERVER ----------------------------------------
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 953 -j ACCEPT
#------- APACHE WEB SERVER ----------------------------------
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#------- POP3 SERVER ----------------------------------------
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
#------- IMAP SERVER ----------------------------------------
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
_________________
Linux Hackers mandate is to have 75% of all Maritime Canada residents, businesses, and government entities using the Linux operating system and other open source derived software by the year 2009.

Rooney Apprentice
Joined: 07 Aug 2003 Posts: 193 Location: Sheffield, UK
Posted: Wed Oct 20, 2004 4:53 pm
Just want to say thanks. I'm not a noob to Gentoo but certainly am to iptables, and this helped big time.
Cheers.....Rooney

lundi n00b
Joined: 13 Dec 2003 Posts: 13
Posted: Fri Oct 22, 2004 3:17 am
Every time I start up the iptables service, I have to do
"echo 1 > /proc/sys/net/ipv4/ip_forward" manually again. Am I doing something wrong?

Walmarde Tux's lil' helper
Joined: 17 Mar 2003 Posts: 91 Location: Granby (Quebec)
Posted: Fri Oct 29, 2004 5:44 pm
Nice how-to!
_________________
Naturally, the common people don't want war, it is always a simple matter to drag people. All you have to do is to tell them they are being attacked and denounce the pacifist for lack of patriotism and exposing the country to danger. -Hermann Goering-

zdra Veteran
Joined: 30 Nov 2003 Posts: 1693 Location: Bruxelles, Belgique
Posted: Sat Oct 30, 2004 9:11 am
lundi wrote:
Every time I start up the iptables service, I have to do
"echo 1 > /proc/sys/net/ipv4/ip_forward" manually again. Am I doing something wrong?

I have the same problem! I've tried with this in /etc/conf.d/iptables:
Code:
ENABLE_FORWARDING_IPv4="yes"
but it doesn't work.... Does someone have an idea?
thx.

Tazok Guru
Joined: 25 Oct 2003 Posts: 310
Posted: Sun Nov 07, 2004 5:13 pm
My router has only one NIC, which is connected to the adsl-modem and to the rest of the network via a switch. It looks like this:
Code:
            switch          ______
   ___        _           (      )
  |   |------|_|----------(  LAN )
  |___|       |           (______)
  router      |
             |_|
          adsl-modem

Can anyone provide me with an absolutely minimal configuration for iptables, including masquerading (access to the internet from my LAN) and blocking all incoming connections from the internet (prevent access to nfs and other network services)?
I would really like to learn iptables, but I need something to start with.
Thanks for any help!

res0r9lm n00b
Joined: 30 Jul 2004 Posts: 56
Posted: Mon Nov 08, 2004 6:42 pm
/etc/conf.d/iptables and /etc/init.d/iptables have changed and no longer have anything to do with IP forwarding in the latest ~x86 version. Not sure where this needs to be enabled now, but I think /etc/sysctl.

j-m Retired Dev
Joined: 31 Oct 2004 Posts: 975
Posted: Tue Nov 09, 2004 2:16 am
Put the following in /etc/conf.d/local.start
Code:
echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
This is also advised when you finish emerging iptables.

cocran n00b
Joined: 27 Jan 2005 Posts: 1
Posted: Fri Jan 28, 2005 12:08 am Post subject: iptables problem
Hello. I am a new Linux and Gentoo supporter, and I have a problem with iptables.
I followed the great tutorial, but I stopped without seeing "the light out of the tunnel".
I compiled the kernel with genkernel and I enabled iptables support (not as a module). I emerged iptables and configured the network. But when trying to run the script I get
Code:
bash-2.05b# ./ipConfig.script
iptables v1.2.11: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.11: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.11: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Warning: wierd character in interface `-o' (No aliases, :, ! or *).
Bad argument `eth0'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.11: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.11: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.2.11: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
bash-2.05b#
I also tried again, this time enabling iptables in the kernel as a module, then doing "modprobe ip_tables". In fact I have this result from lsmod:
Code:
bash-2.05b# lsmod
Module Size Used by
ipt_MASQUERADE 3464 2
iptable_nat 24620 2 ipt_MASQUERADE
ip_tables 17920 2 ipt_MASQUERADE,iptable_nat
ohci_hcd 17924 0
snd_via82xx 21764 0
snd_ac97_codec 59908 1 snd_via82xx
snd_pcm 76808 1 snd_via82xx
snd_page_alloc 8840 2 snd_via82xx,snd_pcm
snd_mpu401_uart 5504 1 snd_via82xx
snd_rawmidi 18852 1 snd_mpu401_uart
usbhid 28480 0
uhci_hcd 27792 0
parport_pc 25920 0
parport 32328 1 parport_pc
via_agp 6784 1
usb_storage 25088 0
ehci_hcd 24580 0
usbcore 91360 7 ohci_hcd,usbhid,uhci_hcd,usb_storage,ehci_hcd
But the result of the script is the same. I am using kernel 2.6.7.
I really don't know what I can invent to help me.
Thanks
_________________
The hope is the last to die

Rooney Apprentice
Joined: 07 Aug 2003 Posts: 193 Location: Sheffield, UK
Posted: Fri Jan 28, 2005 5:27 pm
Just built myself a new system. Whereas the old one worked fine with iptables, this one won't boot the modified kernel for some reason. Can someone look over my kernel options?
< > Connection tracking (required for masq/NAT)
[ ] Connection mark tracking support
< > Userspace queueing via NETLINK
<M> IP tables support (required for filtering/masq/NAT)
<M> limit match support
<M> IP range match support
<M> MAC address match support
<M> Packet type match support
<M> netfilter MARK match support
<M> Multiple port match support
<M> TOS match support
<M> recent match support
<M> ECN match support
<M> DSCP match support
<M> AH/ESP match support
<M> LENGTH match support
<M> TTL match support
<M> tcpmss match support
<M> Owner match support
<M> address type match support
<M> realm match support
<M> SCTP protocol match support
<M> comment match support
<M> hashlimit match support
<M> Packet filtering
<M> REJECT target support
<M> LOG target support
<M> ULOG target support
<M> TCPMSS target support
< > Packet mangling
< > raw table support (required for NOTRACK/TRACE)
< > ARP tables support
< > ipchains (2.2-style) support
< > ipfwadm (2.0-style) support
As these are all modules I wouldn't have thought it would affect a boot, as they are loaded on demand and I haven't yet added anything to modules.autoload.
####addendum####
I have found this happens when I add my network card drivers. I have also tried 2 cards (e100 and 3c59x) but both fetch a kernel panic.

torklingberg Tux's lil' helper
Joined: 30 May 2004 Posts: 86
Posted: Sat Jan 29, 2005 10:18 pm
What settings change if I want forwarding for the client, but no firewalling?

edwardpayne n00b
Joined: 17 Nov 2004 Posts: 7 Location: Östersund, Sweden
Posted: Thu Feb 03, 2005 9:19 pm Post subject: ipt_state not found
I installed a new Gentoo system last night.
I can't get iptables to work on this machine. I figured out that I'm missing the ipt_state module (can't load it), since it's this line I can't execute:
Code:
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state NEW,ESTABLISHED -j ACCEPT
It's very annoying.. I can't find where ipt_state is in the menuconfig either.. I need help here! I'm using Gentoo 2003.4 with the gen-sources kernel (2.6).
Or am I wrong about ipt_state?
plz help.

Xamindar Veteran
Joined: 03 Oct 2004 Posts: 1155 Location: California
Posted: Thu Feb 24, 2005 5:27 pm
Great howto! Thanks.
I have a couple of questions though.
What does this part do exactly?
Code:
# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
As my internal network is able to communicate with the outside world just fine with only nabled, this command doesn't make sense.
Does the commented out "echo -e" even do anything?
Code:
#echo -e " - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
And also, is there any way to ignore arp requests that my isp is continually sending out? Or is that kind of pointless.
Thanks :D

SerfurJ l33t
Joined: 10 Apr 2004 Posts: 824 Location: Texas
Posted: Wed Mar 09, 2005 7:27 pm

here's an even simpler starting point for people who don't need the system to be a router:
Code:
#!/bin/bash
IPTABLES='/sbin/iptables'
# Set interface values
EXTIF='eth1'
# flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
#echo -e " - Allowing access to the SSH server"
$IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
#echo -e " - Allowing access to the HTTP server"
$IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
# block out all other Internet access on $EXTIF
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

imsdunn n00b
Joined: 06 Sep 2003 Posts: 19
Posted: Sat Mar 12, 2005 8:43 pm
Krunk, Very nice! Great instructions! I just set up my first network at home following your instructions.
_________________
---------------------
s.dunn

odioworks_com Tux's lil' helper
Joined: 23 Jan 2005 Posts: 82 Location: Charlottesville, Virginia
Posted: Thu Apr 07, 2005 8:06 pm
hm, can't seem to get it to work...
Every time I run /etc/init.d/iptables start I get this error:
: No such file or directory
Here is my exact iptables script:
http://www.odioworks.com/iptables_code.txt
I asked this question in another post (https://forums.gentoo.org/viewtopic-p-2283977.html#2283977) and MrUlterior has been graciously helping me. He suggested adding the code:
Quote:
# Load every netfilter module shipped with the running kernel (they live
# under /lib/modules/<version>/kernel/net/*/netfilter). find's -printf "%f\n"
# prints just the file name; sed strips the ".ko" suffix for modprobe.
for MODULE in $(find /lib/modules/"$(uname -r)"/kernel/net -path '*netfilter*' -name '*.ko' -type f -printf '%f\n' | sed 's/\.ko$//'); do
    echo "Loading ${MODULE}"
    modprobe "$MODULE"
done
since iptables is built into my kernel and not loaded. However, this has not helped. Has anyone experienced this before? Is there another simple iptables script that people have had success with? I'm just basically interested in NATing...
TIA,
Sam

eleanor l33t
Joined: 01 Nov 2004 Posts: 666
Posted: Fri May 13, 2005 2:40 pm
Can anyone explain this to me:
Quote:
(radsatori's firewall.sh script from earlier in this thread, quoted in full)
I would like to know what the basic rules are when writing this. I understand why "iptables -A INPUT -p tcp --dport 143 -j ACCEPT" is the way it is, but I don't understand the other things. Please, I need help.

volkmar Tux's lil' helper
Joined: 01 Jul 2004 Posts: 122
Posted: Sat Jul 02, 2005 9:53 am

SerfurJ wrote:
here's an even simpler starting point for people who don't need the system to be a router:

I've got another one here. It's using the DROP policy and some ACCEPTs on the INPUT chain. This way both eth0 and eth1 can be used as interfaces to the internet.
Code:
######################### start ###########################
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
############################# end #################################
Since it's only a few lines you don't need a script for it. Simply type the commands into the console, then run "iptables-save". On reboot it should be restored automatically by "iptables-restore".
Additional lines for remote login (ssh) or SIP phone calls may be added.
Thanks to Georgi Alexandrov's reply on the netfilter mailing list.
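An added check, written for this thread and not taken from any of the posts: a small awk audit of iptables-save output that reports the filter chain policies and every port the INPUT chain accepts. The two sample dumps are constructed: the first mirrors what radsatori's firewall.sh above produces (it sets no -P policy, so the chains stay at the kernel default of ACCEPT and its port rules restrict nothing), the second mirrors volkmar's INPUT DROP ruleset.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump (stdin or file) for the filter table.
# Prints each chain policy, flags INPUT/FORWARD left at ACCEPT, and lists the
# proto/port pairs that INPUT rules ACCEPT.
audit_ruleset() {
    awk '
    /^\*/ { table = substr($0, 2); next }          # "*filter", "*nat", ...
    /^:/ && table == "filter" {                    # ":INPUT DROP [0:0]"
        policy[substr($1, 2)] = $2; next
    }
    $1 == "-A" && $2 == "INPUT" && table == "filter" {
        proto = "any"; port = ""; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p")      proto  = $(i + 1)
            if ($i == "--dport") port   = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (target == "ACCEPT" && port != "") open[n++] = proto "/" port
    }
    END {
        split("INPUT FORWARD OUTPUT", chain, " ")
        for (i = 1; i <= 3; i++) {
            c = chain[i]
            if (!(c in policy)) continue
            line = "policy " c " " policy[c]
            if (c != "OUTPUT" && policy[c] == "ACCEPT")
                line = line " (default-allow: ACCEPT rules in this chain restrict nothing)"
            print line
        }
        for (i = 0; i < n; i++) print "INPUT accepts " open[i]
    }' "$@"
}

# Constructed sample 1: what a script with no -P lines leaves behind.
SAMPLE_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Constructed sample 2: a default-deny ruleset in the style of volkmar's post.
SAMPLE_DROP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN --dport 113 -j REJECT --reject-with tcp-reset
COMMIT'

printf '%s\n' "$SAMPLE_OPEN" | audit_ruleset
printf '%s\n' "$SAMPLE_DROP" | audit_ruleset
# On a live box:  iptables-save | audit_ruleset
```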

simongermain n00b
Joined: 02 Feb 2006 Posts: 1
Posted: Thu Feb 02, 2006 5:34 am
Thanks a lot! this guide is REALLY helpful!
Good work man!

huckabuck Tux's lil' helper
Joined: 14 Apr 2007 Posts: 110 Location: Bronx, NY
Posted: Sun Nov 30, 2008 5:52 pm
Hi, I've been trying to get my iptables working for 3 days now, and I am lost. These are the commands I've been running as root:
tux ~ # modprobe ip_tables
tux ~ # iptables -F
tux ~ # iptables -X
tux ~ # iptables -Z
tux ~ # iptables -t mangle -F
tux ~ # iptables -t mangle -X
tux ~ # iptables -t mangle -Z
tux ~ # iptables -P INPUT DROP
tux ~ # iptables -P FORWARD DROP
tux ~ # iptables -P OUTPUT ACCEPT
tux ~ # iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables: No chain/target/match by that name
and the whole thing gets hung up at the last line. I just want to set up a basic firewall to be able to browse and torrent, and possibly set up an ftp fileserver in the future. What am I doing wrong? I wanted to get the rules straight, and get an understanding of what each command did, before I put it in a script to start up at boot.
Can anyone point me in the right direction? I know this was originally scripted for a box running as a router, but I have just my main system. I'm running gentoo-sources 2.6.26-r3.
Thanks in advance.
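The errors quoted in this thread ("Can't locate module ip_tables", "can't initialize iptables table `filter'", and "No chain/target/match by that name" on a -m state rule) all come down to netfilter options missing from the kernel. As an added example, not from any of the posters, here is a POSIX sh check of a kernel .config for the options each iptables feature depends on. The CONFIG_ symbols are the ones 2.6 kernels use (the older CONFIG_IP_NF_* spellings and the newer CONFIG_NF_* / CONFIG_NETFILTER_XT_* ones are both accepted), and the sample .config is constructed.

```shell
#!/bin/sh
# Added example: does this kernel .config provide what an iptables rule needs?
# Usage: check_netfilter /usr/src/linux/.config filter|nat|state|masq
# (zcat /proc/config.gz > /tmp/config first if the running kernel exposes it).

# Print y (built in), m (module) or n (absent / "is not set") for one CONFIG_ symbol.
kconfig_state() {
    awk -v sym="CONFIG_$2" -F= '$1 == sym { print $2; found = 1 }
                                END { if (!found) print "n" }' "$1"
}

# Succeed and print the first of the alternative symbols that is y or m.
kconfig_any() {
    cfg=$1; shift
    for sym in "$@"; do
        case "$(kconfig_state "$cfg" "$sym")" in
            y|m) echo "$sym"; return 0 ;;
        esac
    done
    return 1
}

# One line per requirement, "ok SYMBOL" or "MISSING alt1|alt2"; non-zero if any missing.
check_netfilter() {
    cfg=$1 rc=0
    case "$2" in
        filter) reqs="NETFILTER IP_NF_IPTABLES IP_NF_FILTER" ;;
        nat)    reqs="NETFILTER IP_NF_IPTABLES IP_NF_CONNTRACK|NF_CONNTRACK IP_NF_NAT|NF_NAT" ;;
        state)  reqs="IP_NF_CONNTRACK|NF_CONNTRACK IP_NF_MATCH_STATE|NETFILTER_XT_MATCH_STATE" ;;
        masq)   reqs="IP_NF_NAT|NF_NAT IP_NF_TARGET_MASQUERADE" ;;
        *)      echo "unknown feature: $2" >&2; return 2 ;;
    esac
    for req in $reqs; do
        if found=$(kconfig_any "$cfg" $(printf '%s' "$req" | tr '|' ' ')); then
            echo "ok $found"
        else
            echo "MISSING $req"; rc=1
        fi
    done
    return $rc
}

# Constructed sample .config: filtering present, but no connection tracking and
# no state match, which is the setup where "-m state" fails with "No chain/target/match".
SAMPLE_CFG=${TMPDIR:-/tmp}/netfilter-sample.config
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_CONNTRACK is not set
# CONFIG_IP_NF_MATCH_STATE is not set
# CONFIG_IP_NF_NAT is not set
EOF

check_netfilter "$SAMPLE_CFG" filter
check_netfilter "$SAMPLE_CFG" state || echo "-> enable the MISSING options and rebuild the kernel"
```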