[Firewall] Errors when starting Arno's firewall script

Thomas Seilund tps at netmaster.dk
Tue Jan 26 10:14:22 CET 2010


Philip A. Prindeville wrote:
> Same answer I gave a couple of weeks ago.  Run:
>
> % TRACE=1 arno-iptables-firewall start
>
> This will capture the commands it would have run into a file.
>
> You can then run that file as;
>
> bash -x /tmp/aifXXXXXXX
>
> and see which commands are generating errors.
>
> -Philip
>
>
> On 01/21/2010 02:00 AM, Thomas Seilund wrote:
>   
>> Dear All,
>>
>> I installed Arno's firewall script (I had to install the package iproute2; otherwise install.sh complains that the binary ip does not exist)
>>
>> When I call /etc/init.d/arno-iptables-firewall start I first get a lot of errors about modules not found, assuming compiled in. That's ok.
>>
>> But then I get messages like this:
>>
>>     
>> Disabling ECN (Explicit Congestion Notification)
>>  Set kernel parameter net.ipv4.tcp_ecn=0
>>  Set kernel parameter net.ipv4.ip_dynaddr=0
>>  Set kernel parameter net.ipv4.ip_no_pmtu_disc=0
>> Flushing route table
>>  Set kernel parameter net.ipv4.route.flush=1
>> Kernel setup done...
>> Initializing firewall chains
>> Setting all default policies to DROP while "setting up firewall rules"
>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>> Using loglevel "info" for syslogd
>>
>> Setting up firewall rules:
>> -------------------------------------------------------------------------------
>> Enabling setting the maximum packet size via MSS
>> Enabling mangling TOS
>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>
>> <<
>>
>> The message "/sbin/iptables: (1) iptables: No chain/target/match by that name." is in red text!
>>
>> I don't get any other messages in red text besides a lot of "/sbin/iptables: (1) iptables: No chain/target/match by that name."
>>
>> Finally I get:
>>
>>     
>> Security is ENFORCED for external interface(s) in the FORWARD chain
>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>
>> Jan 21 10:49:01 WARNING: Not all firewall rules are applied.
>> p600 arno-iptables-firewall_1.9.2h #
>> (reverse-i-search)`emer': ^Cerge -av iproute2
>> p600 arno-iptables-firewall_1.9.2h # /etc/init.d/arno-iptables-firewall start
>> Arno's Iptables Firewall Script v1.9.2h
>> -------------------------------------------------------------------------------
>> Sanity checks passed...OK
>> Checking/probing IPv4 Iptables modules:
>> /sbin/modprobe ip_tables: Module not found! Assuming compiled-in-kernel!
>> <<
>>
>> In /var/log/messages I get:
>>
>>     
>> Jan 21 10:48:52 p600 firewall: ** Starting Arno's Iptables Firewall v1.9.2h **
>> Jan 21 10:49:01 p600 firewall: ** WARNING: Not all firewall rules are applied **
>> <<
>>
>> I feel insecure getting the message "** WARNING: Not all firewall rules are applied **"
>>
>> Why do I get these messages?
>>
>> Any help would be appreciated.
>>
>> Thanks
>>
>> Thomas S
>>     
>
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>   
Hi Philip,

Thanks for the advice.

I followed your advice.

The temp file with the commands that would have been executed holds 305 lines!

When executing the commands in the file I get this output. Only part of the output is shown:

I recognize some of the error messages like "iptables: No chain/target/match by that name." but I don't know why I get these errors.

 >>
/sbin/iptables -N DMZ_INPUT_CHAIN
/sbin/iptables -N DMZ_FORWARD_IN_CHAIN
/sbin/iptables -N DMZ_FORWARD_OUT_CHAIN
/sbin/iptables -N DMZ_OUTPUT_CHAIN
/sbin/iptables -Z
/sbin/iptables -t nat -Z
/sbin/iptables -t mangle -Z
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -A POST_INPUT_DROP_CHAIN -j DROP
/sbin/iptables -A HOST_BLOCK_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level info --log-prefix 'AIF:Blocked host(s): '
iptables: No chain/target/match by that name.
/sbin/iptables -A HOST_BLOCK_DROP -j DROP
/sbin/iptables -F HOST_BLOCK_SRC
/sbin/iptables -F HOST_BLOCK_DST
/sbin/sysctl -w -a
error: "-a" must be of the form name=value
/sbin/iptables -A FORWARD -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
/sbin/iptables -A OUTPUT -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
/sbin/iptables -t nat -A POSTROUTING -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
/sbin/iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
iptables: No chain/target/match by that name.
/sbin/iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
iptables: No chain/target/match by that name.
/sbin/iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
iptables: No chain/target/match by that name.
/sbin/iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
iptables: No chain/target/match by that name.
/sbin/iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
iptables: No chain/target/match by that name.
/sbin/iptables -t mangle -A OUTPUT -o eth0 -p udp --dport 53 -j TOS --set-tos Maximize-Throughput
<<

Thanks

Thomas S
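The trace output above pairs each failing rule with the line that follows it, so the missing pieces can be tallied rather than read one by one. This is an added example, not code from the thread or from Arno's script: it summarizes which `-j` target (and any `-m` match the same rule uses) sits behind every "No chain/target/match by that name" line, plus any non-iptables error, over a constructed sample modelled on the thread's output.

```shell
#!/bin/sh
# Added example: summarize a `bash -x`-style trace of iptables commands.
# Assumed input format (as in the thread): a command line starting with
# /sbin/..., followed directly by the error it produced, if any.

# Constructed sample, trimmed from the thread's output (not a real capture).
SAMPLE_TRACE=$(cat <<'EOF'
/sbin/iptables -N DMZ_INPUT_CHAIN
/sbin/iptables -A HOST_BLOCK_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level info
iptables: No chain/target/match by that name.
/sbin/iptables -A HOST_BLOCK_DROP -j DROP
/sbin/sysctl -w -a
error: "-a" must be of the form name=value
/sbin/iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
iptables: No chain/target/match by that name.
/sbin/iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
iptables: No chain/target/match by that name.
EOF
)

# Reads a trace on stdin; prints one line per missing target ("TOS 2"),
# noting -m matches the rule also needs, and a count of other errors.
summarize_trace() {
    awk '
        # Remember the most recent command; an error line refers to it.
        /^\/sbin\// { cmd = $0; next }
        /^iptables: No chain\/target\/match by that name/ {
            n = split(cmd, f, " "); target = "?"; matches = ""
            for (i = 1; i < n; i++) {
                if (f[i] == "-j") target = f[i+1]
                if (f[i] == "-m") matches = matches (matches == "" ? "" : ",") f[i+1]
            }
            seen[target]++
            if (matches != "") uses[target] = matches
            next
        }
        # Anything else after a command is a non-iptables error (e.g. sysctl).
        /./ { other++ }
        END {
            for (t in seen) {
                note = (t in uses) ? (" (rule also uses -m " uses[t] ")") : ""
                printf "%s %d%s\n", t, seen[t], note
            }
            if (other) printf "other %d\n", other
        }
    '
}

printf '%s\n' "$SAMPLE_TRACE" | summarize_trace
```

Run it on the real trace with `bash -x /tmp/aifXXXXXXX 2>&1 | summarize_trace`; each named target is one the kernel or iptables userspace could not find, which is what the red messages in the thread indicate.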

