[Firewall] Errors when starting Arno's firewall script

Thomas Seilund tps at netmaster.dk
Thu Jan 28 11:10:32 CET 2010


Arno van Amersfoort wrote:
> Your problem is simple to determine: The TOS-target is missing. You 
> probably compiled your own kernel and forgot to include it either as a 
> module or in the kernel itself. Do note that for newer kernels the 
> name for the module holding this target has changed, I can't recall 
> the name now but I believe it was something like DSSP....
>
> a.
>
> Thomas Seilund wrote:
>> Philip A. Prindeville wrote:
>>> Same answer I gave a couple of weeks ago.  Run:
>>>
>>> % TRACE=1 arno-iptables-firewall start
>>>
>>> This will capture the commands it would have run into a file.
>>>
>>> You can then run that file as;
>>>
>>> bash -x /tmp/aifXXXXXXX
>>>
>>> and see which commands are generating errors.
>>>
>>> -Philip
>>>
>>>
>>> On 01/21/2010 02:00 AM, Thomas Seilund wrote:
>>>  
>>>> Dear All,
>>>>
>>>> I installed Arno's firewall script (I had to install package 
>>>> iproute2 otherwise install.sh complains that binary ip does not exist)
>>>>
>>>> When I call /etc/init.d/arno-iptables-firewall start I first get a 
>>>> lot of errors about modules not found, assuming compiled in. That's 
>>>> ok.
>>>>
>>>> But then I get messages like this:
>>>>
>>>>     Disabling ECN (Explicit Congestion Notification)
>>>>  Set kernel parameter net.ipv4.tcp_ecn=0
>>>>  Set kernel parameter net.ipv4.ip_dynaddr=0
>>>>  Set kernel parameter net.ipv4.ip_no_pmtu_disc=0
>>>> Flushing route table
>>>>  Set kernel parameter net.ipv4.route.flush=1
>>>> Kernel setup done...
>>>> Initializing firewall chains
>>>> Setting all default policies to DROP while "setting up firewall rules"
>>>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>>> Using loglevel "info" for syslogd
>>>>
>>>> Setting up firewall rules:
>>>> ------------------------------------------------------------------------------- 
>>>>
>>>> Enabling setting the maximum packet size via MSS
>>>> Enabling mangling TOS
>>>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>>>
>>>> <<
>>>>
>>>> The message "/sbin/iptables: (1) iptables: No chain/target/match by 
>>>> that name." is in red text!
>>>>
>>>> I don't get any other messages in red text besides a lot of 
>>>> "/sbin/iptables: (1) iptables: No chain/target/match by that name."
>>>>
>>>> Finally I get:
>>>>
>>>>     Security is ENFORCED for external interface(s) in the FORWARD 
>>>> chain
>>>>  /sbin/iptables: (1) iptables: No chain/target/match by that name.
>>>>
>>>> Jan 21 10:49:01 WARNING: Not all firewall rules are applied.
>>>> p600 arno-iptables-firewall_1.9.2h #
>>>> (reverse-i-search)`emer': ^Cerge -av iproute2
>>>> p600 arno-iptables-firewall_1.9.2h # 
>>>> /etc/init.d/arno-iptables-firewall start
>>>> Arno's Iptables Firewall Script v1.9.2h
>>>> ------------------------------------------------------------------------------- 
>>>>
>>>> Sanity checks passed...OK
>>>> Checking/probing IPv4 Iptables modules:
>>>> /sbin/modprobe ip_tables: Module not found! Assuming 
>>>> compiled-in-kernel!
>>>> <<
>>>>
>>>> In /var/log/messages I get:
>>>>
>>>>     Jan 21 10:48:52 p600 firewall: ** Starting Arno's Iptables 
>>>> Firewall v1.9.2h **
>>>> Jan 21 10:49:01 p600 firewall: ** WARNING: Not all firewall rules 
>>>> are applied **
>>>> <<
>>>>
>>>> I feel insecure getting the message "** WARNING: Not all firewall 
>>>> rules are applied **"
>>>>
>>>> Why do I get these messages?
>>>>
>>>> Any help would be appreciated.
>>>>
>>>> Thanks
>>>>
>>>> Thomas S
>>>>     
>>>
>>> _______________________________________________
>>> Firewall mailing list
>>> Firewall at rocky.eld.leidenuniv.nl
>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>> http://rocky.eld.leidenuniv.nl
>>>   
>> Hi Philip,
>>
>> Thanks for the advice.
>>
>> I followed your advice.
>>
>> The temp file with the commands that would have been executed holds 
>> 305 lines!
>>
>> When executing the commands in the file I get this output. Only part 
>> of the output is shown:
>>
>> I recognize some of the error messages like "iptables: No 
>> chain/target/match by that name." but I don't know why I get these 
>> errors.
>>
>>  >>
>> /sbin/iptables -N DMZ_INPUT_CHAIN
>> /sbin/iptables -N DMZ_FORWARD_IN_CHAIN
>> /sbin/iptables -N DMZ_FORWARD_OUT_CHAIN
>> /sbin/iptables -N DMZ_OUTPUT_CHAIN
>> /sbin/iptables -Z
>> /sbin/iptables -t nat -Z
>> /sbin/iptables -t mangle -Z
>> /sbin/iptables -P INPUT DROP
>> /sbin/iptables -P FORWARD DROP
>> /sbin/iptables -P OUTPUT DROP
>> /sbin/iptables -A POST_INPUT_DROP_CHAIN -j DROP
>> /sbin/iptables -A HOST_BLOCK_DROP -m limit --limit 1/m --limit-burst 
>> 1 -j LOG --log-level info --log-prefix 'AIF:Blocked host(s): '
>> iptables: No chain/target/match by that name.
>> /sbin/iptables -A HOST_BLOCK_DROP -j DROP
>> /sbin/iptables -F HOST_BLOCK_SRC
>> /sbin/iptables -F HOST_BLOCK_DST
>> /sbin/sysctl -w -a
>> error: "-a" must be of the form name=value
>> /sbin/iptables -A FORWARD -o eth0 -p tcp --tcp-flags SYN,RST SYN -j 
>> TCPMSS --clamp-mss-to-pmtu
>> /sbin/iptables -A OUTPUT -o eth0 -p tcp --tcp-flags SYN,RST SYN -j 
>> TCPMSS --clamp-mss-to-pmtu
>> /sbin/iptables -t nat -A POSTROUTING -o eth0 -p tcp --tcp-flags 
>> SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
>> /sbin/iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 20 -j TOS 
>> --set-tos Maximize-Throughput
>> iptables: No chain/target/match by that name.
>> /sbin/iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 21 -j TOS 
>> --set-tos Minimize-Delay
>> iptables: No chain/target/match by that name.
>> /sbin/iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 22 -j TOS 
>> --set-tos Minimize-Delay
>> iptables: No chain/target/match by that name.
>> /sbin/iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 23 -j TOS 
>> --set-tos Minimize-Delay
>> iptables: No chain/target/match by that name.
>> /sbin/iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 25 -j TOS 
>> --set-tos Minimize-Delay
>> iptables: No chain/target/match by that name.
>> /sbin/iptables -t mangle -A OUTPUT -o eth0 -p udp --dport 53 -j TOS 
>> --set-tos Maximize-Throughput
>> <<
>>
>> Thanks
>>
>> Thomas S
>>
>
Hi Arno

Thanks for the tip.

True - I compile my own kernel. I use a gentoo distro.

Using menuconfig to configure my kernel I decided to compile as 
much as possible as modules under the netfilter section.

Now I only have two error messages left when I start the firewall script.

 >>
/sbin/sysctl -w -a
error: "-a" must be of the form name=value
.
.
/sbin/iptables -t nat -A POSTROUTING -o eth0 -s / '!' -d / -j MASQUERADE
iptables v1.4.3.2: invalid mask `' specified
Try `iptables -h' or 'iptables --help' for more information.
<<

In /var/log/messages I get:

 >>
Jan 28 11:02:44 p600 firewall: ** Starting Arno's Iptables Firewall 
v1.9.2h **
Jan 28 11:02:51 p600 firewall: ** All firewall rules applied **
<<

Thanks a lot

Thomas S
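As an added example (not from this thread and not part of Arno's script): a small POSIX shell check that reads the command list a TRACE=1 run produces, collects every `-j` target and `-m` match those rules need, and reports the ones the running kernel does not provide, so a missing target such as TOS is found before the script reports "Not all firewall rules are applied". On a real host the available names come from /proc/net/ip_tables_targets and /proc/net/ip_tables_matches (an assumption about that kernel interface); here both lists and the rule lines are constructed samples.

```shell
#!/bin/sh
# Constructed sample: a few lines like those in the TRACE=1 file.
RULES='/sbin/iptables -N DMZ_INPUT_CHAIN
/sbin/iptables -A HOST_BLOCK_DROP -m limit --limit 1/m --limit-burst 1 -j LOG --log-level info
/sbin/iptables -A HOST_BLOCK_DROP -j DROP
/sbin/iptables -A FORWARD -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
/sbin/iptables -t mangle -A OUTPUT -o eth0 -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
/sbin/iptables -A INPUT -j DMZ_INPUT_CHAIN'

# Constructed sample of what a kernel built without the TOS target offers.
# On a live system use:  AVAIL_TARGETS=$(cat /proc/net/ip_tables_targets)
AVAIL_TARGETS='LOG
DROP
ACCEPT
TCPMSS
MASQUERADE'
AVAIL_MATCHES='limit
tcp
udp'

# Every -j target that is not a user chain created earlier with -N.
needed_targets() {
  printf '%s\n' "$1" | awk '
    { for (i = 1; i < NF; i++) if ($i == "-N") chains[$(i+1)] = 1 }
    { for (i = 1; i < NF; i++)
        if ($i == "-j" && !($(i+1) in chains)) print $(i+1) }' | sort -u
}

# Every match module requested with -m.
needed_matches() {
  printf '%s\n' "$1" | awk '
    { for (i = 1; i < NF; i++) if ($i == "-m") print $(i+1) }' | sort -u
}

# missing NEEDED AVAILABLE: names (one per line) absent from AVAILABLE.
missing() {
  printf '%s\n' "$1" | while IFS= read -r name; do
    [ -n "$name" ] || continue
    printf '%s\n' "$2" | grep -qxF -- "$name" || printf '%s\n' "$name"
  done
}

missing "$(needed_targets "$RULES")" "$AVAIL_TARGETS"   # TOS
missing "$(needed_matches "$RULES")" "$AVAIL_MATCHES"   # (nothing)
```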

