[Firewall] 2.0.1d LAN_INET_HOST_OPEN_TCP issues

Daniel Lindbeck dajmon at lindnet.se
Tue Apr 2 13:55:11 CEST 2013


Here's the log:

  * Loading Firewall... ...Arno's Iptables Firewall Script v2.0.1d
-------------------------------------------------------------------------------
Platform: Linux 3.7.5-hardened-r1 x86_64
Checking/probing Iptables modules:
  Loaded kernel module ip_tables.
  Loaded kernel module nf_conntrack.
  Loaded kernel module nf_conntrack_ftp.
  Loaded kernel module xt_conntrack.
  Loaded kernel module xt_limit.
  Loaded kernel module xt_state.
  Loaded kernel module xt_multiport.
  Loaded kernel module iptable_filter.
  Loaded kernel module iptable_mangle.
  Loaded kernel module ipt_REJECT.
  Loaded kernel module xt_LOG.
  Loaded kernel module xt_TCPMSS.
  Loaded kernel module xt_DSCP.
  Loaded kernel module iptable_nat.
  Loaded kernel module nf_nat.
  Loaded kernel module nf_nat_ftp.
  Loaded kernel module ipt_MASQUERADE.
  Loaded kernel module nf_conntrack_irc.
  Loaded kernel module nf_nat_irc.
  Module check done...
Configuring general kernel parameters:
  Setting the max. amount of simultaneous connections to 16384
   net.nf_conntrack_max = 16384
   net.netfilter.nf_conntrack_udp_timeout = 60
   net.netfilter.nf_conntrack_acct = 1
Configuring kernel parameters:
  Disabling send redirects
   net.ipv4.conf.all.send_redirects = 0
   net.ipv4.conf.default.send_redirects = 0
   net.ipv4.conf.eth0.send_redirects = 0
   net.ipv4.conf.eth1.send_redirects = 0
   net.ipv4.conf.lo.send_redirects = 0
  Enabling protection against source routed packets
   net.ipv4.conf.all.accept_source_route = 0
   net.ipv4.conf.default.accept_source_route = 0
   net.ipv4.conf.eth0.accept_source_route = 0
   net.ipv4.conf.eth1.accept_source_route = 0
   net.ipv4.conf.lo.accept_source_route = 0
   net.ipv4.icmp_echo_ignore_broadcasts = 1
   net.ipv4.icmp_ignore_bogus_error_responses = 1
  Enabling packet forwarding
   net.ipv4.conf.all.forwarding = 1
   net.ipv4.conf.default.forwarding = 1
   net.ipv4.conf.eth0.forwarding = 1
   net.ipv4.conf.eth1.forwarding = 1
   net.ipv4.conf.lo.forwarding = 1
  Setting some kernel performance options
   net.ipv4.tcp_window_scaling = 1
   net.ipv4.tcp_timestamps = 1
   net.ipv4.tcp_sack = 1
   net.ipv4.tcp_dsack = 1
   net.ipv4.tcp_fack = 1
   net.ipv4.tcp_low_latency = 0
  Enabling reduction of the DoS'ing ability
   net.ipv4.tcp_fin_timeout = 30
   net.ipv4.tcp_keepalive_time = 1800
   net.ipv4.tcp_syn_retries = 3
   net.ipv4.tcp_synack_retries = 2
   net.ipv4.tcp_rfc1337 = 1
   net.ipv4.ip_local_port_range = 32768 61000
  Enabling SYN-flood protection via SYN-cookies
   net.ipv4.tcp_syncookies = 1
  Enabling anti-spoof with rp_filter
   net.ipv4.conf.all.rp_filter = 1
   net.ipv4.conf.default.rp_filter = 1
   net.ipv4.conf.eth0.rp_filter = 1
   net.ipv4.conf.eth1.rp_filter = 1
   net.ipv4.conf.lo.rp_filter = 1
   net.ipv4.icmp_echo_ignore_all = 0
  Disabling the logging of martians
   net.ipv4.conf.all.log_martians = 0
   net.ipv4.conf.default.log_martians = 0
   net.ipv4.conf.eth0.log_martians = 0
   net.ipv4.conf.eth1.log_martians = 0
   net.ipv4.conf.lo.log_martians = 0
  Disabling the acception of ICMP-redirect messages
   net.ipv4.conf.all.accept_redirects = 0
   net.ipv4.conf.default.accept_redirects = 0
   net.ipv4.conf.eth0.accept_redirects = 0
   net.ipv4.conf.eth1.accept_redirects = 0
   net.ipv4.conf.lo.accept_redirects = 0
  Disabling ECN (Explicit Congestion Notification)
   net.ipv4.tcp_ecn = 0
  Enabling kernel support for dynamic IPs
   net.ipv4.ip_dynaddr = 1
  Enabling PMTU discovery
   net.ipv4.ip_no_pmtu_disc = 0
  Setting default TTL=64
   net.ipv4.ip_default_ttl = 64
  Flushing route table
   net.ipv4.route.flush = 1
  Kernel setup done...
Reinitializing firewall chains
  Setting all default policies to DROP while "setting up firewall rules"
IPv4 mode selected but IPv6 available, DROP all IPv6 packets
Using loglevel "info" for syslogd

Setting up firewall rules:
-------------------------------------------------------------------------------
Enabling setting the maximum packet size via MSS
Enabling mangling TOS
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID TCP packets disabled
Logging of INVALID UDP packets disabled
Logging of INVALID ICMP packets disabled
Logging of fragmented packets enabled
Logging of access from reserved nets enabled
Setting up antispoof for INTERNAL net(s): 192.168.2.0/24
Reading custom rules from /etc/arno-iptables-firewall/custom-rules
Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
  Loaded 0 plugin(s)...
Setting up external(INET) INPUT policy
  Logging of ICMP flooding enabled
  Enabling support for DHCP-assigned-IP (DHCP client)
  Logging of explicitly blocked hosts enabled
  Logging of denied local output connections enabled
  Packets will NOT be checked for reserved source addresses
  Allowing ANYHOST for TCP port(s): 20
  Allowing ANYHOST for TCP port(s): 21
  Allowing ANYHOST for TCP port(s): 22
  Allowing ANYHOST for TCP port(s): 53
  Allowing ANYHOST for TCP port(s): 80
  Allowing ANYHOST to send IPv4 ICMP-requests (ping)
  Logging of possible stealth scans enabled
  Logging of (other) packets to PRIVILEGED TCP ports enabled
  Logging of (other) packets to PRIVILEGED UDP ports enabled
  Logging of (other) packets to UNPRIVILEGED TCP ports enabled
  Logging of (other) packets to UNPRIVILEGED UDP ports enabled
  Logging of IGMP packets enabled
  Logging of dropped ICMP-request(ping) packets enabled
  Logging of dropped other ICMP packets enabled
  Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled
Setting up external(INET) OUTPUT policy
Applying external(INET) policy to interface: eth0 (without an external subnet specified)
Setting up internal(LAN) INPUT policy
  Allowing ICMP-requests(ping)
  Allowing all (other) ports/protocols
Applying internal(LAN) policy to interface: eth1
Setting up internal(LAN) FORWARD policy
  Logging of denied LAN->INET FORWARD connections enabled
  Setting up LAN->INET policy
   Allowing 0/0(LAN) to 1.2.3.170-190(INET) for TCP port(s): 443
     /sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s 0/0 -d 1.2.3.170
171 -p tcp --dport 443 -j ACCEPT
ERROR (2): iptables v1.4.16.3: host/network `1.2.3.170
171' not found
Try `iptables -h' or 'iptables --help' for more information.
   Allowing 192.168.2.160-169(LAN) to 0/0(INET) for TCP port(s): 0:65535
   /sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s 192.168.2.160
161 -d 0/0 -p tcp --dport 0:65535 -j ACCEPT
ERROR (2): iptables v1.4.16.3: host/network `192.168.2.160
161' not found
Try `iptables -h' or 'iptables --help' for more information.
   Allowing 192.168.2.10-35(LAN) to 0/0(INET) for TCP port(s): 20:1000
/sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s 192.168.2.10
11 -d 0/0 -p tcp --dport 20:1000 -j ACCEPT
ERROR (2): iptables v1.4.16.3: host/network `192.168.2.10
11' not found
Try `iptables -h' or 'iptables --help' for more information.
Apr 02 13:48:48 WARNING: Not all firewall rules are applied.
   Allowing ICMP-requests(ping)
   Denying all (other) ports/protocols
Applying internal(LAN) FORWARD policy to interface: eth1
Enabling masquerading(NAT) via external interface(s): eth0
  Adding (internal) host(s): 192.168.2.0/24
(eth0) Forwarding(NAT) TCP port(s) 0/0:6003,7001,7002,27000:27045 to 192.168.2.16
(eth0) Forwarding(NAT) UDP port(s) 0/0:6003,7001,7002,27000:27045 to 192.168.2.16
Security is ENFORCED for external interface(s) in the FORWARD chain
  Logging of dropped FORWARD packets enabled

  * WARNING: Failed to load Firewall [ !! ]
  * ERROR: arno-iptables-firewall failed to start
---

io ~ # echo "1.2.3.4-9" |cut -s -d'-' -f1 |awk -F'.' '{ print $NF }' |grep -e '[0-9]'
4
io ~ # echo "1.2.3.4-9" |cut -s -d'-' -f2 |grep -e '[0-9]'
9
io ~ # seq -s' ' 4 9
4
5 6 7 8 9
io ~ # IFS=',' ; $(IFS=' ') ; echo "$IFS" ; unset IFS
,
io ~ #

/Daniel
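As an added example (not Arno's script and not code posted in this thread), here is a POSIX sh function that expands a LAN_INET_HOST_OPEN_TCP host range such as 1.2.3.170-190 with a plain counting loop instead of `seq -s' '`, so the host list can never carry the embedded newline that the iptables errors above show, plus a helper that prints the per-host rules in the shape of the log. The chain name LAN_INET_FORWARD_CHAIN is taken from the log; the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from Arno's script or from this thread: expand a
# "a.b.c.X-Y" host range (the form used in LAN_INET_HOST_OPEN_TCP) with a shell
# loop instead of `seq -s' '`, so the host list is always ONE space-separated
# line and never carries an embedded newline that iptables rejects as an
# invalid host/network.

# True if $1 is a decimal number in 0..255.
is_octet() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -le 255 ]
}

# expand_host_range 1.2.3.170-172  ->  "1.2.3.170 1.2.3.171 1.2.3.172"
# Input without a '-' (single host, or a CIDR such as 0/0) is printed unchanged.
expand_host_range() {
  range="$1"
  case "$range" in
    *-*) ;;
    *) printf '%s\n' "$range"; return 0 ;;
  esac
  prefix="${range%.*}"        # "1.2.3"
  octets="${range##*.}"       # "170-172"
  first="${octets%-*}"
  last="${octets#*-}"
  if ! is_octet "$first" || ! is_octet "$last" || [ "$first" -gt "$last" ]; then
    printf 'invalid host range: %s\n' "$range" >&2
    return 1
  fi
  out=""
  i=$first
  while [ "$i" -le "$last" ]; do
    out="${out:+$out }$prefix.$i"
    i=$((i + 1))
  done
  printf '%s\n' "$out"
}

# print_forward_rules SRC DST PORTS: emit one ACCEPT rule per source/destination
# host pair, in the shape shown in the log above (chain name taken from it).
# It only prints the commands; nothing is passed to iptables.
print_forward_rules() {
  for s in $(expand_host_range "$1"); do
    for d in $(expand_host_range "$2"); do
      printf '/sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s %s -d %s -p tcp --dport %s -j ACCEPT\n' "$s" "$d" "$3"
    done
  done
}
```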

Arno van Amersfoort wrote 2013-04-02 11:42:
> The syntax is correct: that can't be the problem. I even tested it 
> myself to make sure it (still) does. Could you provide the complete 
> output of "/usr/local/sbin/arno-iptables-firewall start" ? And your 
> config file?
>
> a.
>
> On 02-Apr-13 8:10, Daniel Lindbeck wrote:
>> Hi,
>>
>> I'm having some issues with LAN_INET_HOST_OPEN_TCP/UDP in 2.0.1d.
>> In 1.9.x I could specify IP-ranges like this:
>>
>> LAN_INET_HOST_OPEN_TCP="
>> 0/0>xxx.xxx.xxx.170-190~443
>> xxx.xxx.xxx.160-169>0/0~0:65535
>> xxx.xxx.xxx.10-35>0/0~20:1000"
>>
>> And the errors I'm getting are:
>> seq: invalid floating point argument: 99/0
>> Try 'seq --help' for more information. Allowing xxx.xxx.xxx.160-169(LAN)
>> to 0/0(INET) for TCP port(s): 0:65535
>>
>> AND
>>
>> ERROR (2): iptables v1.4.16.3: host/network `xxx.xxx.xxx.10
>>
>> This configuration works fine in 1.9.x.
>> Am I doing something wrong here?
>>
>> / Daniel
>>
>> _______________________________________________
>> Firewall mailing list
>> Firewall at rocky.eld.leidenuniv.nl
>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
>>
