[Firewall] 2.0.1d LAN_INET_HOST_OPEN_TCP issues

Lonnie Abelbeck lists at lonnie.abelbeck.com
Tue Apr 2 15:37:08 CEST 2013


Daniel,

Very weird, the problem seems to be with your "seq" command:

io ~ # seq -s' ' 4 9
4
5 6 7 8 9

The output should be all on one line, space separated, i.e.
--
4 5 6 7 8 9
--

The \n between your first pair is causing your problems.

Can you look into your "seq" command version... Is your Linux platform a distro, custom built, etc.?

Lonnie


On Apr 2, 2013, at 6:55 AM, Daniel Lindbeck wrote:

> Here's the log:
> 
> * Loading Firewall... ...Arno's Iptables Firewall Script v2.0.1d
> -------------------------------------------------------------------------------
> Platform: Linux 3.7.5-hardened-r1 x86_64
> Checking/probing Iptables modules:
> Loaded kernel module ip_tables.
> Loaded kernel module nf_conntrack.
> Loaded kernel module nf_conntrack_ftp.
> Loaded kernel module xt_conntrack.
> Loaded kernel module xt_limit.
> Loaded kernel module xt_state.
> Loaded kernel module xt_multiport.
> Loaded kernel module iptable_filter.
> Loaded kernel module iptable_mangle.
> Loaded kernel module ipt_REJECT.
> Loaded kernel module xt_LOG.
> Loaded kernel module xt_TCPMSS.
> Loaded kernel module xt_DSCP.
> Loaded kernel module iptable_nat.
> Loaded kernel module nf_nat.
> Loaded kernel module nf_nat_ftp.
> Loaded kernel module ipt_MASQUERADE.
> Loaded kernel module nf_conntrack_irc.
> Loaded kernel module nf_nat_irc.
> Module check done...
> Configuring general kernel parameters:
> Setting the max. amount of simultaneous connections to 16384
>  net.nf_conntrack_max = 16384
>  net.netfilter.nf_conntrack_udp_timeout = 60
>  net.netfilter.nf_conntrack_acct = 1
> Configuring kernel parameters:
> Disabling send redirects
>  net.ipv4.conf.all.send_redirects = 0
>  net.ipv4.conf.default.send_redirects = 0
>  net.ipv4.conf.eth0.send_redirects = 0
>  net.ipv4.conf.eth1.send_redirects = 0
>  net.ipv4.conf.lo.send_redirects = 0
> Enabling protection against source routed packets
>  net.ipv4.conf.all.accept_source_route = 0
>  net.ipv4.conf.default.accept_source_route = 0
>  net.ipv4.conf.eth0.accept_source_route = 0
>  net.ipv4.conf.eth1.accept_source_route = 0
>  net.ipv4.conf.lo.accept_source_route = 0
>  net.ipv4.icmp_echo_ignore_broadcasts = 1
>  net.ipv4.icmp_ignore_bogus_error_responses = 1
> Enabling packet forwarding
>  net.ipv4.conf.all.forwarding = 1
>  net.ipv4.conf.default.forwarding = 1
>  net.ipv4.conf.eth0.forwarding = 1
>  net.ipv4.conf.eth1.forwarding = 1
>  net.ipv4.conf.lo.forwarding = 1
> Setting some kernel performance options
>  net.ipv4.tcp_window_scaling = 1
>  net.ipv4.tcp_timestamps = 1
>  net.ipv4.tcp_sack = 1
>  net.ipv4.tcp_dsack = 1
>  net.ipv4.tcp_fack = 1
>  net.ipv4.tcp_low_latency = 0
> Enabling reduction of the DoS'ing ability
>  net.ipv4.tcp_fin_timeout = 30
>  net.ipv4.tcp_keepalive_time = 1800
>  net.ipv4.tcp_syn_retries = 3
>  net.ipv4.tcp_synack_retries = 2
>  net.ipv4.tcp_rfc1337 = 1
>  net.ipv4.ip_local_port_range = 32768 61000
> Enabling SYN-flood protection via SYN-cookies
>  net.ipv4.tcp_syncookies = 1
> Enabling anti-spoof with rp_filter
>  net.ipv4.conf.all.rp_filter = 1
>  net.ipv4.conf.default.rp_filter = 1
>  net.ipv4.conf.eth0.rp_filter = 1
>  net.ipv4.conf.eth1.rp_filter = 1
>  net.ipv4.conf.lo.rp_filter = 1
>  net.ipv4.icmp_echo_ignore_all = 0
> Disabling the logging of martians
>  net.ipv4.conf.all.log_martians = 0
>  net.ipv4.conf.default.log_martians = 0
>  net.ipv4.conf.eth0.log_martians = 0
>  net.ipv4.conf.eth1.log_martians = 0
>  net.ipv4.conf.lo.log_martians = 0
> Disabling the acception of ICMP-redirect messages
>  net.ipv4.conf.all.accept_redirects = 0
>  net.ipv4.conf.default.accept_redirects = 0
>  net.ipv4.conf.eth0.accept_redirects = 0
>  net.ipv4.conf.eth1.accept_redirects = 0
>  net.ipv4.conf.lo.accept_redirects = 0
> Disabling ECN (Explicit Congestion Notification)
>  net.ipv4.tcp_ecn = 0
> Enabling kernel support for dynamic IPs
>  net.ipv4.ip_dynaddr = 1
> Enabling PMTU discovery
>  net.ipv4.ip_no_pmtu_disc = 0
> Setting default TTL=64
>  net.ipv4.ip_default_ttl = 64
> Flushing route table
>  net.ipv4.route.flush = 1
> Kernel setup done...
> Reinitializing firewall chains
> Setting all default policies to DROP while "setting up firewall rules"
> IPv4 mode selected but IPv6 available, DROP all IPv6 packets
> Using loglevel "info" for syslogd
> 
> Setting up firewall rules:
> -------------------------------------------------------------------------------
> Enabling setting the maximum packet size via MSS
> Enabling mangling TOS
> Logging of stealth scans (nmap probes etc.) enabled
> Logging of packets with bad TCP-flags enabled
> Logging of INVALID TCP packets disabled
> Logging of INVALID UDP packets disabled
> Logging of INVALID ICMP packets disabled
> Logging of fragmented packets enabled
> Logging of access from reserved nets enabled
> Setting up antispoof for INTERNAL net(s): 192.168.2.0/24
> Reading custom rules from /etc/arno-iptables-firewall/custom-rules
> Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
> Loaded 0 plugin(s)...
> Setting up external(INET) INPUT policy
> Logging of ICMP flooding enabled
> Enabling support for DHCP-assigned-IP (DHCP client)
> Logging of explicitly blocked hosts enabled
> Logging of denied local output connections enabled
> Packets will NOT be checked for reserved source addresses
> Allowing ANYHOST for TCP port(s): 20
> Allowing ANYHOST for TCP port(s): 21
> Allowing ANYHOST for TCP port(s): 22
> Allowing ANYHOST for TCP port(s): 53
> Allowing ANYHOST for TCP port(s): 80
> Allowing ANYHOST to send IPv4 ICMP-requests (ping)
> Logging of possible stealth scans enabled
> Logging of (other) packets to PRIVILEGED TCP ports enabled
> Logging of (other) packets to PRIVILEGED UDP ports enabled
> Logging of (other) packets to UNPRIVILEGED TCP ports enabled
> Logging of (other) packets to UNPRIVILEGED UDP ports enabled
> Logging of IGMP packets enabled
> Logging of dropped ICMP-request(ping) packets enabled
> Logging of dropped other ICMP packets enabled
> Logging of other IP protocols (non TCP/UDP/ICMP/IGMP) packets enabled
> Setting up external(INET) OUTPUT policy
> Applying external(INET) policy to interface: eth0 (without an external subnet specified)
> Setting up internal(LAN) INPUT policy
> Allowing ICMP-requests(ping)
> Allowing all (other) ports/protocols
> Applying internal(LAN) policy to interface: eth1
> Setting up internal(LAN) FORWARD policy
> Logging of denied LAN->INET FORWARD connections enabled
> Setting up LAN->INET policy
>  Allowing 0/0(LAN) to 1.2.3.170-190(INET) for TCP port(s): 443
>    /sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s 0/0 -d 1.2.3.170
> 171 -p tcp --dport 443 -j ACCEPT
> ERROR (2): iptables v1.4.16.3: host/network `1.2.3.170
> 171' not found
> Try `iptables -h' or 'iptables --help' for more information.
>  Allowing 192.168.2.160-169(LAN) to 0/0(INET) for TCP port(s): 0:65535
>  /sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s 192.168.2.160
> 161 -d 0/0 -p tcp --dport 0:65535 -j ACCEPT
> ERROR (2): iptables v1.4.16.3: host/network `192.168.2.160
> 161' not found
> Try `iptables -h' or 'iptables --help' for more information.
>  Allowing 192.168.2.10-35(LAN) to 0/0(INET) for TCP port(s): 20:1000
> /sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s 192.168.2.10
> 11 -d 0/0 -p tcp --dport 20:1000 -j ACCEPT
> ERROR (2): iptables v1.4.16.3: host/network `192.168.2.10
> 11' not found
> Try `iptables -h' or 'iptables --help' for more information.
> Apr 02 13:48:48 WARNING: Not all firewall rules are applied.
>  Allowing ICMP-requests(ping)
>  Denying all (other) ports/protocols
> Applying internal(LAN) FORWARD policy to interface: eth1
> Enabling masquerading(NAT) via external interface(s): eth0
> Adding (internal) host(s): 192.168.2.0/24
> (eth0) Forwarding(NAT) TCP port(s) 0/0:6003,7001,7002,27000:27045 to 192.168.2.16
> (eth0) Forwarding(NAT) UDP port(s) 0/0:6003,7001,7002,27000:27045 to 192.168.2.16
> Security is ENFORCED for external interface(s) in the FORWARD chain
> Logging of dropped FORWARD packets enabled
> 
> * WARNING: Failed to load Firewall [ !! ]
> * ERROR: arno-iptables-firewall failed to start
> ---
> 
> io ~ # echo "1.2.3.4-9" |cut -s -d'-' -f1 |awk -F'.' '{ print $NF }' |grep -e '[0-9]'
> 4
> io ~ # echo "1.2.3.4-9" |cut -s -d'-' -f2 |grep -e '[0-9]'
> 9
> io ~ # seq -s' ' 4 9
> 4
> 5 6 7 8 9
> io ~ # IFS=',' ; $(IFS=' ') ; echo "$IFS" ; unset IFS
> ,
> io ~ #
> 
> /Daniel
> 
> Arno van Amersfoort skrev 2013-04-02 11:42:
>> The syntax is correct: that can't be the problem. I even tested it myself to make sure it (still) does. Could you provide the complete output of "/usr/local/sbin/arno-iptables-firewall start" ? And your config file?
>> 
>> a.
>> 
>> On 02-Apr-13 8:10, Daniel Lindbeck wrote:
>>> Hi,
>>> 
>>> I'm having some issues with LAN_INET_HOST_OPEN_TCP/UDP in 2.0.1d.
>>> In 1.9.x I could specify IP-ranges like this:
>>> 
>>> LAN_INET_HOST_OPEN_TCP="
>>> 0/0>xxx.xxx.xxx.170-190~443
>>> xxx.xxx.xxx.160-169>0/0~0:65535
>>> xxx.xxx.xxx.10-35>0/0~20:1000"
>>> 
>>> And the errors I'm getting are:
>>> seq: invalid floating point argument: 99/0
>>> Try 'seq --help' for more information. Allowing xxx.xxx.xxx.160-169(LAN)
>>> to 0/0(INET) for TCP port(s): 0:65535
>>> 
>>> AND
>>> 
>>> ERROR (2): iptables v1.4.16.3: host/network `xxx.xxx.xxx.10
>>> 
>>> This configuration works fine in 1.9.x.
>>> Am I doing something wrong here?
>>> 
>>> / Daniel
>>> 
>>> _______________________________________________
>>> Firewall mailing list
>>> Firewall at rocky.eld.leidenuniv.nl
>>> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
>>> Arno's (Linux IPTABLES Firewall) Homepage:
>>> http://rocky.eld.leidenuniv.nl
>>> 
> 
> 
> 
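The thread above pins the failure on `seq -s' '` emitting a newline after its first value, which the script's range expansion pastes straight into the iptables `-s`/`-d` argument (`-s 1.2.3.170<newline>171`). What follows is an added example, not code from arno-iptables-firewall or from anyone in this thread: a POSIX sh expansion of the `a.b.c.x-y` range syntax used in `LAN_INET_HOST_OPEN_TCP` that does not depend on seq at all, a one-line check for the broken seq behaviour, and a generator that prints (rather than executes) the per-host rules in the form the log shows. The function names, the octet bounds checks and the decision to print instead of run are my own; the chain name `LAN_INET_FORWARD_CHAIN` and the `-o +` form are copied from the log, and TCP is assumed because the variable under discussion is the TCP one.

```sh
#!/bin/sh
# Added example, not part of arno-iptables-firewall.
# Expands the "a.b.c.x-y" host-range syntax from LAN_INET_HOST_OPEN_TCP
# without using seq, so a seq that splits its output across lines cannot
# produce an "-s 1.2.3.170<newline>171" argument.

# seq_is_sane: succeed if `seq -s' '` keeps its whole output on one line,
# which is the behaviour the firewall script's range expansion assumes.
seq_is_sane() {
    lines=$(seq -s' ' 4 9 | wc -l | tr -d ' ')
    [ "$lines" -eq 1 ]
}

# expand_ip_range RANGE
# Prints the hosts of e.g. 192.168.2.10-12 space-separated on one line.
# A plain address or a CIDR such as 0/0 (no '-') is printed unchanged.
# Fails on non-numeric, >255 or out-of-order octets instead of emitting garbage.
expand_ip_range() {
    range=$1
    case $range in
        *-*) ;;
        *)   printf '%s\n' "$range"; return 0 ;;
    esac
    prefix=${range%.*}          # 192.168.2
    octets=${range##*.}         # 10-12
    first=${octets%-*}          # 10
    last=${octets#*-}           # 12
    for v in "$first" "$last"; do
        case $v in
            ''|*[!0-9]*) echo "expand_ip_range: bad range '$range'" >&2; return 1 ;;
        esac
        [ "$v" -le 255 ] || { echo "expand_ip_range: bad range '$range'" >&2; return 1; }
    done
    [ "$first" -le "$last" ] || { echo "expand_ip_range: bad range '$range'" >&2; return 1; }
    out=
    i=$first
    while [ "$i" -le "$last" ]; do
        out="$out${out:+ }$prefix.$i"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# lan_inet_rules "SRC>DST~PORTS"
# Prints (does not run) one iptables command per source/destination host
# pair, in the form the log above shows. Chain name and "-o +" are taken
# from the log; TCP is assumed (hypothetical generator, not the script's own).
lan_inet_rules() {
    spec=$1
    src=${spec%%>*}
    rest=${spec#*>}
    dst=${rest%%~*}
    ports=${rest#*~}
    srcs=$(expand_ip_range "$src") || return 1
    dsts=$(expand_ip_range "$dst") || return 1
    for s in $srcs; do
        for d in $dsts; do
            printf '/sbin/iptables -A LAN_INET_FORWARD_CHAIN -o + -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
                "$s" "$d" "$ports"
        done
    done
}

# Stand-alone run: report on seq, then show the rules for two of the
# ranges from the original report (1.2.3.x is a placeholder prefix).
if seq_is_sane; then
    echo "seq -s' ' OK: single-line output"
else
    echo "seq -s' ' BROKEN: output spans several lines (the cause of the iptables errors above)"
fi
lan_inet_rules '0/0>1.2.3.170-172~443'
lan_inet_rules '192.168.2.160-161>0/0~0:65535'
```

Run it on the affected box first: if it reports seq as broken, that confirms Lonnie's diagnosis without touching the firewall; the printed rules show what the script was trying to load, one `-s`/`-d` pair per host, with no embedded newline.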