[Firewall] 2.0.0c (current on Ubuntu 12.04) fix vlan tagged explicit-interface ports [patch]

Lonnie Abelbeck lists at lonnie.abelbeck.com
Tue Apr 1 06:15:20 CEST 2014


Hi Mike,

A fix for distinguishing between IPv4 and VLAN interfaces has been added upstream.  IPv6 addresses are also supported now as well.

https://github.com/arno-iptables-firewall/aif/commit/b0476a5e52f5dc2230b0745171449ce1216710d9

In theory multiple like-kind entries may occur before the '#', so we can't do as specific of a test as you suggested... all we need is to distinguish between an interface and an IP address.

Thanks for the catch.

Lonnie 


On Feb 7, 2014, at 9:13 AM, Mike C. Fletcher wrote:

> Hi there,
> 
> I'm using the following configuration for arno.  When I use a vlan-tagged port in TCP_OPEN (or UDP_OPEN) I get errors from iptables (this is all on Ubuntu Server 12.04, where DC_OPEN_TCP is mapped to OPEN_TCP):
> 
> ### Version 1 ###
> DC_EXT_IF="eth1 eth2.3 "
> DC_EXT_IF_DHCP_IP=1
> # 22, 80, 443 and 161 (SNMP) should only be on the management interface, not the external data interface
> DC_OPEN_TCP="eth2.3#22 eth2.3#80 eth2.3#443 eth2.3#161 "
> DC_OPEN_UDP="eth1#8000 eth1#161 eth2.3#8000 eth2.3#161 "
> DC_INT_IF="eth0 "
> DC_NAT=1
> DC_INTERNAL_NET="192.168.80.0/24"
> DC_NAT_INTERNAL_NET="192.168.80.0/24"
> DC_OPEN_ICMP=1
> 
> which produces these errors:
> 
> Starting Arno's Iptables Firewall...
> /sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p tcp --dport 22 -j ACCEPT
> ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
> Try `iptables -h' or 'iptables --help' for more information.
> /sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p tcp --dport 80 -j ACCEPT
> ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
> Try `iptables -h' or 'iptables --help' for more information.
> /sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p tcp --dport 443 -j ACCEPT
> ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
> Try `iptables -h' or 'iptables --help' for more information.
> /sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p tcp --dport 161 -j ACCEPT
> ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
> Try `iptables -h' or 'iptables --help' for more information.
> /sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p udp --dport 8000 -j ACCEPT
> ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
> Try `iptables -h' or 'iptables --help' for more information.
> /sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p udp --dport 161 -j ACCEPT
> ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
> Try `iptables -h' or 'iptables --help' for more information.
> Feb 06 14:48:48 WARNING: Not all firewall rules are applied.
> 
> The problem can be addressed by applying the attached context diff (against the 2.0.0c release in Ubuntu) to the "environment" file; it just makes the test for "is an ip address" use a more involved regex that tests for 4 sets of numbers with '.' characters, rather than a single dot.  Note: the test does *not* handle ipv6-style addresses, but then it doesn't *appear* the original would have done so either.
> 
> Hope that helps someone,
> Mike
> 
> -- 
> ________________________________________________
>  Mike C. Fletcher
>  Designer, VR Plumber, Coder
>  http://www.vrplumber.com
>  http://blog.vrplumber.com
> 
> <arno-vlan-parsing.patch>
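The classification bug the thread describes, as an added example that is neither AIF's own code nor the patch Mike attached: a naive "contains a dot" test (the behaviour Mike reports for 2.0.0c) beside a stricter IPv4/IPv6 test, both applied to the kind of entries in Mike's config. The function names and regexes are assumptions; the actual upstream fix is in the commit linked above.

```shell
#!/bin/sh
# Added example, not arno-iptables-firewall code.  Classify the part before
# '#' in an OPEN_TCP/OPEN_UDP entry such as "eth2.3#22" as interface or address.

# Naive test as Mike describes it: "has a dot" => IP address.
# A VLAN interface like eth2.3 also contains a dot, so it is misclassified.
is_ip_naive() {
  case "$1" in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Stricter test (assumed regexes): four dotted decimal groups with an optional
# /prefix for IPv4, or hex groups joined by ':' for IPv6.  Interface names
# such as eth2.3 or eth1 match neither pattern.
is_ip_fixed() {
  printf '%s\n' "$1" | grep -Eq \
    -e '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    -e '^[0-9a-fA-F]*(:[0-9a-fA-F]*)+(/[0-9]{1,3})?$'
}

# Split "target#port" and pick the iptables match the rule should carry:
# "-i <iface>" for an interface, "-d <addr>" for an address.
open_rule_match() {
  entry="$1"; checker="$2"
  target="${entry%%#*}"
  if "$checker" "$target"; then
    printf '%s %s\n' "-d" "$target"
  else
    printf '%s %s\n' "-i" "$target"
  fi
}

# Constructed sample entries, modelled on Mike's DC_OPEN_TCP/DC_OPEN_UDP values.
for e in "eth2.3#22" "eth1#8000" "192.168.80.5#22" "2001:db8::1#22"; do
  printf '%-18s naive: %-20s fixed: %s\n' "$e" \
    "$(open_rule_match "$e" is_ip_naive)" "$(open_rule_match "$e" is_ip_fixed)"
done
```

With the naive test "eth2.3#22" yields "-d eth2.3", which is exactly the `host/network 'eth2.3' not found` rule in the log above; the stricter test yields "-i eth2.3".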
