[Firewall] 2.0.0c (current on Ubuntu 12.04) fix vlan tagged explicit-interface ports [patch]

Mike C. Fletcher mcfletch at vrplumber.com
Fri Feb 7 16:13:15 CET 2014


Hi there,

I'm using the following configuration for arno.  When I use a 
vlan-tagged port in TCP_OPEN (or UDP_OPEN) I get errors from iptables 
(this is all on Ubuntu Server 12.04, where DC_OPEN_TCP is mapped to 
OPEN_TCP):

### Version 1 ###
DC_EXT_IF="eth1 eth2.3 "
DC_EXT_IF_DHCP_IP=1
# 22, 80, 443 and 161 (SNMP) should only be on the management interface, not the external data interface
DC_OPEN_TCP="eth2.3#22 eth2.3#80 eth2.3#443 eth2.3#161 "
DC_OPEN_UDP="eth1#8000 eth1#161 eth2.3#8000 eth2.3#161 "
DC_INT_IF="eth0 "
DC_NAT=1
DC_INTERNAL_NET="192.168.80.0/24"
DC_NAT_INTERNAL_NET="192.168.80.0/24"
DC_OPEN_ICMP=1

which produces these errors:

Starting Arno's Iptables Firewall...
/sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p tcp --dport 22 -j ACCEPT
ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
Try `iptables -h' or 'iptables --help' for more information.
/sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p tcp --dport 80 -j ACCEPT
ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
Try `iptables -h' or 'iptables --help' for more information.
/sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p tcp --dport 443 -j ACCEPT
ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
Try `iptables -h' or 'iptables --help' for more information.
/sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p tcp --dport 161 -j ACCEPT
ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
Try `iptables -h' or 'iptables --help' for more information.
/sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p udp --dport 8000 -j ACCEPT
ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
Try `iptables -h' or 'iptables --help' for more information.
/sbin/iptables -A EXT_INPUT_CHAIN -i + -d eth2.3 -p udp --dport 161 -j ACCEPT
ERROR (2): iptables v1.4.12: host/network `eth2.3' not found
Try `iptables -h' or 'iptables --help' for more information.
Feb 06 14:48:48 WARNING: Not all firewall rules are applied.

The problem can be addressed by applying the attached context diff 
(against the 2.0.0c release in Ubuntu) to the "environment" file; it 
just makes the test for "is an ip address" use a more involved regex 
that tests for 4 sets of numbers with '.' characters, rather than a 
single dot.  Note: the test does *not* handle ipv6-style addresses, but 
then it doesn't *appear* the original would have done so either.

Hope that helps someone,
Mike

-- 
________________________________________________
   Mike C. Fletcher
   Designer, VR Plumber, Coder
   http://www.vrplumber.com
   http://blog.vrplumber.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: arno-vlan-parsing.patch
Type: text/x-patch
Size: 1227 bytes
Desc: not available
URL: <http://rocky.eld.leidenuniv.nl/pipermail/firewall/attachments/20140207/30ffb3ae/attachment.bin>
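The misclassification behind the errors above, as an added example that is not the poster's scrubbed patch nor Arno's own code: is_ip_naive models a "contains a dot" test that mistakes a VLAN sub-interface such as eth2.3 for an address, is_ip_strict requires four dotted numeric groups, and rule_selector shows which iptables selector each verdict would produce. The function names, the regex and the "host#port" splitting are assumptions; nothing here invokes iptables.

```shell
#!/bin/sh
# Constructed example: decide whether the host part of a "host#port" entry
# (as in DC_OPEN_TCP) is an interface name or an IP address, because the
# firewall must emit "-i IFACE" for the former and "-i + -d ADDR" for the
# latter. Passing an interface name to -d is what produced
# "host/network `eth2.3' not found" in the report above.

# Assumed model of the original, over-broad test: anything containing a dot.
is_ip_naive() {
  case "$1" in
    *.*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Stricter test: exactly four dot-separated 1-3 digit groups, with an
# optional /prefix length. Does not recognise IPv6 (neither did the original).
is_ip_strict() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
}

# Turn one "host#port" token into the iptables selector fragment it should get.
rule_selector() {
  host="${1%%#*}"   # text before the '#'
  port="${1##*#}"   # text after the '#'
  if is_ip_strict "$host"; then
    printf '%s' "-i + -d $host --dport $port"
  else
    printf '%s' "-i $host --dport $port"
  fi
}

# Walk a space-separated list such as DC_OPEN_TCP and print one line per entry.
show_rules() {
  for entry in $1; do
    printf '%s\n' "$(rule_selector "$entry")"
  done
}

show_rules "eth2.3#22 eth2.3#443 192.168.80.1#22"
```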