Firewall questions I promised you.

Rick Stevens rstevens at vitalstream.com
Tue Jun 1 18:29:56 UTC 2004


Bruce McDonald wrote:
> Hello all,
> 
> I have written my firewall rules using the examples in Linux Firewall Second
> Edition by Robert Zeigler.  Now, when I run the script I get a couple of
> errors.
> 
> One is:
> Bad argument `22'
> Try `iptables -h' or 'iptables --help' for more information.
> 
> This shows up after lines like:
> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     iptables -A local-tcp-client-request -p tcp \
>              -d $SSH_CLIENT --dport 22 \
>              --syn -m state --state NEW \
>              -j ACCEPT
> fi
> 
> iptables -A local-tcp-client-request -p tcp \
>          -d $SSH_CLIENT --dport 22 \
>          -j ACCEPT
> 
> and:
> if [ "$CONNECTION_TRACKING" = "1" ]; then
>     iptables -A remote-tcp-client-request -p tcp \
>              -s $SSH_CLIENT --destination-port 22 \
>              -m state --state NEW \
>              -j ACCEPT
> fi
> 
> 
> iptables -A remote-tcp-client-request -p tcp \
>          -s $SSH_CLIENT --destination-port 22 \
>          -j ACCEPT
> 
> 
> I played with the order of the items on the line and did manage to get rid
> of Bad argument 22 by moving the (in the trial case I used a destination
> port line) --dport22 ahead of the destination itself.  This did generate a
> different complaint, which I have forgotten in the intervening time.

The problem is that some versions of iptables will not accept "--dport"
options.  It's a bug, but there it is.  Make sure you have the latest
version of iptables installed.

> 
> So, is there an error in the order of the layout of the iptables lines I
> have listed above?

No.  It's a bug in some versions of iptables.

> My next error is:
> iptables v1.2.7a: host/network `yahoo.com' not found
> Try `iptables -h' or 'iptables --help' for more information.
> 
> I assume this means the firewall is halting packets to or from my DNS
> server.  

Yup.

> I still have to check a little further into this,  I do have rules that are
> supposed to allow the traffic.  I will post them for your input once I
> figure that I don't see anything at all wrong with them.

It rather depends on how strict you want your firewall to be regarding
DNS.  Without seeing the entire iptables setup, I can't comment on what
you want to do.  However, somewhere near the top of your list you should
have something along the lines of:

	iptables -A INPUT -p udp --dport 53 -j ACCEPT

This would accept all UDP DNS traffic (remember, 99% of DNS traffic is
UDP, not TCP).
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-     There are only 10 kinds of people in the world -- those who    -
-                 understand binary and those who don't              -
----------------------------------------------------------------------
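As an added example that is not part of this thread or of Zeigler's book: a small POSIX shell fragment in the style of the quoted script that emits the DNS client rules with connection tracking, and refuses to build a rule from a hostname (which is what iptables had to resolve when it reported `host/network 'yahoo.com' not found`). The resolver address 192.0.2.53 is a constructed placeholder, and IPT defaults to "echo iptables" so the rules can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original thread): stateful DNS client rules,
# plus a guard against putting hostnames into -s/-d, since iptables resolves
# them while the script loads (before the rules that would allow DNS exist).
IPT="${IPT:-echo iptables}"            # set IPT=iptables to really apply
NAMESERVER="${NAMESERVER:-192.0.2.53}" # constructed example resolver address
CONNECTION_TRACKING="${CONNECTION_TRACKING:-1}"

# is_ipv4 ADDR: returns 0 if ADDR is a dotted-quad literal, 1 otherwise.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, or empty octet
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')  # split into octets
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# dns_client_rules RESOLVER: rules letting this host query RESOLVER over UDP.
dns_client_rules() {
    resolver="$1"
    if ! is_ipv4 "$resolver"; then
        echo "refusing: '$resolver' is a hostname; iptables would try to" \
             "resolve it while the rules load" >&2
        return 1
    fi
    if [ "$CONNECTION_TRACKING" = "1" ]; then
        # Our query goes out as NEW; the reply matches the tracked state.
        $IPT -A OUTPUT -p udp -d "$resolver" --dport 53 \
             -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -A INPUT  -p udp -s "$resolver" --sport 53 \
             -m state --state ESTABLISHED -j ACCEPT
    else
        $IPT -A OUTPUT -p udp -d "$resolver" --dport 53 -j ACCEPT
        $IPT -A INPUT  -p udp -s "$resolver" --sport 53 -j ACCEPT
    fi
}

dns_client_rules "$NAMESERVER"
```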

More information about the Redhat-install-list mailing list