Firewall questions I promised you.
Rick Stevens
rstevens at vitalstream.com
Tue Jun 1 18:29:56 UTC 2004
Bruce McDonald wrote:
> Hello all,
>
> I have written my firewall rules using the examples in Linux Firewall Second
> Edition by Robert Zeigler. Now, when I run the script I get a couple of
> errors.
>
> One is:
> Bad argument `22'
> Try `iptables -h' or 'iptables --help' for more information.
>
> This shows up after lines like:
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A local-tcp-client-request -p tcp \
> -d $SSH_CLIENT --dport 22 \
> --syn -m state --state NEW \
> -j ACCEPT
> fi
>
> iptables -A local-tcp-client-request -p tcp \
> -d $SSH_CLIENT --dport 22 \
> -j ACCEPT
>
> and:
> if [ "$CONNECTION_TRACKING" = "1" ]; then
> iptables -A remote-tcp-client-request -p tcp \
> -s $SSH_CLIENT --destination-port 22 \
> -m state --state NEW \
> -j ACCEPT
> fi
>
>
> iptables -A remote-tcp-client-request -p tcp \
> -s $SSH_CLIENT --destination-port 22 \
> -j ACCEPT
>
>
> I played with the order of the items on the line and did manage to get rid
> of Bad argument 22 by moving the (in the trial case I used a destination
> port line) --dport22 ahead of the destination itself. This did generate a
> different complaint, which I have forgotten in the intervening time.
The problem is that some versions of iptables will not accept "--dport"
options. It's a bug, but there it is. Make sure you have the latest
version of iptables installed.
>
> So, is there an error in the order of the layout of the iptables lines I
> have listed above?
No. It's a bug in some versions of iptables.
> My next error is:
> iptables v1.2.7a: host/network `yahoo.com' not found
> Try `iptables -h' or 'iptables --help' for more information.
>
> I assume this means the firewall is halting packets to or from my DNS
> server.
Yup.
> I still have to check a little further into this, I do have rules that are
> supposed to allow the traffic. I will post them for your input once I
> figure that I don't see anything at all wrong with them.
It rather depends on how strict you want your firewall to be regarding
DNS. Without seeing the entire iptables setup, I can't comment on what
you want to do. However, somewhere near the top of your list you should
have something along the lines of:
iptables -A INPUT -p udp --dport 53 -j ACCEPT
This would accept all UDP DNS traffic (remember, 99% of DNS traffic is
UDP, not TCP).
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens at vitalstream.com -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- There are only 10 kinds of people in the world -- those who -
- understand binary and those who don't -
----------------------------------------------------------------------
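An added example, not part of Rick's reply or of the book's firewall script, showing the input checks a defender would want in front of rules like the ones quoted above. All function names (is_ipv4, require_addr, ssh_client_rules, dns_rules) and the addresses are constructed for this illustration. It covers one cause of both errors that the thread leaves open: if $SSH_CLIENT is empty, the shell hands iptables `-d --dport 22`, so `--dport` is taken as the address and `22` becomes the "Bad argument"; and a hostname in a rule makes iptables call the resolver while the rules being installed may already be blocking DNS, which is how "host/network `yahoo.com' not found" appears. By default the script prints the rules instead of applying them; run it as root with IPTABLES=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the original thread: input checks for a firewall
# script whose rules are built from shell variables such as $SSH_CLIENT.
# IPTABLES defaults to "echo iptables" so rules are printed, not applied.
IPTABLES="${IPTABLES:-echo iptables}"

# is_ipv4 ADDR: succeed when ADDR is a dotted quad, optionally with /prefix.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# require_addr NAME VALUE: fail with a message unless VALUE is a literal
# address. Two failure modes this catches:
#  - empty VALUE: "-d $SSH_CLIENT --dport 22" becomes "-d --dport 22", so
#    iptables takes "--dport" as the address and rejects the stray "22";
#  - hostname VALUE: iptables resolves it while the rules are being loaded,
#    which fails once DNS is already blocked ("host/network ... not found").
require_addr() {
    name="$1"; value="$2"
    if [ -z "$value" ]; then
        echo "error: $name is empty; refusing to build a rule around it" >&2
        return 1
    fi
    if ! is_ipv4 "$value"; then
        echo "error: $name='$value' is not an IP address; resolve it before the script runs" >&2
        return 1
    fi
}

# ssh_client_rules ADDR: emit the two SSH rules from the thread, with the
# same connection-tracking match, only if ADDR passes the checks.
ssh_client_rules() {
    require_addr SSH_CLIENT "$1" || return 1
    $IPTABLES -A local-tcp-client-request -p tcp \
        -d "$1" --dport 22 --syn -m state --state NEW -j ACCEPT
    $IPTABLES -A remote-tcp-client-request -p tcp \
        -s "$1" --dport 22 -m state --state NEW -j ACCEPT
}

# dns_rules SERVER: allow UDP DNS to and from one resolver only, a tighter
# form of the "-p udp --dport 53" rule suggested in the reply.
dns_rules() {
    require_addr NAMESERVER "$1" || return 1
    $IPTABLES -A OUTPUT -p udp -d "$1" --dport 53 -j ACCEPT
    $IPTABLES -A INPUT  -p udp -s "$1" --sport 53 -j ACCEPT
}

# Demo with constructed addresses from the RFC 5737 documentation ranges.
ssh_client_rules 192.0.2.10
dns_rules 198.51.100.53
ssh_client_rules ""        || echo "(empty SSH_CLIENT rejected as expected)" >&2
ssh_client_rules yahoo.com || echo "(hostname rejected as expected)" >&2
```

Resolving names to addresses before the script runs (or running this validation before the first DROP policy is set) keeps rule loading independent of DNS; restricting port 53 to a known resolver is the stricter variant of the INPUT rule Rick suggests, at the cost of having to update the address when the resolver changes.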