
I am a newbie trying to create a firewall on RH9. I am using a script from the RH9 bible (p507). I am running a section at a time. What I have so far:

# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (2) user-defined chain for ACCEPTED TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

This line is giving me some grief:

iptables -A okay -p TCP -m state ESTABLISHED,RELATED -j ACCEPT

because I get this error when I run it:

firescript: line 23: ESTABLISHED,RELATED: command not found

The author says this line "allows through packets associated with an ESTABLISHED connection (one that has already had traffic pass through the interface) or a RELATED connection (one that is starting a new connection related to an already-established connection)". Are there other commands I could use, or another line of script that would do the same job? Any help would be appreciated.

Gun Caundle

This line is giving me some grief: 'iptables -A okay -p TCP -m state ESTABLISHED,RELATED -j ACCEPT', because I get this error when I run it: 'firescript: line 23: ESTABLISHED,RELATED: command not found'
You forgot --state. The correct syntax is:

iptables --append okay --protocol tcp -m state --state ESTABLISHED,RELATED --jump ACCEPT

:)

Thanx Perry. I inserted the '--state' but I still get the same error message; even when I insert a # at the beginning of the line and run it again! I'm using PICO text editor and saving it with a different name after modifying the script. Any other suggestions?

Kind regards
Gun Caundle

----- Original Message -----
From: "Perry Lorier" <perry(a)coders.net>
To: "Waikato Linux Users Group" <wlug(a)list.waikato.ac.nz>
Sent: Saturday, April 24, 2004 11:12 AM
Subject: Re: [wlug] Firewall script problem
_______________________________________________ wlug mailing list | wlug(a)list.waikato.ac.nz Unsubscribe: http://list.waikato.ac.nz/mailman/listinfo/wlug

Hi Gun, On Sat, 2004-04-24 at 12:27, Gun Caundle wrote:
Thanx Perry I inserted the '--state' but I still get the same error message; even when I insert a # at the beginning of the line and run it again! I'm using PICO text editor and saving it with a different name after modifying the script. Any other suggestions Kind regards Gun Caundle
It sounds like you may have a syntax error or something in your shell script. Try executing each command in the script directly from a console; if they all work, then you can focus on looking for syntax errors. If you are still having problems, perhaps you could put the script on a webpage somewhere we could have a look at it. If you can't do that, just email about 5 lines either side of the problematic statement.

Regards

--
Matt Brown
Email: matt(a)mattb.net.nz
GSM: 021 611 544

Thanx Matt, Mark and Aristotle. I ran each line of the script from the console and when I got to the problematic line I got:

Unknown arg '--state'

In 'iptables help' there is no '--state' option. Here is the section of the script:

# (2) user-defined chain for ACCEPTED TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

Is there another command I could use instead of '--state'? It is used in further parts of the script as well.

Kind regards
Gun Caundle
GunCom Computing Services
77 Maniapoto St. Otorohanga
ph/fax 07 873 6575
gun(a)guncom.co.nz

----- Original Message -----
From: "Matt Brown" <matt(a)mattb.net.nz>
To: "Waikato Linux Users Group" <wlug(a)list.waikato.ac.nz>
Sent: Saturday, April 24, 2004 1:24 PM
Subject: Re: [wlug] Firewall script problem

Unknown arg '--state' In 'iptables help' there is no '--state' option. Here is the section of the script:
This probably means you are running an older version of iptables. Could you run

iptables --version

and paste the answer back to the list? Also, which distribution version are you using?

Daniel

Thanx Daniel.

Iptables v1.2.7a
RH9

Kind regards
Gun Caundle
GunCom Computing Services
77 Maniapoto St. Otorohanga
ph/fax 07 873 6575
gun(a)guncom.co.nz

----- Original Message -----
From: "Daniel Lawson" <daniel(a)meta.net.nz>
To: "Waikato Linux Users Group" <wlug(a)list.waikato.ac.nz>
Sent: Monday, April 26, 2004 8:53 AM
Subject: Re: [wlug] Firewall script problem

On Mon, 2004-04-26 at 08:46, Gun Caundle wrote:
# (2) user-defined chain for ACCEPTED TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP
Is there another command I could use instead of '--state'? It is used in further parts of the script as well.
I am not aware of another command that implements the same functionality as state. Firewalling based on state requires the connection tracking module to be built and loaded. Check your kernel config to ensure that this module is enabled, then use lsmod to see if it is loaded (it's called ip_conntrack). If it is not loaded, use modprobe ip_conntrack (as root) to load it. The command above should work then.

Regards

--
Matt Brown
Email: matt(a)mattb.net.nz
GSM: 021 611 544

* Gun Caundle <gun(a)paradise.net.nz> [2004-04-24 02:28]:
I'm using PICO text editor and saving it with a different name after modifying the script.
pico is notorious for autowrapping long lines. You can't even disable this behaviour from within the editor, only pass a parameter to disable wrapping when you launch it. Are you sure the parameters to the command are all on the same line, or has pico wrapped them?

--
Regards,
Aristotle
"If you can't laugh at yourself, you don't take life seriously enough."
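As an added example that is not from the thread or the RH9 bible, a small POSIX shell script that puts the pieces of this discussion together: the okay chain with the -m state --state syntax Perry gave, a lint for lines that pico may have wrapped (the likely source of "ESTABLISHED,RELATED: command not found"), and a check for the state match that Gun's iptables 1.2.7a reports as unknown. The names DRY_RUN, ipt, okay_chain_rules, find_wrapped_lines and state_match_available are assumptions of this example, not iptables options.

```shell
#!/bin/sh
# Added example, not code from the thread or the RH9 bible: the "okay" chain
# written one rule per line, plus two checks for the failures discussed above.
# DRY_RUN, ipt, okay_chain_rules, find_wrapped_lines and
# state_match_available are names chosen here, not iptables options.

IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}   # DRY_RUN=0 applies the rules for real (needs root)

# Print (dry run) or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# The user-defined chain from the thread, with the state match spelled
# "-m state --state": the match module, then its option, then the states.
okay_chain_rules() {
    ipt -N okay
    ipt -A okay -p tcp --syn -j ACCEPT
    ipt -A okay -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A okay -p tcp -j DROP
}

# Reads a script on stdin and prints "N: line" for every line that looks
# like the tail of an iptables command an editor has wrapped: a line that
# begins with an option ("--state ...") or with a comma-separated state
# list ("ESTABLISHED,RELATED ..."). The shell runs such a line as a command,
# which is exactly what "ESTABLISHED,RELATED: command not found" reports.
find_wrapped_lines() {
    awk '
        /^[ \t]*$/ { next }                            # blank line
        /^[ \t]*#/ { next }                            # comment
        /^[ \t]*-/ { print NR ": " $0 }                # starts with an option
        /^[ \t]*[A-Z]+(,[A-Z]+)+/ { print NR ": " $0 } # starts with STATE,STATE
    '
}

# "Unknown arg '--state'" means this iptables could not load the state match
# extension; the kernel side is the ip_conntrack module Matt mentions.
state_match_available() {
    "$IPT" -m state --help >/dev/null 2>&1
}

if [ "$DRY_RUN" != 1 ]; then
    state_match_available || { echo "state match unavailable; try: modprobe ip_conntrack" >&2; exit 1; }
    okay_chain_rules
fi
```

Run it with no arguments to see the four rules it would apply; pipe the firewall script into find_wrapped_lines to locate lines an editor has split.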
participants (5)
- A. Pagaltzis
- Daniel Lawson
- Gun Caundle
- Matt Brown
- Perry Lorier