[Comm-en] setting up iptables

[Comm-en] setting up iptables

[djbouley]

[-- Attachment #1: Type: text/plain, Size: 1098 bytes --]


    "iptabes": was it copied over or typed in by hand? (so is it a
    typo somewhere in the package or not)

I typed it in by hand.  Of course it is entirely possible that there's an 
error in it that I'm just not seeing.

    OTOH /usr/lib/iptables/libipt_tcprules.so is not present on my
    system; need to look at iptables config file.

I cannot find it on my system either.

    > Try 'iptables-restore -h' or 'iptables-restore --help' for more 
    information 
    > [FAILED]
    > ===================================================

    Umm... could you run "rpm -V iptables" and quote the output?
    (should be something like this:
    ..?..... c /etc/sysconfig/iptables
    ..?..... c /etc/sysconfig/iptables_modules
    )

Running rpm -V iptables produced this:
SM5....T c /etc/sysconfig/iptables
..?..... c /etc/sysconfig/iptables_modules

    > I double checked the previous files I created and they're okay.

    Attaching /etc/sysconfig/iptables could help too.

    > Any suggestions?  I'm almost there... I can 'feel' it!  :o)

Here's the contents of /etc/sysconfig/iptables:


[-- Attachment #2: tcpout.txt --]
[-- Type: text/plain, Size: 369 bytes --]

*filter
-A INPUT -j tcprules
-A FORWARD -j tcprules
-A tcprules -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A tcprules -i ! eth1 -m state --state NEW -j ACCEPT
-A tcprules -i eth1 -m state --state INVALID,NEW -j DROP
-A tcprules -i eth1 -j REJECT --reject-with icmp-host-unreachable
COMMIT
*nat
-A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
COMMIT

Re: [Comm-en] setting up iptables

[Michael Shigorin]

On Tue, Apr 08, 2003 at 06:52:26AM -0600, djbouley wrote:
> >    OTOH /usr/lib/iptables/libipt_tcprules.so is not present on my
> I cannot find it on my system either.

Argh, it's my fault -- underreconstructed local configuration.

> Here's the contents of /etc/sysconfig/iptables:

Should be like this: (add one line)

> *filter
:tcprules - [0:0]
> -A INPUT -j tcprules
> -A FORWARD -j tcprules
> -A tcprules -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A tcprules -i ! eth1 -m state --state NEW -j ACCEPT
> -A tcprules -i eth1 -m state --state INVALID,NEW -j DROP
> -A tcprules -i eth1 -j REJECT --reject-with icmp-host-unreachable
> COMMIT
> *nat
> -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
> COMMIT

The story: we've asked iptables to use a specific chain (which
gets reused), but haven't created ("declared") it and no specific
module was found to be used for it.

Somewhat more elaborate config is attached, you can have some
more interesting examples in its comments.

-- 
 ---- WBR, Michael Shigorin <mike@altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/