IPTABLES Error: Bad argument `53'


dstrauch
10-10-2002, 12:09 PM
Hello Everyone



By reading New Riders “Linux Firewalls” by Robert L. Ziegler I’m just starting to study iptables. I have a stand-alone firewall offline and off the local network running RHL 7.3 with Kernel 2.4.18-3 and iptables 1.2.5.



I’ve just started writing the script to allow DNS lookups as a client with the following:



if [ "$CONNECTION_TRACKING" = "1" ]; then
    iptables -A OUTPUT -o $INTERNET -p udp \
        -s $IPADDR --sport $UNPRIVPORTS \
        -d $NAMESERVER --dport 53 \
        -m state --state NEW -j ACCEPT
fi

iptables -A OUTPUT -o $INTERNET -p udp \
    -s $IPADDR --sport $UNPRIVPORTS \
    -d $NAMESERVER --dport 53 -j ACCEPT

iptables -A INPUT -i $INTERNET -p udp \
    -s $NAMESERVER --sport 53 \
    -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT



When I execute the script with sh /etc/rc.d/rc.firewalls I receive Bad argument `53' for every instance of either --dport 53 or --sport 53. I’ve also tried --destination-port and --source-port without any success.



Can anyone shed some light on my problem?

Dave

mychl
10-10-2002, 01:07 PM
dport is used by the INPUT chain only, and sport is used by the OUTPUT chain only. That's where your problems lie.

If you are adding a rule to the OUTPUT chain, then you can only specify a source port and.... if you are adding a rule to the INPUT chain, you can only specify the destination port.

dstrauch
10-10-2002, 04:48 PM
Maybe I'm a little confused but, let me take as an example a DNS lookup. The client using an unprivileged port as the source port (--sport $UNPRIVPORTS) will make a call on Port 53 of the DNS server (--dport 53) through the OUTPUT chain. In response the DNS server will contact the client again this time through the INPUT chain with the source port as 53 (--sport 53) and the destination port as the client's unprivileged port (--dport $UNPRIVPORTS).

Therefore both --dport and --sport can be specified in either the INPUT or OUTPUT chains. As in a two-way connection there is always a source and a destination. Am I right or have I missed the concept completely?

Dave

mychl
10-10-2002, 04:54 PM
Regardless of how the DNS stuff works, in my experience, iptables will not use --dport with the OUTPUT chain and iptables will not use --sport with the INPUT chain.

Change your rules, or comment out the lines that are giving you errors and at least give it a try.

dstrauch
10-10-2002, 10:27 PM
Well this is what I did. I removed the reference to --dport in the OUTPUT chains on the first two lines:

if [ "$CONNECTION_TRACKING" = "1" ]; then
iptables -A OUTPUT -o $INTERNET -p udp \
-s $IPADDR --sport $UNPRIVPORTS \
-d $NAMESERVER -m state --state NEW -j ACCEPT
fi

But received Bad Argument 'state'

iptables -A OUTPUT -o $INTERNET -p udp \
-s $IPADDR --sport $UNPRIVPORTS \
-d $NAMESERVER -j ACCEPT

Received Bad Argument 'ACCEPT'

Finally I removed the reference to source ports in the INPUT chain

iptables -A INPUT -i $INTERNET -p udp \
-s $NAMESERVER \
-d $IPADDR --dport $UNPRIVPORTS -j ACCEPT

But received Bad Argument 'xxx.xxx.xxx.xxx'

What do you think is going on here?

mychl
10-11-2002, 08:21 AM
Try these....


#----------------------------------------
#Routing Internal -> Out |
#----------------------------------------
iptables -A OUTPUT -o $EXTINT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $INTINT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#----------------------------------------
#Routing Related External -> In |
#----------------------------------------
iptables -A INPUT -i $EXTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INTINT -m state --state ESTABLISHED,RELATED -j ACCEPT

dstrauch
10-11-2002, 10:20 AM
Mychl,

I loaded the script you recommended and received the following error every time the script called to load the state module.

Warning: wierd character in interface `-m' (No aliases, :, ! or *).Bad argument `state'

I'm starting to think I have a buggy version of IPTABLES and may try recompiling the IPTABLES with a newer version. Do you have any further recommendations?

Lorithar
10-12-2002, 01:03 AM
Originally posted by dstrauch
Mychl,

I loaded the script you recommended and received the following error every time the script called to load the state module.

Warning: wierd character in interface `-m' (No aliases, :, ! or *).Bad argument `state'

I'm starting to think I have a buggy version of IPTABLES and may try recompiling the IPTABLES with a newer version. Do you have any further recommendations?


mychl's script used two variables ...
EXTINT
INTINT

These variables WERE NOT SET when you ran the script. You must add their definitions to the script, or manually replace them.
i.e.

iptables -A OUTPUT -o $EXTINT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

becomes

iptables -A OUTPUT -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
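The failure in this thread is the shell silently expanding an unset variable to nothing, so "-d $NAMESERVER --dport 53" reaches iptables as "-d --dport 53" and 53 becomes the "bad argument". The following is an added example, not code from the thread or from the Ziegler book: it checks that every variable a rule depends on is set before the rule is built. The interface name, addresses and port range are constructed sample values, not the poster's configuration.

```shell
#!/bin/sh
# Added example, not from the thread: guard the variables a firewall script
# expands into iptables arguments. Interface and addresses below are
# constructed sample values (assumptions), not the original poster's setup.
INTERNET="eth0"
IPADDR="192.0.2.10"
NAMESERVER="192.0.2.53"
UNPRIVPORTS="1024:65535"

# Succeed only when every named variable is set and non-empty; otherwise
# list the missing names on stderr and fail, before iptables ever runs.
require_vars() {
    missing=""
    for name in "$@"; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || missing="$missing $name"
    done
    [ -z "$missing" ] && return 0
    echo "firewall: unset variable(s):$missing" >&2
    return 1
}

# Print the client-side DNS rules from the first post, one per line, but
# only after the variables they depend on have been verified.
dns_client_rules() {
    require_vars INTERNET IPADDR NAMESERVER UNPRIVPORTS || return 1
    printf '%s\n' \
      "iptables -A OUTPUT -o $INTERNET -p udp -s $IPADDR --sport $UNPRIVPORTS -d $NAMESERVER --dport 53 -j ACCEPT" \
      "iptables -A INPUT -i $INTERNET -p udp -s $NAMESERVER --sport 53 -d $IPADDR --dport $UNPRIVPORTS -j ACCEPT"
}

# Reproduce the thread's failure mode: with NAMESERVER empty, "-d" would
# swallow "--dport" and iptables would complain "Bad argument `53'".
# With the guard in place no rule is emitted and the error names the variable.
dns_rules_with_unset_nameserver() {
    ( NAMESERVER=""; dns_client_rules )
}
```

Adding `set -u` at the top of the script gives the same protection for every expansion, since the shell then aborts on an unset variable instead of handing iptables a shifted argument list.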