Stateful Inspection of packets with iptables

gthank · n00b Joined: 08 Feb 2005 Posts: 15

I've got almost everything set up on my server here at work, but when iptables is running, I can't do things like DNS. I suspect this is because I'm denying everything by default and only allowing specific protocols through the firewall. I'm trying to set my INPUT chain to accept packets that are ESTABLISHED or RELATED, but iptables won't let me add the rule. Here's the command I'm using.

tdemarest · Posted: Sat Feb 12, 2005 6:02 am Post subject:

That's the same line I have. Are you sure the error is happening with this particular line, or some earlier line?

gthank · n00b Joined: 08 Feb 2005 Posts: 15

In fact, it's the only line I'm executing. I'm trying to add one rule to an existing (functioning) instance of iptables.

gthank
_________________
". . . from hell's heart I stab at thee; for hate's sake I spit my last breath at thee."

nightblade

markkuk · Guru Joined: 29 Nov 2002 Posts: 446

Remember that "iptables -A" adds the rule at the end of the chain, if there are any rules with REJECT, DROP or jumps to different chains before it the new rule will have no effect. Try inserting the rule at the head of the chain with "iptables -I"

gthank · n00b Joined: 08 Feb 2005 Posts: 15

Would you believe I proofread that post like 3 times and still didn't notice that I'd forgotten to paste in the error? Anyway, when I try to add the rule (it doesn't matter whether I'm inserting or appending), I get the following error:

iptables: No chain/target/match by that name
Thanks again for all the help,

gthank

P.S. I'm using a cut-and-paste to put in the exact command I'm executing

tdemarest · Posted: Sun Feb 13, 2005 12:45 am Post subject:

I did a little of googling on this and the most promising item I found was to make sure the ipt_state option is built as a module or into your kernel. Make sure that you have the following enabled:

cd /usr/src/linux
make menuconfig (or your favorite kernel configurator)
Locate:
Device->Networking->Networking Options->Network packet filtering->IP: Netfilter Configuration->IP Tables support->

[*] Connection state match support
[*] Connection tracking match support

If not, enable, recompile, install new kernel and reboot.

gthank · n00b Joined: 08 Feb 2005 Posts: 15

Thanks! I didn't have those options enabled because they weren't listed under the iptables section until I enabled another option that said it was required for NAT/Masq. Since I'm not doing any of that, I had it disabled to avoid cluttering up the kernel. The kernel is compiling at the moment, but I'm pretty sure this will fix that problem. With a little good luck, the next time I post I'll be able to report having a fully functional server. Thanks again.

gthank
_________________
". . . from hell's heart I stab at thee; for hate's sake I spit my last breath at thee."

gthank · n00b Joined: 08 Feb 2005 Posts: 15

Everything is, to quote Chico, "lookin' good!" Thanks again for all the help everyone.

gthank
_________________
". . . from hell's heart I stab at thee; for hate's sake I spit my last breath at thee."

tdemarest · Posted: Tue Feb 15, 2005 3:40 pm Post subject:

Sounds great. Glad to hear you fixed your problem.