keratos68 Guru
Joined: 27 Dec 2002 Posts: 561 Location: Blackpool, Lancashire, UK.
Posted: Thu Jan 16, 2003 4:41 pm Post subject: IPTABLES command gives invalid argument. |
I have a problem with iptables. I've compiled iptables into the (WOLK) kernel (2.4.18-wolk3. and built most (not the EXPERIMENTAL) drivers as modules.
So, this is my set of modules:
Code:
dazzle68 netfilter # ls /lib/modules/2.4.18-wolk3.8/kernel/net/ipv4/netfilter/
ip_conntrack.o ipt_MARK.o ipt_ah.o ipt_psd.o
ip_conntrack_ftp.o ipt_MASQUERADE.o ipt_conntrack.o ipt_random.o
ip_conntrack_irc.o ipt_NETLINK.o ipt_dscp.o ipt_recent.o
ip_conntrack_rpc_tcp.o ipt_NETMAP.o ipt_esp.o ipt_record_rpc.o
ip_conntrack_rpc_udp.o ipt_POOL.o ipt_helper.o ipt_state.o
ip_conntrack_talk.o ipt_REDIRECT.o ipt_iplimit.o ipt_stealth.o
ip_nat_ftp.o ipt_REJECT.o ipt_isdev.o ipt_tcpmss.o
ip_nat_irc.o ipt_RMARK.o ipt_length.o ipt_tos.o
ip_nat_talk.o ipt_SAME.o ipt_limit.o ipt_ttl.o
ip_pool.o ipt_SMASQ.o ipt_mac.o iptable_filter.o
ip_tables.o ipt_TCPMSS.o ipt_mark.o iptable_mangle.o
ipt_DSCP.o ipt_TOS.o ipt_mport.o iptable_nat.o
ipt_IMQ.o ipt_TPROXY.o ipt_multiport.o iptable_tproxy.o
ipt_IPV4OPTSSTRIP.o ipt_TTL.o ipt_nth.o
ipt_LOG.o ipt_ULOG.o ipt_pool.o
And this is my loaded module list:
Code:
dazzle68 netfilter # lsmod
Module Size Used by Tainted: P
ipt_REDIRECT 792 0 (unused)
iptable_nat 17336 0 [ipt_REDIRECT]
sr_mod 15544 0 (autoclean)
cdrom 31104 0 (autoclean) [sr_mod]
floppy 51264 0 (autoclean)
nvidia 1468928 10 (autoclean)
ipt_REJECT 3128 0 (autoclean)
serial 49252 0 (autoclean)
ip_conntrack_ftp 4112 0 (unused)
ip_conntrack_irc 2896 0 (unused)
parport_pc 27880 1 (autoclean)
lp 6784 0 (autoclean)
parport 26816 1 (autoclean) [parport_pc lp]
ipt_LOG 3544 6 (autoclean)
ipt_limit 984 6 (autoclean)
ipt_state 568 28 (autoclean)
ip_conntrack 24864 4 (autoclean) [ipt_REDIRECT iptable_nat ip_conntrack_ftp ip_conntrack_irc ipt_state]
iptable_filter 1740 1 (autoclean)
ip_tables 12152 9 [ipt_REDIRECT iptable_nat ipt_REJECT ipt_LOG ipt_limit ipt_state iptable_filter]
af_packet 14924 1 (autoclean)
rtc 7936 0 (autoclean)
usbcore 63200 1
snd-pcm-oss 37540 0 (unused)
snd-mixer-oss 10584 1 [snd-pcm-oss]
snd-fm801 8812 1
snd-pcm 54944 0 [snd-pcm-oss snd-fm801]
snd-mpu401-uart 3456 0 [snd-fm801]
snd-rawmidi 13984 0 [snd-mpu401-uart]
snd-opl3-lib 6372 0 [snd-fm801]
snd-seq-device 3884 0 [snd-rawmidi snd-opl3-lib]
snd-timer 11368 0 [snd-pcm snd-opl3-lib]
snd-hwdep 3808 0 [snd-opl3-lib]
snd-ac97-codec 26820 0 [snd-fm801]
snd 28100 0 [snd-pcm-oss snd-mixer-oss snd-fm801 snd-pcm snd-mpu401-uart snd-rawmidi snd-opl3-lib snd-seq-device snd-timer snd-hwdep snd-ac97-codec]
khttpd 22752 1
ide-scsi 8752 0
scsi_mod 93976 2 [sr_mod ide-scsi]
8139too 15528 1
mii 1232 0 [8139too]
unix 18024 199 (autoclean)
This is setting up a chain:
Code:
dazzle68 root # sh -x /etc/rc.firewall
+ DISABLE_GUARDDOG=0
+ test -z
+ GUARDDOG_VERBOSE=0
+ '[' 0 -eq 0 ']'
+ PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/sbin
+ FILTERSYS=0
+ '[' -e /sbin/ipchains ']'
+ '[' -e /usr/sbin/ipchains ']'
+ '[' -e /usr/local/sbin/ipchains ']'
+ '[' -e /proc/sys/kernel/osrelease ']'
++ sed 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/'
+ KERNEL_VERSION=2.4
+ '[' 2.4 == 2.5 ']'
+ '[' 2.4 == 2.4 ']'
+ '[' -e /sbin/iptables ']'
+ FILTERSYS=2
+ '[' -e /usr/sbin/iptables ']'
+ '[' -e /usr/local/sbin/iptables ']'
+ FILTERSYS=2
+ '[' 2 -eq 0 ']'
+ '[' 2 -eq 1 ']'
+ '[' 2 -eq 2 ']'
+ logger -p auth.info -t guarddog Configuring iptables firewall now.
+ '[' 0 -eq 1 ']'
+ '[' 0 -eq 1 ']'
+ iptables -P FORWARD DROP
+ iptables -P INPUT DROP
+ iptables -P OUTPUT DROP
+ iptables -F
+ iptables -X
+ '[' 0 -eq 1 ']'
+ modprobe ip_conntrack_irc
+ modprobe ip_conntrack_ftp
+ '[' 0 -eq 1 ']'
+ echo 1
+ echo 1
+ test -e /proc/sys/net/ipv4/tcp_syncookies
+ echo 0
+ echo 0
+ echo 1
+ echo 1
+ echo 1
+ echo 1
+ echo '1024 5999'
+ '[' 0 -eq 1 ']'
+ iptables -N logdrop2
+ iptables -A logdrop2 -j LOG --log-prefix 'DROPPED ' --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
+ iptables -A logdrop2 -j DROP
+ iptables -N logdrop
+ iptables -A logdrop -m limit --limit 1/second --limit-burst 10 -j logdrop2
+ iptables -A logdrop -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix 'LIMITED ' --log-level 4
+ iptables -A logdrop -j DROP
+ iptables -N logreject2
+ iptables -A logreject2 -j LOG --log-prefix 'REJECTED ' --log-level 4 --log-ip-options --log-tcp-options --log-tcp-sequence
+ iptables -A logreject2 -p tcp -j REJECT --reject-with tcp-reset
iptables: Invalid argument
+ iptables -A logreject2 -p udp -j REJECT --reject-with icmp-port-unreachable
iptables: Invalid argument
+ iptables -A logreject2 -j DROP
+ iptables -N logreject
+ iptables -A logreject -m limit --limit 1/second --limit-burst 10 -j logreject2
+ iptables -A logreject -m limit --limit 2/minute --limit-burst 1 -j LOG --log-prefix 'LIMITED ' --log-level 4
+ iptables -A logreject -p tcp -j REJECT --reject-with tcp-reset
iptables: Invalid argument
+ iptables -A logreject -p udp -j REJECT --reject-with icmp-port-unreachable
iptables: Invalid argument
...
...
...
The "-j REJECT ..." seems to be the problem; I've modprobed the ipt_REJECT.o module to no avail?
BTW,
Code:
dazzle68 root # iptables --version
iptables v1.2.7a
I've tried unloading and loading certain combinations of modules; however, I'm an "iptables" newbie, so any assist from you gurus would be MTW!!
Any ideas guys?
TIA
_________________
Someone told me that "..they only ever made one mistake...."
...and that's when they said they were wrong!!
gumbootcha n00b
Joined: 23 Apr 2002 Posts: 5 Location: Philippines
Posted: Sat Jan 18, 2003 3:42 pm Post subject: |
I also get the same message but with the -j MASQUERADE option...
I've also compiled iptables, etc. into the kernel. I tried compiling them as modules but it still doesn't work... I wonder if the iptables program is the problem?
FuzzeX Tux's lil' helper
Joined: 08 Jan 2003 Posts: 96
Posted: Sat Jan 18, 2003 9:26 pm Post subject: |
Hmm, I'm by no means a guru, but for some reason I have a fondness for IPtables scripts.
All of your arguments seem to be correct. My initial suggestion might be to try replacing your tcp and udp with TCP and UDP. I don't think that IPtables is case sensitive here, but it would take two seconds and if it doesn't work oh well.
Next is really just troubleshooting it. Try replacing those lines with something like:
Code:
iptables -A logreject -j REJECT
If that works great, try adding:
Code:
iptables -A logreject -p tcp -j REJECT
And then replace with your original line. I'm not sure if this will fix it, but it might shed some more light so people more competent than I could tell you what's wrong.
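The thread does not reach a fix, but all three posts circle the same first question: is the kernel side of the failing rule actually there? The script below is an added example, not code from the thread or from Guarddog. It maps a rule's `-t` table, `-m` matches and `-j` target to the 2.4-era module names (`iptable_<table>`, `ipt_<match>`, `ipt_<TARGET>`) and reports whether each is loaded, merely built, or absent, which is the distinction keratos68's and gumbootcha's cases turn on. The `lsmod` and module-directory listings are constructed from the output quoted above (trimmed to a few lines); on a real box you would feed it the live `lsmod` and `ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/` instead. Two things are assumptions of mine rather than facts from the thread: the list of targets that need no module, and the heuristic that an all-caps target is an extension while anything else is a user-defined chain.

```shell
#!/bin/sh
# Added example: which netfilter module does each part of an iptables rule
# need, and is that module loaded on this (2.4-era) kernel?

# Constructed from the thread's `lsmod` output, trimmed to the netfilter lines.
LSMOD_SAMPLE='Module Size Used by Tainted: P
ipt_REDIRECT 792 0 (unused)
iptable_nat 17336 0 [ipt_REDIRECT]
ipt_REJECT 3128 0 (autoclean)
ip_conntrack_ftp 4112 0 (unused)
ipt_LOG 3544 6 (autoclean)
ipt_limit 984 6 (autoclean)
ipt_state 568 28 (autoclean)
ip_conntrack 24864 4 (autoclean) [ipt_REDIRECT iptable_nat ip_conntrack_ftp ipt_state]
iptable_filter 1740 1 (autoclean)
ip_tables 12152 9 [ipt_REDIRECT iptable_nat ipt_REJECT ipt_LOG ipt_limit ipt_state iptable_filter]'

# Constructed from the thread's module-directory listing, trimmed.
BUILT_SAMPLE='ip_conntrack.o ipt_MARK.o ipt_ah.o ipt_psd.o
ip_conntrack_ftp.o ipt_MASQUERADE.o ipt_conntrack.o ipt_random.o
ip_nat_ftp.o ipt_REJECT.o ipt_isdev.o ipt_tcpmss.o
ip_tables.o ipt_TCPMSS.o ipt_mark.o iptable_nat.o
ipt_LOG.o ipt_ULOG.o ipt_pool.o'

# module_state NAME -> prints "loaded", "built" (object file present but not
# in lsmod, so modprobe would help) or "missing" (not compiled at all).
module_state() {
    if printf '%s\n' "$LSMOD_SAMPLE" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'; then
        echo loaded
    elif printf '%s\n' "$BUILT_SAMPLE" | tr ' ' '\n' | grep -qxF "$1.o"; then
        echo built
    else
        echo missing
    fi
}

# rule_modules ARGS... -> prints the module each -t / -m / -j needs, one per line.
# Walks the argument list pairwise, looking only at option+value pairs.
rule_modules() {
    while [ $# -gt 1 ]; do
        case "$1" in
            -t) echo "iptable_$2" ;;
            -m) echo "ipt_$2" ;;
            -j) case "$2" in
                    ACCEPT|DROP|RETURN|QUEUE) ;;   # assumption: built into ip_tables itself
                    *[!A-Z_]*) ;;                  # assumption: not all-caps => user-defined chain
                    *) echo "ipt_$2" ;;
                esac ;;
        esac
        shift
    done
}

# check_rule ARGS... -> reports each required module's state; exit 0 only if
# every one is loaded, so a non-zero status means the rule cannot work yet.
check_rule() {
    rc=0
    for mod in $(rule_modules "$@"); do
        state=$(module_state "$mod")
        echo "$mod: $state"
        [ "$state" = loaded ] || rc=1
    done
    return $rc
}

# Demonstration on the constructed listings: the REJECT rule from the first
# post, and a MASQUERADE rule like the one in the second post.
check_rule -A logreject2 -p tcp -j REJECT --reject-with tcp-reset || true
check_rule -t nat -A POSTROUTING -o eth0 -j MASQUERADE || true
```

Run against the first post's rule it reports `ipt_REJECT: loaded`, which agrees with the quoted `lsmod` and so rules out a missing module; whatever is returning "Invalid argument" there is something this check cannot see, such as the iptables 1.2.7a binary and the patched kernel disagreeing about the REJECT target. A `-j MASQUERADE` rule checked against the same listings comes back `ipt_MASQUERADE: built`, the one outcome that a plain `modprobe` fixes directly. Doing this before FuzzeX's option-by-option narrowing saves the iterations that would otherwise be spent rediscovering which module a rule depends on.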