Thesniperofdeath n00b
Posted: Tue Jan 25, 2011 1:22 am Post subject: Shorewall firewall iptables-restore Failed |
Code: | iptables-restore: line 208 failed
ERROR: iptables-restore Failed. Input is in /var/lib/shorewall/.iptables-restore-input
/usr/share/shorewall/lib.common: line 69: 652 Terminated $SHOREWALL_SHELL $script $options $@ [ !! ] |
Contents of /var/lib/shorewall/.iptables-restore-input (the last line is line 208):
Code: | #
# Generated by Shorewall 4.4.16.1 - Mon Jan 24 17:38:30 2011
#
*raw
# NOTE(review): raw table - built-in chains only, policy ACCEPT, no rules.
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
# NOTE(review): nat table - no rules at all, so this ruleset installs no MASQUERADE/SNAT/DNAT.
# If the lan/wlan side uses private addresses it would presumably need NAT on ppp0 - confirm.
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
# NOTE(review): mangle table - every built-in chain hands off to a tc* chain; the tc* chains are
# declared below but hold no rules in this listing.
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:tcfor - [0:0]
:tcin - [0:0]
:tcout - [0:0]
:tcpost - [0:0]
:tcpre - [0:0]
-A PREROUTING -j tcpre
-A INPUT -j tcin
# Clears the low 8 bits of the packet mark (value 0 under mask 0xff) on forwarded packets.
-A FORWARD -j MARK --set-mark 0/0xff
-A FORWARD -j tcfor
-A OUTPUT -j tcout
-A POSTROUTING -j tcpost
# NOTE(review): the reported failure is at line 208 of the input file; by line count that is the
# COMMIT of the filter table further down, not this one.
COMMIT
*filter
# NOTE(review): default-deny - all three built-in chains carry policy DROP.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# User-defined chains ("-" = no policy; [0:0] = packet/byte counters).
# Chains named <src>2<dst> appear to hold the rules for one zone pair (fw, lan, net, wlan);
# the "@"-prefixed twins hold the per-pair rate limits defined later in this listing.
:@fw2lan - [0:0]
:@fw2net - [0:0]
:@fw2wlan - [0:0]
:@lan2fw - [0:0]
:@lan2net - [0:0]
:@lan2wlan - [0:0]
:@net2fw - [0:0]
:@net2lan - [0:0]
:@net2wlan - [0:0]
:@wlan2fw - [0:0]
:@wlan2lan - [0:0]
:@wlan2net - [0:0]
:Drop - [0:0]
:Reject - [0:0]
:dropBcast - [0:0]
:dropInvalid - [0:0]
:dropNotSyn - [0:0]
# "dynamic" is declared here but receives no rules anywhere in this listing.
:dynamic - [0:0]
:fw2lan - [0:0]
:fw2net - [0:0]
:fw2wlan - [0:0]
:lan2fw - [0:0]
:lan2net - [0:0]
:lan2wlan - [0:0]
:lan_frwd - [0:0]
:logdrop - [0:0]
:logreject - [0:0]
:net2fw - [0:0]
:net2lan - [0:0]
:net2wlan - [0:0]
:net_frwd - [0:0]
:reject - [0:0]
:wlan2fw - [0:0]
:wlan2lan - [0:0]
:wlan2net - [0:0]
:wlan_frwd - [0:0]
# INPUT: traffic addressed to the firewall itself.
# New/invalid packets first pass through "dynamic" (empty in this listing), then are dispatched
# by incoming interface: ppp0 -> net2fw, eth0 -> lan2fw, wlan0 -> wlan2fw.
-A INPUT -m conntrack --ctstate NEW,INVALID -j dynamic
-A INPUT -i ppp0 -j net2fw
-A INPUT -i eth0 -j lan2fw
-A INPUT -i wlan0 -j wlan2fw
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Anything arriving on an interface not listed above: filter common noise in Drop, log, then drop.
-A INPUT -j Drop
-A INPUT -j LOG --log-level 6 --log-prefix "Shorewall:INPUT:DROP:"
-A INPUT -j DROP
# FORWARD: traffic routed through the firewall, dispatched by incoming interface to *_frwd.
-A FORWARD -m conntrack --ctstate NEW,INVALID -j dynamic
# NOTE(review): the TCPMSS target needs kernel support (CONFIG_NETFILTER_XT_TARGET_TCPMSS). The
# kernel config posted with this listing shows that option as "is not set", so this rule is the
# likely reason the kernel refuses the filter table at COMMIT ("line 208 failed"). Presumably the
# rule comes from Shorewall's MSS clamping setting (CLAMPMSS in shorewall.conf) - confirm.
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i ppp0 -j net_frwd
-A FORWARD -i eth0 -j lan_frwd
-A FORWARD -i wlan0 -j wlan_frwd
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Fallthrough: filter in Reject, log, then go to the "reject" chain (-g = goto, no return).
-A FORWARD -j Reject
-A FORWARD -j LOG --log-level 6 --log-prefix "Shorewall:FORWARD:REJECT:"
-A FORWARD -g reject
# OUTPUT: traffic originated by the firewall, dispatched by outgoing interface.
-A OUTPUT -o ppp0 -j fw2net
-A OUTPUT -o eth0 -j fw2lan
-A OUTPUT -o wlan0 -j fw2wlan
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j Reject
-A OUTPUT -j LOG --log-level 6 --log-prefix "Shorewall:OUTPUT:REJECT:"
-A OUTPUT -g reject
# Rate-limit chains: a packet within the limit RETURNs to the calling chain; anything over the
# limit is dropped. In this listing they are entered only for TCP SYN packets
# (-p tcp --syn -j @<pair>), so they cap the rate of new TCP connections per zone pair.
# NOTE(review): @fw2net, @net2fw, @lan2wlan and @wlan2lan are populated here, but no rule in this
# listing jumps to them, so those four limits are never applied.
-A @fw2lan -m limit --limit 3/sec --limit-burst 3 -j RETURN
-A @fw2lan -j DROP
-A @fw2net -m limit --limit 6/sec --limit-burst 10 -j RETURN
-A @fw2net -j DROP
-A @fw2wlan -m limit --limit 3/sec --limit-burst 3 -j RETURN
-A @fw2wlan -j DROP
-A @lan2fw -m limit --limit 3/sec --limit-burst 3 -j RETURN
-A @lan2fw -j DROP
-A @lan2net -m limit --limit 3/sec --limit-burst 3 -j RETURN
-A @lan2net -j DROP
-A @lan2wlan -m limit --limit 3/sec --limit-burst 3 -j RETURN
-A @lan2wlan -j DROP
-A @net2fw -m limit --limit 6/sec --limit-burst 15 -j RETURN
-A @net2fw -j DROP
-A @net2lan -m limit --limit 10/sec --limit-burst 10 -j RETURN
-A @net2lan -j DROP
-A @net2wlan -m limit --limit 10/sec --limit-burst 10 -j RETURN
-A @net2wlan -j DROP
-A @wlan2fw -m limit --limit 3/sec --limit-burst 3 -j RETURN
-A @wlan2fw -j DROP
-A @wlan2lan -m limit --limit 3/sec --limit-burst 3 -j RETURN
-A @wlan2lan -j DROP
-A @wlan2net -m limit --limit 3/sec --limit-burst 3 -j RETURN
-A @wlan2net -j DROP
# Drop: pre-filter that runs ahead of a final DROP (used by INPUT, net2fw, lan2wlan, wlan2lan).
# Protocol numbers: 1 = ICMP, 6 = TCP, 17 = UDP.
# The first rule has no match and no target, so it decides nothing and only counts packets.
-A Drop
# TCP 113 (ident) is answered via "reject" instead of being dropped silently.
-A Drop -p 6 --dport 113 -j reject
-A Drop -j dropBcast
# ICMP fragmentation-needed (3/4) and time-exceeded (11) are accepted.
-A Drop -p 1 --icmp-type 3/4 -j ACCEPT
-A Drop -p 1 --icmp-type 11 -j ACCEPT
-A Drop -j dropInvalid
# Windows RPC/NetBIOS/SMB ports (135, 137-139, 445) and UDP 1900 (SSDP) are dropped here,
# i.e. before the caller's LOG rule where one follows.
-A Drop -p 17 -m multiport --dports 135,445 -j DROP
-A Drop -p 17 --dport 137:139 -j DROP
-A Drop -p 17 --dport 1024:65535 --sport 137 -j DROP
-A Drop -p 6 -m multiport --dports 135,139,445 -j DROP
-A Drop -p 17 --dport 1900 -j DROP
-A Drop -p 6 -j dropNotSyn
# UDP with source port 53 (DNS replies that matched no tracked connection) is dropped.
-A Drop -p 17 --sport 53 -j DROP
# Reject: same structure as Drop, but the RPC/NetBIOS/SMB ports go to "reject" so the sender
# gets an error; used ahead of the final reject in FORWARD, OUTPUT and fw2net.
-A Reject
-A Reject -p 6 --dport 113 -j reject
-A Reject -j dropBcast
-A Reject -p 1 --icmp-type 3/4 -j ACCEPT
-A Reject -p 1 --icmp-type 11 -j ACCEPT
-A Reject -j dropInvalid
-A Reject -p 17 -m multiport --dports 135,445 -j reject
-A Reject -p 17 --dport 137:139 -j reject
-A Reject -p 17 --dport 1024:65535 --sport 137 -j reject
-A Reject -p 6 -m multiport --dports 135,139,445 -j reject
-A Reject -p 17 --dport 1900 -j DROP
-A Reject -p 6 -j dropNotSyn
-A Reject -p 17 --sport 53 -j DROP
# Helpers: drop broadcast/multicast destinations, conntrack-INVALID packets, and TCP packets
# that are not a connection-opening SYN.
-A dropBcast -m addrtype --dst-type BROADCAST -j DROP
-A dropBcast -d 224.0.0.0/4 -j DROP
-A dropInvalid -m conntrack --ctstate INVALID -j DROP
-A dropNotSyn -p 6 ! --syn -j DROP
# Per-zone-pair chains. Most open with an ESTABLISHED,RELATED accept; the last rule of each
# chain is the effective policy for that pair.
# fw -> lan: DHCP (UDP 67-68) allowed, new TCP connections rate-limited, everything else ACCEPT.
-A fw2lan -p udp --dport 67:68 -j ACCEPT
-A fw2lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw2lan -p tcp --syn -j @fw2lan
-A fw2lan -j ACCEPT
# fw -> net: only replies are allowed; every new connection from the firewall out ppp0 is
# rejected (that would include its own DNS lookups and downloads) - confirm this is intended.
-A fw2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw2net -j Reject
-A fw2net -g reject
-A fw2wlan -p udp --dport 67:68 -j ACCEPT
-A fw2wlan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw2wlan -p tcp --syn -j @fw2wlan
-A fw2wlan -j ACCEPT
# lan -> fw: everything accepted (new TCP connections rate-limited).
-A lan2fw -p udp --dport 67:68 -j ACCEPT
-A lan2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A lan2fw -p tcp --syn -j @lan2fw
-A lan2fw -j ACCEPT
-A lan2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A lan2net -p tcp --syn -j @lan2net
-A lan2net -j ACCEPT
# lan -> wlan: dropped without logging.
-A lan2wlan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A lan2wlan -j Drop
-A lan2wlan -j DROP
-A lan_frwd -o ppp0 -j lan2net
-A lan_frwd -o wlan0 -j lan2wlan
# NOTE(review): --log-level 0 is the kernel's emergency level, while the built-in chains above log
# at level 6 (info). No rule in this listing jumps to logdrop/logreject, but confirm the level.
-A logdrop -j LOG --log-level 0 --log-prefix "Shorewall:logdrop:DROP:"
-A logdrop -j DROP
-A logreject -j LOG --log-level 0 --log-prefix "Shorewall:logreject:REJECT:"
-A logreject -j reject
# net -> fw: only replies accepted; everything else dropped without logging.
-A net2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2fw -j Drop
-A net2fw -j DROP
# NOTE(review): net -> lan and net -> wlan end in ACCEPT. New connections arriving on ppp0
# (presumably the Internet-facing link) and routed to eth0 or wlan0 are therefore allowed, with
# only the TCP SYN rate limited. If that is not deliberate, the net->lan and net->wlan policies
# should be DROP or REJECT, with explicit rules for any service that must be reachable.
-A net2lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2lan -p tcp --syn -j @net2lan
-A net2lan -j ACCEPT
-A net2wlan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A net2wlan -p tcp --syn -j @net2wlan
-A net2wlan -j ACCEPT
-A net_frwd -o eth0 -j net2lan
-A net_frwd -o wlan0 -j net2wlan
# reject: never answers broadcast/multicast sources or IGMP (protocol 2); TCP gets a RST, UDP the
# default REJECT reply, ICMP host-unreachable, anything else host-prohibited.
-A reject -m addrtype --src-type BROADCAST -j DROP
-A reject -s 224.0.0.0/4 -j DROP
-A reject -p 2 -j DROP
-A reject -p 6 -j REJECT --reject-with tcp-reset
-A reject -p 17 -j REJECT
-A reject -p 1 -j REJECT --reject-with icmp-host-unreachable
-A reject -j REJECT --reject-with icmp-host-prohibited
# wlan -> fw: everything accepted (new TCP connections rate-limited), same as lan -> fw.
# NOTE(review): if wlan0 is a wireless segment, consider whether it should reach every service
# on the firewall - confirm the intended wlan->fw policy.
-A wlan2fw -p udp --dport 67:68 -j ACCEPT
-A wlan2fw -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A wlan2fw -p tcp --syn -j @wlan2fw
-A wlan2fw -j ACCEPT
# wlan -> lan: dropped without logging.
-A wlan2lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A wlan2lan -j Drop
-A wlan2lan -j DROP
-A wlan2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A wlan2net -p tcp --syn -j @wlan2net
-A wlan2net -j ACCEPT
-A wlan_frwd -o ppp0 -j wlan2net
-A wlan_frwd -o eth0 -j wlan2lan
COMMIT |
Kernel Config
Code: | #
# Networking options
#
# Reading this file: "=y" is built into the kernel, "=m" is built as a loadable module, and
# "# CONFIG_... is not set" means the feature is not available in this kernel at all.
CONFIG_PACKET=y
CONFIG_UNIX=y
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
# CONFIG_XFRM_STATISTICS is not set
CONFIG_XFRM_IPCOMP=m
CONFIG_NET_KEY=m
# CONFIG_NET_KEY_MIGRATE is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
CONFIG_IP_PNP_BOOTP=y
CONFIG_IP_PNP_RARP=y
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
CONFIG_NET_IPGRE_BROADCAST=y
CONFIG_IP_MROUTE=y
CONFIG_IP_MROUTE_MULTIPLE_TABLES=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
# CONFIG_ARPD is not set
# NOTE(review): without SYN cookies the kernel cannot fall back to them under a SYN flood
# (net.ipv4.tcp_syncookies has nothing to enable); worth turning on for a firewall host.
# CONFIG_SYN_COOKIES is not set
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_LRO=y
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_TCP_CONG_ADVANCED=y
CONFIG_TCP_CONG_BIC=m
CONFIG_TCP_CONG_CUBIC=y
CONFIG_TCP_CONG_WESTWOOD=m
CONFIG_TCP_CONG_HTCP=m
# CONFIG_TCP_CONG_HSTCP is not set
# CONFIG_TCP_CONG_HYBLA is not set
# CONFIG_TCP_CONG_VEGAS is not set
# CONFIG_TCP_CONG_SCALABLE is not set
# CONFIG_TCP_CONG_LP is not set
# CONFIG_TCP_CONG_VENO is not set
# CONFIG_TCP_CONG_YEAH is not set
# CONFIG_TCP_CONG_ILLINOIS is not set
CONFIG_DEFAULT_CUBIC=y
# CONFIG_DEFAULT_RENO is not set
CONFIG_DEFAULT_TCP_CONG="cubic"
# CONFIG_TCP_MD5SIG is not set
# No IPv6 stack in this kernel, so only the IPv4 ruleset is relevant on this host.
# CONFIG_IPV6 is not set
CONFIG_NETWORK_SECMARK=y
# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
#
# Core Netfilter Configuration
#
# Connection tracking and the xtables core are modules (=m); no conntrack protocol helpers
# (FTP, SIP, ...) are enabled.
CONFIG_NETFILTER_NETLINK=m
# CONFIG_NETFILTER_NETLINK_QUEUE is not set
# CONFIG_NETFILTER_NETLINK_LOG is not set
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NF_CONNTRACK_EVENTS=y
# CONFIG_NF_CT_PROTO_DCCP is not set
# CONFIG_NF_CT_PROTO_SCTP is not set
# CONFIG_NF_CT_PROTO_UDPLITE is not set
# CONFIG_NF_CONNTRACK_AMANDA is not set
# CONFIG_NF_CONNTRACK_FTP is not set
# CONFIG_NF_CONNTRACK_H323 is not set
# CONFIG_NF_CONNTRACK_IRC is not set
# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
# CONFIG_NF_CONNTRACK_PPTP is not set
# CONFIG_NF_CONNTRACK_SANE is not set
# CONFIG_NF_CONNTRACK_SIP is not set
# CONFIG_NF_CONNTRACK_TFTP is not set
CONFIG_NF_CT_NETLINK=m
# CONFIG_NETFILTER_TPROXY is not set
CONFIG_NETFILTER_XTABLES=m
#
# Xtables combined modules
#
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
#
# Xtables targets
#
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
# CONFIG_NETFILTER_XT_TARGET_CONNSECMARK is not set
# CONFIG_NETFILTER_XT_TARGET_CT is not set
# CONFIG_NETFILTER_XT_TARGET_DSCP is not set
CONFIG_NETFILTER_XT_TARGET_HL=m
# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
# CONFIG_NETFILTER_XT_TARGET_LED is not set
# MARK is the target used by the posted mangle table (-j MARK --set-mark 0/0xff).
CONFIG_NETFILTER_XT_TARGET_MARK=m
# CONFIG_NETFILTER_XT_TARGET_NFLOG is not set
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set
# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
# CONFIG_NETFILTER_XT_TARGET_TEE is not set
CONFIG_NETFILTER_XT_TARGET_TRACE=m
# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set
# NOTE(review): the posted ruleset's FORWARD chain uses "-j TCPMSS --clamp-mss-to-pmtu", which
# needs this target in the kernel. With it unset the kernel is likely to refuse the whole filter
# table at COMMIT, which would match the "iptables-restore: line 208 failed" error. Enable it
# (=m or =y) and rebuild, or turn off MSS clamping in the Shorewall configuration.
# CONFIG_NETFILTER_XT_TARGET_TCPMSS is not set
# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
#
# Xtables matches
#
# The matches the posted ruleset loads with -m from this section (conntrack, limit, multiport)
# are all present as modules; addrtype is configured in the IPv4 netfilter section.
# CONFIG_NETFILTER_XT_MATCH_CLUSTER is not set
# CONFIG_NETFILTER_XT_MATCH_COMMENT is not set
# CONFIG_NETFILTER_XT_MATCH_CONNBYTES is not set
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
# CONFIG_NETFILTER_XT_MATCH_CPU is not set
# CONFIG_NETFILTER_XT_MATCH_DCCP is not set
# CONFIG_NETFILTER_XT_MATCH_DSCP is not set
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
# CONFIG_NETFILTER_XT_MATCH_HELPER is not set
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
# CONFIG_NETFILTER_XT_MATCH_MAC is not set
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
# CONFIG_NETFILTER_XT_MATCH_OSF is not set
CONFIG_NETFILTER_XT_MATCH_OWNER=m
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
# CONFIG_NETFILTER_XT_MATCH_PKTTYPE is not set
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
# CONFIG_NETFILTER_XT_MATCH_REALM is not set
# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
# CONFIG_NETFILTER_XT_MATCH_SCTP is not set
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
CONFIG_NETFILTER_XT_MATCH_STRING=m
# CONFIG_NETFILTER_XT_MATCH_TCPMSS is not set
# CONFIG_NETFILTER_XT_MATCH_TIME is not set
# CONFIG_NETFILTER_XT_MATCH_U32 is not set
# CONFIG_IP_VS is not set
#
# IP: Netfilter Configuration
#
# IPv4 iptables pieces. The filter/mangle/raw/nat tables and the addrtype match, REJECT and LOG
# targets used by the posted ruleset are all enabled here as modules (=m), so they must be
# installed and loadable for the running kernel.
CONFIG_NF_DEFRAG_IPV4=m
CONFIG_NF_CONNTRACK_IPV4=m
# CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
# NAT and MASQUERADE are available, although the posted nat table contains no rules.
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_NF_NAT_SNMP_BASIC=m
# CONFIG_NF_NAT_FTP is not set
# CONFIG_NF_NAT_IRC is not set
# CONFIG_NF_NAT_TFTP is not set
# CONFIG_NF_NAT_AMANDA is not set
# CONFIG_NF_NAT_PPTP is not set
# CONFIG_NF_NAT_H323 is not set
# CONFIG_NF_NAT_SIP is not set
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_RAW=m
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
# CONFIG_IP_DCCP is not set
CONFIG_IP_SCTP=m
# CONFIG_SCTP_DBG_MSG is not set
# CONFIG_SCTP_DBG_OBJCNT is not set
# CONFIG_SCTP_HMAC_NONE is not set
# CONFIG_SCTP_HMAC_SHA1 is not set
CONFIG_SCTP_HMAC_MD5=y
# CONFIG_RDS is not set
# CONFIG_TIPC is not set
CONFIG_ATM=m
CONFIG_ATM_CLIP=m
# CONFIG_ATM_CLIP_NO_ICMP is not set
CONFIG_ATM_LANE=m
CONFIG_ATM_MPOA=m
CONFIG_ATM_BR2684=m
# CONFIG_ATM_BR2684_IPFILTER is not set
# CONFIG_L2TP is not set
# CONFIG_BRIDGE is not set
# CONFIG_NET_DSA is not set
CONFIG_VLAN_8021Q=m
# CONFIG_VLAN_8021Q_GVRP is not set
# CONFIG_DECNET is not set
# CONFIG_LLC2 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_PHONET is not set
# CONFIG_IEEE802154 is not set
# CONFIG_NET_SCHED is not set
# CONFIG_DCB is not set
CONFIG_DNS_RESOLVER=y
CONFIG_RPS=y |
Am I missing a module?