bad argument '*mangle' with iptables

Hey all,

I'm getting the error message "Bad argument '*mangle'" when I try "iptables-restore < /etc/iptables.rules" from the shell. Does anyone know what the problem could be?

If I comment out the '*mangle' section completely, I get the error message "Bad argument '*filter'". It's probably some stupid syntax typo that I can't see (hopefully :p).

My iptables.rules file is below.

BTW, this file has been manually created with nano and not generated with iptables-save. I'm a bit of a noob when it comes to iptables, still learning :p

Thanks,

Colin-uk :)

###### pre-routing ######
*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633]
# every table block must be closed with COMMIT before the next *table line
COMMIT

###### block/confuse port scans ######
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT

###### block everything (incoming, outgoing and forwarded) ######
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0] 
:OUTPUT DROP [0:0]
:icmp_packets - [0:0]

###### allow connections from local machine ######
-A INPUT -s 127.0.0.1 -j ACCEPT

###### allow all existing (established) or related incoming connections ######
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

###### OpenVPN Specific rules ######

#accept all incoming connections on the tun interface
-A INPUT -i tun+ -j ACCEPT

#accept all incoming connections on the tap interface
-A INPUT -i tap+ -j ACCEPT

#accept all forwarded connections on the tun interface
-A FORWARD -i tun+ -j ACCEPT

#accept all forwarded connections on the tap interface
-A FORWARD -i tap+ -j ACCEPT

###### open these incoming ports ######

#FTP Data Control
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT

#FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

#Bitlbee
-A INPUT -p tcp -m tcp --dport 6667 -j ACCEPT

#psyBNC
-A INPUT -p tcp -m tcp --dport 6668 -j ACCEPT

#SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

#SMTP over SSL (&TLS)
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

#DNS
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

#HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

#POP3
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT

#POP3 over SSL (&TLS)
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

#IMAP
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT

#IMAP over SSL (&TLS)
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

#SSL
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

#MYSQL
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

###### block icmp pings & log dropped packets ######
-A INPUT -s 127.0.0.1 -j ACCEPT 
-A INPUT -p icmp -j icmp_packets 
-A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7 

###### allow all existing (established) or related outgoing connections ######
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

###### open these outgoing ports ######
#FTP Data Control
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT

#FTP
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT

#Bitlbee
-A OUTPUT -p tcp -m tcp --dport 6667 -j ACCEPT

#psyBNC
-A OUTPUT -p tcp -m tcp --dport 6668 -j ACCEPT

#SMTP
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT

#SMTP over SSL (&TLS)
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT

#DNS
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT

#HTTP
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

#POP3
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT

#POP3 over SSL (&TLS)
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT

#IMAP
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT

#IMAP over SSL (&TLS)
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT

#SSL
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

#MYSQL
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT

###### block icmp pings and log dropped packets ######
-A OUTPUT -d 127.0.0.1 -j ACCEPT 
-A OUTPUT -p icmp -j icmp_packets 
-A OUTPUT -j LOG --log-prefix "IPTABLES-OUT Default Drop: " --log-level 7 

-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A icmp_packets -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP 
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT

###### allow all existing (established) and related forwarded connections ######
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

https://www.neowin.net/forum/topic/665456-bad-argument-mangle-with-iptables/
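iptables-restore requires every table block to end with COMMIT. Without it the parser is still inside the *nat table when it reaches the *mangle line, so that token is handed to the rule parser as an argument, which is exactly what produces "Bad argument '*mangle'" (and "Bad argument '*filter'" once the mangle section is removed). The checker below is an added example, not part of the original post: it walks a rules file offline and reports the structural mistakes that trip iptables-restore, using only the Python standard library and a constructed sample that mirrors the posted file.

```python
# Added example, not from the original post: an offline structural check of an
# iptables-restore file, encoding the documented format: '*table' opens a table,
# ':CHAIN POLICY [pkts:bytes]' declares a chain, '-A CHAIN ...' appends a rule,
# and each table must be closed by COMMIT before the next '*table' or EOF.
import re

# Constructed sample with the same defects as the posted file: no COMMIT after
# *nat and *mangle, a DNS rule pairing -p udp with -m tcp, and a rule appended
# to a chain that was never declared.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m tcp --dport 53 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
COMMIT
"""

def lint_rules(text):
    """Return human-readable problems; an empty list means the structure is OK."""
    problems, table, chains = [], None, set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and comments are skipped
        if line.startswith("*"):           # a new table; the previous one must be committed
            if table is not None:
                problems.append(f"line {lineno}: *{table} not closed with COMMIT before {line}")
            table, chains = line[1:], set()
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):         # chain declaration ':NAME POLICY [pkts:bytes]'
            chains.add(line.split()[0][1:])
        elif line.startswith("-A "):
            chain = line.split()[1]
            if chain not in chains:
                problems.append(f"line {lineno}: rule appended to undeclared chain {chain}")
            proto = re.search(r"\s-p (\S+)", line)
            match = re.search(r"\s-m (tcp|udp)\b", line)
            if proto and match and proto.group(1) != match.group(1):
                problems.append(f"line {lineno}: -m {match.group(1)} used with -p {proto.group(1)}")
    if table is not None:
        problems.append(f"end of file: *{table} not closed with COMMIT")
    return problems

print("\n".join(lint_rules(SAMPLE)) or "no structural problems found")
```

On a real host, `iptables-restore --test < /etc/iptables.rules` performs the authoritative parse without touching the live ruleset, so a file can be checked before it is loaded.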
