Colin-uk (Veteran), posted September 4, 2008

Hey all, I'm getting the error message "Bad argument '*mangle'" when I try "iptables-restore < /etc/iptables.rules" from the shell. Does anyone know what the problem could be? If I comment out the '*mangle' section completely then I get the error message "Bad argument '*filter'". It's probably some stupid syntax typo that I can't see (hopefully :p). My iptables.rules file is below. BTW, this file has been manually created with nano and not generated with iptables-save; I'm a bit of a noob when it comes to iptables, still learning :p

Thanks, Colin-uk :)

###### pre-routing ######
*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633]

###### block/confuse port scans ######
*mangle
:PREROUTING ACCEPT [444:43563]
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198]
:POSTROUTING ACCEPT [402:144198]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

###### block everything (incoming, outgoing and forwarded) ######
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmp_packets - [0:0]

###### allow connections from local machine ######
-A INPUT -s 127.0.0.1 -j ACCEPT

###### allow all existing (established) or related incoming connections ######
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

###### OpenVPN Specific rules ######
#accept all incoming connections on the tun interface
-A INPUT -i tun+ -j ACCEPT
#accept all incoming connections on the tap interface
-A INPUT -i tap+ -j ACCEPT
#accept all forwarded connections on the tun interface
-A FORWARD -i tun+ -j ACCEPT
#accept all forwarded connections on the tap interface
-A FORWARD -i tap+ -j ACCEPT

###### open these incoming ports ######
#FTP Data Control
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
#FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
#Bitlbee
-A INPUT -p tcp -m tcp --dport 6667 -j ACCEPT
#psyBNC
-A INPUT -p tcp -m tcp --dport 6668 -j ACCEPT
#SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
#SMTP over SSL (&TLS)
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
#DNS
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
#HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#POP3
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
#POP3 over SSL (&TLS)
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
#IMAP
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
#IMAP over SSL (&TLS)
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
#SSL
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#MYSQL
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

###### block icmp pings & log dropped packets ######
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7

###### allow all existing (established) or related outgoing connections ######
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

###### open these outgoing ports ######
#FTP Data Control
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
#FTP
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
#Bitlbee
-A OUTPUT -p tcp -m tcp --dport 6667 -j ACCEPT
#psyBNC
-A OUTPUT -p tcp -m tcp --dport 6668 -j ACCEPT
#SMTP
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT
#SMTP over SSL (&TLS)
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT
#DNS
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
#HTTP
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
#POP3
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT
#POP3 over SSL (&TLS)
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT
#IMAP
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT
#IMAP over SSL (&TLS)
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT
#SSL
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
#MYSQL
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT

###### block icmp pings and log dropped packets ######
-A OUTPUT -d 127.0.0.1 -j ACCEPT
-A OUTPUT -p icmp -j icmp_packets
-A OUTPUT -j LOG --log-prefix "IPTABLES-OUT Default Drop: " --log-level 7
-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A icmp_packets -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT

###### allow all existing (established) and related forwarded connections ######
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
Our Giant, posted October 15, 2008

Colin, try adding a 'COMMIT' statement at the end of each table definition.
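As an added illustration of why the reply above fixes the error (this is example code, not from either poster): iptables-restore reads its input one table at a time. A '*table' line opens a table, ':CHAIN' lines declare chains, '-A' lines append rules, and COMMIT closes the table. Until COMMIT is seen, every non-comment line is handed to the rule parser, so a second '*table' line inside a still-open table is reported as a bad rule argument, which is the "Bad argument '*mangle'" symptom in the question. The checker below parses a hand-written rules file offline, reports each table that is not closed with COMMIT, rules for chains that were never declared in their table, and a '-p udp' paired with '-m tcp' (the tcp match is only valid for tcp), and shows the fix from the reply being applied. The sample rules file is constructed for the example.

```python
"""Structural checker for a hand-written iptables-restore file (added example)."""
import re
from typing import List

TABLE_RE = re.compile(r"^\*([a-z]+)$")
CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)(?:\s+\[\d+:\d+\])?$")
RULE_RE = re.compile(r"^-[AI]\s+(\S+)")

# Constructed sample with the same shape as the file in the question: the nat and
# mangle tables are never closed with COMMIT, and one DNS rule pairs -p udp with -m tcp.
SAMPLE_BROKEN = """\
# constructed sample, not a real rule set
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:icmp_packets - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m tcp --dport 53 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
COMMIT
"""


def _proto_mismatch(tokens: List[str]) -> bool:
    """True when '-p tcp/udp' is combined with the other protocol's '-m' match."""
    proto = None
    matches = []
    for i, tok in enumerate(tokens[:-1]):
        if tok in ("-p", "--protocol") and tokens[i + 1] in ("tcp", "udp"):
            proto = tokens[i + 1]
        elif tok in ("-m", "--match"):
            matches.append(tokens[i + 1])
    return proto is not None and any(m in ("tcp", "udp") and m != proto for m in matches)


def check_restore_file(text: str) -> List[str]:
    """Return a list of problems; an empty list means the file is structurally sound."""
    problems: List[str] = []
    table = None        # name of the table currently open, or None
    chains = set()      # chains declared in the open table
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "COMMIT":
            if table is None:
                problems.append(f"line {lineno}: COMMIT outside any table")
            table, chains = None, set()
            continue
        m = TABLE_RE.match(line)
        if m:
            if table is not None:
                # This is the case from the question: iptables-restore would try to
                # parse '*mangle' as a rule and report "Bad argument '*mangle'".
                problems.append(f"line {lineno}: table '{table}' not closed with COMMIT "
                                f"before '*{m.group(1)}'")
            table, chains = m.group(1), set()
            continue
        if table is None:
            problems.append(f"line {lineno}: '{line}' appears outside any *table block")
            continue
        m = CHAIN_RE.match(line)
        if m:
            chains.add(m.group(1))
            continue
        m = RULE_RE.match(line)
        if m:
            if m.group(1) not in chains:
                problems.append(f"line {lineno}: rule for undeclared chain '{m.group(1)}' "
                                f"in table '{table}'")
            if _proto_mismatch(line.split()):
                problems.append(f"line {lineno}: -p and -m name different protocols")
            continue
        problems.append(f"line {lineno}: unrecognised line '{line}'")
    if table is not None:
        problems.append(f"end of file: table '{table}' not closed with COMMIT")
    return problems


def add_missing_commits(text: str) -> str:
    """Apply the fix from the reply: close every open table with a COMMIT line."""
    out: List[str] = []
    open_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if TABLE_RE.match(line):
            if open_table:
                out.append("COMMIT")
            open_table = True
        elif line == "COMMIT":
            open_table = False
        out.append(raw)
    if open_table:
        out.append("COMMIT")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for p in check_restore_file(SAMPLE_BROKEN):
        print(p)
    print("--- after adding COMMITs ---")
    for p in check_restore_file(add_missing_commits(SAMPLE_BROKEN)):
        print(p)
```

Run on the sample it reports the two unterminated tables and the udp/tcp mismatch; after add_missing_commits only the mismatch remains, which is the other thing to fix by hand before feeding the file to iptables-restore. Running such a check first matters on a host whose filter policy is DROP, since a restore that aborts part-way can leave the box unreachable over SSH.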