bad argument '*mangle' with iptables

Hey all,

I'm getting the error message "Bad argument '*mangle'" when I try "iptables-restore < /etc/iptables.rules" from the shell. Does anyone know what the problem could be?

If I comment out the '*mangle' section completely, then I get the error message "Bad argument '*filter'". It's probably some stupid syntax typo that I can't see (hopefully :p).

My iptables.rules file is below.

BTW, this file has been manually created with nano, and not generated with iptables-save. I'm a bit of a noob when it comes to iptables, still learning :p

Thanks,

Colin-uk :)

###### pre-routing ######
*nat
:PREROUTING ACCEPT [127173:7033011]
:POSTROUTING ACCEPT [31583:2332178]
:OUTPUT ACCEPT [32021:2375633] 

###### block/confuse port scans ######
*mangle
:PREROUTING ACCEPT [444:43563] 
:INPUT ACCEPT [444:43563]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [402:144198] 
:POSTROUTING ACCEPT [402:144198] 
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP 
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 

###### block everything (incoming, outgoing and forwarded) ######
*filter
:INPUT DROP [1:242]
:FORWARD DROP [0:0] 
:OUTPUT DROP [0:0]
:icmp_packets - [0:0]

###### allow connections from local machine ######
-A INPUT -s 127.0.0.1 -j ACCEPT

###### allow all existing (established) or related incoming connections ######
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#SSH
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

###### OpenVPN Specific rules ######

#accept all incoming connections on the tun interface
-A INPUT -i tun+ -j ACCEPT

#accept all incoming connections on the tap interface
-A INPUT -i tap+ -j ACCEPT

#accept all forwarded connections on the tun interface
-A FORWARD -i tun+ -j ACCEPT

#accept all forwarded connections on the tap interface
-A FORWARD -i tap+ -j ACCEPT

###### open these incoming ports ######

#FTP data (port 20, active mode)
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT

#FTP
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

#Bitlbee
-A INPUT -p tcp -m tcp --dport 6667 -j ACCEPT

#psyBNC
-A INPUT -p tcp -m tcp --dport 6668 -j ACCEPT

#SMTP
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT

#SMTP over SSL (&TLS)
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

#DNS
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

#HTTP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

#POP3
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT

#POP3 over SSL (&TLS)
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

#IMAP
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT

#IMAP over SSL (&TLS)
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

#HTTPS
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

#MYSQL
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

###### block icmp pings & log dropped packets ######
-A INPUT -s 127.0.0.1 -j ACCEPT 
-A INPUT -p icmp -j icmp_packets 
-A INPUT -j LOG --log-prefix "IPTABLES-IN Default Drop: " --log-level 7 

###### allow all existing (establised) or related outgoing connections ######
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

###### open these outgoing ports ######
#FTP data (port 20, active mode)
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT

#FTP
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT

#Bitlbee
-A OUTPUT -p tcp -m tcp --dport 6667 -j ACCEPT

#psyBNC
-A OUTPUT -p tcp -m tcp --dport 6668 -j ACCEPT

#SMTP
-A OUTPUT -p tcp -m tcp --dport 25 -j ACCEPT

#SMTP over SSL (&TLS)
-A OUTPUT -p tcp -m tcp --dport 465 -j ACCEPT

#DNS
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT

#HTTP
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

#POP3
-A OUTPUT -p tcp -m tcp --dport 110 -j ACCEPT

#POP3 over SSL (&TLS)
-A OUTPUT -p tcp -m tcp --dport 995 -j ACCEPT

#IMAP
-A OUTPUT -p tcp -m tcp --dport 143 -j ACCEPT

#IMAP over SSL (&TLS)
-A OUTPUT -p tcp -m tcp --dport 993 -j ACCEPT

#HTTPS
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT

#MYSQL
-A OUTPUT -p tcp -m tcp --dport 3306 -j ACCEPT

###### block icmp pings and log dropped packets ######
-A OUTPUT -d 127.0.0.1 -j ACCEPT 
-A OUTPUT -p icmp -j icmp_packets 
-A OUTPUT -j LOG --log-prefix "IPTABLES-OUT Default Drop: " --log-level 7 

-A icmp_packets -p icmp -m icmp --icmp-type 0 -j ACCEPT 
-A icmp_packets -s 127.0.0.1 -p icmp -m icmp --icmp-type 8 -j ACCEPT 
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP 
-A icmp_packets -p icmp -m icmp --icmp-type 3 -j ACCEPT 
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT

###### allow all existing (established) and related forwarded connections ######
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

https://www.neowin.net/forum/topic/665456-bad-argument-mangle-with-iptables/
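The error comes from how iptables-restore reads the file: every `*table` block has to end with its own `COMMIT`, and a `*table` line is only recognised as a table header while no table is open. The file above has a single `COMMIT` at the very end, so when the parser reaches `*mangle` the `*nat` block is still open, the line is handed to the rule parser and rejected as "Bad argument '*mangle'"; comment that section out and the same thing happens at `*filter`. The script below is an added example, not part of the original post: a shell/awk linter that replays that state machine over a constructed excerpt with the same shape and over a corrected copy, and that also flags a chain declaration pasted onto the previous line and a `-p udp` rule that loads the `-m tcp` match. The function names, temp-file names and both sample rulesets are made up for the demo; the `--test` option of iptables-restore mentioned in the comments is a real option of current iptables.

```shell
#!/bin/sh
# Added example, not from the original post: a linter that walks an
# iptables-restore file with the same table/COMMIT state machine that
# iptables-restore uses, so "Bad argument '*mangle'" can be reproduced and
# explained without root. Unlike iptables-restore, which stops at the first
# error, it reports every problem it finds. Sample files are constructed.

# lint_restore_file FILE
# Prints one diagnostic per problem; returns 0 if the file is clean, 1 otherwise.
lint_restore_file() {
    awk '
    BEGIN { in_table = 0; table = ""; bad = 0 }
    /^$/ { next }                                  # empty line
    /^#/ { next }                                  # comment
    /^COMMIT[ \t]*$/ { in_table = 0; next }        # closes the open table
    /^\*/ {
        # "*name" is a table header only while no table is open; otherwise the
        # line goes to the rule parser, which rejects its first token.
        if (in_table) {
            printf "line %d: Bad argument %s (table %s was never COMMITted)\n", NR, $1, table
            bad++
        }
        table = substr($1, 2); in_table = 1; next
    }
    /^:/ {
        if (!in_table) { printf "line %d: chain declared outside a table\n", NR; bad++ }
        # "[pkts:bytes] :CHAIN" means two declarations were pasted on one line
        if (index($0, "] :") > 0) { printf "line %d: two chain declarations on one line\n", NR; bad++ }
        next
    }
    {
        if (!in_table) { printf "line %d: rule outside a table\n", NR; bad++; next }
        if ($0 !~ /^-/) { printf "line %d: not a rule line\n", NR; bad++; next }
        # the tcp port match only loads for -p tcp
        if ($0 ~ /-p udp/ && $0 ~ /-m tcp/) { printf "line %d: -p udp combined with -m tcp\n", NR; bad++ }
    }
    END {
        if (in_table) { printf "line %d: table %s has no closing COMMIT\n", NR, table; bad++ }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample with the posted file's shape: three tables, COMMIT only
# after the last one, plus a doubled chain line and a udp/tcp mix-up.
write_broken_rules() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

###### block/confuse port scans ######
*mangle
:PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m tcp --dport 53 -j ACCEPT
COMMIT
EOF
}

# The same ruleset written the way iptables-restore expects it.
write_fixed_rules() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Demo: the broken sample fails the way the posted file does, the fixed one
# passes. On the real host the authoritative check is
#   iptables-restore --test < /etc/iptables.rules
# which parses and builds the ruleset without loading it (needs root).
tmpdir=$(mktemp -d)
write_broken_rules "$tmpdir/broken.rules"
write_fixed_rules "$tmpdir/fixed.rules"
echo "== broken.rules =="
lint_restore_file "$tmpdir/broken.rules" || echo "=> iptables-restore would reject this file"
echo "== fixed.rules =="
lint_restore_file "$tmpdir/fixed.rules" && echo "=> clean"
rm -rf "$tmpdir"
```

Run it with sh; it needs only awk and mktemp, so it works on the machine where the file is being edited in nano. Once the linter is quiet, `iptables-restore --test < /etc/iptables.rules` (root, current iptables) parses and builds the whole ruleset through the real code without loading it, which also catches what a text linter cannot, such as a match module that is not available on that kernel. One more thing worth changing while the file is open: accept loopback traffic with `-i lo` rather than `-s 127.0.0.1`, which is the conventional form, covers all of 127.0.0.0/8 and ties the accept to the interface rather than to an address in the packet.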