• Re: Slackware 14.0 iptables failing on working Slackware 13.0 iptables

    From Lew Pitcher@110:110/2002 to All on Fri Nov 1 16:20:56 2013
    Subject: Re: Slackware 14.0 iptables failing on working Slackware 13.0 iptables commands

    On Friday 01 November 2013 11:14, in alt.os.linux.slackware, "Lew Pitcher" <lew.pitcher@digitalfreehold.ca> wrote:

    I've just upgraded a machine to Slackware 14.0, and am having a problem
    with my (previously working) firewall rules.

    Assuming that my public IP address is 192.168.0.1, and given the following commands:
    /usr/sbin/iptables -t filter -N abc.in
    /usr/sbin/iptables -t filter -A abc.in -s 10.0.0.0/8 -j DROP
    /usr/sbin/iptables -t filter -A abc.in -d 192.168.0.1 -p icmp --icmp-type echo-request -j DROP
    /usr/sbin/iptables -t filter -A abc.in -d 192.168.0.1 -p icmp -j ACCEPT
    /usr/sbin/iptables -t filter -A abc.in -p tcp --dport domain -j DROP
    the first four commands work, creating a filter table called abc.in,
    and adding rules to DROP packets coming from the 10.0.0.0/8 IP address
    range, drop ICMP echo-request packets, and to accept all other ICMP
    packets.

    However, the fifth rule, which (in Slackware 13.0) added a rule to DROP incoming tcp packets destined for domain (my internal caching dns server),
    no longer compiles with iptables. Instead, I get an
    "iptables: No chain/target/match by that name" message
    and a non-zero return code from iptables.

    I've narrowed the problem down to the --dport option; apparently, in my configuration of Slackware 14.0 iptables
    (package iptables-1.4.14-i486-2_slack14.0), the destination-port and source-port options cause some sort of error.

    Does anyone have a hint at what I should be looking at to fix this?
    My goal is to filter by tcp and udp port number, so as to selectively
    permit or deny outside access to some of my network services.

    Note: this part of my firewall script runs within the confines of the pppoe/pppd ip_up script. The rules really look like...

    /usr/sbin/iptables -t filter -N $1.in
    /usr/sbin/iptables -t filter -A $1.in -s 10.0.0.0/8 -j DROP
    /usr/sbin/iptables -t filter -A $1.in -d $4 -p icmp --icmp-type echo-request -j DROP
    /usr/sbin/iptables -t filter -A $1.in -d $4 -p icmp -j ACCEPT
    /usr/sbin/iptables -t filter -A $1.in -d $4 -p tcp --dport domain -j DROP

    where
      $1 is the name of the interface that the PPP connection was
         established on (typically, ppp0)
      $4 is the IP address assigned to my end of the PPP connection
         (my "public" IP address, as it were)

    Additional information:

    Slackware 13.0
    - kernel was at version 2.6.29.6, compiled with smp support
    - iptables was at version 1.4.3.2

    Slackware 14.0
    - kernel at version 3.2.29, compiled with smp support
    - iptables at version 1.4.14

    Tried modprobing for ip_tables, ip_conntrack, iptable_filter and ipt_state
    as per some recommendations, but still get the "iptables: No
    chain/target/match by that name" when I use a --dport or --sport option to qualify the rule.

    Any suggestions on how to fix this?
    --
    Lew Pitcher
    "In Skills, We Trust"
    PGP public key available upon request


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: The Pitcher Digital Freehold (110:110/2002@linuxnet)
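The "No chain/target/match by that name" error above is what iptables reports when the kernel lacks the match extension a rule option needs, so a preflight that lists the modules a rule script depends on and compares them with what is loaded is a useful check before the script runs from ip-up. The script below is an added example, not code from the post; the option-to-module mapping is an assumption for a 3.x kernel (xt_tcpudp provides the tcp/udp match behind --dport/--sport, iptable_filter provides the filter table, xt_state provides -m state, ip_tables is always required) and the rule set and loaded-module list are constructed sample data.

```shell
#!/bin/sh
# Added example: find the netfilter modules an iptables rule script needs
# and report the ones missing from a loaded-module list.
# Assumed mapping (3.x kernel): --dport/--sport -> xt_tcpudp,
# -t filter -> iptable_filter, -m state -> xt_state, always ip_tables.

# Print, one per line, the modules one rule (its argument string) needs.
rule_modules() {
    prev=""
    echo ip_tables
    for tok in $1; do
        case "$prev $tok" in
            "-t filter") echo iptable_filter ;;
            "-m state")  echo xt_state ;;
        esac
        case "$tok" in
            --dport|--sport) echo xt_tcpudp ;;   # tcp/udp match extension
        esac
        prev=$tok
    done
}

# Modules needed by a whole script read from stdin (one rule per line,
# blank lines and comments skipped), deduplicated.
script_modules() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        rule_modules "$line"
    done | LC_ALL=C sort -u
}

# Print the modules from list $1 that are absent from loaded list $2
# (module names as in the first column of /proc/modules or lsmod).
missing_modules() {
    for m in $1; do
        printf '%s\n' $2 | grep -qx "$m" || echo "$m"
    done
}

# Constructed sample: the poster's rules with ppp0 and 192.168.0.1 filled in.
RULES='/usr/sbin/iptables -t filter -N ppp0.in
/usr/sbin/iptables -t filter -A ppp0.in -s 10.0.0.0/8 -j DROP
/usr/sbin/iptables -t filter -A ppp0.in -d 192.168.0.1 -p icmp --icmp-type echo-request -j DROP
/usr/sbin/iptables -t filter -A ppp0.in -d 192.168.0.1 -p icmp -j ACCEPT
/usr/sbin/iptables -t filter -A ppp0.in -d 192.168.0.1 -p tcp --dport domain -j DROP'

# Constructed module list in which the tcp/udp match is not loaded.
LOADED='ip_tables
iptable_filter
x_tables'

missing_modules "$(printf '%s\n' "$RULES" | script_modules)" "$LOADED"
```

On a live system, replace LOADED with `cut -d' ' -f1 /proc/modules` and modprobe whatever is printed before the rule script runs.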