wprauchholz
2006-05-10, 09:20 AM CDT
I run a server with 2 NIX; 1 internal (eth0) and external (eth1)
I want to modify the firewall in such a way that I can access my webserver from the www. But have 2 syntax errors I am not able to find. The error message I get is as follows:
- Bad argument `eth0'
- iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
My firewall script is:
# Private network address is 192.168.5.0 using Ethernet device INT_DEV
# Web site address is 192.168.1.2
#Definition of interfaces
EXT_DEV=eth1
INT_DEV=eth0
#The Gateway
ip route add default via 192.168.1.1
# Loading firewall modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
#modprobe ip_conntrack_sip
#modprobe ip_nat_sip
# Remoce all previous rules, and delete any user defined chains
iptables -F
iptables -X
iptables -t nat -F
# set default policy rules to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# IP spoofing, deny any packets on the internal network that have an external source address
iptables -A INPUT -j LOG -i $INT_DEV ! -s 192.168.5.0/24
iptables -A INPUT -j DROP -i $INT_DEV ! -s 192.168.5.0/24
iptables -A FORWARD -j DROP -i $INT_DEV ! -s 192.168.5.0/24
# IP spoofing, deny any outside packets (any not on INT_DEV) that have the source address of the internal network
iptables -A INPUT -j DROP ! $INT_DEV -s 192.168.5.0/24
iptables -A FORWARD -j DROP ! $INT_DEV -s 192.168.5.0/24
# IP spoofing, deny outside packets with localhost address (packets not on the lo interface
# (any on INT_DEV or eth1) that have the source address of localhost)
iptables -A INPUT -j DROP -i ! lo -s 127.0.0.0/255.0.0.0
iptables -A FORWARD -j DROP -i ! lo -s 127.0.0.0/255.0.0.0
# Allow all incoming messages for users on firewall system
iptables -A INPUT -j ACCEPT -i lo
# Allow communication to the Web server (address 192.168.5.1), port www
iptables -A input -j ACCEPT -p tcp -i $EXT_DEV --dport www -s 192.168.5.1
# Allow established connections from the Web server to internal network
iptables -A input -m state --state ESTABLISHED,RELATED -i $EXT_DEV -p tcp --sport www -s 192.168.5.1 -d 192.168.5.0/24 -j ACCEPT
# Prevent new connections from Web server to internal network
iptables -A OUTPUT -m state --state NEW -o $EXT_DEV -p tcp --sport www -d 192.168.1.0/24 -j DROP
# Allow established and related outside communication to your system
# Allow outside communication to the firewall, except for ICMP packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i $EXT_DEV -p ! icmp -j ACCEPT
# Prevent outside initiated connections
iptables -A INPUT -m state --state NEW -i $EXT_DEV -j DROP
iptables -A FORWARD -m state --state NEW -i $EXT_DEV -j DROP
# Allow all local communication to and from the firewall on INT_DEV from the local network
iptables -A input -j ACCEPT -p all -i $INT_DEV -s 192.168.5.0/24
# Setup masquerading to allow internal machines to access to outside network
iptables -t nat -A POSTROUTING -o $EXT_DEV -j MASQUERADE
# Accept ICMP ping and destination unreachable messages
# Others will be rejected by INPUT and OUTPUT DROP policy
iptables -A input -j ACCEPT -p icmp -i $EXT_DEV --icmp-type echo-reply -d 192.168.1.2
iptables -A input -j ACCEPT -p icmp -i $EXT_DEV --icmp-type echo-request -d 192.168.1.2
iptables -A input -j ACCEPT -p icmp -i $EXT_DEV --icmp-type destination-unreachable -d 192.168.1.2
I want to modify the firewall in such a way that I can access my webserver from the www. But have 2 syntax errors I am not able to find. The error message I get is as follows:
- Bad argument `eth0'
- iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
My firewall script is:
# Private network address is 192.168.5.0 using Ethernet device INT_DEV
# Web site address is 192.168.1.2
#Definition of interfaces
EXT_DEV=eth1
INT_DEV=eth0
#The Gateway
ip route add default via 192.168.1.1
# Loading firewall modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
#modprobe ip_conntrack_sip
#modprobe ip_nat_sip
# Remoce all previous rules, and delete any user defined chains
iptables -F
iptables -X
iptables -t nat -F
# set default policy rules to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# IP spoofing, deny any packets on the internal network that have an external source address
iptables -A INPUT -j LOG -i $INT_DEV ! -s 192.168.5.0/24
iptables -A INPUT -j DROP -i $INT_DEV ! -s 192.168.5.0/24
iptables -A FORWARD -j DROP -i $INT_DEV ! -s 192.168.5.0/24
# IP spoofing, deny any outside packets (any not on INT_DEV) that have the source address of the internal network
iptables -A INPUT -j DROP ! $INT_DEV -s 192.168.5.0/24
iptables -A FORWARD -j DROP ! $INT_DEV -s 192.168.5.0/24
# IP spoofing, deny outside packets with localhost address (packets not on the lo interface
# (any on INT_DEV or eth1) that have the source address of localhost)
iptables -A INPUT -j DROP -i ! lo -s 127.0.0.0/255.0.0.0
iptables -A FORWARD -j DROP -i ! lo -s 127.0.0.0/255.0.0.0
# Allow all incoming messages for users on firewall system
iptables -A INPUT -j ACCEPT -i lo
# Allow communication to the Web server (address 192.168.5.1), port www
iptables -A input -j ACCEPT -p tcp -i $EXT_DEV --dport www -s 192.168.5.1
# Allow established connections from the Web server to internal network
iptables -A input -m state --state ESTABLISHED,RELATED -i $EXT_DEV -p tcp --sport www -s 192.168.5.1 -d 192.168.5.0/24 -j ACCEPT
# Prevent new connections from Web server to internal network
iptables -A OUTPUT -m state --state NEW -o $EXT_DEV -p tcp --sport www -d 192.168.1.0/24 -j DROP
# Allow established and related outside communication to your system
# Allow outside communication to the firewall, except for ICMP packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i $EXT_DEV -p ! icmp -j ACCEPT
# Prevent outside initiated connections
iptables -A INPUT -m state --state NEW -i $EXT_DEV -j DROP
iptables -A FORWARD -m state --state NEW -i $EXT_DEV -j DROP
# Allow all local communication to and from the firewall on INT_DEV from the local network
iptables -A input -j ACCEPT -p all -i $INT_DEV -s 192.168.5.0/24
# Setup masquerading to allow internal machines to access to outside network
iptables -t nat -A POSTROUTING -o $EXT_DEV -j MASQUERADE
# Accept ICMP ping and destination unreachable messages
# Others will be rejected by INPUT and OUTPUT DROP policy
iptables -A input -j ACCEPT -p icmp -i $EXT_DEV --icmp-type echo-reply -d 192.168.1.2
iptables -A input -j ACCEPT -p icmp -i $EXT_DEV --icmp-type echo-request -d 192.168.1.2
iptables -A input -j ACCEPT -p icmp -i $EXT_DEV --icmp-type destination-unreachable -d 192.168.1.2