hthb
Joined: 19 Feb 2004
Posts: 14
Location: Iceland
Posted: Fri Apr 09, 2004 1:47 pm Post subject: iptables debian stable problem
When I run my firewall BASH script, this error comes up: Unknown arg --destination-port
Then I replaced every --destination-port with -dport, and then it complains about : Bad Argument '22' (22 being the SSH port).
This works perfectly at home on my Knoppix debian box.
Any ideas?
caker
Joined: 15 Apr 2003
Posts: 2392
Location: Galloway, NJ
Posted: Fri Apr 09, 2004 2:44 pm
I'll venture to guess iptables versions are different??
What's the full line that you're trying to execute?
From the Debian iptables man page:
Code:
MATCH EXTENSIONS
tcp
These extensions are loaded if `--protocol tcp' is specified. It
provides the following options:
(snip)
--destination-port [!] port[:port]
Destination port or port range specification. The flag --dport
is a convenient alias for this option.
-Chris
hthb
Joined: 19 Feb 2004
Posts: 14
Location: Iceland
Posted: Fri Apr 09, 2004 3:47 pm Post subject: here comes the original line
Code:
iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp --destination-port ssh -j LOG --log-level 1 --log-prefix STRING -m limit
iptables -A INPUT -s xxx.xxx.xxx.xxx -p tcp --destination-port ssh -j ACCEPT
The other line is just the same, but with -dport instead of --destination-port and 22 instead of ssh.
The version on both debians (the knoppix and stable) is 1.2.9.
Hope this clarifies...
caker
Joined: 15 Apr 2003
Posts: 2392
Location: Galloway, NJ
Posted: Fri Apr 09, 2004 4:14 pm
Code:
li-20:~# cat /etc/debian_version
3.0
li-20:~# uname -a
Linux li-20.members.linode.com 2.4.25-linode24-1um #2 Sun Mar 28 15:14:01 EST 2004 i686 unknown
li-20:~# apt-get install iptables
Reading Package Lists... Done
Building Dependency Tree... Done
Sorry, iptables is already the newest version.
li-20:~# iptables -V
iptables v1.2.6a
li-20:~# iptables -A INPUT -s 192.168.1.0 -p tcp --destination-port ssh -j LOG --log-level 1 --log-prefix STRING -m limit
li-20:~# iptables -A INPUT -s 192.168.1.0 -p tcp --destination-port ssh -j ACCEPT
li-20:~#
Seems to have worked for me... ?
Maybe some funky-ness in your script?
-Chris
hthb
Joined: 19 Feb 2004
Posts: 14
Location: Iceland
Posted: Fri Apr 09, 2004 5:19 pm Post subject: Ok, fixed
I executed my script line by line, and the last line was causing problems!
Thanks for the help. Happy holidays. :)
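A small POSIX sh helper, added here and not part of the thread, that does what hthb did by hand: it applies a rule file one line at a time and names the first line that fails, and it also flags the single-dash `-dport` spelling from the second post (iptables reads `-dport 22` as `-d port` plus a stray `22`, hence "Bad argument '22'") before running the line. The `lint_rule`, `apply_rules` and `demo` functions and the three-line sample script are constructed for this example; `demo` runs with `true` in place of iptables, so it never touches the live firewall.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): apply an iptables rule file one
# line at a time and name the first bad line instead of a bare "Bad argument".
IPTABLES="${IPTABLES:-iptables}"
# Long options commonly mistyped with one dash: iptables reads "-dport 22" as
# "-d port" followed by a stray "22", which is exactly the error in the thread.
LONG_OPTS="dport sport destination-port source-port log-prefix log-level limit"
# lint_rule WORD...: return 1 with a hint if a single-dash long option appears.
lint_rule() {
    for tok in "$@"; do
        case "$tok" in --*|-?) continue ;; -*) ;; *) continue ;; esac
        for opt in $LONG_OPTS; do
            if [ "${tok#-}" = "$opt" ]; then
                printf '%s has a single dash; use --%s\n' "$tok" "$opt"
                return 1
            fi
        done
    done
    return 0
}
# apply_rules FILE [CMD]: run each non-blank, non-comment line through CMD
# (default $IPTABLES). Returns 0, or the number of the first line that failed.
apply_rules() {
    file="$1"; cmd="${2:-$IPTABLES}"; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line                     # split the rule into words
        [ "$1" = iptables ] && shift     # script lines may begin with the command name
        if ! lint_rule "$@" || ! "$cmd" "$@"; then
            printf 'line %d failed: %s\n' "$n" "$line"
            return "$n"
        fi
    done < "$file"
    return 0
}
# demo: a constructed three-line script (not the poster's real one) whose last
# line carries the -dport typo. Dry run via `true`; returns the failing line (3).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
iptables -A INPUT -s 192.0.2.10 -p tcp --destination-port ssh -j LOG --log-level 1 --log-prefix STRING -m limit
iptables -A INPUT -s 192.0.2.10 -p tcp --destination-port ssh -j ACCEPT
iptables -A INPUT -s 192.0.2.10 -p tcp -dport 22 -j ACCEPT
EOF
    rc=0; apply_rules "$tmp" true || rc=$?
    rm -f "$tmp"; return "$rc"
}
```

Run `apply_rules /etc/firewall.sh true` (path is a placeholder) for a dry check of a real script, then without the second argument to apply it for real.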
smerritt
Joined: 18 Nov 2003
Posts: 30
Posted: Fri Apr 09, 2004 9:07 pm
One little note: if you want to use -m owner with Debian stable, you'll need to compile iptables against a new kernel source. Somewhere around 2.4.20, they added another member to a struct that iptables uses, breaking old iptables binaries.
It's pretty simple, IIRC. I just downloaded the latest kernel from kernel.org, unpacked it, downloaded the latest iptables, and told the iptables build process where the kernel source was. If you do this, install in /usr/local instead of /usr so you don't overwrite Debian's iptables. Otherwise, if Debian releases a new iptables version that's still older than your hand-compiled one, the update will overwrite yours and break your firewall scripts.