I went to reload (iptables-restore) my iptables configuration and obtained an error at the COMMIT statement. No further details were provided even when I ran restore with the -v option.

I determined that none of my backed up configuration files going back to October will load either. This is more than passing strange because I altered and uploaded the iptables configuration on this host several times in December alone. These alterations certainly applied without error at the time.

Through painful trial and error (it is a fairly large configuration) I discovered that I cannot add any rule using the __recent__ module. Adding a single rule referencing that module inevitably results in a load error reported at the following COMMIT statement. An example of an actual rule that fails follows:

    . . .
    :BRUTE_FORCE - [0:0]
    . . .
    -A BRUTE_FORCE -p tcp -m tcp -m state -m recent --set -i eth0 --dport 22 --state NEW
    -A BRUTE_FORCE -m comment -j RETURN --comment "Return to calling chain"
    COMMIT

Perhaps I am missing something obvious but as far as I can determine the rule using the recent module should simply add all traffic coming in over i/f eth0 consigned to port 22 on any ip-addr to the DEFAULT list. I do not expect it to give an error. If I remove this statement then the iptables file loads without error.

An interesting thing happens if I simply add a trailing -j to the end of the recent module rule above. It fails with this specific error:

    -c packet counter not numeric

Does anyone see what I am doing wrong?

Sincerely,

-- 
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
Quoting "James B. Byrne" <byrnejb at harte-lyne.ca>:

> I went to reload (iptables-restore) my iptables configuration and
> obtained an error at the COMMIT statement. No further details were
> provided even when I ran restore with the -v option.
>
> I determined that none of my backed up configuration files going
> back to October will load either. This is more than passing strange
> because I altered and uploaded the iptables configuration on this
> host several times in December alone. These alterations certainly
> applied without error at the time.
>
> Through painful trial and error (it is a fairly large configuration)
> I discovered that I cannot add any rule using the __recent__ module.
> Adding a single rule referencing that module inevitably results in
> a load error reported at the following COMMIT statement. An example
> of an actual rule that fails follows:
>
> . . .
> :BRUTE_FORCE - [0:0]
> . . .
> -A BRUTE_FORCE -p tcp -m tcp -m state -m recent --set -i eth0
> --dport 22 --state NEW
> -A BRUTE_FORCE -m comment -j RETURN --comment "Return to calling chain"
> COMMIT
>
> Perhaps I am missing something obvious but as far as I can determine
> the rule using the recent module should simply add all traffic
> coming in over i/f eth0 consigned to port 22 on any ip-addr to the
> DEFAULT list. I do not expect it to give an error. If I remove
> this statement then the iptables file loads without error.
>
> An interesting thing happens if I simply add a trailing -j to the
> end of recent module rule above. It fails with this specific error:
>
> -c packet counter not numeric
>
> Does anyone see what I am doing wrong?

I don't think you need the -m state ..

From the iptables man page ...

    # iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
    # iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP

Barry
On Friday 08 January 2010 15:32, James B. Byrne wrote:

> :BRUTE_FORCE - [0:0]
> . . .
> -A BRUTE_FORCE -p tcp -m tcp -m state -m recent --set -i eth0
> --dport 22 --state NEW
> -A BRUTE_FORCE -m comment -j RETURN --comment "Return to calling chain"
> COMMIT

Check out this TUTORIAL
http://www.zoominternet.net/~lazydog/iptables-tutorial.html#RECENTMATCH

-- 
Regards
Robert
Linux User #296285
http://counter.li.org
On Fri, January 8, 2010 15:32, James B. Byrne wrote:

> I went to reload (iptables-restore) my iptables configuration and
> obtained an error at the COMMIT statement. No further details were
> provided even when I ran restore with the -v option.
>

I ran lsmod and I do not find that ipt_recent is loaded. In fact, I do not see any ipt modules other than ipt_LOG. There was a recent kernel update. Does anyone know if this had any adverse effects on loading ipt_recent?

    . . .
    ip_tables              17029  3 iptable_nat,iptable_mangle,iptable_filter
    ipt_LOG                10049  6
    ipv6                  267489  23 ip6t_REJECT
    . . .

And this does not look good either:

    # modprobe --first-time ipt_recent
    FATAL: Error inserting ipt_recent (/lib/modules/2.6.18-164.9.1.el5/kernel/net/ipv4/netfilter/ipt_recent.ko): Unknown symbol in module, or unknown parameter (see dmesg)

There is no entry in /var/log/dmesg relating to this problem.

-- 
James B. Byrne
> Check out this TUTORIAL
> http://www.zoominternet.net/~lazydog/iptables-tutorial.html#RECENTMATCH

I do not seem to be making myself clear. I do not need a tutorial on how to use the recent module of iptables. The recent module itself seems not to be available on this particular host anymore. There seems to be a problem with the module itself and it will not load even if I try to do this manually using modprobe.

I will revert to the previous kernel as soon as I can and see if the problem disappears, as I think likely.

-- 
James B. Byrne
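A pre-flight check of the kind this thread ends up needing, written as an added example (not code from the thread, from CentOS or from iptables): it pulls every -m match and -j target out of an iptables-save file and tries to modprobe the candidate kernel modules, so a module that will not insert (the ipt_recent "Unknown symbol" failure above) is reported by name rather than as a bare error at COMMIT. The sample rules, the xt_/ipt_ naming heuristic and the tcp to xt_tcpudp mapping are assumptions, and the load step needs root on a Linux host.

```python
import re
import subprocess
from typing import Dict, List, Set
# Constructed sample in iptables-save format, modelled on the thread's BRUTE_FORCE chain.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:BRUTE_FORCE - [0:0]
-A INPUT -p tcp --dport 22 -j BRUTE_FORCE
-A BRUTE_FORCE -p tcp -m tcp -m state -m recent --set -i eth0 --dport 22 --state NEW
-A BRUTE_FORCE -m comment -j RETURN --comment "Return to calling chain"
-A INPUT -j LOG --log-prefix "dropped: "
COMMIT
"""
BUILTIN_TARGETS = {"ACCEPT", "DROP", "RETURN", "QUEUE"}
# Matches whose module is not xt_<name>; a heuristic, assumed rather than exhaustive.
SPECIAL_MATCH_MODULES = {"tcp": ["xt_tcpudp"], "udp": ["xt_tcpudp"]}

def referenced_modules(rules_text: str) -> Dict[str, Set[str]]:
    """Every -m match and -j target; user chains (':NAME') and built-ins are not modules."""
    chains = set(re.findall(r"^:(\S+)", rules_text, re.M))
    matches = set(re.findall(r"(?:^|\s)-m\s+(\S+)", rules_text))
    targets = set(re.findall(r"(?:^|\s)-j\s+(\S+)", rules_text)) - chains - BUILTIN_TARGETS
    return {"match": matches, "target": targets}

def candidate_kernel_modules(kind: str, name: str) -> List[str]:
    """xt_* on newer kernels, ipt_* on older ones such as the thread's 2.6.18 (ipt_recent)."""
    if kind == "target":
        return [f"xt_{name.upper()}", f"ipt_{name.upper()}"]
    return SPECIAL_MATCH_MODULES.get(name, [f"xt_{name}", f"ipt_{name}"])

def try_load(module: str) -> str:
    """Actually load the module, as iptables-restore would; a dry run (modprobe -n)
    would not surface an 'Unknown symbol in module' failure. '' on success, else stderr."""
    result = subprocess.run(["modprobe", module], capture_output=True, text=True)
    return "" if result.returncode == 0 else result.stderr.strip()

def preflight(rules_text: str) -> Dict[str, str]:
    """'' where some candidate module loads, else every candidate's error, before COMMIT."""
    report = {}
    for kind, names in referenced_modules(rules_text).items():
        for name in sorted(names):
            errors = [try_load(m) for m in candidate_kernel_modules(kind, name)]
            report[f"{kind}:{name}"] = "" if "" in errors else " | ".join(errors)
    return report

if __name__ == "__main__":
    for key, err in preflight(SAMPLE_RULES).items():
        print(("ok   " if not err else "FAIL ") + key + (" " + err if err else ""))
```

Run it against the real file (iptables-save output) before iptables-restore; a FAIL line carries modprobe's own message, which is the detail the -v option did not give.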