Gentoo Archives: gentoo-user

From: Mick <michaelkintzios@×××××.com>
To: gentoo-user@l.g.o
Subject: [gentoo-user] arno-iptables-firewall and kernel-3.4.9-gentoo
Date: Sat, 25 Aug 2012 07:54:37
Message-Id: 201208250849.38809.michaelkintzios@gmail.com
Hi All,

Can you please check if you are using arno's script whether you are also
getting errors like these on start up?
===========================================
# /etc/init.d/arno-iptables-firewall start
* Use of the opts variable is deprecated and will be
* removed in the future.
* Please use extra_commands, extra_started_commands or
extra_stopped_commands.
* Loading Firewall... ...
Arno's Iptables Firewall Script v1.9.2d
-------------------------------------------------------------------------------
NOTE: External interface ppp0 does NOT exist (yet?)
Sanity checks passed...OK
Checking/probing IPv4 Iptables modules:
Module check done...
Setting the kernel ring buffer to only log panic messages to the console
Setup kernel settings:
Setting the max. amount of simultaneous connections to 16384
Setting default conntrack timeouts
Enabling protection against source routed packets
DISABLING packet forwarding
Enabling reduction of the DoS'ing ability
Enabling anti-spoof with rp_filter
Enabling SYN-flood protection via SYN-cookies
Disabling the logging of martians
Disabling the acception of ICMP-redirect messages
Setting default TTL=64
Disabling ECN (Explicit Congestion Notification)
Enabling kernel support for dynamic IPs
Flushing route table
Kernel setup done...
Initializing firewall chains
Setting default INPUT/FORWARD policy to DROP
(Re)loading list of BLOCKED hosts from /etc/arno-iptables-firewall/blocked-hosts...
0 line(s) read. 0 host(s) blocked.
Using loglevel "info" for syslogd

Setting up firewall rules:
-------------------------------------------------------------------------------
Enabling setting the maximum packet size via MSS
Logging of stealth scans (nmap probes etc.) enabled
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
Logging of packets with bad TCP-flags enabled
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
... [snip ...]

Security is ENFORCED for external interface(s) in the FORWARD chain
(1) iptables: No chain/target/match by that name.

Aug 25 7:59:36 WARNING: Not all firewall rules are applied.
* WARNING: Failed to load Firewall [ !! ]
* ERROR: arno-iptables-firewall failed to start
===========================================

They repeat themselves a number of times, usually after "Logging of packets
..." statements. Despite the failed to start message above, iptables seem to
have loaded fine:
===========================================
# /sbin/iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 BASE_INPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 INPUT_CHAIN all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 HOST_BLOCK all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 SPOOF_CHK all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 VALID_CHK all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 EXT_INPUT_CHAIN !icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 EXT_INPUT_CHAIN icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 60/sec burst 100
0 0 EXT_ICMP_FLOOD_CHAIN icmp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 VALID_CHK all -- wlan0 * 0.0.0.0/0 0.0.0.0/0
0 0 EXT_INPUT_CHAIN !icmp -- wlan0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 EXT_INPUT_CHAIN icmp -- wlan0 * 0.0.0.0/0 0.0.0.0/0 state NEW limit: avg 60/sec burst 100
0 0 EXT_ICMP_FLOOD_CHAIN icmp -- wlan0 * 0.0.0.0/0 0.0.0.0/0 state NEW
[snip ...]
===========================================


I diff'ed the previous kernel-3.3.8-gentoo and the new kernel-3.4.9-gentoo and
I can't see any changes that would cause these errors. I attach it for the
more eagle-eyed amongst you.

Any ideas?
--
Regards,
Mick
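A check that narrows the kind of kernel config diff the post describes to the netfilter options, as an added example (shell script, not from the original post or from Arno's firewall script). It assumes two kernel .config files as arguments; the sample config fragments embedded in it are constructed for the demo, and the option names in them are only illustrative, not a diagnosis of Mick's failure.

```shell
#!/bin/sh
# Added example; not code from the original post or from Arno's firewall script.
# iptables prints "No chain/target/match by that name" when a rule asks for a
# match or target the running kernel cannot supply, so after a kernel upgrade
# the first check is which netfilter options changed between the two .configs.
export LC_ALL=C

# Print "OPTION value" for each netfilter-related option in a kernel .config;
# "# ... is not set" lines become value n, so dropped options still show up.
nf_opts() {
    sed -n \
        -e 's/^# \(CONFIG_[A-Z0-9_]*\) is not set$/\1 n/p' \
        -e 's/^\(CONFIG_[A-Z0-9_]*\)=\(.*\)$/\1 \2/p' "$1" |
    grep -E '^CONFIG_(NETFILTER|NF_|IP_NF|IP6_NF|BRIDGE_NF)'
}

# Print "OPTION old new" for options whose setting differs between two configs;
# "-" marks an option present in only one of them (removed or renamed).
nf_config_diff() {
    old=$(mktemp) && new=$(mktemp) || return 1
    nf_opts "$1" > "$old"
    nf_opts "$2" > "$new"
    awk 'FILENAME == ARGV[1] { a[$1] = $2; next }
         { b[$1] = $2 }
         END {
             for (k in a) { v = (k in b) ? b[k] : "-"; if (v != a[k]) print k, a[k], v }
             for (k in b) if (!(k in a)) print k, "-", b[k]
         }' "$old" "$new" | sort
    rm -f "$old" "$new"
}

# Constructed sample configs (fragments; not the poster's attached diff).
write_samples() {
    printf '%s\n' 'CONFIG_NETFILTER=y' 'CONFIG_NETFILTER_XT_MATCH_LIMIT=m' \
        'CONFIG_NETFILTER_XT_MATCH_RECENT=m' 'CONFIG_IP_NF_TARGET_LOG=m' \
        'CONFIG_IP_NF_FILTER=y' > "$1"
    printf '%s\n' 'CONFIG_NETFILTER=y' 'CONFIG_NETFILTER_XT_MATCH_LIMIT=m' \
        '# CONFIG_NETFILTER_XT_MATCH_RECENT is not set' \
        'CONFIG_NETFILTER_XT_TARGET_LOG=m' 'CONFIG_IP_NF_FILTER=y' > "$2"
}

# Run the check on the samples; prints the three options that changed.
demo() {
    o=$(mktemp) && n=$(mktemp) || return 1
    write_samples "$o" "$n"
    nf_config_diff "$o" "$n"
    rm -f "$o" "$n"
}
demo
```

On a real system run `nf_config_diff /path/to/old.config /usr/src/linux/.config`; an option that went from y or m to n or "-" is the one to rebuild or re-enable before retrying the firewall script.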

Attachments

File name MIME type
diff_oldconfig.txt.bz2 application/x-bzip
signature.asc application/pgp-signature

Replies

Subject Author
[gentoo-user] Re: arno-iptables-firewall and kernel-3.4.9-gentoo Mick <michaelkintzios@×××××.com>
[gentoo-user] Re: arno-iptables-firewall and kernel-3.4.9-gentoo James <wireless@×××××××××××.com>