Hi All,

Can you please check, if you are using Arno's script, whether you are also
getting errors like these on start up?
===========================================
# /etc/init.d/arno-iptables-firewall start
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands, extra_started_commands or
   extra_stopped_commands.
 * Loading Firewall... ...
Arno's Iptables Firewall Script v1.9.2d
-------------------------------------------------------------------------------
NOTE: External interface ppp0 does NOT exist (yet?)
Sanity checks passed...OK
Checking/probing IPv4 Iptables modules:
Module check done...
Setting the kernel ring buffer to only log panic messages to the console
Setup kernel settings:
Setting the max. amount of simultaneous connections to 16384
Setting default conntrack timeouts
Enabling protection against source routed packets
DISABLING packet forwarding
Enabling reduction of the DoS'ing ability
Enabling anti-spoof with rp_filter
Enabling SYN-flood protection via SYN-cookies
Disabling the logging of martians
Disabling the acception of ICMP-redirect messages
Setting default TTL=64
Disabling ECN (Explicit Congestion Notification)
Enabling kernel support for dynamic IPs
Flushing route table
Kernel setup done...
Initializing firewall chains
Setting default INPUT/FORWARD policy to DROP
(Re)loading list of BLOCKED hosts from /etc/arno-iptables-firewall/blocked-hosts...
0 line(s) read. 0 host(s) blocked.
Using loglevel "info" for syslogd

Setting up firewall rules:
-------------------------------------------------------------------------------
Enabling setting the maximum packet size via MSS
Logging of stealth scans (nmap probes etc.) enabled
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
Logging of packets with bad TCP-flags enabled
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
... [snip ...]

Security is ENFORCED for external interface(s) in the FORWARD chain
(1) iptables: No chain/target/match by that name.

Aug 25 7:59:36 WARNING: Not all firewall rules are applied.
 * WARNING: Failed to load Firewall                                   [ !! ]
 * ERROR: arno-iptables-firewall failed to start
===========================================

They repeat themselves a number of times, usually after "Logging of packets
..." statements. Despite the "failed to start" message above, iptables seem to
have loaded fine:
===========================================
# /sbin/iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target               prot opt in     out     source               destination
    0     0 BASE_INPUT_CHAIN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 INPUT_CHAIN          all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 HOST_BLOCK           all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 SPOOF_CHK            all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 VALID_CHK            all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 EXT_INPUT_CHAIN      !icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 EXT_INPUT_CHAIN      icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW limit: avg 60/sec burst 100
    0     0 EXT_ICMP_FLOOD_CHAIN icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 VALID_CHK            all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
    0     0 EXT_INPUT_CHAIN      !icmp --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 EXT_INPUT_CHAIN      icmp --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state NEW limit: avg 60/sec burst 100
    0     0 EXT_ICMP_FLOOD_CHAIN icmp --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state NEW
[snip ...]
===========================================


I diff'ed the previous kernel-3.3.8-gentoo and the new kernel-3.4.9-gentoo and
I can't see any changes that would cause these errors. I attach it for the
more eagle-eyed amongst you.

Any ideas?
--
Regards,
Mick
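Added example, not from the message above and not part of Arno's firewall script: a small triage helper that reads the captured start-up output and attributes each repeated "No chain/target/match by that name" line to the setup step printed just before it, so the rule groups that failed to load stand out instead of being buried in the repeats. The sample input is constructed from the excerpt in the message.

```shell
# Constructed sample, cut down from the start-up output quoted in the post.
SAMPLE='Logging of stealth scans (nmap probes etc.) enabled
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
Logging of packets with bad TCP-flags enabled
(1) iptables: No chain/target/match by that name.

Security is ENFORCED for external interface(s) in the FORWARD chain
(1) iptables: No chain/target/match by that name.
Aug 25 7:59:36 WARNING: Not all firewall rules are applied.'

# Reads firewall start-up output on stdin and prints "count<TAB>step",
# one line per setup step that was followed by iptables errors,
# most errors first. Steps that produced no errors are not listed.
group_iptables_errors() {
  awk '
    /^\([0-9]+\) iptables: No chain\/target\/match by that name\./ {
      if (step != "") n[step]++      # charge the error to the current step
      next
    }
    /^[^[:space:]]/ { step = $0 }    # any other non-indented line starts a step
    END { for (s in n) printf "%d\t%s\n", n[s], s }
  ' | sort -k1,1nr -k2
}

# Total number of rule insertions that iptables rejected in the captured output.
count_iptables_errors() {
  grep -c 'iptables: No chain/target/match by that name'
}

printf '%s\n' "$SAMPLE" | group_iptables_errors
```

Feed it the real output with something like `/etc/init.d/arno-iptables-firewall start 2>&1 | tee /tmp/fw.log` and then `group_iptables_errors < /tmp/fw.log`; the steps at the top of the list are the ones whose matches or targets the running kernel did not provide.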