    iptables "requires a chain and a policy"

    I have just installed Kubuntu 10.10 and want to change the default firewall policy from ACCEPT to DROP by default.

    At the moment, "iptables -L" generates the following:

    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    From doing research into iptables, I believe that the following should provide greater protection from external attack:

    Code:
    # the following is in a bash script run under sudo
    
    # flush existing rules
    iptables -F
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD
    iptables -X
    
    # set policies to block traffic by default
    iptables -P INPUT -j DROP
    iptables -P OUTPUT -j DROP
    iptables -P FORWARD -j DROP
    
    # allow all loopback traffic
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # allow all outgoing traffic
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # log incoming traffic if not allowed
    iptables -N firewall
    iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall
    iptables -A firewall -j DROP
    iptables -A INPUT -j firewall
    
    # save
    iptables save active
    iptables restart
    The first 5 commands work, but I get an error message when I try the "iptables -P INPUT -j DROP" command:

    iptables v1.4.4: -P requires a chain and a policy
    Try 'iptables -h' or 'iptables --help' for more information.

    This then causes problems with other parts of the script. I have read the man pages and I don't see the problem. As far as I can see, I have specified the chain and policy ("INPUT -j DROP").

    Any ideas what's wrong or what I'm missing?

    #2
    Re: iptables "requires a chain and a policy"

    That's bloody typical: I've been trying to solve this for days, and within 30 minutes of posting it I find the solution. The correct syntax for the DROP is without the '-j' flag:

    Code:
    # set policies to block traffic by default
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    Now I just need to correct the following:

    + iptables 'save'
    Bad argument 'save'

    + iptables 'restart'
    Bad argument 'restart'

    Then load my script on system startup.

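    Added example (not from the original thread): the same default-DROP rule set as in post #1, with the policy lines written the way iptables -P expects them (chain, then target, no -j), and with the two non-existent commands "iptables save" and "iptables restart" replaced by the tools that actually exist on Ubuntu, iptables-save and iptables-restore. Instead of running iptables -P and -A one command at a time, the script emits the rule set in iptables-restore format and loads it in one step, so policies and the ESTABLISHED,RELATED rule are committed together; the original script's order (flush, set DROP, then add allow rules) leaves a window with no allow rules at all, which on a remote box kills the session you are typing into. The rules file path and the if-pre-up.d hook named in the usage note are assumptions, not anything the thread specifies.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a default-DROP
# filter table in iptables-restore format and optionally applies/saves it.
# RULES_FILE is an assumed location; change it to taste.
set -u

RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

# Emit the whole rule set on stdout. In this format the chain policy is
# ":CHAIN POLICY [pkts:bytes]" - equivalent to "iptables -P CHAIN POLICY",
# i.e. chain and target with no -j. "-" means a user-defined chain, which
# has no policy. iptables-restore commits everything at COMMIT atomically.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:firewall - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A firewall -m limit --limit 15/minute -j LOG --log-prefix "Firewall: "
-A firewall -j DROP
-A INPUT -j firewall
COMMIT
EOF
}

# Policy a chain ends up with, read back from the generated rule set
# (":INPUT DROP [0:0]" -> "DROP"). A sanity check you can run as a normal
# user before touching the kernel.
policy_of() {
    gen_rules | awk -v chain=":$1" '$1 == chain { print $2 }'
}

# Load into the kernel. iptables-restore replaces the filter table in one
# step, so there is no moment with DROP policies and no allow rules. Root only.
apply_rules() {
    gen_rules | iptables-restore
}

# Persist across reboots: write the file that a boot-time hook feeds to
# iptables-restore (see usage note; the hook itself is an assumption).
save_rules() {
    gen_rules > "$RULES_FILE"
}

case "${1:-}" in
    --apply) apply_rules ;;
    --save)  save_rules ;;
    *)       gen_rules ;;          # default: just print the rule set
esac
```

Run it with no arguments to inspect the generated rules, `sudo ./fw.sh --apply` to load them, and `sudo ./fw.sh --save` to write the file. To reload at boot, one common approach (assumed here, not something the thread describes) is a small executable script in /etc/network/if-pre-up.d containing `iptables-restore < /etc/iptables.rules`, so the table is in place before any interface comes up. If you administer the machine over SSH, add an explicit `-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT` above the `-A INPUT -j firewall` line before applying; with the rule set as written, only loopback and replies to your own outgoing connections get in.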


      #3
      Re: iptables "requires a chain and a policy"

      Why not install ufw and use it?
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
      – John F. Kennedy, February 26, 1962.



        #4
        Re: iptables "requires a chain and a policy"

        Originally posted by GreyGeek
        Why not install ufw and use it?
        I tried using kmyfirewall and wasn't impressed, so I decided that if I was going to go through a learning curve, I wanted to know what was going on in the background so I could tell if the tool I eventually chose was doing what I wanted.



          #5
          Re: iptables "requires a chain and a policy"

          There is also guarddog (and guidedog) and shorewall in the repository.