Linode Forum Linode Community Forums
pepsi_can
Joined: 08 Jul 2010
Posts: 3
Posted: Sat Jul 10, 2010 7:09 pm Post subject: Warning When Starting arno-iptables-firewall
Hi,
I'm using kernel 2.6.26-2-xen-686 with Debian Lenny.
I was following the tutorial at http://library.linode.com/networking/security-guides/arno-iptables-firewall-debian-lenny except I get this warning on startup:
Code:
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
My first thought was I made a typo using ethO:O instead of eth0:0 but that doesn't seem to be the case.
Additionally I don't think the firewall starts up. I don't see any arno-iptables-firewall using htop after running:
Code:
sudo /etc/init.d/arno-iptables-firewall start
Here is the entire output:
Code:
$ sudo /etc/init.d/arno-iptables-firewall start
Arno's Iptables Firewall Script v1.8.8o
-------------------------------------------------------------------------------
Sanity checks passed...OK
Checking/probing Iptables modules:
Module check done...
Setting the kernel ring buffer to only log panic messages to the console
Configuring /proc/.... settings:
Enabling anti-spoof with rp_filter
Enabling SYN-flood protection via SYN-cookies
Disabling the logging of martians
Disabling the acception of ICMP-redirect messages
Setting the max. amount of simultaneous connections to 16384
Setting default conntrack timeouts
Enabling protection against source routed packets
Enabling reduction of the DoS'ing ability
Setting Default TTL=64
Disabling ECN (Explicit Congestion Notification)
Enabling support for dynamic IP's
Flushing route table
/proc/ setup done...
Setting up firewall chains
Setting default INPUT/FORWARD policy to DROP
Using loglevel "info" for syslogd
Setting up firewall rules:
-------------------------------------------------------------------------------
Accepting packets from the local loopback device
Enabling setting the maximum packet size via MSS
Enabling mangling TOS
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID TCP packets disabled
Logging of INVALID UDP packets disabled
Logging of INVALID ICMP packets disabled
Logging of fragmented packets enabled
Logging of access from reserved addresses enabled
Setting up (antispoof) INTERNAL net(s): 192.168.139.0/24 Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
Reading custom rules from /etc/arno-iptables-firewall/custom-rules
Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
UPnP plugin v0.12
Loaded 1 plugin(s)...
Setting up INPUT policy for the external net (INET):
Enabling support for DHCP-assigned-IP (DHCP client)
Logging of explicitly blocked hosts enabled
Logging of denied local output connections enabled
Packets will NOT be checked for private source addresses
Allowing the whole world to connect to TCP port(s): 22 25 80
Denying the whole world to send ICMP-requests(ping)
Logging of dropped ICMP-request(ping) packets enabled
Logging of dropped other ICMP packets enabled
Logging of possible stealth scans enabled
Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled
Logging of ICMP flooding enabled
Setting up OUTPUT policy for the external net (INET):
Allowing all (other) ports/protocols
Applying INET policy to external interface: eth0 (without an external subnet specified)
Setting up INPUT policy for internal (LAN) interface(s): eth0:0
Allowing ICMP-requests(ping)
Allowing all (other) ports/protocols
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
Setting up FORWARD policy for internal (LAN) interface(s): eth0:0
Logging of denied LAN->INET FORWARD connections enabled
Setting up LAN->INET policy:
Allowing ICMP-requests(ping)
Allowing all (other) ports/protocols
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
Security is ENFORCED for external interface(s) in the FORWARD chain
Jul 11 0:00:21 All firewall rules applied.
Here is the htop output. (I don't see arno-iptables-firewall, should I?)
Code:
1049 root 16 -4 10248 684 492 S 0.0 0.1 0:00.00 /sbin/auditd
1062 root 12 -8 11024 724 584 S 0.0 0.1 0:00.00 /sbin/audispd
1050 root 12 -8 11024 724 584 S 0.0 0.1 0:00.00 /sbin/audispd
1048 root 16 -4 10248 684 492 S 0.0 0.1 0:00.00 /sbin/auditd
1537 root 20 0 2064 416 296 S 0.0 0.1 0:00.00 dhclient3 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclient.eth0.leases eth0
1645 root 20 0 27076 1288 896 S 0.0 0.2 0:00.04 /usr/sbin/rsyslogd -c3
1646 root 20 0 27076 1288 896 S 0.0 0.2 0:00.00 /usr/sbin/rsyslogd -c3
1647 root 20 0 27076 1288 896 S 0.0 0.2 0:00.02 /usr/sbin/rsyslogd -c3
1644 root 20 0 27076 1288 896 S 0.0 0.2 0:00.07 /usr/sbin/rsyslogd -c3
3546 flicea 20 0 3340 1900 1268 S 0.0 0.4 0:00.04 bash
3545 flicea 20 0 2388 1092 888 S 0.0 0.2 0:00.00 su flicea
2076 root 20 0 2828 1612 1240 S 0.0 0.3 0:00.06 bash
2075 root 20 0 2388 1060 860 S 0.0 0.2 0:00.00 su root
2070 flicea 20 0 3316 1820 1216 S 0.0 0.3 0:00.00 -bash
2069 flicea 20 0 8340 1872 1112 S 0.0 0.4 0:00.38 sshd: flicea@pts/0
2067 root 20 0 8024 2640 2180 S 0.0 0.5 0:00.02 sshd: flicea [priv]
1658 root 20 0 5280 996 640 S 0.0 0.2 0:00.00 /usr/sbin/sshd
2000 root 20 0 3100 1684 228 S 0.0 0.3 0:00.00 /usr/sbin/restorecond
2031 root 20 0 2044 828 668 S 0.0 0.2 0:00.00 /usr/sbin/cron
2047 root 20 0 23896 4624 1892 S 0.0 0.9 0:00.36 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
2048 root 20 0 23896 4624 1892 S 0.0 0.9 0:00.24 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
2046 root 20 0 23896 4624 1892 S 0.0 0.9 0:00.69 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
2064 root 20 0 1652 516 448 S 0.0 0.1 0:00.00 /sbin/getty 38400 tty1
1 root 20 0 1988 692 592 S 0.0 0.1 0:00.09 init [2]
4226 flicea 20 0 2504 1308 928 R 0.0 0.2 0:00.36 htop
challonge
Joined: 19 Jul 2010
Posts: 2
Posted: Mon Jul 19, 2010 10:07 am
You can verify that the firewall is up with `/etc/init.d/arno-iptables-firewall status` or `iptables -L`
I'm having a similar issue trying to divide my internal and external networks. Given that Linode internal IPs use an aliased interface, has anyone had any luck with arno/iptables in splitting their networks?
challonge
Joined: 19 Jul 2010
Posts: 2
Posted: Mon Jul 19, 2010 10:40 am
I'm pretty new to iptables, but I'll post more if I get a nice arno configuration figured out. Here's the issue (from arno's FAQ):
Q: How can I use aliased network interfaces with your firewall (like eth0:0) in rules?
A: The current Linux implementation doesn't allow distinction between eth0 or eth0:0 in e.g. iptables/netfilter rules. You can only specify eth0 which automatically includes eth0:0 (and other aliased interfaces). You can however use the IP address of the aliased interface for rules like OPEN_TCP="aliased-ip~22"
chesty
Joined: 19 Feb 2008
Posts: 52
Posted: Mon Jul 19, 2010 10:46 am
Not that I know the firewall in question, but I'm surprised to see eth0:0 in the configuration for an interface. eth0:0 isn't an interface, it's a label for an IP address added to the eth0 interface.
Try replacing eth0:0 with eth0
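An added example, not code from the thread or from arno-iptables-firewall itself: a small POSIX sh check that mirrors the "weird character in interface" warning quoted in the first post and the FAQ answer in challonge's second post. It flags alias labels in an interface list, strips them to the base name the kernel actually knows, and builds the `ip~port` form the FAQ recommends for OPEN_TCP. The address 192.168.139.10 is a constructed value on the thread's 192.168.139.0/24 internal net; the `alias_addr` helper assumes iproute2 is installed and is not exercised offline.

```shell
#!/bin/sh
# Return 0 if NAME is a plain interface name usable with iptables -i/-o,
# 1 if it carries an alias label or wildcard (':', '!' or '*'), which is
# exactly what iptables warns about for "eth0:0".
iface_is_plain() {
    case "$1" in
        *:*|*!*|*\**) return 1 ;;
        *) return 0 ;;
    esac
}

# Strip an alias label: eth0:0 -> eth0 (the only name netfilter can match).
iface_base() {
    printf '%s\n' "${1%%:*}"
}

# Check an arno interface list (e.g. INT_IF="eth0:0 eth1"): warn on each
# alias label, print the list with labels stripped, return 1 if any found.
check_if_list() {
    rc=0
    out=""
    for ifname in $1; do
        if ! iface_is_plain "$ifname"; then
            echo "warning: '$ifname' is an alias label, not an interface;" \
                 "match on the alias IP instead of the name" >&2
            rc=1
        fi
        out="$out $(iface_base "$ifname")"
    done
    printf '%s\n' "${out# }"
    return $rc
}

# Build an arno OPEN_TCP entry scoped to the alias's IP rather than its
# name, per the FAQ: open_tcp_entry 192.168.139.10 22 -> "192.168.139.10~22"
open_tcp_entry() {
    printf '%s~%s\n' "$1" "$2"
}

# Look up the IPv4 address bound to an alias label with iproute2 (assumed
# installed); prints one address per matching label, without the prefix.
alias_addr() {
    ip -o -4 addr show label "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1
}

# Usage with the thread's configuration (constructed alias address):
check_if_list "eth0:0" || true
open_tcp_entry 192.168.139.10 22
```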