Linode Forum :: E: unknown error applying new iptables ruleset

Linode Forum https://forum.linode.com/

E: unknown error applying new iptables ruleset https://forum.linode.com/viewtopic.php?f=19&t=9725	Page 1 of 1

Author:

vegaskev [ Sun Jan 20, 2013 2:24 am ]

Post subject:

E: unknown error applying new iptables ruleset

I have attempted to setup some basic iptables based on the linode tut here: http://library.linode.com/securing-your-server. I didn't modify anything from the suggested rules, however, when I go to activate the rules using the command:

Code:

iptables-restore < /etc/iptables.firewall.rules

Zero luck at all. It gives the error I used in this topic title:

Quote:

E: unknown error applying new iptables ruleset

For clarification (and so you don't have to go the the tut page for the code) here is what I entered into my iptables.firewall.rules :

Code:

*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

#  Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT

When it didn't work, I logged in as root to try and activate it, but had no luck. It was calling the error on line 33...which is the 'COMMIT' command. I obviously cannot remove that, so I'm a bit stumped.

I even went so far as to scp in and copy and paste the rules from the tut into the file directly and got the same error as when I created the file in ssh. Finally, I deleted the file and tried to start from scratch (which I did twice) and still cannot seem to activate the new iptables file. I get the error every time.

Any thoughts would be extremely helpful. Thank you in advance.

Author:	dwfreed [ Sun Jan 20, 2013 2:38 am ]
Post subject:	Re: E: unknown error applying new iptables ruleset
My suggestion would be to apply each of these rules manually using iptables as root or with sudo, and then use iptables-save to save the resulting ruleset in your iptables.firewall.rules. For example: Code: iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -d 127.0.0.0/8 -j REJECT # and so on for each of your rules iptables-save > /etc/iptables.firewall.rules You'll want to verify that you have no existing rules (with iptables -L -nv) prior to doing this, or stuff may get whacky. iptables-save will always generate a file that can be read back in with iptables-restore, so you don't have to worry about getting this issue again.

Author:	vegaskev [ Sun Jan 20, 2013 3:38 am ]
Post subject:	Re: E: unknown error applying new iptables ruleset
Worked like a charm. Thanks for the help, I appreciate it. P.S. Is there a way to mark a thread as 'solved'? If so, please let me know how to do so, I couldn't see a way to do so on my own. Thanks again. dwfreed wrote: My suggestion would be to apply each of these rules manually using iptables as root or with sudo, and then use iptables-save to save the resulting ruleset in your iptables.firewall.rules. For example: Code: iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -d 127.0.0.0/8 -j REJECT # and so on for each of your rules iptables-save > /etc/iptables.firewall.rules You'll want to verify that you have no existing rules (with iptables -L -nv) prior to doing this, or stuff may get whacky. iptables-save will always generate a file that can be read back in with iptables-restore, so you don't have to worry about getting this issue again.

Page 1 of 1	All times are UTC-04:00
Powered by phpBB® Forum Software © phpBB Group http://www.phpbb.com/