
I have made the following iptables rules file:

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]

-A INPUT -i enp3s0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow incoming SSH"
-A INPUT -i enp3s0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT -m comment --comment "Allow outgoing SSH"
-A INPUT -i enp3s0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow incoming HTTP"
-A INPUT -i enp3s0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow incoming HTTPS"
-A INPUT -i enp3s0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT -m comment --comment "Allow outgoing HTTP"
-A INPUT -i enp3s0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT -m comment --comment "Allow outgoing HTTPS"
-A INPUT -i enp3s0 -p udp --sport 53 -j ACCEPT -m comment --comment "Allow outgoing DNS"

-A INPUT -i lo -j ACCEPT -m comment --comment "Allow ALL from localhost"

-A INPUT -p icmp --icmp-type echo-request -j ACCEPT -m comment --comment "Allow incoming ping"
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT -m comment --comment "Allow outgoing ping"
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT -m comment --comment "Prevent DoS attacks"
-A INPUT -p tcp --dport 443 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT -m comment --comment "Prevent DoS attacks"
-A INPUT -p tcp -m tcp --dport 22 -j sshguard -m comment --comment "SSH access protection"
COMMIT

But when I try to load it with `iptables-restore < iptables.rules`, I get this error:

iptables-restore: line 22 failed

Did I do something wrong?

EDIT:

  • my Linux version is: linux44 4.4.48-1
  • my iptables version is: iptables 1.6.0-1
  • uname: Linux ARCH 4.4.41-1-MANJARO #1 SMP PREEMPT Mon Jan 9 12:43:09 UTC 2017 i686 GNU/Linux

EDIT 2: After multiple tests, it seems that the ipt_state.ko.gz and ipt_comment.ko.gz modules are missing from the directory /lib/modules/4.4.48-1-MANJARO/kernel/net/ipv4/netfilter

Does anyone know how to add these modules?

Dynamite
  • I tried your ruleset and it was imported successfully! What is the version of iptables you are using? Maybe there is a missing module. – Khaled Feb 20 '17 at 11:02
  • @Khaled guess he hasn't configured his arch linux properly. This isn't iptables preventing him from restoring. –  Feb 20 '17 at 11:04
  • This imports correctly on a CentOS 6 box I have to hand. – user9517 Feb 20 '17 at 11:04
  • Can you please update your question with the output of `pacman -Q linux` and `uname -a`? Thanks. –  Feb 20 '17 at 11:05
  • Have you tried to flush your iptables first and restore right after? To do so, use `iptables -F && iptables -X && iptables-restore < iptables.rules` as root user. –  Feb 20 '17 at 11:27
  • @FarazX Same result: `iptables-restore: line 22 failed` – Dynamite Feb 20 '17 at 11:37
  • @FarazX Okay, so after multiple tests it seems that each time I try to use a module (with -m xxxx) I get this error: `iptables: No chain/target/match by that name.` Any ideas? – Dynamite Feb 20 '17 at 13:26
  • Let's do something so we can better find out what your problem is. IPTables-restore will only show the line which COMMIT is put in, so that's why you always get your error telling you about line 22 failure. Let's put one COMMIT after every line and remove them one by one after making sure that a line works fine. In other words, let's put COMMIT after all your lines so as to find out which line will be detected as error. In fact, I want to see if this is iptables that is preventing your work, or it is happening because of an unloaded module or etc. in your system and not iptables. –  Feb 20 '17 at 20:23
  • BTW, do three more steps before going any further, and keep me informed of the results. Install `mlocate` by using pacman, then use the `updatedb` command and then use `locate yourModules` to check whether the modules mentioned in your new updates exist anywhere else. The second thing that I highly recommend is updating your kernel. Due to security concerns and many other things, 4.4.41-1 is too old; you should use 4.9.9-1. Finally, right after updating your kernel, update all your packages by using `pacman -Syu`. –  Feb 20 '17 at 20:34

1 Answer


Okay, so following that forum thread: https://bbs.archlinux.org/viewtopic.php?id=195108, I realized that my kernel was recently updated from -41 to -48, and module discovery is based on the uname (which was outdated); that's why the modules couldn't load. A simple reboot fixed all issues :D

Dynamite
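As an added example (not code from the question or the answer), here is a POSIX shell script that covers both symptoms on this page: it lists the match extensions (`-m state`, `-m comment`, ...) a rules file needs and checks whether the module tree of the running kernel can provide them, reporting separately when `uname -r` names a kernel whose module tree no longer exists after an upgrade. The tree layout, the `modules.alias` lookup and the function names are my assumptions.

```sh
#!/bin/sh
# Every "-m NAME" in a ruleset makes the kernel request module ipt_NAME, which
# modprobe resolves through /lib/modules/$(uname -r)/modules.alias. If that
# tree is gone (kernel package upgraded, no reboot yet) or lacks the module,
# iptables-restore fails at COMMIT with "No chain/target/match by that name".
# Layout, alias handling and function names below are assumptions.

# Match extensions (-m / --match) used by an iptables-save style file, deduplicated.
rules_matches() {
    awk '/^-/ { for (i = 1; i < NF; i++) if ($i == "-m" || $i == "--match") print $(i + 1) }' "$1" | sort -u
}
# Is match $1 available in module tree $2 (e.g. /lib/modules/4.4.48-1-MANJARO)?
# Checks the ipt_NAME alias, then built-in modules, then a module file named
# xt_NAME or ipt_NAME (older naming). Prints "ok" or "MISSING".
match_available() {
    name=$1; mtree=$2
    if [ -f "$mtree/modules.alias" ] && grep -q "^alias ipt_$name " "$mtree/modules.alias"; then
        echo ok; return 0
    fi
    if [ -f "$mtree/modules.builtin" ] && grep -Eq "/(xt|ipt)_$name\.ko" "$mtree/modules.builtin"; then
        echo ok; return 0
    fi
    if find "$mtree" \( -name "xt_$name.ko*" -o -name "ipt_$name.ko*" \) 2>/dev/null | grep -q .; then
        echo ok; return 0
    fi
    echo MISSING; return 1
}

# Check rules file $1 against the module tree of kernel release $2 under
# modules root $3 (default /lib/modules). One line per match plus a summary
# line; returns 0 only when every match module can be found.
diagnose_rules() {
    root=${3:-/lib/modules}; tree="$root/$2"
    if [ ! -d "$tree" ]; then
        echo "no module tree for running kernel $2; installed: $(ls "$root" 2>/dev/null | tr '\n' ' ')"
        echo "summary: running kernel has no modules, reboot into an installed kernel"
        return 1
    fi
    missing=0
    for m in $(rules_matches "$1"); do
        status=$(match_available "$m" "$tree") || missing=$((missing + 1))
        printf '%-10s %s\n' "$m" "$status"
    done
    echo "summary: $missing missing match module(s) under $tree"
    [ "$missing" -eq 0 ]
}

# Usage: sh check_rules.sh /etc/iptables/iptables.rules
if [ $# -gt 0 ]; then diagnose_rules "$1" "$(uname -r)"; fi
```

Run it before `iptables-restore` after any kernel upgrade; a "no module tree" summary means the fix is the reboot from the answer, while a MISSING line points at a module the installed kernel genuinely lacks.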