Thread: [Fwbuilder-discussion] Using --days
From: Doug L. <su...@dr...> - 2008-04-26 12:35:37
Attachments:
rule.png
weekdays.png
I've been upgrading an old Mandrake 10.0 firewall to Mandriva 2008.0. I've noted that Mandriva hasn't built iptables with libipt_time.so support, so I went out and grabbed the current iptables (v1.4.0) and built it against a home rolled Linux 2.6.23.14 kernel.

I'm using time restrictions for the office that only allow access to the internet from 7am to 7:30pm, Mondays through Fridays. Apparently, --days is no longer the correct command. I found that it's now --weekdays.

The following rules are generated by fwbuilder 1.1.18. I manually changed the --days to --weekdays:

    $IPTABLES -N RULE_8
    $IPTABLES -A INPUT -s 192.168.3.0/24 -m state --state NEW -m time --timestart 07:00 --timestop 19:30 --weekdays Mon,Tue,Wed,Thu,Fri -j RULE_8
    $IPTABLES -A OUTPUT -s 192.168.3.0/24 -m state --state NEW -m time --timestart 07:00 --timestop 19:30 --weekdays Mon,Tue,Wed,Thu,Fri -j RULE_8
    $IPTABLES -A FORWARD -s 192.168.3.0/24 -m state --state NEW -m time --timestart 07:00 --timestop 19:30 --weekdays Mon,Tue,Wed,Thu,Fri -j RULE_8
    $IPTABLES -A RULE_8 -j LOG --log-level info --log-prefix "RULE 8 -- ACCEPT " --log-tcp-options --log-ip-options
    $IPTABLES -A RULE_8 -j ACCEPT

When applying this rule, I get the following:

    Rule 8 (global)
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name
    iptables: No chain/target/match by that name

Any suggestions? Screen shots in png format attached.

--
Ben Franklin quote:

"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."
From: Vadim K. <va...@vk...> - 2008-04-26 16:13:23

Did you recompile both the kernel part of iptables and the command line tool iptables?

--vk

On Apr 26, 2008, at 5:35 AM, Doug Lytle wrote:
> I've been upgrading an old Mandrake 10.0 firewall to Mandriva 2008.0.
> I've noted that Mandriva hasn't built iptables with libipt_time.so
> support, so I went out and grabbed the current iptables (v1.4.0) and
> built it against a home rolled Linux 2.6.23.14 kernel.
>
> I'm using time restrictions for the office that only allows access to
> the internet from 7am to 7:30pm, Mondays though Fridays. Apparently,
> --days is no longer the correct command. I found that it's now
> --weekdays.
>
> [...]
>
> When applying this rule, I get the following:
>
> Rule 8 (global)
> iptables: No chain/target/match by that name
> iptables: No chain/target/match by that name
> iptables: No chain/target/match by that name
>
> Any suggestions? Screen shots in png format attached:
From: Doug L. <su...@dr...> - 2008-04-26 16:37:24
Vadim Kurland wrote:
> did you recompile both kernel part of iptables and command line tool
> iptables ?

Yes, at least I think I did.

    cat .config|grep -i iptable

    CONFIG_IP_NF_IPTABLES=m
    CONFIG_IP6_NF_IPTABLES=m

    cat .config|grep -i netfilter

    CONFIG_NETFILTER=y
    CONFIG_NETFILTER_DEBUG=y
    CONFIG_BRIDGE_NETFILTER=y
    # Core Netfilter Configuration
    CONFIG_NETFILTER_NETLINK=m
    CONFIG_NETFILTER_NETLINK_QUEUE=m
    CONFIG_NETFILTER_NETLINK_LOG=m
    CONFIG_NETFILTER_XTABLES=m
    CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
    CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
    CONFIG_NETFILTER_XT_TARGET_DSCP=m
    CONFIG_NETFILTER_XT_TARGET_MARK=m
    CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
    CONFIG_NETFILTER_XT_TARGET_NFLOG=m
    CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
    CONFIG_NETFILTER_XT_TARGET_TRACE=m
    CONFIG_NETFILTER_XT_TARGET_SECMARK=m
    CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
    CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
    CONFIG_NETFILTER_XT_MATCH_COMMENT=m
    CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
    CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
    CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
    CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
    CONFIG_NETFILTER_XT_MATCH_DCCP=m
    CONFIG_NETFILTER_XT_MATCH_DSCP=m
    CONFIG_NETFILTER_XT_MATCH_ESP=m
    CONFIG_NETFILTER_XT_MATCH_HELPER=m
    CONFIG_NETFILTER_XT_MATCH_LENGTH=m
    CONFIG_NETFILTER_XT_MATCH_LIMIT=m
    CONFIG_NETFILTER_XT_MATCH_MAC=m
    CONFIG_NETFILTER_XT_MATCH_MARK=m
    CONFIG_NETFILTER_XT_MATCH_POLICY=m
    CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
    CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
    CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
    CONFIG_NETFILTER_XT_MATCH_QUOTA=m
    CONFIG_NETFILTER_XT_MATCH_REALM=m
    CONFIG_NETFILTER_XT_MATCH_SCTP=m
    CONFIG_NETFILTER_XT_MATCH_STATE=m
    CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
    CONFIG_NETFILTER_XT_MATCH_STRING=m
    CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
    CONFIG_NETFILTER_XT_MATCH_U32=m
    CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m

Doug

--
Ben Franklin quote:

"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."
From: Vadim K. <va...@vk...> - 2008-04-26 17:12:48

On Apr 26, 2008, at 9:37 AM, Doug Lytle wrote:
> Vadim Kurland wrote:
>> did you recompile both kernel part of iptables and command line
>> tool iptables ?
>
> Yes, at least I think I did.
> cat .config|grep -i iptable
>
> CONFIG_IP_NF_IPTABLES=m
> CONFIG_IP6_NF_IPTABLES=m
>
> cat .config|grep -i netfilter
>
> CONFIG_NETFILTER=y
> CONFIG_NETFILTER_DEBUG=y
> CONFIG_BRIDGE_NETFILTER=y
> # Core Netfilter Configuration
> [...]
> CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m

That's all kernel stuff. Try "iptables -v" and see if that is the right one. Maybe the command line tool got installed in /usr/local/sbin but you still use the one in /sbin?

--vk
From: Doug L. <su...@dr...> - 2008-04-26 17:28:53
Attachments:
properties.png
Vadim Kurland wrote:
> that's all kernel stuff. Try "iptables -v" and see if that is the
> right one. May be command line tool got installed in /usr/local/sbin
> but you still use the one in /sbin ?

Yes, that was intended. The binary was installed into /usr/local/sbin. I've made the appropriate changes in firewall builder though.

--
Ben Franklin quote:

"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."
From: Vadim K. <va...@vk...> - 2008-04-26 17:58:54

On Apr 26, 2008, at 10:28 AM, Doug Lytle wrote:
> Vadim Kurland wrote:
>> that's all kernel stuff. Try "iptables -v" and see if that is the
>> right one. May be command line tool got installed in /usr/local/
>> sbin but you still use the one in /sbin ?
>
> Yes, that was intended. The binary was installed into /usr/local/
> sbin. I've made the appropriate changes in firewall builder though.

OK, so try

    /usr/local/sbin/iptables -m time --help

and see if it recognizes all the options you are trying to use.

--vk
From: Doug L. <su...@dr...> - 2008-04-26 18:52:48
Vadim Kurland wrote:
> ok, so try /usr/local/sbin/iptables -m time --help and see if it
> recognizes all the options you are trying to use

    /usr/local/sbin/iptables -m time --help

    iptables v1.4.0

    TIME v1.4.0 options:
        --datestart time     Start and stop time, to be given in ISO 8601
        --datestop time      (YYYY[-MM[-DD[Thh[:mm[:ss]]]]])
        --timestart time     Start and stop daytime (hh:mm[:ss])
        --timestop time      (between 00:00:00 and 23:59:59)
        --monthdays value    List of days on which to match, separated by comma
                             (Possible days: 1 to 31; defaults to all)
        --weekdays value     List of weekdays on which to match, sep. by comma
                             (Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1 to 7
                             Defaults to all weekdays.)
        --localtz/--utc      Time is interpreted as UTC/local time

As long as I don't use the -m time option, the script works fine.

Manually doing the following, it fails to find RULE_8:

    service iptables stop

    /usr/local/sbin/iptables -N RULE_8
    /usr/local/bin/iptables -A INPUT -s 192.168.3.0/24 -m state --state NEW -m time --timestart 07:00 --timestop 19:30 --weekdays Mon,Tue,Wed,Thu,Fri -j RULE_8

    iptables: No chain/target/match by that name

    /usr/local/sbin/iptables -L

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain RULE_8 (0 references)
    target     prot opt source               destination

This is probably something I'm doing that's very stupid.

Doug

--
Ben Franklin quote:

"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."
From: Vadim K. <va...@vk...> - 2008-04-26 19:20:05

On Apr 26, 2008, at 11:52 AM, Doug Lytle wrote:
> Vadim Kurland wrote:
>> ok, so try /usr/local/sbin/iptables -m time --help and see if it
>> recognizes all the options you are trying to use
>
> /usr/local/sbin/iptables -m time --help
>
> iptables v1.4.0
>
> TIME v1.4.0 options:
> --datestart time Start and stop time, to be given in ISO 8601
> --datestop time (YYYY[-MM[-DD[Thh[:mm[:ss]]]]])
> --timestart time Start and stop daytime (hh:mm[:ss])
> --timestop time (between 00:00:00 and 23:59:59)
> --monthdays value List of days on which to match, separated by comma
> (Possible days: 1 to 31; defaults to all)
> --weekdays value List of weekdays on which to match, sep. by comma
> (Possible days: Mon,Tue,Wed,Thu,Fri,Sat,Sun or 1 to 7
> Defaults to all weekdays.)
> --localtz/--utc Time is interpreted as UTC/local time

This looks fine.

> As long as I don't use -m time option, the script works fine.
>
> Manually doing the following, it fails to find RULE_8
>
> service iptables stop
>
> /usr/local/sbin/iptables -N RULE_8
> /usr/local/bin/iptables -A INPUT -s 192.168.3.0/24 -m state --state
> NEW -m time --timestart 07:00 --timestop 19:30 --weekdays
> Mon,Tue,Wed,Thu,Fri -j RULE_8
>
> iptables: No chain/target/match by that name

I hope the second command is really /usr/local/sbin/iptables.

The error message is not very helpful because it is not clear which part it did not recognize: the chain, match or target. It could be that it can not find chain RULE_8, but "iptables -L" shows it, so it can't be the target. Chain "INPUT" is standard, so it can't be that either. What is left is "match", which in this case is one of the parameters to the module time. You can try different combinations to see which one it does not recognize. In any case this seems to be a problem with this particular copy of iptables which claims to support some parameters in --help but really does not.

--vk

> /usr/local/sbin/iptables -L
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RULE_8 (0 references)
> target prot opt source destination
>
> This is probably something I'm doing that very stupid.
>
> Doug
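Editor's note, not part of the thread: Vadim's elimination argument (chain present, target present, so the rejected part must be the match) points at a check the thread never runs. `iptables -m time --help` only exercises the userspace extension library; the "No chain/target/match by that name" error is the kernel refusing the rule, which normally means the kernel cannot load the match module the userspace tool asked for. The `-m time` match that iptables 1.4.0 drives (the `--weekdays` syntax shown in the `--help` output) is the kernel's xt_time module, Kconfig symbol CONFIG_NETFILTER_XT_MATCH_TIME, which first appeared in Linux 2.6.24; the `.config` grep Doug pasted earlier shows many XT_MATCH symbols but no XT_MATCH_TIME. The script below is an added example (not from the list or from fwbuilder) that reads a kernel `.config` and reports which of the symbols a rule depends on are absent. It runs against a constructed excerpt modelled on Doug's grep output; the function names and the sample text are mine.

```shell
#!/bin/sh
# Added example: report which netfilter Kconfig symbols a kernel .config lacks.
# Rationale: `iptables -m time --help` only proves the userspace extension is
# installed; "No chain/target/match by that name" comes from the kernel, usually
# because the requested match module was never built for that kernel.

# Print each symbol from the argument list that is neither built in (=y) nor
# built as a module (=m) in the .config text passed as the first argument.
missing_symbols() {
    cfg_text="$1"
    shift
    for sym in "$@"; do
        if ! printf '%s\n' "$cfg_text" | grep -q "^${sym}=[ym]\$"; then
            echo "$sym"
        fi
    done
}

# Human-readable wrapper: return 0 when every symbol is enabled, 1 otherwise.
check_kconfig() {
    missing=$(missing_symbols "$@")
    if [ -z "$missing" ]; then
        echo "all required netfilter symbols are enabled"
        return 0
    fi
    echo "missing from kernel config:"
    printf '  %s\n' $missing
    return 1
}

# Constructed sample (abridged) modelled on the `cat .config | grep -i netfilter`
# output pasted in the thread; it has the state match but no time match.
SAMPLE_CONFIG='CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_IP_NF_IPTABLES=m'

# What the RULE_8 rule needs: the iptables core, the xtables framework,
# "-m state" and "-m time" (xt_time, Linux 2.6.24 and later).
RULE_8_SYMBOLS="CONFIG_IP_NF_IPTABLES CONFIG_NETFILTER_XTABLES \
CONFIG_NETFILTER_XT_MATCH_STATE CONFIG_NETFILTER_XT_MATCH_TIME"

# Run against the constructed sample. On a live host with CONFIG_IKCONFIG_PROC
# the real config can be fed in with: check_kconfig "$(zcat /proc/config.gz)" $RULE_8_SYMBOLS
check_kconfig "$SAMPLE_CONFIG" $RULE_8_SYMBOLS ||
    echo "kernel side needs rebuilding before the --weekdays rule can load"
```

On the sample the report names CONFIG_NETFILTER_XT_MATCH_TIME as the only missing symbol, which is exactly the situation the thread describes: the userspace tool advertises the option, the kernel has nothing to back it. On a running system the same question can be asked without the `.config` by checking whether `modinfo xt_time` finds a module for the booted kernel.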
From: Doug L. <su...@dr...> - 2008-04-26 19:33:10
Vadim Kurland wrote:
> I hope the second command is really /usr/local/sbin/iptables

That it was, I mis-typed. I'll see if I can downgrade and give it another go.

Thanks for your input.

Doug

--
Ben Franklin quote:

"Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety."