From: John E. <jo...@co...> - 2005-03-06 21:25:20
On Mon, Mar 07, 2005 at 09:44:40AM +1300, John Zoetebier wrote:
> On Mon, 07 Mar 2005 00:39, you wrote:
>> On Sun, Mar 06, 2005 at 05:08:15PM +1300, John Zoetebier wrote:
>>> This is rc.firewall.local:
>>> =>
>>> #!/bin/sh
>>> # Used for private firewall rules
>>>
>>> # See how we were called.
>>> case "$1" in
>>> start)
>>> ## add your 'start' rules here
>>> /sbin/iptables -A CUSTOMFORWARD -i eth0 -o eth2 -p tcp -m mport --dports
>>> 80,81,443,3128,6588,8000,8080,8081 -j DROP
>>> ;;
>>> stop)
>>> ## add your 'stop' rules here
>>> /sbin/iptables -D CUSTOMFORWARD -i eth0 -o eth2 -p tcp -m mport --dports
>>> 80,81,443,3128,6588,8000,8080,8081 -j DROP
>>> ;;
>>> *)
>>> echo "Usage: $0 {start|stop}"
>>> esac
>>> =>
>>>
>>> When I type: rc.firewall restart
>>> I get this message:
>>> iptables: Bad rule (does a matching rule exist in that chain?)
>>>
>>> It looks like the problem is in the stop rule.
>>> Apart from that, the rule seems to be working.
>>> Any suggestions ?
>>
>> A "restart" is considered to be a stop then a start, so if this is
>> the first time that the script is run then rule does not exist, hence
>> it will not be deleted and you will get the above error message. The
>> second time you restart rc.firewall you should not get this message.
>>
>> To see if the rule does exist you can run:
>> iptables -vnL
>
> The restart logic is something I had already checked.
> The iptables rule exists.
> When I start the firewall, then a stop, I still get the same error message.
For which action do you get the error message - start or stop ?
A restart does both, so you need to run each independently to
find the source of the problem.
To help with finding the source of the problem you could try running
the rc scripts with the "-x" option, which will print out the commands that
are run as well as their output:
sh -x /etc/rc.d/rc.firewall stop
Check if you get the error when you run the custom stop command on its own:
/sbin/iptables -D CUSTOMFORWARD -i eth0 -o eth2 -p tcp -m mport --dports 80,81,443,3128,6588,8000,8080,8081 -j DROP
(beware of long line)
Lastly you should check that the above iptables commands are on the
same line and that your text editor has not line wrapped them.
>> ps. You may wish to use $GREEN_DEV and $RED_DEV instead of eth0 and eth2,
>> which will make things easy if the network cards are changed or someone
>> else wants to use your script.
>
> This gives:
> =>
> root@tsl001:/etc/rc.d # ./rc.firewall restart
> Warning: wierd character in interface `-o' (No aliases, :, ! or *).
> iptables: Bad rule (does a matching rule exist in that chain?)
> Warning: wierd character in interface `-o' (No aliases, :, ! or *).
> root@tsl001:/etc/rc.d #
> =>
Sorry, I hadn't realised your script was in shell instead of perl.
--
#---------------------------------------------------------#
| John Edwards Email: Joh...@uk... |
| |
| A. Because it breaks the logical sequence of discussion |
| Q. Why is top posting bad ? |
#---------------------------------------------------------#
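As an added example (not from either poster), here is the rc.firewall.local rewritten so that a restart cannot trip over the "Bad rule" error and so that an editor's line wrap cannot split "--dports" from its port list: the rule is written once in a function, and "stop" only deletes it when it is actually present. It assumes an iptables that has the -C (check) option; GREEN_DEV/RED_DEV are taken from the environment as the thread suggests, falling back to the original eth0/eth2, and IPTABLES can be overridden with a stub command for testing.

```shell
#!/bin/sh
# rc.firewall.local, reworked (example, not the original poster's script).
# IPTABLES may be overridden, e.g. with a stub command when testing.
IPTABLES="${IPTABLES:-/sbin/iptables}"
# rc.firewall normally exports these; fall back to the interfaces used above.
GREEN_DEV="${GREEN_DEV:-eth0}"
RED_DEV="${RED_DEV:-eth2}"
CHAIN=CUSTOMFORWARD

# The whole rule lives on one line in one place, so start and stop can never
# disagree and a wrapped "--dports" line cannot turn into a bad rule.
rule_args() {
    echo "-i $GREEN_DEV -o $RED_DEV -p tcp -m mport --dports 80,81,443,3128,6588,8000,8080,8081 -j DROP"
}

# Return 0 if the rule is already in the chain (needs iptables -C support).
rule_present() {
    # shellcheck disable=SC2046  # word splitting of the rule is intended
    "$IPTABLES" -C "$CHAIN" $(rule_args) >/dev/null 2>&1
}

fw_start() {
    if rule_present; then
        echo "rule already present in $CHAIN"
        return 0
    fi
    "$IPTABLES" -A "$CHAIN" $(rule_args)
}

fw_stop() {
    # This is the case the thread hits: deleting a rule that is not there.
    if ! rule_present; then
        echo "rule not present in $CHAIN, nothing to delete"
        return 0
    fi
    "$IPTABLES" -D "$CHAIN" $(rule_args)
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    "")      ;;   # run without an action: only define the functions
    *)       echo "Usage: $0 {start|stop|restart}" ;;
esac
```

Running it as `sh -x ./rc.firewall.local stop`, as suggested above, now shows a single -C check followed by either the -D or the "nothing to delete" message.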