Something seems to go wrong here after the update from updates-testing. What I do not understand is that there is no address range in "iptables.save"; at the end of the bug report you will find the "iptables.sh" that generates the rules:

[root@arrakis:~]$ rpm -qa | grep iptables
iptables-1.4.1-1.fc9.x86_64
[root@arrakis:~]$ service iptables start
: Firewall-Regeln anwenden: iptables-restore v1.4.1: iprange match: You must specify `--src-range' or `--dst-range'
Error occurred at line: 15
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[FEHLGESCHLAGEN]

# Generated by iptables-save v1.4.1 on Thu Jun 19 12:44:40 2008
*filter
:INPUT DROP [4:160]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [11:1848]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,22,80,443 -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000:10100 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m iprange -m multiport --dports 20,21,22,53,80,139,443,445,3306 -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m iprange -m multiport --dports 20,21,22,53,80,139,443,445,3306 -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -p udp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -s 62.178.218.100/32 -p tcp -m multiport --dports 20,21,22,53,80,139,443,445,3306 -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 62.178.218.100/32 -p udp -m state --state NEW -j ACCEPT
-A INPUT -s 62.178.218.100/32 -p icmp -m state --state NEW -j ACCEPT
-A INPUT -s 80.108.8.51/32 -p tcp -m multiport --dports 20,21,22,53,80,139,443,445,3306 -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 80.108.8.51/32 -p udp -m state --state NEW -j ACCEPT
-A INPUT -s 80.108.8.51/32 -p icmp -m state --state NEW -j ACCEPT
-A INPUT -s 85.124.176.242/32 -p tcp -m multiport --dports 20,21,22,53,80,139,443,445,3306 -m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 85.124.176.242/32 -p udp -m state --state NEW -j ACCEPT
-A INPUT -s 85.124.176.242/32 -p icmp -m state --state NEW -j ACCEPT
-A INPUT -p udp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -p udp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -s 85.124.176.242/32 -p udp -m udp --dport 3478:3479 -m state --state NEW -j ACCEPT
-A INPUT -s 85.124.176.242/32 -p udp -m udp --dport 5000:5100 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Jun 19 12:44:40 2008
# Generated by iptables-save v1.4.1 on Thu Jun 19 12:44:40 2008
*nat
:PREROUTING ACCEPT [5:855]
:POSTROUTING ACCEPT [7:462]
:OUTPUT ACCEPT [7:462]
COMMIT
# Completed on Thu Jun 19 12:44:40 2008

_____________

#! /bin/bash
clear
echo "Firewall-Konfiguration fuer alle Interfaces"
echo "Konfiguriere: $HOSTNAME"
uname -rv
echo "14.06.2008 Reindl Harald"
echo "----------------------------------------------------------------------------------"
echo ""
# Script configuration; at most 15 multi-range entries are allowed per call!
export IPTABLES="/sbin/iptables"
IPTABLES_SAVE="/sbin/service iptables save"
LAN_IPS="10.0.0.1-10.0.0.254"
VM_IPS="192.168.196.1-192.168.196.254"
LOCAL_RHSOFT="62.178.218.100"
LOUNGE_NETWORK1="195.34.141.18-195.34.141.58"
LOUNGE_NETWORK2="195.206.96.86-195.206.96.90"
LOUNGE_VOIP="85.124.176.242"
PM_HOME="80.108.8.51"
FTP_PORTS="10000:10100"
LAN_PORTS="20,21,22,53,80,139,443,445,3306"
PUBLIC_PORTS="20,21,22,80,443"
# Flush and delete all chains in the filter and nat tables, then default to DROP inbound/forward
echo "Setze Regeln zurueck"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -t nat -X
echo "Blockiere eingehende Anfragen zu Beginn vollstaendig"
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
echo ""
echo "Loopback erlauben"
$IPTABLES -A INPUT -i lo -j ACCEPT
echo ""
echo "Ausgehende Pakete erlauben"
$IPTABLES -P OUTPUT ACCEPT
echo ""
# Replies to connections this host initiated
echo "Antwortpakete per TCP/ICMP/UDP erlauben"
$IPTABLES -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
echo ""
echo "Public-Ports aus allen Netzen erlauben"
echo "$PUBLIC_PORTS"
$IPTABLES -A INPUT -p tcp -m multiport --destination-port $PUBLIC_PORTS -m state --state NEW --syn -j ACCEPT
echo ""
echo "FTP-Passiv-Ports oeffnen"
echo "$FTP_PORTS"
$IPTABLES -A INPUT -p tcp --dport $FTP_PORTS -m state --state NEW --syn -j ACCEPT
echo ""
echo "FTP-Client-Ports oeffnen"
$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
echo ""
# Address ranges use the iprange match; these are the rules whose --src-range went missing in iptables.save
echo "Zugriffe aus dem lokalen Netz und von Admins freigeben"
echo "$LAN_IPS $VM_IPS $LOCAL_RHSOFT $PM_HOME $LOUNGE_VOIP"
echo "$LAN_PORTS"
$IPTABLES -A INPUT -p tcp -m iprange --src-range $LAN_IPS -m multiport --destination-port $LAN_PORTS -m state --state NEW --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m iprange --src-range $VM_IPS -m multiport --destination-port $LAN_PORTS -m state --state NEW --syn -j ACCEPT
$IPTABLES -A INPUT -p udp -m iprange --src-range $LAN_IPS -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m iprange --src-range $LAN_IPS -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -m iprange --src-range $VM_IPS -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m iprange --src-range $VM_IPS -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $LOCAL_RHSOFT -m multiport --destination-port $LAN_PORTS -m state --state NEW --syn -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LOCAL_RHSOFT -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -s $LOCAL_RHSOFT -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $PM_HOME -m multiport --destination-port $LAN_PORTS -m state --state NEW --syn -j ACCEPT
$IPTABLES -A INPUT -p udp -s $PM_HOME -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -s $PM_HOME -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -s $LOUNGE_VOIP -m multiport --destination-port $LAN_PORTS -m state --state NEW --syn -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LOUNGE_VOIP -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -s $LOUNGE_VOIP -m state --state NEW -j ACCEPT
echo ""
echo "UDP/ICMP von Lounge-Adressen freigeben"
echo "$LOUNGE_NETWORK1"
echo "$LOUNGE_NETWORK2"
echo "$LOUNGE_VOIP"
$IPTABLES -A INPUT -p udp -m iprange --src-range $LOUNGE_NETWORK1 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m iprange --src-range $LOUNGE_NETWORK1 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -m iprange --src-range $LOUNGE_NETWORK2 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m iprange --src-range $LOUNGE_NETWORK2 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LOUNGE_VOIP --dport 3478:3479 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LOUNGE_VOIP --dport 5000:5100 -m state --state NEW -j ACCEPT
echo ""
# Allow echo-request, reject everything else, then persist the rule set via "service iptables save"
echo "Alle anderen Ports freundlich abweisen"
$IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -j REJECT
$IPTABLES_SAVE
echo ""
MY_TIME=$(date "+%d-%m-%Y %H:%M:%S")
echo "$MY_TIME Firewall-Konfiguration wurde aktualisiert" >> /var/log/scriptlog
echo ""
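A pre-flight check for the failure shown above, added here as an example and not part of the bug report: it scans an iptables-save dump for iprange matches that were written without their --src-range/--dst-range (as the 1.4.1 saver did) and reports the dump line number iptables-restore would fail on, so a broken save file is caught before a service restart flushes the running rules and then fails to reload them. The sample dump is constructed; the function names are my own.

```python
from typing import List, Tuple

# Constructed sample dump, modelled on the iptables-save output in the
# report above: the iptables 1.4.1 saver wrote "-m iprange" with no range.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.1 (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -p udp -m iprange --src-range 10.0.0.1-10.0.0.254 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m iprange ! --dst-range 10.0.0.1-10.0.0.254 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

RANGE_OPTS = {"--src-range", "--dst-range"}


def iprange_without_range(rule: str) -> bool:
    """True if the rule loads the iprange match but never gives it a range.
    A match's options run up to the next -m/--match or -j/--jump token."""
    tokens = rule.split()
    for i, tok in enumerate(tokens):
        if tok in ("-m", "--match") and i + 1 < len(tokens) and tokens[i + 1] == "iprange":
            j = i + 2
            while j < len(tokens) and tokens[j] not in ("-m", "--match", "-j", "--jump"):
                if tokens[j] in RANGE_OPTS:
                    break  # this iprange instance is complete
                j += 1
            else:
                return True  # option tokens ran out without a range
    return False


def find_broken_iprange_rules(dump: str) -> List[Tuple[int, str]]:
    """Return (line_number, rule) for each rule iptables-restore would reject.
    Line numbers are 1-based over the whole dump, matching the
    'Error occurred at line: N' that iptables-restore prints."""
    return [
        (lineno, line)
        for lineno, line in enumerate(dump.splitlines(), start=1)
        if line.startswith(("-A ", "-I ")) and iprange_without_range(line)
    ]


if __name__ == "__main__":
    for lineno, rule in find_broken_iprange_rules(SAMPLE_DUMP):
        print(f"line {lineno}: iprange match without --src-range/--dst-range: {rule}")
```

To check the real file, read /etc/sysconfig/iptables into a string and pass it to find_broken_iprange_rules before running "service iptables restart".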
iptables-1.4.1.1-1.fc9 has been submitted as an update for Fedora 9
Thank you! Problem is solved with the new package from koji.

[root@arrakis:/downloads]$ service iptables restart
: Firewall-Regeln löschen: [ OK ]
iptables: Ketten auf Richtlinie ACCEPT setzen: filter nat [ OK ]
: Module entladen: [ OK ]
: Firewall-Regeln anwenden: [ OK ]
[root@arrakis:/downloads]$ rpm -qa | grep iptables
iptables-1.4.1.1-1.fc9.x86_64
[root@arrakis:/downloads]$ uname -a
Linux arrakis.vmware.local 2.6.25.7-64.fc9.x86_64 #1 SMP Mon Jun 16 22:54:03 EDT 2008 x86_64 x86_64 x86_64 GNU/Linux
[root@arrakis:/downloads]$
iptables-1.4.1.1-1.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update iptables'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-5960
iptables-1.4.1.1-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.