Bug 452095 - iptables-1.4.1-1.fc9.x86_64: iptables-restore v1.4.1: iprange match: You must specify `--src-range' or `--dst-range'
iptables-1.4.1-1.fc9.x86_64: iptables-restore v1.4.1: iprange match: You must...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: iptables (Show other bugs)
9
x86_64 Linux
low Severity low
: ---
: ---
Assigned To: Thomas Woerner
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-06-19 06:51 EDT by Reindl Harald
Modified: 2008-07-09 17:48 EDT (History)
1 user (show)

See Also:
Fixed In Version: 1.4.1.1-1.fc9
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-07-09 17:48:22 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Reindl Harald 2008-06-19 06:51:21 EDT
Something seems to go wrong here
after update from updates-testing
What i do not understand is that there is no address-range in "iptables.save",
at the end of the buhreport you will find the "iptables.sh" that generates the
rules:

[root@arrakis:~]$ rpm -qa | grep iptables
iptables-1.4.1-1.fc9.x86_64

[root@arrakis:~]$ service iptables start
: Firewall-Regeln anwenden: iptables-restore v1.4.1: iprange match: You must
specify `--src-range' or `--dst-range'
Error occurred at line: 15
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
                                                           [FEHLGESCHLAGEN]


# Generated by iptables-save v1.4.1 on Thu Jun 19 12:44:40 2008
*filter
:INPUT DROP [4:160]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [11:1848]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 20,21,22,80,443 -m state --state NEW -m
tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000:10100 --tcp-flags FIN,SYN,RST,ACK SYN -m
state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state
ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m iprange -m multiport --dports 20,21,22,53,80,139,443,445,3306
-m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m iprange -m multiport --dports 20,21,22,53,80,139,443,445,3306
-m state --state NEW -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -p udp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -s 62.178.218.100/32 -p tcp -m multiport --dports
20,21,22,53,80,139,443,445,3306 -m state --state NEW -m tcp --tcp-flags
FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 62.178.218.100/32 -p udp -m state --state NEW -j ACCEPT
-A INPUT -s 62.178.218.100/32 -p icmp -m state --state NEW -j ACCEPT
-A INPUT -s 80.108.8.51/32 -p tcp -m multiport --dports
20,21,22,53,80,139,443,445,3306 -m state --state NEW -m tcp --tcp-flags
FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 80.108.8.51/32 -p udp -m state --state NEW -j ACCEPT
-A INPUT -s 80.108.8.51/32 -p icmp -m state --state NEW -j ACCEPT
-A INPUT -s 85.124.176.242/32 -p tcp -m multiport --dports
20,21,22,53,80,139,443,445,3306 -m state --state NEW -m tcp --tcp-flags
FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 85.124.176.242/32 -p udp -m state --state NEW -j ACCEPT
-A INPUT -s 85.124.176.242/32 -p icmp -m state --state NEW -j ACCEPT
-A INPUT -p udp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -p udp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -p icmp -m iprange -m state --state NEW -j ACCEPT
-A INPUT -s 85.124.176.242/32 -p udp -m udp --dport 3478:3479 -m state --state
NEW -j ACCEPT
-A INPUT -s 85.124.176.242/32 -p udp -m udp --dport 5000:5100 -m state --state
NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Jun 19 12:44:40 2008
# Generated by iptables-save v1.4.1 on Thu Jun 19 12:44:40 2008
*nat
:PREROUTING ACCEPT [5:855]
:POSTROUTING ACCEPT [7:462]
:OUTPUT ACCEPT [7:462]
COMMIT
# Completed on Thu Jun 19 12:44:40 2008

_____________

#! /bin/bash

clear
echo "Firewall-Konfiguration fuer alle Interfaces"
echo "Konfiguriere: $HOSTNAME"
uname -rv
echo "14.06.2008 Reindl Harald"
echo
"----------------------------------------------------------------------------------"
echo ""

# Skript-Konfiguration, Maximal 15 Multi-Range-Angaben pro Aufruf erlaubt!
export IPTABLES="/sbin/iptables"
IPTABLES_SAVE="/sbin/service iptables save"
LAN_IPS="10.0.0.1-10.0.0.254"
VM_IPS="192.168.196.1-192.168.196.254"
LOCAL_RHSOFT="62.178.218.100"
LOUNGE_NETWORK1="195.34.141.18-195.34.141.58"
LOUNGE_NETWORK2="195.206.96.86-195.206.96.90"
LOUNGE_VOIP="85.124.176.242"
PM_HOME="80.108.8.51"
FTP_PORTS="10000:10100"
LAN_PORTS="20,21,22,53,80,139,443,445,3306"
PUBLIC_PORTS="20,21,22,80,443"

echo "Setze Regeln zurueck"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -t nat -X

echo "Blockiere eingehende Anfragen zu Beginn vollstaendig"
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
echo ""

echo "Loopback erlauben"
$IPTABLES -A INPUT -i lo -j ACCEPT
echo ""

echo "Ausgehende Pakete erlauben"
$IPTABLES -P OUTPUT ACCEPT
echo ""

echo "Antwortpakete per TCP/ICMP/UDP erlauben"
$IPTABLES -A INPUT -p tcp  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p udp  -m state --state ESTABLISHED,RELATED -j ACCEPT
echo ""

echo "Public-Ports aus allen Netzen erlauben"
echo "$PUBLIC_PORTS"
$IPTABLES -A INPUT -p tcp -m multiport --destination-port $PUBLIC_PORTS -m state
--state NEW --syn -j ACCEPT
echo ""

echo "FTP-Passiv-Ports oeffnen"
echo "$FTP_PORTS"
$IPTABLES -A INPUT -p tcp --dport $FTP_PORTS -m state --state NEW --syn -j ACCEPT
echo ""

echo "FTP-Client-Ports oeffnen"
$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state
ESTABLISHED -j ACCEPT
echo ""

echo "Zugriffe aus dem lokalen Netz und von Admins freigeben"
echo "$LAN_IPS $VM_IPS $LOCAL_RHSOFT $PM_HOME $LOUNGE_VOIP"
echo "$LAN_PORTS"
$IPTABLES -A INPUT -p tcp  -m iprange --src-range $LAN_IPS -m multiport
--destination-port $LAN_PORTS -m state --state NEW --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp  -m iprange --src-range $VM_IPS -m multiport
--destination-port $LAN_PORTS -m state --state NEW --syn -j ACCEPT
$IPTABLES -A INPUT -p udp  -m iprange --src-range $LAN_IPS -m state --state NEW
-j ACCEPT
$IPTABLES -A INPUT -p icmp -m iprange --src-range $LAN_IPS -m state --state NEW
-j ACCEPT
$IPTABLES -A INPUT -p udp  -m iprange --src-range $VM_IPS -m state --state NEW
-j ACCEPT
$IPTABLES -A INPUT -p icmp -m iprange --src-range $VM_IPS -m state --state NEW
-j ACCEPT
$IPTABLES -A INPUT -p tcp  -s $LOCAL_RHSOFT -m multiport --destination-port
$LAN_PORTS -m state --state NEW --syn -j ACCEPT
$IPTABLES -A INPUT -p udp  -s $LOCAL_RHSOFT -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -s $LOCAL_RHSOFT -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp  -s $PM_HOME -m multiport --destination-port
$LAN_PORTS -m state --state NEW --syn -j ACCEPT
$IPTABLES -A INPUT -p udp  -s $PM_HOME -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -s $PM_HOME -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp  -s $LOUNGE_VOIP -m multiport --destination-port
$LAN_PORTS -m state --state NEW --syn -j ACCEPT
$IPTABLES -A INPUT -p udp  -s $LOUNGE_VOIP -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -s $LOUNGE_VOIP -m state --state NEW -j ACCEPT
echo ""

echo "UDP/ICMP von Lounge-Adressen freigeben"
echo "$LOUNGE_NETWORK1"
echo "$LOUNGE_NETWORK2"
echo "$LOUNGE_VOIP"
$IPTABLES -A INPUT -p udp  -m iprange --src-range $LOUNGE_NETWORK1 -m state
--state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m iprange --src-range $LOUNGE_NETWORK1 -m state
--state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp  -m iprange --src-range $LOUNGE_NETWORK2 -m state
--state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp -m iprange --src-range $LOUNGE_NETWORK2 -m state
--state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -s $LOUNGE_VOIP --dport 3478:3479 -m state --state NEW
-j ACCEPT
$IPTABLES -A INPUT -p udp -s $LOUNGE_VOIP --dport 5000:5100 -m state --state NEW
-j ACCEPT
echo ""

echo "Alle anderen Ports freundlich abweisen"
$IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -j REJECT

$IPTABLES_SAVE

echo ""
MY_TIME=$(date "+%d-%m-%Y %H:%M:%S")
echo "$MY_TIME  Firewall-Konfiguration wurde aktualisiert" >> /var/log/scriptlog
echo ""
Comment 1 Fedora Update System 2008-07-01 06:18:58 EDT
iptables-1.4.1.1-1.fc9 has been submitted as an update for Fedora 9
Comment 2 Reindl Harald 2008-07-01 17:51:19 EDT
Thank you! Problem is solved with the new package from koji

[root@arrakis:/downloads]$ service iptables restart
: Firewall-Regeln löschen:                                 [  OK  ]
iptables: Ketten auf Richtlinie ACCEPT setzen: filter nat  [  OK  ]
: Module entladen:                                         [  OK  ]
: Firewall-Regeln anwenden:                                [  OK  ]
[root@arrakis:/downloads]$ rpm -qa | grep iptables
iptables-1.4.1.1-1.fc9.x86_64
[root@arrakis:/downloads]$ uname -a
Linux arrakis.vmware.local 2.6.25.7-64.fc9.x86_64 #1 SMP Mon Jun 16 22:54:03 EDT
2008 x86_64 x86_64 x86_64 GNU/Linux
[root@arrakis:/downloads]$
Comment 3 Fedora Update System 2008-07-02 02:33:22 EDT
iptables-1.4.1.1-1.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update iptables'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-5960
Comment 4 Fedora Update System 2008-07-09 17:48:18 EDT
iptables-1.4.1.1-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.