Bug 71201 - ifup eth0 I gives an iptables error
Summary: ifup eth0 I gives an iptables error
Alias: None
Product: Red Hat Public Beta
Classification: Retired
Component: initscripts (Show other bugs)
(Show other bugs)
Version: limbo
Hardware: i386 Linux
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Ben Levenson
Depends On:
Blocks: 67217
TreeView+ depends on / blocked
Reported: 2002-08-09 21:26 UTC by Pam Huntley
Modified: 2014-03-17 02:29 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2002-08-21 18:11:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Pam Huntley 2002-08-09 21:26:02 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020724

Description of problem:
When I do ifup eth0 (a dhcp ethernet card that doesn't activate at boot), I get
this error:

[root@t30 root]# ifup eth0

Determining IP information for eth0...iptables v1.2.5: Unknown arg `--sport'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.5: Unknown arg `--sport'
Try `iptables -h' or 'iptables --help' for more information.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.I installed Limbo2 with the medium security firewall option (default options),
and I checked allow incoming ssh
2. finish installing, boot machine, go to X
3. ifup eth0, and you get that error

Actual Results:  eth0 does come up ok:
[root@t30 root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:06:1B:10:0C:9C
          inet addr:  Bcast:  Mask:
          RX packets:6367 errors:0 dropped:0 overruns:0 frame:0
          TX packets:768 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1543333 (1.4 Mb)  TX bytes:107703 (105.1 Kb)
          Interrupt:11 Base address:0xe000

However, I get that error.

Expected Results:  No error.

Additional info:

Here is my iptables script:

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68
-i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68
-i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT

Comment 1 Tom "spot" Callaway 2002-08-09 21:32:55 UTC
--sport is not valid syntax for iptables, even though the man pages say it is.

We should be using --source-port instead.

Comment 2 Jeremy Katz 2002-08-10 20:45:45 UTC
If we don't fix iptables, then we need to fix everything that writes out
iptables configs and initscripts.  Fixing iptables is probably the better option

Comment 3 Harald Hoyer 2002-08-12 13:42:32 UTC
nothing wrong with iptables or lokkit... this is ifup
wrong line:
        [ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -s 0/0 --sport 53
-d 0/0 --dport 1025:65535 -p udp -m udp -j ACCEPT

    [ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -s 0/0 --sport 53 -d
0/0 --dport 1025:65535 -p udp -m udp -j ACCEPT

should be:
        [ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -m udp -s 0/0
--sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT

    [ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -m udp -s 0/0 --sport
53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT

see, the -m udp module argument must be first, cause --sport is a argument for
that module...

Comment 4 Harald Hoyer 2002-08-12 13:45:12 UTC
this seems to be wrong throughout all initscripts... has it _ever_ been tested????

Comment 5 Bill Nottingham 2002-08-12 20:37:12 UTC
Not extensively, no. Fixed in CVS, will be in 6.89-1.

Comment 6 Harald Hoyer 2002-08-15 12:27:25 UTC
you should also use -I instead of -A, otherwise the rule would be behind the

Comment 7 Bill Nottingham 2002-08-15 18:20:36 UTC
fixed in cvs. will test when I get a chance to get to a spare box.

Comment 8 Jay Turner 2002-08-22 02:58:15 UTC
initscripts are confirmed fixed with initscripts-6.90-1.  We still have the
problem with gnome-lokkit writting out '-A' instead of '-I'

Comment 9 Bill Nottingham 2002-08-22 03:03:16 UTC
gnome-lokkit is right, AFAIK; it uses -A, but still adds the DNS before the
reject rules.

Comment 10 Harald Hoyer 2002-08-22 10:39:08 UTC
what is wrong with adding the DNS before the reject rules????

Comment 11 Bill Nottingham 2002-08-23 01:29:26 UTC
It does. I think we're in agreement here.

Note You need to log in before you can comment on or make changes to this bug.