Bug 71201 - ifup eth0 I gives an iptables error
Summary: ifup eth0 I gives an iptables error
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Public Beta
Classification: Retired
Component: initscripts
Version: limbo
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: 67217
Reported: 2002-08-09 21:26 UTC by Pam Huntley
Modified: 2014-03-17 02:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-08-21 18:11:48 UTC
Embargoed:



Description Pam Huntley 2002-08-09 21:26:02 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020724

Description of problem:
When I do ifup eth0 (a dhcp ethernet card that doesn't activate at boot), I get
this error:

[root@t30 root]# ifup eth0

Determining IP information for eth0...iptables v1.2.5: Unknown arg `--sport'
Try `iptables -h' or 'iptables --help' for more information.
 done.
iptables v1.2.5: Unknown arg `--sport'
Try `iptables -h' or 'iptables --help' for more information.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. I installed Limbo2 with the medium security firewall option (default options),
and I checked allow incoming ssh
2. finish installing, boot machine, go to X
3. ifup eth0, and you get that error

Actual Results:  eth0 does come up ok:
[root@t30 root]# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:06:1B:10:0C:9C
          inet addr:9.44.107.135  Bcast:9.44.107.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6367 errors:0 dropped:0 overruns:0 frame:0
          TX packets:768 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1543333 (1.4 Mb)  TX bytes:107703 (105.1 Kb)
          Interrupt:11 Base address:0xe000

However, I get that error.

Expected Results:  No error.

Additional info:

Here is my iptables script:

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT

Comment 1 Tom "spot" Callaway 2002-08-09 21:32:55 UTC
--sport is not valid syntax for iptables, even though the man pages say it is.

We should be using --source-port instead.

Comment 2 Jeremy Katz 2002-08-10 20:45:45 UTC
If we don't fix iptables, then we need to fix everything that writes out
iptables configs and initscripts.  Fixing iptables is probably the better option

Comment 3 Harald Hoyer 2002-08-12 13:42:32 UTC
nothing wrong with iptables or lokkit... this is ifup
wrong line:
        [ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -m udp -j ACCEPT

    [ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -m udp -j ACCEPT

should be:
        [ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -m udp -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT

    [ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -m udp -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT


see, the -m udp module argument must be first, because --sport is an argument for
that module...
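
The ordering rule from this comment, as an added example that is not part of the bug report or of initscripts: a small pre-flight check that walks an iptables argument list and flags a --sport/--dport given before the tcp or udp match has been loaded (explicitly with -m, or implicitly by an earlier -p tcp/-p udp). The two rules checked are the "wrong" and "should be" lines quoted above; the function names are this example's own.

```shell
#!/bin/bash
# Added example, not code from initscripts or from the bug report: a pre-flight
# check for the argument-order problem behind "Unknown arg `--sport'".
# Match-specific options (--sport/--dport) are only recognised once the match
# that defines them is loaded, either explicitly with "-m udp"/"-m tcp" or
# implicitly by "-p udp"/"-p tcp" appearing earlier on the command line.

# Usage: iptables_arg_order_ok ARG...  (the arguments you would pass to iptables)
# Returns 0 if every port option follows its match module, 1 otherwise.
iptables_arg_order_ok() {
    local loaded="" proto
    while [ $# -gt 0 ]; do
        case "$1" in
            -m|--match)
                shift
                loaded="$loaded $1" ;;
            -p|--protocol)
                shift
                proto=$1
                # -p tcp / -p udp implicitly load the tcp / udp match
                case "$proto" in tcp|udp) loaded="$loaded $proto" ;; esac ;;
            --sport|--dport|--source-port|--destination-port)
                # these options belong to the tcp and udp matches only
                case " $loaded " in
                    *" tcp "*|*" udp "*) ;;
                    *) echo "bad: $1 appears before -m/-p tcp|udp" >&2; return 1 ;;
                esac ;;
        esac
        shift
    done
    return 0
}

# Convenience wrapper: check a whole rule given as one string (split on whitespace).
check_rule() {
    # shellcheck disable=SC2086
    iptables_arg_order_ok $1
}

# The two ifup-post variants quoted in Comment 3 (module last vs. module first).
BROKEN_RULE='-D RH-Lokkit-0-50-INPUT -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -m udp -j ACCEPT'
FIXED_RULE='-D RH-Lokkit-0-50-INPUT -m udp -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT'

for rule in "$BROKEN_RULE" "$FIXED_RULE"; do
    if check_rule "$rule"; then echo "ok:   iptables $rule"; else echo "FAIL: iptables $rule"; fi
done
```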


Comment 4 Harald Hoyer 2002-08-12 13:45:12 UTC
this seems to be wrong throughout all initscripts... has it _ever_ been tested????

Comment 5 Bill Nottingham 2002-08-12 20:37:12 UTC
Not extensively, no. Fixed in CVS, will be in 6.89-1.

Comment 6 Harald Hoyer 2002-08-15 12:27:25 UTC
you should also use -I instead of -A, otherwise the rule would be behind the
REJECTs..

Comment 7 Bill Nottingham 2002-08-15 18:20:36 UTC
fixed in cvs. will test when I get a chance to get to a spare box.

Comment 8 Jay Turner 2002-08-22 02:58:15 UTC
initscripts are confirmed fixed with initscripts-6.90-1.  We still have the
problem with gnome-lokkit writing out '-A' instead of '-I'

Comment 9 Bill Nottingham 2002-08-22 03:03:16 UTC
gnome-lokkit is right, AFAIK; it uses -A, but still adds the DNS before the
reject rules.

Comment 10 Harald Hoyer 2002-08-22 10:39:08 UTC
what is wrong with adding the DNS before the reject rules????

Comment 11 Bill Nottingham 2002-08-23 01:29:26 UTC
It does. I think we're in agreement here.

