From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020724

Description of problem:
When I do ifup eth0 (a dhcp ethernet card that doesn't activate at boot), I get this error:

[root@t30 root]# ifup eth0
Determining IP information for eth0...iptables v1.2.5: Unknown arg `--sport'
Try `iptables -h' or 'iptables --help' for more information.
 done.
iptables v1.2.5: Unknown arg `--sport'
Try `iptables -h' or 'iptables --help' for more information.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. I installed Limbo2 with the medium security firewall option (default options), and I checked allow incoming ssh
2. finish installing, boot machine, go to X
3. ifup eth0, and you get that error

Actual Results:
eth0 does come up ok:

[root@t30 root]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:06:1B:10:0C:9C
          inet addr:9.44.107.135  Bcast:9.44.107.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6367 errors:0 dropped:0 overruns:0 frame:0
          TX packets:768 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1543333 (1.4 Mb)  TX bytes:107703 (105.1 Kb)
          Interrupt:11 Base address:0xe000

However, I get that error.

Expected Results:
No error.

Additional info:

Here is my iptables script:

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
--sport is not valid syntax for iptables, even though the man pages say it is. We should be using --source-port instead.
If we don't fix iptables, then we need to fix everything that writes out iptables configs and initscripts. Fixing iptables is probably the better option
nothing wrong with iptables or lokkit... this is ifup. Wrong line:

[ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -m udp -j ACCEPT
[ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -m udp -j ACCEPT

should be:

[ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -m udp -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT
[ -n "$FWHACK" ] && iptables -D RH-Lokkit-0-50-INPUT -m udp -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT

see, the -m udp module argument must be first, because --sport is an argument for that module...
this seems to be wrong throughout all initscripts... has it _ever_ been tested????
Not extensively, no. Fixed in CVS, will be in 6.89-1.
you should also use -I instead of -A, otherwise the rule would be behind the REJECTs..
fixed in cvs. will test when I get a chance to get to a spare box.
initscripts are confirmed fixed with initscripts-6.90-1. We still have the problem with gnome-lokkit writing out '-A' instead of '-I'
gnome-lokkit is right, AFAIK; it uses -A, but still adds the DNS before the reject rules.
what is wrong with adding the DNS before the reject rules????
It does. I think we're in agreement here.
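As an added example (not code from initscripts, lokkit or this bug), a small POSIX sh lint for the two ordering mistakes raised in this thread: a --sport/--dport option that appears before the udp/tcp match is loaded (the ifup line above), and an ACCEPT appended with -A to a chain whose REJECT rules would already have matched (the -A versus -I point). It assumes rule lines as plain whitespace-separated words, and it treats "-p udp"/"-p tcp" as also loading the match, since iptables loads the protocol match implicitly for -p.

```shell
#!/bin/sh
# Constructed lint for lokkit/ifup-style iptables rule lines; not part of any
# Red Hat package. Rules are split on whitespace with "set --", so keep glob
# characters out of the rule text.

# check_match_order "<rule>": 0 if every --sport/--dport comes after the match
# was loaded with "-m udp|tcp" (or "-p udp|tcp", which loads it implicitly), else 1.
check_match_order() {
    set -- $1
    loaded="" prev=""
    while [ $# -gt 0 ]; do
        case "$prev:$1" in
            -m:udp|-m:tcp|-p:udp|-p:tcp) loaded=yes ;;
        esac
        case "$1" in
            --sport|--dport) [ -n "$loaded" ] || return 1 ;;
        esac
        prev=$1
        shift
    done
    return 0
}

# check_append_order: read rules on stdin; 1 if an ACCEPT is appended (-A) to a
# chain that already holds REJECT/DROP rules, where it sits behind them and is
# never reached for the ports they cover. Such rules need -I (insert at top).
check_append_order() {
    rejected="" rc=0
    while read -r line; do
        set -- $line
        [ "$1" = "-A" ] || [ "$1" = "-I" ] || continue
        chain=$2
        case "$line" in
            *"-j REJECT"*|*"-j DROP"*) rejected="$rejected $chain " ;;
            *"-j ACCEPT"*)
                case "$1:$rejected" in
                    -A:*" $chain "*) echo "appended behind REJECT in $chain: $line"; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Demo on the ifup DNS rule quoted in the thread, before and after the fix.
OLD="-A RH-Lokkit-0-50-INPUT -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -m udp -j ACCEPT"
NEW="-I RH-Lokkit-0-50-INPUT -m udp -s 0/0 --sport 53 -d 0/0 --dport 1025:65535 -p udp -j ACCEPT"
check_match_order "$OLD" || echo "old ifup rule: --sport used before -m udp is loaded"
check_match_order "$NEW" && echo "fixed ifup rule: match order ok"
```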