Syntax error running iptables?
Hello,

I am getting errors running iptables, the next line of which is an
example:

iptables v1.2.2: Couldn't load target `int-ext':/usr/local/lib/\
iptables/libipt_int-ext.so: cannot open shared object file: No \
such file or directory

Try `iptables -h' or 'iptables --help' for more information.

Note that it lists target "int-ext". This message exists for ALL
permutations of my target user-defined chains. I can't tell if this is
an error, or something else.

All modules are loading correctly that I can tell. Could you guys take
a look at my configuration enclosed and tell me if there is some
fundamental flaw in my command lines? I do not wish you to evaluate my
firewall schema. That comes later. I just can't shake the feeling I
have some syntax wrong.

I have installed iptables, version 1.2.2, into the default locations
using plain old make, with no special goodies. I have compiled iptables
on a Red Hat 7.1 machine that has a pristine Linux 2.4.7 build directory
in it.


Here is my initial iptables configuration:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP


iptables -A FORWARD -i eth0 -o eth1 -j int-ext
iptables -A FORWARD -i eth1 -o eth0 -j ext-int
iptables -A INPUT -i eth0 -j int-os
iptables -A INPUT -i eth1 -j ext-os
iptables -A OUTPUT -o eth0 -j os-int
iptables -A OUTPUT -o eth1 -j os-ext

# internal to external network
# default policy: allow all outgoing connections
iptables -N int-ext
iptables -A int-ext -j ACCEPT
iptables -A int-ext -j DROP

# internal to Local process
# default policy: allow all internal to local process
iptables -N int-os
iptables -A int-os -j ACCEPT
iptables -A int-os -j DROP

# external to internal network
# default: allow only related responses to outbound initiated
# packets
iptables -N ext-int
iptables -A ext-int -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A ext-int -j DROP

# external to local process
# default:
# Allow inbound to sshd port
# allow only related responses to outbound initiated
# packets
iptables -N ext-os
iptables -A ext-os -p tcp --destination-port 22 -j ACCEPT
iptables -A ext-os -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A ext-os -j DROP


# Local process to external hosts
# default: allow all
iptables -N os-ext
iptables -A os-ext -j ACCEPT
iptables -A os-ext -j DROP

# Local process to internal hosts
# default: allow all
iptables -N os-int
iptables -A os-int -j ACCEPT
iptables -A os-int -j DROP




--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jason Brooks ~ (503) 641-3440 x1861
Direct ~ (503) 924-1861
System / Network Administrator
Wind River Systems
8905 SW Nimbus ~ Suite 255
Beaverton, Or 97008
Re: Syntax error running iptables?
Mr. Brooks,

You're trying to reference a chain which doesn't exist. Thus, iptables
thinks it's a target. Create your user-defined chains before you reference
them.

Brad

Re: Syntax error running iptables?
Jason Brooks stated a problem with:

>iptables v1.2.2: Couldn't load target `int-ext':/usr/local/lib/\
>iptables/libipt_int-ext.so: cannot open shared object file: No \
>such file or directory

>Try `iptables -h' or 'iptables --help' for more information.


You need to create the targets before you use them.

Try these changes (no critique on content, just making the requested
corrections):

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -N int-ext
iptables -N int-os
iptables -N ext-int
iptables -N ext-os
iptables -N os-ext
iptables -N os-int

iptables -A FORWARD -i eth0 -o eth1 -j int-ext
iptables -A FORWARD -i eth1 -o eth0 -j ext-int
iptables -A INPUT -i eth0 -j int-os
iptables -A INPUT -i eth1 -j ext-os
iptables -A OUTPUT -o eth0 -j os-int
iptables -A OUTPUT -o eth1 -j os-ext

# internal to external network
# default policy: allow all outgoing connections
iptables -A int-ext -j ACCEPT
iptables -A int-ext -j DROP

# internal to Local process
# default policy: allow all internal to local process
iptables -A int-os -j ACCEPT
iptables -A int-os -j DROP

# external to internal network
# default: allow only related responses to outbound initiated
# packets
iptables -A ext-int -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A ext-int -j DROP

# external to local process
# default:
# Allow inbound to sshd port
# allow only related responses to outbound initiated
# packets
iptables -A ext-os -p tcp --destination-port 22 -j ACCEPT
iptables -A ext-os -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A ext-os -j DROP


# Local process to external hosts
# default: allow all
iptables -A os-ext -j ACCEPT
iptables -A os-ext -j DROP

# Local process to internal hosts
# default: allow all
iptables -A os-int -j ACCEPT
iptables -A os-int -j DROP


John Davidson
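The ordering problem both replies point at, as an added example that is not part of the original thread: when `-j` names something that is neither a built-in target nor a chain already created with `-N`, iptables assumes it is a target extension and tries to load `libipt_<name>.so`, which is exactly the "cannot open shared object file" message above. The small shell lint below reads a rule script and reports every jump to a chain that has not been created yet, so the mistake is caught before the script is loaded on a live host. It also flags a misspelled chain name, which fails the same way at run time. The rule sets, the function names and the short list of built-in targets are constructed for this example and are not from the thread or the iptables project.

```shell
#!/bin/sh
# Added example (not from the thread): static check for "-j chain" used
# before "iptables -N chain". Rule sets below are constructed; the
# function names are hypothetical.

# Built-in targets that never need an "iptables -N".
# Deliberately short; extend it with the targets your rule set uses.
BUILTIN_TARGETS="ACCEPT DROP REJECT RETURN LOG QUEUE MASQUERADE SNAT DNAT"

# check_chain_order: read iptables commands on stdin, print one line per
# jump to a chain that is neither built in nor created on an earlier line,
# and return 1 if any such jump exists (0 otherwise).
check_chain_order() {
    local known line target name lineno bad
    known="$BUILTIN_TARGETS"; lineno=0; bad=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        case "$line" in ''|\#*) continue ;; esac
        # "iptables -N foo" makes foo a valid jump target from here on
        name=$(printf '%s\n' "$line" | sed -n 's/.* -N \([^ ]*\).*/\1/p')
        if [ -n "$name" ]; then
            known="$known $name"
            continue
        fi
        # Any other command: look for a "-j target" and check it is known
        target=$(printf '%s\n' "$line" | sed -n 's/.* -j \([^ ]*\).*/\1/p')
        [ -z "$target" ] && continue
        case " $known " in
            *" $target "*) ;;   # built in or already created above
            *)
                printf 'line %d: -j %s used before "iptables -N %s"\n' \
                    "$lineno" "$target" "$target"
                bad=1 ;;
        esac
    done
    return "$bad"
}

# lint_rules: run the check on a rule set held in a string
lint_rules() {
    printf '%s\n' "$1" | check_chain_order
}

# count_undefined_jumps: number of offending lines in a rule set
count_undefined_jumps() {
    printf '%s\n' "$1" | check_chain_order | wc -l | tr -d ' '
}

# Constructed: the order from the original post, jumps before -N
BROKEN_RULES='iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o eth1 -j int-ext
iptables -A FORWARD -i eth1 -o eth0 -j ext-int
# chains are created only after they have been referenced above
iptables -N int-ext
iptables -A int-ext -j ACCEPT
iptables -N ext-int
iptables -A ext-int -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A ext-int -j DROP'

# Constructed: the corrected order, all -N lines first
FIXED_RULES='iptables -P FORWARD DROP
iptables -N int-ext
iptables -N ext-int
iptables -A FORWARD -i eth0 -o eth1 -j int-ext
iptables -A FORWARD -i eth1 -o eth0 -j ext-int
iptables -A int-ext -j ACCEPT
iptables -A ext-int -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A ext-int -j DROP'

# Constructed: correct order but a misspelled chain name, which triggers
# the same libipt_<name>.so load failure when the script is run
TYPO_RULES='iptables -N int-ext
iptables -A FORWARD -i eth0 -o eth1 -j int-etx'

if lint_rules "$BROKEN_RULES"; then
    echo "BROKEN_RULES: no ordering problems"
else
    echo "BROKEN_RULES: move the -N lines above the jumps before loading"
fi
```

The check is purely textual, so it needs no root and no netfilter modules; run it over the script (`check_chain_order < firewall.sh`) before executing it. It only recognises the `-N` and `-j` spellings shown in the thread; long options such as `--new-chain` and `--jump` would need matching patterns.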