Need help with iptables: missing .so -- and I can't use DENY or ACCEPT
Hello, I have been trying for 2 days to get iptables to work. Something is really really wrong. Initially I was trying on a 7.3 install that had been upgraded from 7.2. I thought maybe the software was just messed up, so I just finished a clean install of 8.0, yet I am getting exactly the same error messages:

bismuth:~ # iptables -A INPUT -p tcp -i eth0 -s 192.168.0.110 -j DENY
iptables v1.2.5: Couldn't load target `DENY':/usr/lib/iptables/libipt_DENY.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
bismuth:~ # iptables -A INPUT -p tcp -i eth0 -s 192.168.0.110 -j deny
iptables v1.2.5: Couldn't load target `deny':/usr/lib/iptables/libipt_deny.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
bismuth:~ # iptables -A INPUT -s 65.166.138.61 -j DENY
iptables v1.2.5: Couldn't load target `DENY':/usr/lib/iptables/libipt_DENY.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
bismuth:~ #

I've tried dozens of test commands too; any of them that use DENY or ACCEPT fail.

Even more interesting: according to the Linuxnewbie.org tutorial, both of the following commands should prevent 192.168.0.110 from being able to access the machine running iptables:

iptables -A INPUT -s 192.168.0.110 -j DENY
iptables -A INPUT -s 192.168.0.110 -j DROP

Yet the exact _opposite_ happens: the local machine ends up not being able to do anything to the remote host, yet the remote host is still able to log in via telnet just fine. Disgusting.

Thinking that maybe I was just misunderstanding something, I tried -d in place of -s, and that does nothing at all; both hosts are able to log into each other. Something is badly amiss. Please, can anyone explain this? I get similar errors when I try to use ACCEPT.
All I'm trying to do is restrict port 5000 (I'm using 5001 as a test) so that only 1 IP can access it. Eventually that IP will be 65.166.138.61, but I'm using 192.168.0.110 as a test. Please, someone straighten me out. And before you say RTFM, I've been reading it for 2 days. I'm going precisely by the book, and it's not working. Something is just plain wrong. Also, please don't ask me to use SuSE Firewall2; I've tried it quite a few times and I'm never able to get it to work.

Thanks in advance.

--
----------------------------------------------------
Jonathan Wilson
System Administrator
Clickpatrol.com
Cedar Creek Software
http://www.cedarcreeksoftware.com
* JW (jw@centraltexasit.com) [020430 15:15]:
> bismuth:~ # iptables -A INPUT -p tcp -i eth0 -s 192.168.0.110 -j DENY
> iptables v1.2.5: Couldn't load target `DENY':/usr/lib/iptables/libipt_DENY.so: cannot open shared object file: No such file or directory
DENY is an ipchains target; you want DROP... I've done the same thing.

--
-ckm
CM >* JW (jw@centraltexasit.com) [020430 15:15]:
CM >> bismuth:~ # iptables -A INPUT -p tcp -i eth0 -s 192.168.0.110 -j DENY
CM >> iptables v1.2.5: Couldn't load target `DENY':/usr/lib/iptables/libipt_DENY.so: cannot open shared object file: No such file or directory
CM >
CM >DENY is an ipchains target; you want DROP... I've done the same thing.

Ok, that's fine, and that works.

But I can't figure out how to drop everything on <port> _except_ a certain IP. From everything I've read this should be correct:

iptables -A INPUT -p tcp --destination-port 5001 -j DROP ! -s 192.168.0.110

Meaning, drop every connection to 5001 except from 192.168.0.110. But that doesn't work. Any more ideas?

Also, I thought maybe I had to do 2 rules:

iptables -A INPUT -p tcp --destination-port 5001 -j DROP
iptables -A INPUT -s 192.168.0.110 -p tcp --destination-port 5001 -j ACCEPT

But that fails with the "can't find *accept.so*" error.

Over the years I have tried to learn ipchains/iptables about 6 times, and it always gets the best of me. For some reason the instructions I find just never work. At least not like I expect them to. Since I never see other people complaining about it, I'll assume it's me that's the problem, but.... what is it that I'm missing?

Thanks.

--
----------------------------------------------------
Jonathan Wilson
System Administrator
Clickpatrol.com
Cedar Creek Software
http://www.cedarcreeksoftware.com
On Tue, Apr 30, 2002 at 11:26:28PM -0500, JW wrote:
> iptables -A INPUT -p tcp --destination-port 5001 -j DROP ! -s 192.168.0.110
>
> Meaning, drop every connection to 5001 except from 192.168.0.110. But that doesn't work.
-s ! 192.168.0.110

$ iptables --help
...
Options:
  --source     -s [!] address[/mask]   source specification

Peter
Spot on. Works perfectly now :-)

PW >On Tue, Apr 30, 2002 at 11:26:28PM -0500, JW wrote:
PW >-s ! 192.168.0.110

I'm still curious about the missing .so issue......

--
----------------------------------------------------
Jonathan Wilson
System Administrator
Clickpatrol.com
Cedar Creek Software
http://www.cedarcreeksoftware.com
On Thu, May 02, 2002 at 10:09:28PM -0500, JW wrote:
> I'm still curious about the missing .so issue......
If you name an unknown target, iptables tries to "modprobe ipt_TARGET" or to load a library from /usr/lib/iptables.

# iptables -I INPUT -s 10.0.0.1 -j ILLEGAL
iptables v1.2.1a: Couldn't load target `ILLEGAL':/usr/lib/iptables/libipt_ILLEGAL.so: cannot open shared object file: No such file or directory

man iptables tells us the 4 default targets: ACCEPT, DROP, QUEUE, or RETURN, and you may code your own...

Perhaps your target is in lowercase where it has to be uppercase. Or have a close look at the end-of-line sequence. Try something like

grep ACCEPT /wherever/your/script/lies | od -x

to see if the unix-type with 0a or the MSDOS-type 0a0d occurs.

Peter
I think you're going to need two rules. In the first, explicitly ACCEPT the desired IP; in the second, DROP everything else.

JimW

JW wrote:
> CM >* JW (jw@centraltexasit.com) [020430 15:15]:
> CM >> bismuth:~ # iptables -A INPUT -p tcp -i eth0 -s 192.168.0.110 -j DENY
> CM >> iptables v1.2.5: Couldn't load target `DENY':/usr/lib/iptables/libipt_DENY.so: cannot open shared object file: No such file or directory
> CM >
> CM >DENY is an ipchains target; you want DROP... I've done the same thing.
> Ok, that's fine, and that works.
>
> But I can't figure out how to drop everything on <port> _except_ a certain IP.
>
> From everything I've read this should be correct:
>
> iptables -A INPUT -p tcp --destination-port 5001 -j DROP ! -s 192.168.0.110
>
> Meaning, drop every connection to 5001 except from 192.168.0.110. But that doesn't work.
>
> Any more ideas?
>
> Also, I thought maybe I had to do 2 rules:
>
> iptables -A INPUT -p tcp --destination-port 5001 -j DROP
> iptables -A INPUT -s 192.168.0.110 -p tcp --destination-port 5001 -j ACCEPT
>
> But that fails with the "can't find *accept.so*" error.
>
> Over the years I have tried to learn ipchains/iptables about 6 times, and it always gets the best of me. For some reason the instructions I find just never work. At least not like I expect them to.
>
> Since I never see other people complaining about it, I'll assume it's me that's the problem, but.... what is it that I'm missing?
>
> Thanks.
>
> --
> ----------------------------------------------------
> Jonathan Wilson
> System Administrator
> Clickpatrol.com
> Cedar Creek Software
> http://www.cedarcreeksoftware.com
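The three answers above (Peter's `-s !` negation, Jim's ACCEPT-then-DROP pair, and Peter's check for MS-DOS line endings in a rules script) fit in one small script. This is an added example, not code posted by anyone in the thread; it assumes the thread's test values (interface eth0, allowed host 192.168.0.110, port 5000) and a current iptables, which accepts the negation as `! -s addr` (iptables 1.2.x wrote it `-s ! addr`; recent releases still accept that form with a warning). Both `! -s` placed after `-j DROP` and a lowercase or CR-terminated target name are exactly the mistakes the thread ran into, so the script keeps the negation in the match part of the rule and provides a CRLF check for rules files.

```shell
#!/bin/sh
# Added example (not from the original thread): allow TCP port 5000 from one
# source and drop it for everyone else. Assumed defaults taken from the thread.
ALLOWED="${ALLOWED:-192.168.0.110}"
PORT="${PORT:-5000}"
IFACE="${IFACE:-eth0}"

# run: execute iptables, or with DRY_RUN set, just print the rule that would run.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# Two-rule form (Jim's suggestion). Rules are matched in order and ACCEPT/DROP
# are terminating, so the ACCEPT must be appended *before* the catch-all DROP;
# the other way round the DROP matches first and the ACCEPT is never reached.
restrict_port() {
    run -A INPUT -i "$IFACE" -p tcp --dport "$PORT" -s "$ALLOWED" -j ACCEPT
    run -A INPUT -i "$IFACE" -p tcp --dport "$PORT" -j DROP
}

# One-rule form (Peter's suggestion). The "!" belongs to the -s match, not to
# the target, so it must appear before "-j": "-j DROP ! -s addr" is what failed
# in the thread. Use either this function or restrict_port, not both.
restrict_port_negated() {
    run -A INPUT -i "$IFACE" -p tcp --dport "$PORT" ! -s "$ALLOWED" -j DROP
}

# Peter's line-ending check: a rules script saved with CRLF line endings makes
# iptables look for the target "ACCEPT\r", i.e. libipt_ACCEPT<CR>.so, which
# does not exist. Returns 0 (true) if the file contains a carriage return.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Apply the two-rule form only when explicitly asked for.
case "${1:-}" in
    apply) restrict_port ;;
esac
```

`DRY_RUN=1 sh restrict.sh apply` prints the two rules without touching the kernel; run it as root without DRY_RUN to apply them. Before running any saved rules file, `has_crlf rules.sh && echo "convert line endings first"` catches the case Peter describes.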
participants (4):
- Christopher Mahmood
- Jim Westbrook
- JW
- Peter Wiersig