Package: firehol
Version: 1.256-4
Severity: normal
Tags: patch
'firehol panic' tries to add a DROP rule at the end of every built-in
nat chain, e.g.
iptables -t nat -A OUTPUT -j DROP
but recent versions of iptables don't allow DROP in nat chains.
Here's the result:
# firehol panic
FireHOL: Blocking all communications:iptables v1.4.4:
The "nat" table is not intended for filtering, the use of DROP is therefore
inhibited.
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4:
The "nat" table is not intended for filtering, the use of DROP is therefore
inhibited.
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.4:
The "nat" table is not intended for filtering, the use of DROP is therefore
inhibited.
Try `iptables -h' or 'iptables --help' for more information.
OK
There's no need to put DROP rules in nat chains, since they don't do
any filtering. (That's why iptables doesn't support DROP there any
more.) The attached patch corrects the problem.
Thanks,
Andrew.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (300, 'unstable'), (200, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=UTF-8) (ignored: LC_ALL set to
en_US)
Shell: /bin/sh linked to /bin/bash
Versions of packages firehol depends on:
ii bash 3.2-5 The GNU Bourne Again SHell
ii iproute 20090324-1 networking and traffic control too
ii iptables 1.4.4-1 administration tools for packet fi
ii lsb-base 3.2-22 Linux Standard Base 3.2 init scrip
ii net-tools 1.60-23 The NET-3 networking toolkit
Versions of packages firehol recommends:
ii aggregate 1.6-5 ipv4 cidr prefix aggregator
ii curl 7.18.2-8.1 Get a file from an HTTP, HTTPS or
ii module-init-tools 3.7-pre9-1 tools for managing Linux kernel mo
ii wget 1.11.4-2 retrieves files from the web
firehol suggests no packages.
-- no debconf information
--- /sbin/firehol.orig 2008-07-18 17:10:16.000000000 -0400
+++ /sbin/firehol 2009-07-12 06:34:00.000000000 -0400
@@ -5500,7 +5500,9 @@
${IPTABLES_CMD} -t "${t}" -A "${c}" -p
tcp -s "${ssh_src}" --sport "${ssh_sport}" --dport "${ssh_dport}" -m state
--state ESTABLISHED -j ACCEPT
${IPTABLES_CMD} -t "${t}" -A "${c}" -p
tcp -d "${ssh_src}" --dport "${ssh_sport}" --sport "${ssh_dport}" -m state
--state ESTABLISHED -j ACCEPT
fi
- ${IPTABLES_CMD} -t "${t}" -A "${c}" -j DROP
+ if [ $t != nat ] ; then
+ ${IPTABLES_CMD} -t "${t}" -A "${c}" -j
DROP
+ fi
done
done
success $"FireHOL: Blocking all communications:"
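Review bot: the new test `if [ $t != nat ] ; then` leaves `$t` unquoted, while every other use of the variable in this hunk is written `"${t}"`; if `t` were ever empty the test would error out instead of skipping, so prefer `if [ "${t}" != nat ]; then`. The guard hard-codes `nat`, which matches the error text quoted in the report (iptables only complains about DROP in the nat table), so the narrower condition is appropriate here.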
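As an added example, not part of this bug report or of FireHOL itself: a small audit that scans an iptables-save style dump for filtering targets in the nat table, the condition the report describes iptables 1.4.4 refusing. The dump below is constructed for illustration, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or the FireHOL project): report any
# DROP/REJECT rule placed in the nat table of an iptables-save dump, since
# iptables 1.4.4 and later refuse to load such rules.

# Constructed sample dump standing in for the output of `iptables-save`.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A OUTPUT -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT'

# Read a dump on stdin and print every nat-table rule with a filtering target.
# Exits 1 when at least one such rule was found, 0 otherwise.
nat_filter_rules() {
    awk '
        /^\*/     { table = substr($0, 2); next }   # "*nat" starts table "nat"
        /^COMMIT/ { table = ""; next }
        table == "nat" && /-j (DROP|REJECT)( |$)/ { print; found = 1 }
        END       { exit (found ? 1 : 0) }
    '
}

# Number of offending rules in the dump passed as the first argument.
count_nat_filter_rules() {
    printf '%s\n' "$1" | nat_filter_rules | wc -l | tr -d ' '
}

if [ "$(count_nat_filter_rules "$SAMPLE_DUMP")" -ne 0 ]; then
    echo "filtering targets found in the nat table:" >&2
    printf '%s\n' "$SAMPLE_DUMP" | nat_filter_rules >&2
fi
```

On a live host, `iptables-save | nat_filter_rules` performs the same check against the loaded ruleset.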