Old 08-25-2012, 07:49 AM
Mick
 
Default arno-iptables-firewall and kernel-3.4.9-gentoo

Hi All,

Can you please check if you are using arno's script whether you are also
getting errors like these on start up?
===========================================
# /etc/init.d/arno-iptables-firewall start
* Use of the opts variable is deprecated and will be
* removed in the future.
* Please use extra_commands, extra_started_commands or
extra_stopped_commands.
* Loading Firewall... ...
Arno's Iptables Firewall Script v1.9.2d
-------------------------------------------------------------------------------
NOTE: External interface ppp0 does NOT exist (yet?)
Sanity checks passed...OK
Checking/probing IPv4 Iptables modules:
Module check done...
Setting the kernel ring buffer to only log panic messages to the console
Setup kernel settings:
Setting the max. amount of simultaneous connections to 16384
Setting default conntrack timeouts
Enabling protection against source routed packets
DISABLING packet forwarding
Enabling reduction of the DoS'ing ability
Enabling anti-spoof with rp_filter
Enabling SYN-flood protection via SYN-cookies
Disabling the logging of martians
Disabling the acception of ICMP-redirect messages
Setting default TTL=64
Disabling ECN (Explicit Congestion Notification)
Enabling kernel support for dynamic IPs
Flushing route table
Kernel setup done...
Initializing firewall chains
Setting default INPUT/FORWARD policy to DROP
(Re)loading list of BLOCKED hosts from /etc/arno-iptables-firewall/blocked-hosts...
0 line(s) read. 0 host(s) blocked.
Using loglevel "info" for syslogd

Setting up firewall rules:
-------------------------------------------------------------------------------
Enabling setting the maximum packet size via MSS
Logging of stealth scans (nmap probes etc.) enabled
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
Logging of packets with bad TCP-flags enabled
(1) iptables: No chain/target/match by that name.
(1) iptables: No chain/target/match by that name.
... [snip ...]

Security is ENFORCED for external interface(s) in the FORWARD chain
(1) iptables: No chain/target/match by that name.

Aug 25 7:59:36 WARNING: Not all firewall rules are applied.
* WARNING: Failed to load Firewall [ !! ]
* ERROR: arno-iptables-firewall failed to start
===========================================

They repeat themselves a number of times, usually after "Logging of packets
..." statements. Despite the failed-to-start message above, iptables seems to
have loaded fine:
===========================================
# /sbin/iptables -L -v -n
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target               prot  opt in     out     source       destination
    0     0 BASE_INPUT_CHAIN     all   --  *      *       0.0.0.0/0    0.0.0.0/0
    0     0 INPUT_CHAIN          all   --  *      *       0.0.0.0/0    0.0.0.0/0
    0     0 HOST_BLOCK           all   --  *      *       0.0.0.0/0    0.0.0.0/0
    0     0 SPOOF_CHK            all   --  *      *       0.0.0.0/0    0.0.0.0/0
    0     0 VALID_CHK            all   --  eth0   *       0.0.0.0/0    0.0.0.0/0
    0     0 EXT_INPUT_CHAIN      !icmp --  eth0   *       0.0.0.0/0    0.0.0.0/0    state NEW
    0     0 EXT_INPUT_CHAIN      icmp  --  eth0   *       0.0.0.0/0    0.0.0.0/0    state NEW limit: avg 60/sec burst 100
    0     0 EXT_ICMP_FLOOD_CHAIN icmp  --  eth0   *       0.0.0.0/0    0.0.0.0/0    state NEW
    0     0 VALID_CHK            all   --  wlan0  *       0.0.0.0/0    0.0.0.0/0
    0     0 EXT_INPUT_CHAIN      !icmp --  wlan0  *       0.0.0.0/0    0.0.0.0/0    state NEW
    0     0 EXT_INPUT_CHAIN      icmp  --  wlan0  *       0.0.0.0/0    0.0.0.0/0    state NEW limit: avg 60/sec burst 100
    0     0 EXT_ICMP_FLOOD_CHAIN icmp  --  wlan0  *       0.0.0.0/0    0.0.0.0/0    state NEW
[snip ...]
===========================================


I diff'ed the previous kernel-3.3.8-gentoo and the new kernel-3.4.9-gentoo and
I can't see any changes that would cause these errors. I attach it for the
more eagle-eyed amongst you.

Any ideas?
--
Regards,
Mick
 
Old 08-25-2012, 10:02 AM
Mick
 
Default arno-iptables-firewall and kernel-3.4.9-gentoo

On Saturday 25 Aug 2012 08:49:18 Mick wrote:

> I diff'ed the previous kernel-3.3.8-gentoo and the new kernel-3.4.9-gentoo
> and I can't see any changes that would cause these errors. I attach it
> for the more eagle-eye amongst you.
>
> Any ideas?

Aha! Found it!

The new option:

> # CONFIG_NETFILTER_XT_TARGET_LOG is not set

is necessary for the full iptables logging to happen. Once I enabled it there
were no more errors. :-)

Hope this helps someone.
--
Regards,
Mick
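Added example (not part of the thread, and not arno's script): a small POSIX sh
check for the kernel option behind this failure. In kernel 3.4 the ipt_LOG and
ip6t_LOG code was merged into the xt_LOG module, so every "-j LOG" rule now
depends on CONFIG_NETFILTER_XT_TARGET_LOG; "No chain/target/match by that
name" is iptables' generic message when the kernel has neither the built-in
nor the module for a target or match, which is why only the logging rules
failed while the rest of the ruleset loaded. The script parses a kernel config
(two constructed sample configs are embedded; for the running kernel it reads
/proc/config.gz, which needs CONFIG_IKCONFIG_PROC=y) and lists the options that
are neither built in nor modular. The options checked beyond XT_TARGET_LOG
(limit, state, TCPMSS) are my assumption, read off the "limit:", "state NEW"
and MSS rules visible above, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread or arno-iptables-firewall): report which
# netfilter kernel options needed by the rules above are missing from a config.

# Options to check. CONFIG_NETFILTER_XT_TARGET_LOG is the one the thread found
# (the LOG target, xt_LOG, since kernel 3.4). The others are assumed from the
# "limit:", "state NEW" and MSS rules in the iptables -L output.
REQUIRED_OPTS="CONFIG_NETFILTER_XT_TARGET_LOG
CONFIG_NETFILTER_XT_MATCH_LIMIT
CONFIG_NETFILTER_XT_MATCH_STATE
CONFIG_NETFILTER_XT_TARGET_TCPMSS"

# opt_state OPTION CONFIG_FILE -> prints y (built in), m (module) or n (unset).
# "# CONFIG_FOO is not set" and a missing line both count as n.
opt_state() {
    if grep -q "^$1=y\$" "$2"; then
        echo y
    elif grep -q "^$1=m\$" "$2"; then
        echo m
    else
        echo n
    fi
}

# missing_opts CONFIG_FILE -> prints each required option that is unset,
# one per line; returns 0 when nothing is missing, 1 otherwise.
missing_opts() {
    rc=0
    for opt in $REQUIRED_OPTS; do
        if [ "$(opt_state "$opt" "$1")" = n ]; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# check_running_kernel -> same as missing_opts, but for the running kernel via
# /proc/config.gz (needs CONFIG_IKCONFIG_PROC=y); returns 2 if unavailable.
check_running_kernel() {
    if [ ! -r /proc/config.gz ]; then
        echo "no /proc/config.gz; check /usr/src/linux/.config instead" >&2
        return 2
    fi
    tmp=$(mktemp)
    zcat /proc/config.gz > "$tmp"
    if missing_opts "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Constructed sample configs: BROKEN mirrors the 3.4.9 diff in the thread
# (LOG target unset); FIXED has the same option enabled as a module.
BROKEN_CONFIG=$(mktemp)
cat > "$BROKEN_CONFIG" <<'EOF'
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_STATE=y
# CONFIG_NETFILTER_XT_TARGET_LOG is not set
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
EOF
FIXED_CONFIG=$(mktemp)
sed 's/^# CONFIG_NETFILTER_XT_TARGET_LOG is not set$/CONFIG_NETFILTER_XT_TARGET_LOG=m/' \
    "$BROKEN_CONFIG" > "$FIXED_CONFIG"

for cfg in "$BROKEN_CONFIG" "$FIXED_CONFIG"; do
    if missing_opts "$cfg"; then
        echo "$cfg: all required netfilter options present"
    else
        echo "$cfg: enable the options listed above and rebuild the kernel"
    fi
done
```

Run it as-is to see both sample results, or call check_running_kernel on a box
that exposes /proc/config.gz. Checking the config rather than grepping iptables
output is deliberate: the same iptables message covers any missing target or
match, so the option list tells you which module to enable.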
 
Old 08-27-2012, 03:30 PM
James
 
Default arno-iptables-firewall and kernel-3.4.9-gentoo

Mick <michaelkintzios <at> gmail.com> writes:


> Arno's Iptables Firewall Script v1.9.2d
> Any ideas?

Wow, I thought his work died out years ago?
NICE!!!!!!!!!!

Although I have deviated, it's nice to know, I
can use his site for ideas, scripts and syntax


thks!


James
 
Old 08-27-2012, 04:26 PM
Mick
 
Default arno-iptables-firewall and kernel-3.4.9-gentoo

On Monday 27 Aug 2012 16:30:51 James wrote:
> Mick <michaelkintzios <at> gmail.com> writes:
> > Arno's Iptables Firewall Script v1.9.2d
> > Any ideas?
>
> Wow, I thought his work died out years ago?
> NICE!!!!!!!!!!
>
> Although I have deviated, it's nice to know, I
> can use his site for ideas, scripts and syntax
>
>
> thks!

You're welcome. Arno keeps developing his handy script to include latest
modules, IPv6, etc. His latest version is 2.0.1b, but portage only has 1.9.2a
and 1.9.2d at the moment.
--
Regards,
Mick
 
