
Non-syntax related Error Message when using iptables

mrgswift asked on Medium Priority, 598 Views, Last Modified: 2013-11-16
Hello,

I am having problems with an iptables script that works on my Fedora Core 8 server but for some reason not on my CentOS 5 server. I have included the portion of the script that is causing the problems. Is this a kernel module issue? The thing I don't understand is, it works fine for the SSH and SMTP entries, but not for FTP or HTTP. The commands are pretty much the same with the exception of port and chain name. Here is what happens.

COMMAND:
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --rttl --name FTPCONN -j DROP

ERROR MSG:
iptables: Unknown error 18446744073709551615

COMMAND:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 900 --rttl --name HTTPCONN -j DROP

ERROR MSG:
iptables: Unknown error 18446744073709551615

These two commands will not work at all. The first FTP command works, but the second won't. It is the same for HTTP: the first one works and the second does not. But both commands for SSH and SMTP work. Does anyone know why? I've commented out the non-working commands in the code below to denote which commands are not working.

I am running CentOS 5.2
/proc/version returns:
Linux version 2.6.27.9rootserver-20081216a (root@rpmbuildd-amd64) (gcc version 4.1.2 20071124 (Red Hat 4.1.2-42)) #1 SMP Tue Dec 16 02:29:13 EST 2008

My iptables version is 1.3.5-4.el5

Thanks!
#SSH
iptables -A INPUT -i eth0 -p tcp --dport 2211 -m state --state NEW -m recent --set --name SSHCONN
iptables -A INPUT -i eth0 -p tcp --dport 2211 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSHCONN -j DROP
 
#FTP
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --set --name FTPCONN
#iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --rttl --name FTPCONN -j DROP
 
#SMTP
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTPCONN
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --rttl --name SMTPCONN -j DROP
 
#HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --set --name HTTPCONN
#iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 900 --rttl --name HTTPCONN -j DROP


Commented:
What kernel version is fc8 running?

Commented:
You'll probably find that iptables on one machine is a different version from the other, and a parameter you've got in those commands probably wasn't included in the CentOS iptables version.

Commented:
Though I just tried that command on my CentOS 5 box (iptables v1.3.5) and it worked...

Hmmm....
Commented:
Did some research...

It's a bug with x64 CentOS...

Do a:
# yum update iptables

and see if that helps...


Author

Commented:
kyleb84: If a parameter in the commands wasn't included in CentOS 5 then none of the commands I list in the code section would work. As I stated before, the SSH and SMTP ones work fine; the only difference between the HTTP/FTP and those is a port number change, hitcount, and name change. Otherwise they are exactly the same.

I tried yum update and it looks like I have the most current version for CentOS 5.2.  Thanks for looking into it.  Let me know if you find anything else.

Thanks,

Matthew

Author

Commented:
What website did you go to to find out there was a bug? Thanks.

Commented:
Do a google search for "iptables: Unknown error" and take your pick...

"iptables: Unknown error xxxx" basically means that the netfilter team hasn't specified an accurate description of the error that occurred and therefore makes it rather difficult to trace....

18446744073709551615 is a conversion error from a 64-bit signed long to an unsigned long - it's supposed to say iptables: Unknown error -1

Go to:
http://bugs.centos.org/my_view_page.php

And post your errors there, the CentOS team should fix it asap...

Author

Commented:
So I found that changing the hitcount and seconds value to a different number would allow it to work sometimes.  So I guess it is a bug.  Thanks for your help!
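The thread ends with the observation that the rule pair fails or succeeds depending on the --hitcount value (8 and 20 work, 25 and 900 do not). One check a practitioner would run before blaming the error string: the recent match keeps a fixed-size list of packet timestamps per source address, sized by the module parameter ip_pkt_list_tot (default 20), and the kernel refuses a rule whose --hitcount exceeds that number. The script below is an added example, not code from the thread or from the CentOS or netfilter projects. It reads the loaded module's limit from sysfs (path assumed to exist only when the module is loaded; the module is ipt_recent on 2.6.27 kernels such as the one on the page and xt_recent on later kernels), validates the requested hitcount against it, and emits the --set/--update rule pair in the form used in the question without applying it.

```shell
#!/bin/sh
# Added example (not from the thread): build the "-m recent --set / --update"
# rule pair used in the question, after checking the requested --hitcount
# against the recent module's per-address packet memory (ip_pkt_list_tot).

# recent_limit: print the module's ip_pkt_list_tot. The sysfs file is only
# present while the module is loaded; fall back to the kernel default of 20.
recent_limit() {
    for f in /sys/module/xt_recent/parameters/ip_pkt_list_tot \
             /sys/module/ipt_recent/parameters/ip_pkt_list_tot; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo 20
}

# hitcount_ok HITCOUNT [LIMIT]: exit 0 if HITCOUNT fits in the module's memory.
# LIMIT defaults to the value detected by recent_limit.
hitcount_ok() {
    limit=${2:-$(recent_limit)}
    [ "$1" -ge 1 ] && [ "$1" -le "$limit" ]
}

# recent_rules IFACE PORT NAME SECONDS HITCOUNT [LIMIT]
# Print the two iptables commands (one per line); print nothing and return 1
# when HITCOUNT is larger than the module can remember.
recent_rules() {
    iface=$1 port=$2 name=$3 secs=$4 hits=$5
    limit=${6:-$(recent_limit)}
    if ! hitcount_ok "$hits" "$limit"; then
        echo "recent_rules: --hitcount $hits exceeds ip_pkt_list_tot ($limit)" >&2
        return 1
    fi
    printf '%s\n' \
      "iptables -A INPUT -i $iface -p tcp --dport $port -m state --state NEW -m recent --set --name $name" \
      "iptables -A INPUT -i $iface -p tcp --dport $port -m state --state NEW -m recent --update --seconds $secs --hitcount $hits --rttl --name $name -j DROP"
}

# Demo with the thread's own values; run as "sh script.sh --demo".
if [ "${1:-}" = "--demo" ]; then
    echo "ip_pkt_list_tot on this host: $(recent_limit)"
    for spec in "2211 SSHCONN 8" "21 FTPCONN 25" "25 SMTPCONN 20" "80 HTTPCONN 900"; do
        set -- $spec
        recent_rules eth0 "$1" "$2" 60 "$3" || echo "  (skipped port $1)"
    done
fi
```

If a larger window is genuinely needed, the cap is raised at module load time, for example with `options ipt_recent ip_pkt_list_tot=1000` in /etc/modprobe.conf on CentOS 5 (xt_recent on newer kernels); the parameter is read-only once loaded, so rules referencing the match must be flushed and the module reloaded for the change to take effect, and each tracked source address then reserves proportionally more memory. For a counter as high as 900 new connections per minute, a plain rate match such as `-m limit` or a connection-count match is usually the better fit.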