Status: Solved

Non-syntax related Error Message when using iptables

Hello,

I am having problems with an iptables script that works on my Fedora Core 8 server but for some reason not my CentOS 5 server. I have included the portion of the script that is causing the problems. Is this a kernel module issue? The thing I don't understand is, it works fine for the SSH and SMTP entries, but not for FTP or HTTP. The commands are pretty much the same with the exception of port and chain name. Here is what happens.

COMMAND:
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --rttl --name FTPCONN -j DROP

ERROR MSG:
iptables: Unknown error 18446744073709551615

COMMAND:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 900 --rttl --name HTTPCONN -j DROP

ERROR MSG:
iptables: Unknown error 18446744073709551615

These two commands will not work at all.  The first FTP command works, but the second won't.  It is the same for HTTP, the first one works and the second does not.  But both commands for SSH and SMTP work.  Does anyone know why?  I've commented out the non-working commands in the code below to denote which commands are not working.

I am running CentOS 5.2
/proc/version returns:
Linux version 2.6.27.9rootserver-20081216a (root@rpmbuildd-amd64) (gcc version 4.1.2 20071124 (Red Hat 4.1.2-42)) #1 SMP Tue Dec 16 02:29:13 EST 2008

My iptables version is 1.3.5-4.el5

Thanks!

#SSH
iptables -A INPUT -i eth0 -p tcp --dport 2211 -m state --state NEW -m recent --set --name SSHCONN
iptables -A INPUT -i eth0 -p tcp --dport 2211 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSHCONN -j DROP
 
#FTP
iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --set --name FTPCONN
#iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 25 --rttl --name FTPCONN -j DROP
 
#SMTP
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTPCONN
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 20 --rttl --name SMTPCONN -j DROP
 
#HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --set --name HTTPCONN
#iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 900 --rttl --name HTTPCONN -j DROP

Asked by: mrgswift
 
kyleb84 commented:
What kernel version is fc8 running?
 
kyleb84 commented:
You'll probably find that iptables on one machine is a different version to the other - and a parameter you've got in those commands probably wasn't included in the CentOS iptables version.
 
kyleb84 commented:
Though I just tried that command on my CentOS 5 box (iptables v1.3.5) and it worked...

Hmmm....
 
kyleb84 commented:
Did some research...

It's a bug with x64 CentOS...

Do a:
# yum update iptables

and see if that helps...
 
mrgswift (author) commented:
kyleb84: If a parameter in the commands wasn't included in CentOS 5 then none of the commands I list in the code section would work. As I stated before the SSH and SMTP ones work fine, the only difference between the HTTP/FTP and those is a port number change, hitcount, and name change. Otherwise they are exactly the same.

I tried yum update and it looks like I have the most current version for CentOS 5.2.  Thanks for looking into it.  Let me know if you find anything else.

Thanks,

Matthew
 
mrgswift (author) commented:
What website did you go to, to find out there was a bug? Thanks.
 
kyleb84 commented:
Do a google search for "iptables: Unknown error" and take your pick...

"iptables: Unknown error xxxx" basically means that the netfilter team hasn't specified an accurate description of the error that occurred and therefore makes it rather difficult to trace....

18446744073709551615 is a conversion error from a 64bit signed long to an unsigned long - it's supposed to say iptables: Unknown error -1

Goto:
http://bugs.centos.org/my_view_page.php

And post your errors there, the CentOS team should fix it asap...
 
mrgswift (author) commented:
So I found that changing the hitcount and seconds value to a different number would allow it to work sometimes.  So I guess it is a bug.  Thanks for your help!
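The pattern the asker observed (hitcounts of 8 and 20 load, 25 and 900 do not) is the check a practitioner would want to run before loading a `-m recent` rule set: the recent match refuses any rule whose `--hitcount` is larger than the module parameter `ip_pkt_list_tot` (the number of timestamps kept per address, default 20), and iptables 1.3.x on this kernel reports that refusal only as the "Unknown error" above. The script below is an added example, not code from the thread: it emits the same set/update/DROP rule pairs as the question without executing them, and refuses to emit a pair whose hitcount the loaded module cannot accept. It reads the limit from `/sys/module/xt_recent/...` or `/sys/module/ipt_recent/...` (the 2.6.27 kernel in the question still names the module `ipt_recent`; the exact sysfs path is an assumption) and falls back to the default of 20; `RECENT_LIMIT` overrides the lookup so the check can be exercised on a host without the module.

```shell
#!/bin/sh
# Added example (not from the thread): build the "-m recent" rule pairs from
# the question, but validate --hitcount against ip_pkt_list_tot first.

# Print the recent module's ip_pkt_list_tot, or the module default (20) if no
# parameter file is readable (module not loaded, or no sysfs). The two sysfs
# paths cover the xt_recent and the older ipt_recent module names (assumption).
recent_limit() {
    for f in /sys/module/xt_recent/parameters/ip_pkt_list_tot \
             /sys/module/ipt_recent/parameters/ip_pkt_list_tot; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo 20
}

# check_hitcount HITCOUNT LIMIT: succeed only if 1 <= HITCOUNT <= LIMIT.
# Non-numeric input fails the test (stderr from [ is silenced).
check_hitcount() {
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le "$2" ] 2>/dev/null
}

# recent_rules NAME PORT HITCOUNT [SECONDS] [IFACE]
# Prints the two iptables commands for one service in the same shape as the
# SSH/SMTP/FTP/HTTP pairs in the question, without running them. Prints
# nothing on stdout and returns 1 if HITCOUNT cannot be loaded on this kernel.
recent_rules() {
    name=$1; port=$2; hit=$3; secs=${4:-60}; iface=${5:-eth0}
    limit=${RECENT_LIMIT:-$(recent_limit)}
    if ! check_hitcount "$hit" "$limit"; then
        echo "error: --hitcount $hit for $name exceeds ip_pkt_list_tot=$limit" >&2
        return 1
    fi
    echo "iptables -A INPUT -i $iface -p tcp --dport $port -m state --state NEW -m recent --set --name $name"
    echo "iptables -A INPUT -i $iface -p tcp --dport $port -m state --state NEW -m recent --update --seconds $secs --hitcount $hit --rttl --name $name -j DROP"
}

# The four services from the question, checked against the default limit of
# 20: SSH (8) and SMTP (20) are emitted, FTP (25) and HTTP (900) are refused.
main() {
    RECENT_LIMIT=20
    for svc in "SSHCONN 2211 8" "FTPCONN 21 25" "SMTPCONN 25 20" "HTTPCONN 80 900"; do
        set -- $svc
        recent_rules "$1" "$2" "$3" || echo "# skipped $1 (hitcount $3 > limit $RECENT_LIMIT)"
    done
}

main
```

If a larger window is really wanted, the limit is raised with the module option rather than by shrinking the rule (for example `options ipt_recent ip_pkt_list_tot=100` in `/etc/modprobe.conf` on CentOS 5, then reload the module); 2.6 kernels cap that parameter at 255, so a hitcount of 900 cannot be loaded on this kernel at all, and for a web server the usual alternative is a lower hitcount over a shorter `--seconds` window or the `limit`/`connlimit` matches. Whichever value is chosen, the recent module is a per-source-address counter, so its ceiling should be set from the expected legitimate connection rate of one client, not from aggregate traffic.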
