Problems with IPTABLES recent module.


I went to reload (iptables-restore) my iptables configuration and
obtained an error at the COMMIT statement.  No further details were
provided even when I ran restore with the -v option.

I determined that none of my backed up configuration files going
back to October will load either.  This is more than passing strange
because I altered and uploaded the iptables configuration on this
host several times in December alone.  These alterations certainly
applied without error at the time.

Through painful trial and error (it is a fairly large configuration)
I discovered that I cannot add any rule using the __recent__ module.
 Adding a single rule referencing that module inevitably results in
a load error reported at the following COMMIT statement.  An example
of an actual rule that fails follows:

.  .  .
:BRUTE_FORCE - [0:0]
.  .  .
-A BRUTE_FORCE -p tcp -m tcp -m state -m recent --set -i eth0 --dport 22 --state NEW
-A BRUTE_FORCE -m comment -j RETURN --comment "Return to calling chain"
COMMIT

Perhaps I am missing something obvious but as far as I can determine
the rule using the recent module should simply add all traffic
coming in over i/f eth0 consigned to port 22 on any ip-addr to the
DEFAULT list.  I do not expect it to give an error.  If I remove
this statement then the iptables file loads without error.

An interesting thing happens if I simply add a trailing -j to the
end of the recent module rule above.  It fails with this specific error:

-c packet counter not numeric

Does anyone see what I am doing wrong?


Sincerely,

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
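
The trial-and-error search described in the post can be automated. The script below is an added example, not part of the original message: it loads each -A rule of an iptables-save style file on its own, together with the file's table and chain declarations, and reports the rules that fail. The LOADER variable and the function names are assumptions of this example; the default loader runs iptables-restore inside a throwaway network namespace (root required), so COMMIT is really executed without touching the host firewall.

```shell
#!/bin/sh
# Added example: isolate which rules in an iptables-save style file make
# the ruleset loader fail at COMMIT.
#
# LOADER (assumption of this example) is any command that reads a ruleset
# on stdin and exits non-zero on failure. The default loads the rules into
# a new, empty network namespace instead of the live firewall.
: "${LOADER:=unshare -n iptables-restore}"

# with_rule FILE N
# Print FILE with every -A rule removed except the one on line N.
# Table headers (*filter), chain declarations (:CHAIN), comments and
# COMMIT lines are always kept. N=0 prints the bare skeleton.
with_rule() {
    awk -v keep="$2" 'NR == keep || $1 != "-A"' "$1"
}

# find_bad_rules FILE
# Print "LINE: RULE" for each rule that fails to load on its own.
# Returns 2 if even the skeleton without any rules is rejected.
find_bad_rules() {
    file=$1

    # Baseline: if tables and chains alone do not load, per-rule
    # results would be meaningless.
    if ! with_rule "$file" 0 | $LOADER >/dev/null 2>&1; then
        echo "skeleton (tables and chains only) fails to load" >&2
        return 2
    fi

    # Test each rule in isolation, one loader run per rule.
    awk '$1 == "-A" { print NR }' "$file" | while read -r n; do
        if ! with_rule "$file" "$n" | $LOADER >/dev/null 2>&1; then
            printf '%s: %s\n' "$n" "$(sed -n "${n}p" "$file")"
        fi
    done
}

# Run against a file when one is given on the command line.
if [ -n "${1:-}" ]; then
    find_bad_rules "$1"
fi
```

Each rule must sit on a single line, as iptables-save writes it; a rule wrapped across two lines is treated as one rule plus one stray line.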
