Warning When Starting arno-iptables-firewall

Hi,

I'm using kernel 2.6.26-2-xen-686 with Debian Lenny.

I was following the tutorial at http://library.linode.com/networking/security-guides/arno-iptables-firewall-debian-lenny except I get this warning on startup:

Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).

My first thought was I made a typo using ethO:O instead of eth0:0 but that doesn't seem to be the case.

Additionally, I don't think the firewall starts up. I don't see any arno-iptables-firewall process in htop after running:

 sudo /etc/init.d/arno-iptables-firewall start

Here is the entire output:

$ sudo /etc/init.d/arno-iptables-firewall start
Arno's Iptables Firewall Script v1.8.8o
-------------------------------------------------------------------------------
Sanity checks passed...OK
Checking/probing Iptables modules:
 Module check done...
Setting the kernel ring buffer to only log panic messages to the console
Configuring /proc/.... settings:
 Enabling anti-spoof with rp_filter
 Enabling SYN-flood protection via SYN-cookies
 Disabling the logging of martians
 Disabling the acception of ICMP-redirect messages
 Setting the max. amount of simultaneous connections to 16384
 Setting default conntrack timeouts
 Enabling protection against source routed packets
 Enabling reduction of the DoS'ing ability
 Setting Default TTL=64
 Disabling ECN (Explicit Congestion Notification)
 Enabling support for dynamic IP's
 Flushing route table
 /proc/ setup done...
Setting up firewall chains
 Setting default INPUT/FORWARD policy to DROP
Using loglevel "info" for syslogd

Setting up firewall rules:
-------------------------------------------------------------------------------
Accepting packets from the local loopback device
Enabling setting the maximum packet size via MSS
Enabling mangling TOS
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID TCP packets disabled
Logging of INVALID UDP packets disabled
Logging of INVALID ICMP packets disabled
Logging of fragmented packets enabled
Logging of access from reserved addresses enabled
Setting up (antispoof) INTERNAL net(s): 192.168.139.0/24 Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).

Reading custom rules from /etc/arno-iptables-firewall/custom-rules
Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins...
 UPnP plugin v0.12
 Loaded 1 plugin(s)...
Setting up INPUT policy for the external net (INET):
 Enabling support for DHCP-assigned-IP (DHCP client)
 Logging of explicitly blocked hosts enabled
 Logging of denied local output connections enabled
 Packets will NOT be checked for private source addresses
 Allowing the whole world to connect to TCP port(s): 22 25 80
 Denying the whole world to send ICMP-requests(ping)
 Logging of dropped ICMP-request(ping) packets enabled
 Logging of dropped other ICMP packets enabled
 Logging of possible stealth scans enabled
 Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
 Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
 Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
 Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
 Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled
 Logging of ICMP flooding enabled
Setting up OUTPUT policy for the external net (INET):
 Allowing all (other) ports/protocols
Applying INET policy to external interface: eth0 (without an external subnet specified)
Setting up INPUT policy for internal (LAN) interface(s): eth0:0
 Allowing ICMP-requests(ping)
 Allowing all (other) ports/protocols
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
Setting up FORWARD policy for internal (LAN) interface(s): eth0:0
 Logging of denied LAN->INET FORWARD connections enabled
 Setting up LAN->INET policy:
  Allowing ICMP-requests(ping)
  Allowing all (other) ports/protocols
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
Warning: weird character in interface `eth0:0' (No aliases, :, ! or *).
Security is ENFORCED for external interface(s) in the FORWARD chain

Jul 11  0:00:21 All firewall rules applied.

Here is the htop output. (I don't see arno-iptables-firewall, should I?)

 1049 root      16  -4 10248   684   492 S  0.0  0.1  0:00.00 /sbin/auditd
 1062 root      12  -8 11024   724   584 S  0.0  0.1  0:00.00 /sbin/audispd
 1050 root      12  -8 11024   724   584 S  0.0  0.1  0:00.00 /sbin/audispd
 1048 root      16  -4 10248   684   492 S  0.0  0.1  0:00.00 /sbin/auditd
 1537 root      20   0  2064   416   296 S  0.0  0.1  0:00.00 dhclient3 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp3/dhclient.eth0.leases eth0
 1645 root      20   0 27076  1288   896 S  0.0  0.2  0:00.04 /usr/sbin/rsyslogd -c3
 1646 root      20   0 27076  1288   896 S  0.0  0.2  0:00.00 /usr/sbin/rsyslogd -c3
 1647 root      20   0 27076  1288   896 S  0.0  0.2  0:00.02 /usr/sbin/rsyslogd -c3
 1644 root      20   0 27076  1288   896 S  0.0  0.2  0:00.07 /usr/sbin/rsyslogd -c3
 3546 flicea    20   0  3340  1900  1268 S  0.0  0.4  0:00.04 bash
 3545 flicea    20   0  2388  1092   888 S  0.0  0.2  0:00.00 su flicea
 2076 root      20   0  2828  1612  1240 S  0.0  0.3  0:00.06 bash
 2075 root      20   0  2388  1060   860 S  0.0  0.2  0:00.00 su root
 2070 flicea    20   0  3316  1820  1216 S  0.0  0.3  0:00.00 -bash
 2069 flicea    20   0  8340  1872  1112 S  0.0  0.4  0:00.38 sshd: flicea@pts/0
 2067 root      20   0  8024  2640  2180 S  0.0  0.5  0:00.02 sshd: flicea [priv]
 1658 root      20   0  5280   996   640 S  0.0  0.2  0:00.00 /usr/sbin/sshd
 2000 root      20   0  3100  1684   228 S  0.0  0.3  0:00.00 /usr/sbin/restorecond
 2031 root      20   0  2044   828   668 S  0.0  0.2  0:00.00 /usr/sbin/cron
 2047 root      20   0 23896  4624  1892 S  0.0  0.9  0:00.36 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
 2048 root      20   0 23896  4624  1892 S  0.0  0.9  0:00.24 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
 2046 root      20   0 23896  4624  1892 S  0.0  0.9  0:00.69 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock
 2064 root      20   0  1652   516   448 S  0.0  0.1  0:00.00 /sbin/getty 38400 tty1
    1 root      20   0  1988   692   592 S  0.0  0.1  0:00.09 init [2]
 4226 flicea    20   0  2504  1308   928 R  0.0  0.2  0:00.36 htop

3 Replies

You can verify that the firewall is up with /etc/init.d/arno-iptables-firewall status or iptables -L

I'm having a similar issue trying to divide my internal and external networks. Given that Linode internal IPs use an aliased interface, has anyone had any luck with arno/iptables in splitting their networks?

I'm pretty new to iptables, but I'll post more if I get a nice arno configuration figured out. Here's the issue (from arno's FAQ):

Q: How can I use aliased network interfaces with your firewall (like eth0:0) in rules?

A: The current Linux implementation doesn't allow distinction between eth0 or eth0:0 in e.g. iptables/netfilter rules. You can only specify eth0, which automatically includes eth0:0 (and other aliased interfaces). You can, however, use the IP address of the aliased interface for rules like OPEN_TCP="aliased-ip~22"

Not that I know the firewall in question, but I'm surprised to see eth0:0 in the configuration for an interface. eth0:0 isn't an interface; it's a label for an IP address added to the eth0 interface.

Try replacing eth0:0 with eth0.
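An added example (not from this thread or the arno-iptables-firewall project) that checks an arno-style interface list for the alias labels the warning above rejects and, using a constructed sample of "ip -o addr show" output, looks up the address behind a label such as eth0:0 so it can be used in an address-based rule as the FAQ suggests. The sample addresses and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not part of arno-iptables-firewall. The warning says an
# interface name may not contain ':', '!' or '*'. This checks a space-separated
# interface list (the form EXT_IF / INT_IF take in firewall.conf) and, for an
# alias label such as eth0:0, reports the base interface and the address behind
# the label, which is what the FAQ says to use in rules instead.

# Constructed stand-in for `ip -o addr show` so the script runs offline.
# The internal address is placed in the 192.168.139.0/24 net from the thread.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0
2: eth0    inet 192.168.139.5/24 brd 192.168.139.255 scope global eth0:0'

# Return 0 if $1 is a plain interface name, 1 if it carries ':', '!' or '*'.
is_plain_iface() {
    case "$1" in
        *[*:!]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the IPv4 address (without prefix length) carrying label $1, if any.
alias_address() {
    printf '%s\n' "$SAMPLE_IP_ADDR" | awk -v label="$1" '
        $NF == label { split($4, a, "/"); print a[1]; exit }'
}

# Walk an interface list and say which entries the firewall will reject.
check_iface_list() {
    for ifc in $1; do
        if is_plain_iface "$ifc"; then
            printf 'ok: %s\n' "$ifc"
        else
            base=${ifc%%:*}
            addr=$(alias_address "$ifc")
            printf 'alias: %s -> use interface %s and address %s\n' \
                "$ifc" "$base" "${addr:-<unknown>}"
        fi
    done
}

check_iface_list "eth0 eth0:0"
```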
