E: unknown error applying new iptables ruleset
iptables-restore < /etc/iptables.firewall.rules
Zero luck at all. It gives the error I used in this topic title: <quote>> E: unknown error applying new iptables ruleset</quote>
For clarification (and so you don't have to go the the tut page for the code) here is what I entered into my iptables.firewall.rules :
*filter
Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
Allow HTTP and HTTPS connections from anywhere (the normal ports for websites and SSL).
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
Allow SSH connections
#
The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
Allow ping
-A INPUT -p icmp -j ACCEPT
Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP
COMMIT
````
When it didn't work, I logged in as root to try and activate it, but had no luck. It was calling the error on line 33…which is the 'COMMIT' command. I obviously cannot remove that, so I'm a bit stumped.
I even went so far as to scp in and copy and paste the rules from the tut into the file directly and got the same error as when I created the file in ssh. Finally, I deleted the file and tried to start from scratch (which I did twice) and still cannot seem to activate the new iptables file. I get the error every time.
Any thoughts would be extremely helpful. Thank you in advance.
2 Replies
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j REJECT
# and so on for each of your rules
iptables-save > /etc/iptables.firewall.rules
You'll want to verify that you have no existing rules (with iptables -L -nv) prior to doing this, or stuff may get whacky. iptables-save will always generate a file that can be read back in with iptables-restore, so you don't have to worry about getting this issue again.
P.S. Is there a way to mark a thread as 'solved'? If so, please let me know how to do so, I couldn't see a way to do so on my own. Thanks again.
@dwfreed:
My suggestion would be to apply each of these rules manually using iptables as root or with sudo, and then use iptables-save to save the resulting ruleset in your iptables.firewall.rules. For example:
iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -d 127.0.0.0/8 -j REJECT # and so on for each of your rules iptables-save > /etc/iptables.firewall.rulesYou'll want to verify that you have no existing rules (with iptables -L -nv) prior to doing this, or stuff may get whacky. iptables-save will always generate a file that can be read back in with iptables-restore, so you don't have to worry about getting this issue again.