firewall.local

networkpro
Posts: 1
Joined: July 6th, 2015, 7:10 pm

firewall.local

Post by networkpro » July 6th, 2015, 7:26 pm

First, I am SO glad I found IPFire - I am a refugee from IPCop and consider myself lucky that I found IPFire! Thank you to the development community!

I have two questions:

1st - I have added two rules to my firewall.local that force redirection of ALL TCP/UDP DNS traffic requests to OpenDNS FamilyShield DNS Servers (this was at the request of the client). It is working perfectly well. Even if the user has a static DNS setup in their NIC IP configuration, all DNS traffic is forced to resolve via one of the OpenDNS servers. Here are the entries:

iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 208.67.222.123
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to 208.67.222.123

I have verified that these entries ARE working. However (and here is question #1) when I start or restart the firewall I get a message that I can't figure out:

iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.

I get the message twice, but no indication what it is referring to. The DNAT entries show up:

113 8223 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 to:208.67.222.123
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 to:208.67.222.123

And if a user attempts to reach a porn site is is blocked with the OpenDNS message:

This domain is blocked due to content filtering.

So, what is causing the iptables: No chain/target/match by that name error message?

2nd Question: I would like to log all DNS requests but when I try to add a rule causing the condition to jump to a logging rule, the rule dies and I lose ALL DNS.

Is there a way to accomplish what I am trying to do using the Web UI, so that I can bypass using firewall.local and take advantage of the logging capabilities of IPFire?

Also, I am well aware of the ability to use blacklists through URL Filter, but the client (after having too many false positives) requested that I come up with another solution and OpenDNS seems to be doing the job quite well.

Thank you!

ummeegge
Community Developer
Posts: 4763
Joined: October 9th, 2010, 10:00 am

Re: firewall.local

Post by ummeegge » July 7th, 2015, 2:56 pm

Hi networkpro,
also, first of all, welcome to IPFire.
networkpro wrote:
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to 208.67.222.123

I have verified that these entries ARE working. However (and here is question #1) when I start or restart the firewall I get a message that I can't figure out:

iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name

In firewall.local it might always be a good idea to use the appropriate chains there, which are named 'CUSTOM*', so in your case the firewall.local chain name should be 'CUSTOMPREROUTING'; that way it is easier to keep an overview of them. It is also a good idea to delete or flush the used firewall.local rules in the stop) section so your rules won't be set multiple times during a FW restart. In your case you can flush it e.g. with this one:


/sbin/iptables -t nat -F CUSTOMPREROUTING

You can use a trick to figure out which rules are concerned if you debug the firewall.local with a


set -x 

in the beginning of the script and restart it with a


/etc/sysconfig/firewall.local reload

this could look e.g. like this:


+ /sbin/iptables -t nat -A CUSTOMPROROUTING -p udp --dport 53 -j DNAT --to 208.67.222.123
iptables: No chain/target/match by that name.
[Tue Jul 07 15:56:46] [root@ipfire-server] /etc/sysconfig

after fixing the syntax, it looks like this:


+ /sbin/iptables -t nat -A CUSTOMPREROUTING -p udp --dport 53 -j DNAT --to 208.67.222.123
[Tue Jul 07 15:56:46] [root@ipfire-server] /etc/sysconfig


networkpro wrote:
2nd Question: I would like to log all DNS requests but when I try to add a rule causing the condition to jump to a logging rule, the rule dies and I lose ALL DNS.

Maybe you mean something like e.g. this:


/sbin/iptables -t nat -I CUSTOMPREROUTING 1 -m limit --limit 5/m -j LOG --log-prefix="iptables: dropped packets" --log-level 4
/sbin/iptables -t nat -A CUSTOMPREROUTING -p udp --dport 53 -j DNAT --to 208.67.222.123

possible output in syslog could be:


Jul  7 16:47:56 ipfire-server kernel: iptables: dropped packetsIN=green0 OUT= MAC=00:30:16:aa:50:54:00:1b:62:94:9d:5e:08:00 SRC=192.168.7.2 DST=192.168.7.18 LEN=62 TOS=0x00 PREC=0x00 TTL=255 ID=37274 PROTO=UDP SPT=58463 DPT=53 LEN=42 

Nevertheless, the kernel also throws some FORWARD chain output for OpenDNS because the FORWARD policy is blocked here.


Jul  7 16:47:47 ipfire-server kernel: DROP_FORWARD IN=green0 OUT=red0 MAC=00:30:16:aa:50:54:00:1b:62:94:9d:5e:08:00 SRC=192.168.7.2 DST=208.67.222.123 LEN=62 TOS=0x00 PREC=0x00 TTL=254 ID=34557 PROTO=UDP SPT=58463 DPT=53 LEN=42


May this bring you a step further.

Greetings,

UE
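As an added example (not code from the thread or from IPFire), here is a small shell helper that reads the syslog lines a rate-limited LOG rule in CUSTOMPREROUTING produces and summarises them per client, which answers the second question in a way the Web UI cannot: it shows which hosts are sending DNS and which of them are trying to reach a resolver other than the expected one (a static DNS entry in the NIC configuration, as in the first post). The log prefix "iptables: dns ", the resolver address 192.168.7.18 and the lines in SAMPLE_LOG are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise the kernel LOG lines that a
# rate-limited "-j LOG --log-prefix ..." rule in CUSTOMPREROUTING writes to
# syslog. Reads syslog on stdin, keeps lines carrying the prefix and DPT=53,
# and prints one line per client: "<SRC> <queries> <queries not sent to the
# expected resolver>". The prefix "iptables: dns " and the resolver address are
# assumptions; the sample lines in SAMPLE_LOG are constructed for this example.

LOG_PREFIX="${LOG_PREFIX:-iptables: dns }"

dns_log_summary() {
    # $1: log prefix to match, $2: address clients are expected to query
    # (e.g. the firewall's green IP); anything else in DST counts as "other".
    prefix="${1:-$LOG_PREFIX}"
    resolver="${2:-}"
    awk -v pfx="$prefix" -v want="$resolver" '
        index($0, pfx) == 0 { next }            # not one of our LOG lines
        {
            src = ""; dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {         # pick the KEY=VALUE tokens we need
                if      ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "" || dpt != "53") next  # only DNS
            total[src]++
            if (want != "" && dst != want) other[src]++
        }
        END {
            for (s in total) printf "%s %d %d\n", s, total[s], other[s] + 0
        }' | sort
}

# Constructed sample syslog: two clients, one of them also querying 8.8.8.8
# directly (a static DNS setting in its NIC config, the case from the thread).
SAMPLE_LOG='Jul  7 16:47:56 ipfire-server kernel: iptables: dns IN=green0 OUT= SRC=192.168.7.2 DST=192.168.7.18 LEN=62 TOS=0x00 PREC=0x00 TTL=255 ID=37274 PROTO=UDP SPT=58463 DPT=53 LEN=42
Jul  7 16:47:57 ipfire-server kernel: iptables: dns IN=green0 OUT= SRC=192.168.7.2 DST=8.8.8.8 LEN=62 TOS=0x00 PREC=0x00 TTL=255 ID=37275 PROTO=UDP SPT=58464 DPT=53 LEN=42
Jul  7 16:47:58 ipfire-server kernel: iptables: dns IN=green0 OUT= SRC=192.168.7.5 DST=192.168.7.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=53 WINDOW=29200 RES=0x00 SYN URGP=0
Jul  7 16:47:59 ipfire-server kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.7.2 DST=208.67.222.123 LEN=62 TOS=0x00 PREC=0x00 TTL=254 ID=34557 PROTO=UDP SPT=58463 DPT=53 LEN=42
Jul  7 16:48:00 ipfire-server kernel: iptables: dns IN=green0 OUT= SRC=192.168.7.2 DST=192.168.7.18 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0'

# On a live box: dns_log_summary "iptables: dns " 192.168.7.18 < /var/log/messages
demo_summary() {
    printf '%s\n' "$SAMPLE_LOG" | dns_log_summary "iptables: dns " 192.168.7.18
}
```

Run on the constructed sample, demo_summary prints "192.168.7.2 2 1" and "192.168.7.5 1 0": the first client sent two queries, one of them to 8.8.8.8 instead of the firewall. Note that the nat table only sees the first packet of each connection, so a LOG rule there counts new DNS flows rather than every packet; for UDP that is close to one line per query as long as the conntrack entry has expired in between.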

kpratte
Posts: 11
Joined: March 24th, 2015, 6:19 pm

Re: firewall.local

Post by kpratte » July 15th, 2015, 1:00 am

I made that mistake at first too. Like ummeegge suggested, use CUSTOMxxxx chains. More information is here: http://wiki.ipfire.org/en/configuration ... wall.local

- Ken

Deepcuts
Posts: 459
Joined: March 1st, 2016, 3:18 pm
Location: Romania

Re: firewall.local

Post by Deepcuts » January 6th, 2019, 3:45 pm

I know this is an old post, but better not to create a new post imho for the same problem.
I get the same error message iptables: No chain/target/match by that name, but only while booting. If I reload with ./firewall.local reload or stop then start, I do not get the error.
Somehow I think the script is not called when it should be? Meaning it is run too early in the boot process.

My rules are:


iptables -t nat -A CUSTOMPREROUTING '!' -o green0 -p udp --destination-port 53 -j REDIRECT --to-ports 53
iptables -t nat -A CUSTOMPREROUTING '!' -o green0 -p tcp --destination-port 53 -j REDIRECT --to-ports 53

The rules are working, but just for my own knowledge I would like to know why this is happening and how I can fix it.
Any hints?

Deepcuts
Posts: 459
Joined: March 1st, 2016, 3:18 pm
Location: Romania

Re: firewall.local

Post by Deepcuts » January 9th, 2019, 1:02 am

Found a fix.


cd /etc/init.d/networking/red.up
touch 21-custom-iptables

The content should be:


#!/bin/bash
exec /path-to-your-custom-rules-files start


cd /etc/init.d/networking/red.down
touch 21-custom-iptables

The content should be:


#!/bin/bash
exec /path-to-your-custom-rules-files stop

The file with your custom rules should look like (example for DNS intercept):


#!/bin/sh
# intercept all local queries and redirect to local DNS
case "$1" in
    start)
        /sbin/iptables -t nat -A CUSTOMPREROUTING ! -o green0 -p udp --destination-port 53 -j REDIRECT --to-ports 53
        /sbin/iptables -t nat -A CUSTOMPREROUTING ! -o green0 -p tcp --destination-port 53 -j REDIRECT --to-ports 53
        /sbin/iptables -t nat -A CUSTOMPREROUTING ! -o blue0 -p udp --destination-port 53 -j REDIRECT --to-ports 53
        /sbin/iptables -t nat -A CUSTOMPREROUTING ! -o blue0 -p tcp --destination-port 53 -j REDIRECT --to-ports 53
        ;;
    stop)
        # delete exactly the rules added in start)
        /sbin/iptables -t nat -D CUSTOMPREROUTING ! -o green0 -p udp --destination-port 53 -j REDIRECT --to-ports 53
        /sbin/iptables -t nat -D CUSTOMPREROUTING ! -o green0 -p tcp --destination-port 53 -j REDIRECT --to-ports 53
        /sbin/iptables -t nat -D CUSTOMPREROUTING ! -o blue0 -p udp --destination-port 53 -j REDIRECT --to-ports 53
        /sbin/iptables -t nat -D CUSTOMPREROUTING ! -o blue0 -p tcp --destination-port 53 -j REDIRECT --to-ports 53
        ;;
    reload)
        $0 stop
        $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|reload}"
        exit 1
        ;;
esac

Works for me and no more errors like iptables: No chain/target/match by that name.
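Putting ummeegge's advice and Deepcuts' script shape together, here is an added example (not IPFire's shipped firewall.local and not one of the scripts posted above) of a start/stop/reload script that keeps the rules in CUSTOMPREROUTING, flushes that chain in stop) so nothing is added twice on a restart, and puts a rate-limited LOG rule in front of the DNAT so redirected queries show up in syslog. IPTABLES, DNS_SERVER and DEBUG are variables invented for this example; setting IPTABLES=echo gives a dry run that prints the commands instead of executing them, and DEBUG=1 turns on the set -x trace used above to find the misspelled chain name.

```shell
#!/bin/sh
# Added example, not IPFire's shipped firewall.local nor the scripts posted in the
# thread: a start/stop/reload script in the shape of /etc/sysconfig/firewall.local
# that follows the advice above: rules go into the CUSTOM* chains, stop) flushes
# the chain so nothing is added twice on a restart, and a rate-limited LOG rule in
# front of the DNAT makes every redirected query visible in syslog.
# Assumptions: IPTABLES, DNS_SERVER and DEBUG are this example's own variables,
# and the log prefix "iptables: dns " is invented here.

IPTABLES="${IPTABLES:-/sbin/iptables}"        # set IPTABLES=echo for a dry run
DNS_SERVER="${DNS_SERVER:-208.67.222.123}"    # the OpenDNS address used in the thread
DEBUG="${DEBUG:-0}"                           # DEBUG=1 traces every command (set -x)

if [ "$DEBUG" = "1" ]; then
    set -x
fi

dns_rules() {
    # $1 is the iptables action: -A to add the rules, -D to delete them.
    act="$1"
    # Log (at most 5 lines per minute) before the destination is rewritten.
    $IPTABLES -t nat "$act" CUSTOMPREROUTING -p udp --dport 53 \
        -m limit --limit 5/m -j LOG --log-prefix "iptables: dns " --log-level 4
    # Force every client's DNS query to the configured resolver, UDP and TCP.
    $IPTABLES -t nat "$act" CUSTOMPREROUTING -p udp --dport 53 -j DNAT --to "$DNS_SERVER"
    $IPTABLES -t nat "$act" CUSTOMPREROUTING -p tcp --dport 53 -j DNAT --to "$DNS_SERVER"
}

firewall_local() {
    case "$1" in
        start)  dns_rules -A ;;
        stop)   $IPTABLES -t nat -F CUSTOMPREROUTING ;;   # flush the whole custom chain
        reload) firewall_local stop; firewall_local start ;;
        *)      echo "Usage: $0 {start|stop|reload}" >&2; return 2 ;;
    esac
}

# Dispatch only when called with an argument, so the file can also be sourced.
if [ $# -gt 0 ]; then
    firewall_local "$1"
fi
```

Flushing the chain in stop) rather than deleting rule by rule is what keeps a second start from stacking duplicate DNAT entries, and because CUSTOMPREROUTING is reserved for firewall.local, the flush does not touch the rules IPFire generates itself. The LOG rule is placed before the DNAT on purpose: once the destination has been rewritten, the logged DST would always be the resolver and no longer tell you which clients had a hard-coded DNS server.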
