# iptables-restore: line 16 failed

## thoughtform

here is my /var/lib/iptables/rules-save

```

#!/bin/sh

#

#  This is automatically generated file. DO NOT MODIFY !

#

#  Firewall Builder  fwb_ipt v2.0.12-1

#

#  Generated Mon Aug  7 04:19:03 2006 EDT by scorpaen

#

# files: * rules-save

#

#

#

#

#

#

# Trace every command to stderr while the firewall is being installed
# (fwbuilder emits this by default).
set -x
# Put the system binary directories first so that the plain tool names used
# below (ip, iptables-restore, ...) resolve to the system copies.
export PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

#

# Prolog script

#

#

# End of prolog script

#

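#######################################
# Print a message and, when the syslog helper can be found, send it to
# syslog as well.
# Globals:   LOGGER (read) - name or path of the syslog helper command
# Arguments: $1 - message
# Outputs:   the message on stdout
# Returns:   status of the last command run
#######################################
log() {
  # printf rather than echo: a message such as "-n" is printed verbatim
  # instead of being taken as an echo option.
  printf '%s\n' "$1"
  # "command -v" resolves $LOGGER through PATH. The former "test -x" only
  # looked for a file of that name in the current directory, so with
  # LOGGER="logger" the syslog copy of the message was never written.
  if command -v "$LOGGER" >/dev/null 2>&1; then
    "$LOGGER" -p info "$1"
  fi
}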

# Counter used in the "<dev>:FWB<n>" labels add_addr gives the addresses it
# creates; add_addr bumps it once per added address.
va_num=1

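#######################################
# Make sure IPv4 address $addr is present on interface $dev; when it is not,
# add it as a labelled secondary address ("<dev>:FWB<n>"). Those labels are
# what the "addr flush ... label '<dev>:FWB*'" calls further down remove
# when the script runs again.
# Globals:   IP (read); va_num (read, incremented for every address added);
#            addr, nm, dev, type, aadd, L, OIFS (scratch - plain sh has no
#            locals, so they leak into the caller's scope)
# Arguments: $1 - IPv4 address, $2 - prefix length, $3 - interface name
# Outputs:   whatever the ip(8) calls print
# Returns:   status of the last command run
#######################################
add_addr() {
  addr=$1
  nm=$2
  dev=$3
  type=""
  aadd=""
  # First line of "ip link ls <dev>", e.g. "2: eth0: <BROADCAST,...> mtu ...".
  L=$($IP -4 link ls "$dev" | head -n1)
  if test -n "$L"; then
    OIFS=$IFS
    # Split on blank, '/', ':', ',' and '<'. "--" keeps a field that starts
    # with '-' from being taken as an option to "set". With these delimiters
    # the first flag inside "<...>" lands in $4; the code below only cares
    # whether it is POINTOPOINT or BROADCAST.
    IFS=" /:,<"
    set -- $L
    type=$4
    IFS=$OIFS
    # "inet" lines (minus those containing ':', presumably inet6) that
    # already carry $addr on $dev.
    L=$($IP -4 addr ls "$dev" to "$addr" | grep inet | grep -v :)
    if test -n "$L"; then
      OIFS=$IFS
      IFS=" /"
      set -- $L
      # "inet A.B.C.D/NN ..." -> the address is the second field.
      aadd=$2
      IFS=$OIFS
    fi
  fi
  if test -z "$aadd"; then
    if test "$type" = "POINTOPOINT"; then
      # Point-to-point links get the bare address: no prefix, no broadcast.
      $IP -4 addr add "$addr" dev "$dev" scope global label "$dev:FWB${va_num}"
      va_num=$((va_num + 1))
    fi
    if test "$type" = "BROADCAST"; then
      $IP -4 addr add "$addr/$nm" dev "$dev" brd + scope global label "$dev:FWB${va_num}"
      va_num=$((va_num + 1))
    fi
  fi
}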

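#######################################
# Turn an interface name into a string usable as a shell variable name by
# replacing every '.' (as in VLAN interfaces such as eth0.100) with '_'.
# Arguments: $1 - interface name
# Outputs:   the converted name on stdout
#######################################
getInterfaceVarName() {
  # printf plus quoting pass the name through unchanged; the 'g' flag
  # converts every dot, where the former substitution only handled the
  # first one and left an invalid variable name for "a.b.c".
  printf '%s\n' "$1" | sed 's/\./_/g'
}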

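#######################################
# Store the first IPv4 address configured on interface $dev in the variable
# whose name is given in $name (empty string when there is none).
# Globals:   IP (read); the variable named by $2 (written);
#            dev, name, L, OIFS (scratch, not local in plain sh)
# Arguments: $1 - interface name, $2 - name of the variable to set
# Outputs:   nothing
# Returns:   0
#######################################
getaddr() {
  dev=$1
  name=$2
  # "inet" lines minus those containing ':' (presumably inet6 entries).
  L=$($IP -4 addr show dev "$dev" | grep inet | grep -v :)
  test -z "$L" && {
    eval "$name=''"
    return
  }
  OIFS=$IFS
  IFS=" /"
  set -- $L
  # "inet A.B.C.D/NN ..." -> the address is the second field. The escaped
  # "\$2" is expanded by eval after it has parsed the assignment, so text
  # taken from the ip(8) output is never re-parsed as shell code.
  eval "$name=\$2"
  IFS=$OIFS
}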

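#######################################
# Print the names of all interfaces whose "ip link show" line contains
# ": <NAME>", one per line (so "eth0" also lists e.g. "eth0.100").
# Globals:   IP (read); NAME (written, scratch)
# Arguments: $1 - interface name, matched literally
# Outputs:   matching interface names on stdout
#######################################
getinterfaces() {
  NAME=$1
  # -F matches the name literally (a '.' in "eth0.1" is not a wildcard) and
  # "--" protects a name starting with '-'. Each line looks like
  # "2: eth0: <...>"; splitting on blank and ':' puts the name in $2.
  $IP link show | grep -F -- ": $NAME" | while read -r L; do
    OIFS=$IFS
    IFS=" :"
    set -- $L
    IFS=$OIFS
    printf '%s\n' "$2"
  done
}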

# Tool names used by the rest of the script. They are plain command names
# resolved through the PATH set at the top of the file.
LSMOD=lsmod
MODPROBE=modprobe
IPTABLES=iptables
IPTABLES_RESTORE=iptables-restore
IP=ip
LOGGER=logger

# Everything below drives ip(8); stop right away when it cannot be run.
if ! $IP link ls >/dev/null 2>&1; then
  echo "iproute not found"
  exit 1
fi
echo

# Every interface the ruleset refers to must exist; abort before anything
# on the system is changed when one is missing.
INTERFACES="eth0 lo tun0 "
for i in $INTERFACES ; do
  if ! $IP link show "$i" > /dev/null 2>&1; then
    log "Interface $i does not exist"
    exit 1
  fi
done

# Kernel-side settings applied before any rule is loaded: reverse-path
# filtering on every interface and logging of the "martian" packets it
# rejects. Neither write is checked, so a missing /proc entry only prints
# an error and the script carries on.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Drop cached neighbour entries and the "<dev>:FWB*" secondary addresses a
# previous run of this script may have left on eth0 and tun0 (errors are
# silenced: there may be nothing to flush).
$IP -4 neigh flush dev eth0 >/dev/null 2>&1
$IP -4 addr flush dev eth0 secondary label "eth0:FWB*" >/dev/null 2>&1
$IP -4 neigh flush dev tun0 >/dev/null 2>&1
$IP -4 addr flush dev tun0 secondary label "tun0:FWB*" >/dev/null 2>&1
# (Re)apply the addresses the ruleset below assumes and bring the links up.
add_addr 192.168.1.111 24 eth0
$IP link set eth0 up
add_addr 127.0.0.1 8 lo
$IP link set lo up
add_addr 10.74.0.1 32 tun0
$IP link set tun0 up

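# Load every conntrack module shipped for the running kernel. Module names
# are derived from the file names in MODULE_DIR (.o/.ko, optionally .gz).
# "cd" is now checked: when the directory is missing (e.g. netfilter built
# into the kernel) MODULES stays empty instead of "ls" listing whatever the
# current directory happens to contain.
MODULE_DIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/"
MODULES=$(cd "$MODULE_DIR" 2>/dev/null && ls *_conntrack* 2>/dev/null | sed -n -e 's/\.ko$//p' -e 's/\.o$//p' -e 's/\.ko\.gz$//p' -e 's/\.o\.gz$//p')
for module in $MODULES; do
  # Skip modules lsmod already lists. The pattern is anchored to the start
  # of the line so that "ip_conntrack" no longer matches e.g. a loaded
  # "ip_conntrack_ftp"; a failed modprobe aborts the whole script.
  if $LSMOD | grep -q "^${module}[[:space:]]"; then continue; fi
  $MODPROBE "${module}" || exit 1
done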

log 'Activating firewall script generated Mon Aug  7 04:19:03 2006  by scorpaen'
# Load the whole ruleset in one go. The quoted delimiter makes the
# here-document literal, so nothing inside it is subject to shell expansion.
# What the ruleset does, for whoever has to audit it:
#  - INPUT, OUTPUT and FORWARD all default to DROP;
#  - established/related traffic is accepted first;
#  - "backup ssh access" allows ssh from 192.168.1.113;
#  - "Rule 2" accepts any NEW connection whose source is 192.168.1.111
#    (the address add_addr configures on eth0 above) with no interface
#    restriction, so it relies on the rp_filter setting enabled earlier in
#    this script to reject packets that merely claim that source;
#  - "Rule 3" accepts tcp 113,80,443,25,22,10000,8080 and udp 1194 to
#    192.168.1.111 from any source - note that this opens port 22 well
#    beyond the "backup ssh" host;
#  - everything else is logged with prefix "RULE 4 -- DENY " and dropped.
$IPTABLES_RESTORE <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# backup ssh access
#
-A INPUT  -p tcp -m tcp  -s 192.168.1.113  --dport 22  -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT  -p tcp -m tcp  -d 192.168.1.113  --sport 22  -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0 (global)
#
# LAN traffic
#
-A INPUT  -s 255.255.255.255  -d 255.255.255.255  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 255.255.255.255  -d 255.255.255.255  -m state --state NEW  -j ACCEPT
-A INPUT  -s 255.255.255.255  -d 192.168.1.111  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 255.255.255.255  -d 192.168.1.111  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 255.255.255.255  -d 192.168.1.0/24  -m state --state NEW  -j ACCEPT
-A INPUT  -s 192.168.1.111  -d 255.255.255.255  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 192.168.1.111  -d 255.255.255.255  -m state --state NEW  -j ACCEPT
-A INPUT  -s 192.168.1.111  -d 192.168.1.111  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 192.168.1.111  -d 192.168.1.111  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 192.168.1.111  -d 192.168.1.0/24  -m state --state NEW  -j ACCEPT
-A INPUT  -s 192.168.1.0/24  -d 255.255.255.255  -m state --state NEW  -j ACCEPT
-A INPUT  -s 192.168.1.0/24  -d 192.168.1.111  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 192.168.1.0/24  -d 192.168.1.0/24  -m state --state NEW  -j ACCEPT
-A INPUT  -s 192.168.1.0/24  -d 192.168.1.0/24  -m state --state NEW  -j ACCEPT
-A FORWARD  -s 192.168.1.0/24  -d 192.168.1.0/24  -m state --state NEW  -j ACCEPT
#
# Rule 1 (global)
#
#
#
-A INPUT  -s 127.0.0.1  -d 127.0.0.1  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 127.0.0.1  -d 127.0.0.1  -m state --state NEW  -j ACCEPT
#
# Rule 2 (global)
#
#
#
-A INPUT  -s 192.168.1.111  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 192.168.1.111  -m state --state NEW  -j ACCEPT
#
# Rule 3 (global)
#
# internet services
#
:Cid44B13257.0 - [0:0]
-A OUTPUT  -d 192.168.1.111  -m state --state NEW  -j Cid44B13257.0
-A Cid44B13257.0 -p tcp -m tcp  -m multiport  --dports 113,80,443,25,22,10000,8080  -j ACCEPT
-A Cid44B13257.0 -p udp -m udp  --dport 1194  -j ACCEPT
:Cid44B13257.1 - [0:0]
-A INPUT  -d 192.168.1.111  -m state --state NEW  -j Cid44B13257.1
-A Cid44B13257.1 -p tcp -m tcp  -m multiport  --dports 113,80,443,25,22,10000,8080  -j ACCEPT
-A Cid44B13257.1 -p udp -m udp  --dport 1194  -j ACCEPT
#
# Rule 4 (global)
#
# reject and log all other traffic
#
:RULE_4 - [0:0]
-A OUTPUT  -j RULE_4
-A INPUT  -j RULE_4
-A FORWARD  -j RULE_4
-A RULE_4  -j LOG  --log-level alert --log-prefix "RULE 4 -- DENY "
-A RULE_4  -j DROP
#
COMMIT
#
EOF

#

#

# Turn on IPv4 forwarding only now, after the ruleset (FORWARD policy DROP)
# has been loaded - presumably so forwarding is never enabled while the
# FORWARD chain is still unfiltered.
printf '1\n' > /proc/sys/net/ipv4/ip_forward

#

# Epilog script

#

# End of epilog script

#

```

----------

## MetalWarrior

My /var/lib/iptables/rules-save file contains only the iptables rules, i.e.:

```

*filter
# Default-deny on all three built-in chains; only what the rules below
# accept gets through.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Replies to connections that were already accepted pass first.
-A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# backup ssh access
#
# ssh (tcp/22) may be opened from 192.168.1.113.
-A INPUT  -p tcp -m tcp  -s 192.168.1.113  --dport 22  -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT  -p tcp -m tcp  -d 192.168.1.113  --sport 22  -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0 (global)
#
# LAN traffic
#
-A INPUT  -s 255.255.255.255  -d 255.255.255.255  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 255.255.255.255  -d 255.255.255.255  -m state --state NEW  -j ACCEPT
-A INPUT  -s 255.255.255.255  -d 192.168.1.111  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 255.255.255.255  -d 192.168.1.111  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 255.255.255.255  -d 192.168.1.0/24  -m state --state NEW  -j ACCEPT
-A INPUT  -s 192.168.1.111  -d 255.255.255.255  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 192.168.1.111  -d 255.255.255.255  -m state --state NEW  -j ACCEPT
-A INPUT  -s 192.168.1.111  -d 192.168.1.111  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 192.168.1.111  -d 192.168.1.111  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 192.168.1.111  -d 192.168.1.0/24  -m state --state NEW  -j ACCEPT
-A INPUT  -s 192.168.1.0/24  -d 255.255.255.255  -m state --state NEW  -j ACCEPT
-A INPUT  -s 192.168.1.0/24  -d 192.168.1.111  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 192.168.1.0/24  -d 192.168.1.0/24  -m state --state NEW  -j ACCEPT
-A INPUT  -s 192.168.1.0/24  -d 192.168.1.0/24  -m state --state NEW  -j ACCEPT
-A FORWARD  -s 192.168.1.0/24  -d 192.168.1.0/24  -m state --state NEW  -j ACCEPT
#
# Rule 1 (global)
#
#
#
-A INPUT  -s 127.0.0.1  -d 127.0.0.1  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 127.0.0.1  -d 127.0.0.1  -m state --state NEW  -j ACCEPT
#
# Rule 2 (global)
#
#
#
# NOTE(review): matches on the source address alone, with no -i restriction,
# so a packet arriving on any interface that merely claims 192.168.1.111 as
# its source is accepted here unless reverse-path filtering rejects it first.
-A INPUT  -s 192.168.1.111  -m state --state NEW  -j ACCEPT
-A OUTPUT  -s 192.168.1.111  -m state --state NEW  -j ACCEPT
#
# Rule 3 (global)
#
# internet services
#
# The listed tcp ports (including 22, 10000 and 8080) and udp 1194 are open
# to 192.168.1.111 from any source - the "backup ssh" restriction above does
# not limit port 22 once this rule is in place.
:Cid44B13257.0 - [0:0]
-A OUTPUT  -d 192.168.1.111  -m state --state NEW  -j Cid44B13257.0
-A Cid44B13257.0 -p tcp -m tcp  -m multiport  --dports 113,80,443,25,22,10000,8080  -j ACCEPT
-A Cid44B13257.0 -p udp -m udp  --dport 1194  -j ACCEPT
:Cid44B13257.1 - [0:0]
-A INPUT  -d 192.168.1.111  -m state --state NEW  -j Cid44B13257.1
-A Cid44B13257.1 -p tcp -m tcp  -m multiport  --dports 113,80,443,25,22,10000,8080  -j ACCEPT
-A Cid44B13257.1 -p udp -m udp  --dport 1194  -j ACCEPT
#
# Rule 4 (global)
#
# reject and log all other traffic
#
# Anything not accepted above is logged with prefix "RULE 4 -- DENY " and
# then dropped (not rejected: no ICMP error is sent back).
:RULE_4 - [0:0]
-A OUTPUT  -j RULE_4
-A INPUT  -j RULE_4
-A FORWARD  -j RULE_4
-A RULE_4  -j LOG  --log-level alert --log-prefix "RULE 4 -- DENY "
-A RULE_4  -j DROP
#
COMMIT

```

Your problem is at line 16 (`set -x`, the first line after the comment header), and I think it is because iptables-restore can understand only lines like the ones I quoted above. I suggest you configure your firewall as you want and then regenerate the rules-save file with "/etc/init.d/iptables save". Then, if you want to set other parameters such as "/proc/sys/net/ipv4/ip_forward", edit /etc/sysctl.conf.

Bye

----------

## thoughtform

i was using this firewall fine before i upgraded to kernel 2.6.17

i use fwbuilder to make and install my firewall scripts.

i think it must be some setting in fwbuilder that's causing this to break.

does anyone know how to get this working with fwbuilder?

i don't know how to manually set up iptables rules (yet)

thanks

----------

