did you check 'whereis iptables' ? is it really in /usr/sbin? Why not try ./rc.firewall-2.4 > /tmp/output.txt 2>&1 and insert the results of /tmp/output.txt in the next email so we can see what happened? Craig On Tue, 2002-09-10 at 08:50, Clayton Stapleton wrote: > On Monday 09 September 2002 12:31 pm, Matt Alexander wrote: > > Can you post the contents of the script? Do you need to pass anything to > > it like "start"? > > Hi Matt > I did not type in anything other that "#!/bin/bash/etc/rc.d/rc.firewall-2.4". > The same as when using the simpler firewall "#/etc/rc.d/rc.firewall-2.4". > They both start with "#!/bin/sh". So why one says "bad interpretor" and > the others works fine I do not know. > > Thanks > Clayton > > The following is the stronger firewall that is giving problems: > > #!/bin/sh > # > > # rc.firewall-2.4-stronger > FWVER=0.73s > > # An example of a stronger IPTABLES firewall with IP Masquerade > # support for 2.4.x kernels. > # > # Log: > # 0.73s - Added comments in the output section that DHCPd is optional > # and changed the default settings to disabled > # 0.72s - Changed the filter from the INTNET to the INTIP to be > # stateful; moved the command VARs to the top and made the > # rest of the script to use them > # 0.70s - Added a disabled examples for allowing internal DHCP > # and external WWW access to the server > # 0.63s - Added support for the IRC module > # 0.62s - Initial version based upon the basic 2.4.x rc.firewall > > > echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n" > > > # The location of various iptables and other shell programs > # > # If your Linux distribution came with a copy of iptables, most > # likely it is located in /sbin. If you manually compiled > # iptables, the default location is in /usr/local/sbin > # > # ** Please use the "whereis iptables" command to figure out > # ** where your copy is and change the path below to reflect > # ** your setup > # > #IPTABLES=/sbin/iptables > IPTABLES=/usr/sbin/iptables > # > LSMOD=/sbin/lsmod > DEPMOD=/sbin/depmod > INSMOD=/sbin/insmod > GREP=/bin/grep > AWK=/bin/awk > SED=/bin/sed > IFCONFIG=/sbin/ifconfig > > echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n" > #Setting the EXTERNAL and INTERNAL interfaces for the network > # > # Each IP Masquerade network needs to have at least one > # external and one internal network. The external network > # is where the natting will occur and the internal network > # should preferably be addressed with a RFC1918 private address > # scheme. > # > # For this example, "eth0" is external and "eth1" is internal" > # > # NOTE: If this doesnt EXACTLY fit your configuration, you must > # change the EXTIF or INTIF variables above. For example: > # > # EXTIF="ppp0" > # > # if you are a modem user. > # > EXTIF="ppp0" > INTIF="eth0" > echo " External Interface: $EXTIF" > echo " Internal Interface: $INTIF" > echo " ---" > > # Specify your Static IP address here or let the script take care of it > # for you. > # > # If you prefer to use STATIC addresses in your firewalls, un-# out the > # static example below and # out the dynamic line. If you don't care, > # just leave this section alone. > # > # If you have a DYNAMIC IP address, the ruleset already takes care of > # this for you. Please note that the different single and double quote > # characters and the script MATTER. > # > # > # DHCP users: > # ----------- > # If you get your TCP/IP address via DHCP, **you will need ** to enable the > # #ed out command below underneath the PPP section AND replace the word > # "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0, > # etc) on the lines for "ppp-ip" and "extip". You should also note that the > # DHCP server can and will change IP addresses on you. To deal with this, > # users should configure their DHCP client to re-run the rc.firewall ruleset > # everytime the DHCP lease is renewed. > # > # NOTE #1: Some DHCP clients like the original "pump" (the newer > # versions have been fixed) did NOT have the ability to run > # scripts after a lease-renew. Because of this, you need to > # replace it with something like "dhcpcd" or "dhclient". > # > # NOTE #2: The syntax for "dhcpcd" has changed in recent versions. > # > # Older versions used syntax like: > # dhcpcd -c /etc/rc.d/rc.firewall eth0 > # > # Newer versions execute a file calledecho -e "\nStronger > rc.firewall-2.4 $FWVER done.\n" /etc/dhcpc/dhcpcd-eth0.exe > # > # NOTE #3: For Pump users, put the following line in /etc/pump.conf: > # > # script /etc/rc.d/rc.firewall > # > # PPP users: > # ---------- > # If you aren't already aware, the /etc/ppp/ip-up script is always run when > # a PPP connection comes up. Because of this, we can make the ruleset go > and > # get the new PPP IP address and update the strong firewall ruleset. > # > # If the /etc/ppp/ip-up file already exists, you should edit it and add a > line > # containing "/etc/rc.d/rc.firewall" near the end of the file. > # > # If you don't already have a /etc/ppp/ip-up sccript, you need to create the > # following link to run the /etc/rc.d/rc.firewall script. > # > # ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up > # > # * You then want to enable the #ed out shell command below * > # > # > # Determine the external IP automatically: > # ---------------------------------------- > # > EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | \ > $SED -e 's/.*://'`" > > # For users who wish to use STATIC IP addresses: > # > # # out the EXTIP line above and un-# out the EXTIP line below > # > #EXTIP="your.static.PPP.address" > echo " External IP: $EXTIP" > echo " ---" > > > # Assign the internal TCP/IP network and IP address > INTNET="192.168.0.0/24" > INTIP="192.168.0.1/24" > echo " Internal Network: $INTNET" > echo " Internal IP: $INTIP" > echo " ---" > > > > # Setting a few other local variables > # > UNIVERSE="0.0.0.0/0" > > #====================================================================== > #== No editing beyond this line is required for initial MASQ testing == > > # Need to verify that all modules have all required dependencies > # > echo " - Verifying that all kernel modules are ok" > $DEPMOD -a > > echo -en " Loading kernel modules: " > > # With the new IPTABLES code, the core MASQ functionality is now either > # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES > # options as MODULES. If your kernel is compiled correctly, there is > # NO need to load the kernel modules manually. > # > # NOTE: The following items are listed ONLY for informational reasons. > # There is no reason to manual load these modules unless your > # kernel is either mis-configured or you intentionally disabled > # the kernel module autoloader. > # > > # Upon the commands of starting up IP Masq on the server, the > # following kernel modules will be automatically loaded: > # > # NOTE: Only load the IP MASQ modules you need. All current IP MASQ > # modules are shown below but are commented out from loading. > # =============================================================== > > #Load the main body of the IPTABLES module - "ip_tables" > # - Loaded automatically when the "iptables" command is invoked > # > # - Loaded manually to clean up kernel auto-loading timing issues > # > echo -en "ip_tables, " > # > #Verify the module isn't loaded. If it is, skip it > # > if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then > $INSMOD ip_tables > fi > > > #Load the IPTABLES filtering module - "iptable_filter" > # > # - Loaded automatically when filter policies are activated > > > #Load the stateful connection tracking framework - "ip_conntrack" > # > # The conntrack module in itself does nothing without other specific > # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp" > # module > # > # - This module is loaded automatically when MASQ functionality is > # enabled > # > # - Loaded manually to clean up kernel auto-loading timing issues > # > echo -en "ip_conntrack, " > # > #Verify the module isn't loaded. If it is, skip it > # > if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then > $INSMOD ip_conntrack > fi > > > #Load the FTP tracking mechanism for full FTP tracking > # > # Enabled by default -- insert a "#" on the next line to deactivate > # > echo -e "ip_conntrack_ftp, " > # > #Verify the module isn't loaded. If it is, skip it > # > if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then > $INSMOD ip_conntrack_ftp > fi > > > #Load the IRC tracking mechanism for full IRC tracking > # > # > # Enabled by default -- insert a "#" on the next line to deactivate > # > echo -en " ip_conntrack_irc, " > # > #Verify the module isn't loaded. If it is, skip it > # > if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then > $INSMOD ip_conntrack_irc > fi > > > #Load the general IPTABLES NAT code - "iptable_nat" > # - Loaded automatically when MASQ functionality is turned on > # > # - Loaded manually to clean up kernel auto-loading timing issues > # > echo -en "iptable_nat, " > # > #Verify the module isn't loaded. If it is, skip it > # > if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then > $INSMOD iptable_nat > fi > > > #Loads the FTP NAT functionality into the core IPTABLES code > # Required to support non-PASV FTP. > #echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n" > # Enabled by default -- insert a "#" on the next line to deactivate > # > echo -e "ip_nat_ftp" > # > #Verify the module isn't loaded. If it is, skip it > # > if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then > $INSMOD ip_nat_ftp > fi > > echo " ---" > > # Just to be complete, here is a list of the remaining kernel modules > # and their function. Please note that several modules should be only > # loaded by the correct master kernel module for proper operation. > # -------------------------------------------------------------------- > # > # ipt_mark - this target marks a given packet for future action. > # This automatically loads the ipt_MARK module > # > # ipt_tcpmss - this target allows to manipulate the TCP MSS > # option for braindead remote firewalls. > # This automatically loads the ipt_TCPMSS module > # > # ipt_limit - this target allows for packets to be limited to > # to many hits per sec/min/hr > # > # ipt_multiport - this match allows for targets within a range > # of port numbers vs. listing each port individually > # > # ipt_state - this match allows to catch packets with various > # > # ipt_state - this match allows to catch packets with various > # IP and TCP flags set/unset > # > # ipt_unclean - this match allows to catch packets that have invalid > # IP/TCP flags set > # > # iptable_filter - this module allows for packets to be DROPped, > # REJECTed, or LOGged. This module automatically > # loads the following modules: > # > # ipt_LOG - this target allows for packets to be > # logged > # > # ipt_REJECT - this target DROPs the packet and returns > # a configurable ICMP packet back to the > # sender. > # > # iptable_mangle - this target allows for packets to be manipulated > # for things like the TCPMSS option, etc. > > > #CRITICAL: Enable IP forwarding since it is disabled by default since > # > # Redhat Users: you may try changing the options in > # /etc/sysconfig/network from: > # > # FORWARD_IPV4=false > # to > # FORWARD_IPV4=true > # > # > echo " Enabling forwarding.." > echo "1" > /proc/sys/net/ipv4/ip_forward > > > # Dynamic IP users:echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n" > # > # If you get your IP address dynamically from SLIP, PPP, or DHCP, > # enable the following option. This enables dynamic-address hacking > # which makes the life with Diald and similar programs much easier. > # > echo " Enabling DynamicAddr.." > echo "1" > /proc/sys/net/ipv4/ip_dynaddr > > echo " ---" > > ############################################################################# > # > # Enable Stronger IP forwarding and Masquerading > # > # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT. > # > # NOTE #2: The following is an example for an internal LAN address in the > # 192.168.1.x network with a 255.255.255.0 or a "24" bit subnet > # mask connecting to the Internet on external interface "eth0". > # This example will MASQ internal traffic out to the Internet > # but not allow non-initiated traffic into your internal network. > # > # > # ** Please change the above network numbers, subnet mask, and your > # *** Internet connection interface name to match your setup > # > > #Clearing any previous configuration > # > # Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP. > # > # You CANNOT change this to REJECT as it isn't a vaild setting for a > # policy. If you want REJECT, you must explictly REJECT at the end > # of a giving INPUT, OUTPUT, or FORWARD chain > # > echo " Clearing any existing rules and setting default policy to DROP.." > $IPTABLES -P INPUT DROP > $IPTABLES -F INPUT > $IPTABLES -P OUTPUT DROP > $IPTABLES -F OUTPUT > $IPTABLES -P FORWARD DROP > $IPTABLES -F FORWARD > $IPTABLES -F -t nat > > #Not needed and it will only load the unneeded kernel module > #$IPTABLES -F -t mangle > # > # Flush the user chain.. if it exists > if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then > $IPTABLES -F drop-and-log-it > fi > # > # Delete all User-specified chains > # > # Delete all User-specified chains > $IPTABLES -X > # > # Reset all IPTABLES counters > $IPTABLES -Z > > > #Configuring specific CHAINS for later use in the ruleset > # > # NOTE: Some users prefer to have their firewall silently > # "DROP" packets while others prefer to use "REJECT" > # to send ICMP error messages back to the remote > # machine. The default is "REJECT" but feel free to > # change this below. > # > # NOTE: Without the --log-level set to "info", every single > # firewall hit will goto ALL vtys. This is a very big > # pain. > # > echo " Creating a DROP chain.." > $IPTABLES -N drop-and-log-it > $IPTABLES -A drop-and-log-it -j LOG --log-level info > $IPTABLES -A drop-and-log-it -j DROP > > echo -e "\n - Loading INPUT rulesets" > > > ####################################################################### > # INPUT: Incoming traffic from various interfaces. All rulesets are > # already flushed and set to a default policy of DROP. > # > > # loopback interfaces are valid. > # > $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT > > > # local interface, local machines, going anywhere is valid > # > $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT > > > # remote interface, claiming to be local machines, IP spoofing, get lost > # > $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it > > > # external interface, from any source, for ICMP traffic is valid > # > # If you would like your machine to "ping" from the Internet, > # enable this next line > # > #$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT > > > # remote interface, any source, going to permanent PPP address is valid > # > #$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT > > > # Allow any related traffic coming back to the MASQ server in > # > $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \ > ESTABLISHED,RELATED -j ACCEPT > > > # ----- Begin OPTIONAL Section ----- > # > > # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server > # > #$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT > #$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT > > # HTTPd - Enable the following lines if you run an EXTERNAL WWW server > # > #echo -e " - Allowing EXTERNAL access to the WWW server" > #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \ > #-p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT > > # > # ----- End OPTIONAL Section ----- > > > > # Catch all rule, all other incoming is denied and logged. > # > $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it > > > echo -e " - Loading OUTPUT rulesets" > > ####################################################################### > # OUTPUT: Outgoing traffic from various interfaces. All rulesets are > # already flushed and set to a default policy of DROP. > # > > # loopback interface is valid. > # > $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT > > > # local interfaces, any source going to local net is valid > # > $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT > > > # local interface, any source going to local net is valid > # > $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT > > > # outgoing to local net on remote interface, stuffed routing, deny > # > $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it > > > # anything else outgoing on remote interface is valid > # > $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT > > > # ----- Begin OPTIONAL Section ----- > # > > # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server > # > #$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \ > -d 255.255.255.255 --dport 68 -j ACCEPT > #$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \ > -d 255.255.255.255 --dport 68 -j ACCEPT > > #echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n" > # ----- End OPTIONAL Section ----- > > # Catch all rule, all other outgoing is denied and logged. > # > $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it > > > echo -e " - Loading FORWARD rulesets" > > ####################################################################### > # FORWARD: Enable Forwarding and thus IPMASQ > # > # > > echo " - FWD: Allow all connections OUT and only existing/related IN" > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED > \ > -j ACCEPT > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT > > # Catch all rule, all other forwarding is denied and logged. > # > $IPTABLES -A FORWARD -j drop-and-log-it > > > echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF" > # > #More liberal form > #$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE > # > #Stricter form > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP > > > ####################################################################### > echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n" > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us > To subscribe, unsubscribe, or to change you mail settings: > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss