> Clayton,
>
> Make sure that the line # rc.firewall-2.4-stronger FWVER=0.73s is on
> one line. not 2.
>
> There are an additional line or two where there are uncommented out
> beginnings, make sure that all lines that are commented out are on 1
> line and if not place the # in front of the continuation.
>
> You may want to try /sbin/iptables since all the following commands
> are also /sbin/
>
> BTW I installed the very same script and it runs pretty good, though I
> need to figure out how to run it when I reboot, I still need to run it
> manually.
>
> Good Luck.
>
> FrankM
>
>
>
> On Tue, 2002-09-10 at 15:50, Clayton Stapleton wrote:
> > On Monday 09 September 2002 12:31 pm, Matt Alexander wrote:
> > > Can you post the contents of the script? Do you need to pass anything to
> > > it like "start"?
> >
> > Hi Matt
> > I did not type in anything other that "#!/bin/bash/etc/rc.d/rc.firewall-2.4".
> > The same as when using the simpler firewall "#/etc/rc.d/rc.firewall-2.4".
> > They both start with "#!/bin/sh". So why one says "bad interpretor" and
> > the others works fine I do not know.
> >
> > Thanks
> > Clayton
> >
> > The following is the stronger firewall that is giving problems:
> >
> > #!/bin/sh
> > #
> >
> > # rc.firewall-2.4-stronger
> > FWVER=0.73s
> >
> > # An example of a stronger IPTABLES firewall with IP Masquerade
> > # support for 2.4.x kernels.
> > #
> > # Log:
> > # 0.73s - Added comments in the output section that DHCPd is optional
> > # and changed the default settings to disabled
> > # 0.72s - Changed the filter from the INTNET to the INTIP to be
> > # stateful; moved the command VARs to the top and made the
> > # rest of the script to use them
> > # 0.70s - Added a disabled examples for allowing internal DHCP
> > # and external WWW access to the server
> > # 0.63s - Added support for the IRC module
> > # 0.62s - Initial version based upon the basic 2.4.x rc.firewall
> >
> >
> > echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"
> >
> >
> > # The location of various iptables and other shell programs
> > #
> > # If your Linux distribution came with a copy of iptables, most
> > # likely it is located in /sbin. If you manually compiled
> > # iptables, the default location is in /usr/local/sbin
> > #
> > # ** Please use the "whereis iptables" command to figure out
> > # ** where your copy is and change the path below to reflect
> > # ** your setup
> > #
> > #IPTABLES=/sbin/iptables
> > IPTABLES=/usr/sbin/iptables
> > #
> > LSMOD=/sbin/lsmod
> > DEPMOD=/sbin/depmod
> > INSMOD=/sbin/insmod
> > GREP=/bin/grep
> > AWK=/bin/awk
> > SED=/bin/sed
> > IFCONFIG=/sbin/ifconfig
> >
> > echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"
> > #Setting the EXTERNAL and INTERNAL interfaces for the network
> > #
> > # Each IP Masquerade network needs to have at least one
> > # external and one internal network. The external network
> > # is where the natting will occur and the internal network
> > # should preferably be addressed with a RFC1918 private address
> > # scheme.
> > #
> > # For this example, "eth0" is external and "eth1" is internal"
> > #
> > # NOTE: If this doesnt EXACTLY fit your configuration, you must
> > # change the EXTIF or INTIF variables above. For example:
> > #
> > # EXTIF="ppp0"
> > #
> > # if you are a modem user.
> > #
> > EXTIF="ppp0"
> > INTIF="eth0"
> > echo " External Interface: $EXTIF"
> > echo " Internal Interface: $INTIF"
> > echo " ---"
> >
> > # Specify your Static IP address here or let the script take care of it
> > # for you.
> > #
> > # If you prefer to use STATIC addresses in your firewalls, un-# out the
> > # static example below and # out the dynamic line. If you don't care,
> > # just leave this section alone.
> > #
> > # If you have a DYNAMIC IP address, the ruleset already takes care of
> > # this for you. Please note that the different single and double quote
> > # characters and the script MATTER.
> > #
> > #
> > # DHCP users:
> > # -----------
> > # If you get your TCP/IP address via DHCP, **you will need ** to enable the
> > # #ed out command below underneath the PPP section AND replace the word
> > # "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0,
> > # etc) on the lines for "ppp-ip" and "extip". You should also note that the
> > # DHCP server can and will change IP addresses on you. To deal with this,
> > # users should configure their DHCP client to re-run the rc.firewall ruleset
> > # everytime the DHCP lease is renewed.
> > #
> > # NOTE #1: Some DHCP clients like the original "pump" (the newer
> > # versions have been fixed) did NOT have the ability to run
> > # scripts after a lease-renew. Because of this, you need to
> > # replace it with something like "dhcpcd" or "dhclient".
> > #
> > # NOTE #2: The syntax for "dhcpcd" has changed in recent versions.
> > #
> > # Older versions used syntax like:
> > # dhcpcd -c /etc/rc.d/rc.firewall eth0
> > #
> > # Newer versions execute a file calledecho -e "\nStronger
> > rc.firewall-2.4 $FWVER done.\n" /etc/dhcpc/dhcpcd-eth0.exe
> > #
> > # NOTE #3: For Pump users, put the following line in /etc/pump.conf:
> > #
> > # script /etc/rc.d/rc.firewall
> > #
> > # PPP users:
> > # ----------
> > # If you aren't already aware, the /etc/ppp/ip-up script is always run when
> > # a PPP connection comes up. Because of this, we can make the ruleset go
> > and
> > # get the new PPP IP address and update the strong firewall ruleset.
> > #
> > # If the /etc/ppp/ip-up file already exists, you should edit it and add a
> > line
> > # containing "/etc/rc.d/rc.firewall" near the end of the file.
> > #
> > # If you don't already have a /etc/ppp/ip-up sccript, you need to create the
> > # following link to run the /etc/rc.d/rc.firewall script.
> > #
> > # ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
> > #
> > # * You then want to enable the #ed out shell command below *
> > #
> > #
> > # Determine the external IP automatically:
> > # ----------------------------------------
> > #
> > EXTIP="`$IFCONFIG $EXTIF | $GREP 'inet addr' | $AWK '{print $2}' | \
> > $SED -e 's/.*://'`"
> >
> > # For users who wish to use STATIC IP addresses:
> > #
> > # # out the EXTIP line above and un-# out the EXTIP line below
> > #
> > #EXTIP="your.static.PPP.address"
> > echo " External IP: $EXTIP"
> > echo " ---"
> >
> >
> > # Assign the internal TCP/IP network and IP address
> > INTNET="192.168.0.0/24"
> > INTIP="192.168.0.1/24"
> > echo " Internal Network: $INTNET"
> > echo " Internal IP: $INTIP"
> > echo " ---"
> >
> >
> >
> > # Setting a few other local variables
> > #
> > UNIVERSE="0.0.0.0/0"
> >
> > #======================================================================
> > #== No editing beyond this line is required for initial MASQ testing ==
> >
> > # Need to verify that all modules have all required dependencies
> > #
> > echo " - Verifying that all kernel modules are ok"
> > $DEPMOD -a
> >
> > echo -en " Loading kernel modules: "
> >
> > # With the new IPTABLES code, the core MASQ functionality is now either
> > # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
> > # options as MODULES. If your kernel is compiled correctly, there is
> > # NO need to load the kernel modules manually.
> > #
> > # NOTE: The following items are listed ONLY for informational reasons.
> > # There is no reason to manual load these modules unless your
> > # kernel is either mis-configured or you intentionally disabled
> > # the kernel module autoloader.
> > #
> >
> > # Upon the commands of starting up IP Masq on the server, the
> > # following kernel modules will be automatically loaded:
> > #
> > # NOTE: Only load the IP MASQ modules you need. All current IP MASQ
> > # modules are shown below but are commented out from loading.
> > # ===============================================================
> >
> > #Load the main body of the IPTABLES module - "ip_tables"
> > # - Loaded automatically when the "iptables" command is invoked
> > #
> > # - Loaded manually to clean up kernel auto-loading timing issues
> > #
> > echo -en "ip_tables, "
> > #
> > #Verify the module isn't loaded. If it is, skip it
> > #
> > if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
> > $INSMOD ip_tables
> > fi
> >
> >
> > #Load the IPTABLES filtering module - "iptable_filter"
> > #
> > # - Loaded automatically when filter policies are activated
> >
> >
> > #Load the stateful connection tracking framework - "ip_conntrack"
> > #
> > # The conntrack module in itself does nothing without other specific
> > # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
> > # module
> > #
> > # - This module is loaded automatically when MASQ functionality is
> > # enabled
> > #
> > # - Loaded manually to clean up kernel auto-loading timing issues
> > #
> > echo -en "ip_conntrack, "
> > #
> > #Verify the module isn't loaded. If it is, skip it
> > #
> > if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
> > $INSMOD ip_conntrack
> > fi
> >
> >
> > #Load the FTP tracking mechanism for full FTP tracking
> > #
> > # Enabled by default -- insert a "#" on the next line to deactivate
> > #
> > echo -e "ip_conntrack_ftp, "
> > #
> > #Verify the module isn't loaded. If it is, skip it
> > #
> > if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
> > $INSMOD ip_conntrack_ftp
> > fi
> >
> >
> > #Load the IRC tracking mechanism for full IRC tracking
> > #
> > #
> > # Enabled by default -- insert a "#" on the next line to deactivate
> > #
> > echo -en " ip_conntrack_irc, "
> > #
> > #Verify the module isn't loaded. If it is, skip it
> > #
> > if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
> > $INSMOD ip_conntrack_irc
> > fi
> >
> >
> > #Load the general IPTABLES NAT code - "iptable_nat"
> > # - Loaded automatically when MASQ functionality is turned on
> > #
> > # - Loaded manually to clean up kernel auto-loading timing issues
> > #
> > echo -en "iptable_nat, "
> > #
> > #Verify the module isn't loaded. If it is, skip it
> > #
> > if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
> > $INSMOD iptable_nat
> > fi
> >
> >
> > #Loads the FTP NAT functionality into the core IPTABLES code
> > # Required to support non-PASV FTP.
> > #echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"
> > # Enabled by default -- insert a "#" on the next line to deactivate
> > #
> > echo -e "ip_nat_ftp"
> > #
> > #Verify the module isn't loaded. If it is, skip it
> > #
> > if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
> > $INSMOD ip_nat_ftp
> > fi
> >
> > echo " ---"
> >
> > # Just to be complete, here is a list of the remaining kernel modules
> > # and their function. Please note that several modules should be only
> > # loaded by the correct master kernel module for proper operation.
> > # --------------------------------------------------------------------
> > #
> > # ipt_mark - this target marks a given packet for future action.
> > # This automatically loads the ipt_MARK module
> > #
> > # ipt_tcpmss - this target allows to manipulate the TCP MSS
> > # option for braindead remote firewalls.
> > # This automatically loads the ipt_TCPMSS module
> > #
> > # ipt_limit - this target allows for packets to be limited to
> > # to many hits per sec/min/hr
> > #
> > # ipt_multiport - this match allows for targets within a range
> > # of port numbers vs. listing each port individually
> > #
> > # ipt_state - this match allows to catch packets with various
> > #
> > # ipt_state - this match allows to catch packets with various
> > # IP and TCP flags set/unset
> > #
> > # ipt_unclean - this match allows to catch packets that have invalid
> > # IP/TCP flags set
> > #
> > # iptable_filter - this module allows for packets to be DROPped,
> > # REJECTed, or LOGged. This module automatically
> > # loads the following modules:
> > #
> > # ipt_LOG - this target allows for packets to be
> > # logged
> > #
> > # ipt_REJECT - this target DROPs the packet and returns
> > # a configurable ICMP packet back to the
> > # sender.
> > #
> > # iptable_mangle - this target allows for packets to be manipulated
> > # for things like the TCPMSS option, etc.
> >
> >
> > #CRITICAL: Enable IP forwarding since it is disabled by default since
> > #
> > # Redhat Users: you may try changing the options in
> > # /etc/sysconfig/network from:
> > #
> > # FORWARD_IPV4=false
> > # to
> > # FORWARD_IPV4=true
> > #
> > #
> > echo " Enabling forwarding.."
> > echo "1" > /proc/sys/net/ipv4/ip_forward
> >
> >
> > # Dynamic IP users:echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"
> > #
> > # If you get your IP address dynamically from SLIP, PPP, or DHCP,
> > # enable the following option. This enables dynamic-address hacking
> > # which makes the life with Diald and similar programs much easier.
> > #
> > echo " Enabling DynamicAddr.."
> > echo "1" > /proc/sys/net/ipv4/ip_dynaddr
> >
> > echo " ---"
> >
> > #############################################################################
> > #
> > # Enable Stronger IP forwarding and Masquerading
> > #
> > # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
> > #
> > # NOTE #2: The following is an example for an internal LAN address in the
> > # 192.168.1.x network with a 255.255.255.0 or a "24" bit subnet
> > # mask connecting to the Internet on external interface "eth0".
> > # This example will MASQ internal traffic out to the Internet
> > # but not allow non-initiated traffic into your internal network.
> > #
> > #
> > # ** Please change the above network numbers, subnet mask, and your
> > # *** Internet connection interface name to match your setup
> > #
> >
> > #Clearing any previous configuration
> > #
> > # Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP.
> > #
> > # You CANNOT change this to REJECT as it isn't a vaild setting for a
> > # policy. If you want REJECT, you must explictly REJECT at the end
> > # of a giving INPUT, OUTPUT, or FORWARD chain
> > #
> > echo " Clearing any existing rules and setting default policy to DROP.."
> > $IPTABLES -P INPUT DROP
> > $IPTABLES -F INPUT
> > $IPTABLES -P OUTPUT DROP
> > $IPTABLES -F OUTPUT
> > $IPTABLES -P FORWARD DROP
> > $IPTABLES -F FORWARD
> > $IPTABLES -F -t nat
> >
> > #Not needed and it will only load the unneeded kernel module
> > #$IPTABLES -F -t mangle
> > #
> > # Flush the user chain.. if it exists
> > if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
> > $IPTABLES -F drop-and-log-it
> > fi
> > #
> > # Delete all User-specified chains
> > #
> > # Delete all User-specified chains
> > $IPTABLES -X
> > #
> > # Reset all IPTABLES counters
> > $IPTABLES -Z
> >
> >
> > #Configuring specific CHAINS for later use in the ruleset
> > #
> > # NOTE: Some users prefer to have their firewall silently
> > # "DROP" packets while others prefer to use "REJECT"
> > # to send ICMP error messages back to the remote
> > # machine. The default is "REJECT" but feel free to
> > # change this below.
> > #
> > # NOTE: Without the --log-level set to "info", every single
> > # firewall hit will goto ALL vtys. This is a very big
> > # pain.
> > #
> > echo " Creating a DROP chain.."
> > $IPTABLES -N drop-and-log-it
> > $IPTABLES -A drop-and-log-it -j LOG --log-level info
> > $IPTABLES -A drop-and-log-it -j DROP
> >
> > echo -e "\n - Loading INPUT rulesets"
> >
> >
> > #######################################################################
> > # INPUT: Incoming traffic from various interfaces. All rulesets are
> > # already flushed and set to a default policy of DROP.
> > #
> >
> > # loopback interfaces are valid.
> > #
> > $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> >
> >
> > # local interface, local machines, going anywhere is valid
> > #
> > $IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
> >
> >
> > # remote interface, claiming to be local machines, IP spoofing, get lost
> > #
> > $IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
> >
> >
> > # external interface, from any source, for ICMP traffic is valid
> > #
> > # If you would like your machine to "ping" from the Internet,
> > # enable this next line
> > #
> > #$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
> >
> >
> > # remote interface, any source, going to permanent PPP address is valid
> > #
> > #$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
> >
> >
> > # Allow any related traffic coming back to the MASQ server in
> > #
> > $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
> > ESTABLISHED,RELATED -j ACCEPT
> >
> >
> > # ----- Begin OPTIONAL Section -----
> > #
> >
> > # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
> > #
> > #$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
> > #$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
> >
> > # HTTPd - Enable the following lines if you run an EXTERNAL WWW server
> > #
> > #echo -e " - Allowing EXTERNAL access to the WWW server"
> > #$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
> > #-p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
> >
> > #
> > # ----- End OPTIONAL Section -----
> >
> >
> >
> > # Catch all rule, all other incoming is denied and logged.
> > #
> > $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
> >
> >
> > echo -e " - Loading OUTPUT rulesets"
> >
> > #######################################################################
> > # OUTPUT: Outgoing traffic from various interfaces. All rulesets are
> > # already flushed and set to a default policy of DROP.
> > #
> >
> > # loopback interface is valid.
> > #
> > $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
> >
> >
> > # local interfaces, any source going to local net is valid
> > #
> > $IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
> >
> >
> > # local interface, any source going to local net is valid
> > #
> > $IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
> >
> >
> > # outgoing to local net on remote interface, stuffed routing, deny
> > #
> > $IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
> >
> >
> > # anything else outgoing on remote interface is valid
> > #
> > $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
> >
> >
> > # ----- Begin OPTIONAL Section -----
> > #
> >
> > # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
> > #
> > #$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
> > -d 255.255.255.255 --dport 68 -j ACCEPT
> > #$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
> > -d 255.255.255.255 --dport 68 -j ACCEPT
> >
> > #echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"
> > # ----- End OPTIONAL Section -----
> >
> > # Catch all rule, all other outgoing is denied and logged.
> > #
> > $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
> >
> >
> > echo -e " - Loading FORWARD rulesets"
> >
> > #######################################################################
> > # FORWARD: Enable Forwarding and thus IPMASQ
> > #
> > #
> >
> > echo " - FWD: Allow all connections OUT and only existing/related IN"
> > $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED
> > \
> > -j ACCEPT
> > $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
> >
> > # Catch all rule, all other forwarding is denied and logged.
> > #
> > $IPTABLES -A FORWARD -j drop-and-log-it
> >
> >
> > echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
> > #
> > #More liberal form
> > #$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> > #
> > #Stricter form
> > $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
> >
> >
> > #######################################################################
> > echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change you mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
> >
>
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
(text/plain)