* can't load the script
From: Gary Lee @ 2003-01-09  4:22 UTC (permalink / raw)
  To: Netfilter


Hi all,
 
I have a problem with my script. Every time I try to run it, the system says
"command not found". What's wrong? How can I check that I have all components
installed for netfilter? Here is my script:
 
#!/bin/sh
#
# rc.firewall-2.4-stronger
#
 

echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"
 

#IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables
#
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig
 
#
EXTIF="eth0"
INTIF="eth1"
echo "  External Interface:  $EXTIF"
echo "  Internal Interface:  $INTIF"
echo "  ---"
 

#
#EXTIP="`$IFCONFIG $EXTIF | $AWK \
 #/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
 

#  STATIC IP addresses:
#
#  # out the EXTIP line above and un-# out the EXTIP line below
#
EXTIP="218.x.x.x"
echo "  External IP: $EXTIP"
echo "  ---"
 

# Assign the internal TCP/IP network and IP address
INTNET="10.126.0.0/24"
INTIP="10.126.0.63/24"
echo "  Internal Network: $INTNET"
echo "  Internal IP:      $INTIP"
echo "  ---"
 
# Setting a few other local variables
#
UNIVERSE="0.0.0.0/0"
 
# Some Servers
MAIL="203.x.x.x"
DNS1="210.x.x.x"
DNS2="210.x.x.x"
DNS3="218.x.x.x"
SERVER1="203.x.x.x"
 
# ports
UPORTS="1024:65535"
 

#======================================================================
 
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a
 
echo -en "    Loading kernel modules: "
 
# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
# options as MODULES.  If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.  
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_tables | $AWK '{print $1}' `" ]; then
   $INSMOD ip_tables
fi
 

#Load the IPTABLES filtering module - "iptable_filter" 
#
#  - Loaded automatically when filter policies are activated
 

#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
#
#
#
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK '{print $1}' `" ]; then
   $INSMOD ip_conntrack
fi
 

#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_conntrack_ftp, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK '{print $1}' `" ]; then
   $INSMOD ip_conntrack_ftp
fi
 

#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "                             ip_conntrack_irc, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK '{print $1}' `" ]; then
   $INSMOD ip_conntrack_irc
fi
 

#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
# 
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK '{print $1}' `" ]; then
   $INSMOD iptable_nat
fi
 

#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_nat_ftp"
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK '{print $1}' `" ]; then
   $INSMOD ip_nat_ftp
fi
 
echo "  ---"
 
 
 
#  Enable IP forwarding
#
#
echo "  Enabling forwarding.."
echo 1 > /proc/sys/net/ipv4/ip_forward
 
 
 
############################################################################
#
#
# Enable Stronger IP forwarding and Masquerading
#
 
#Clearing any previous configuration
#
 
echo "  Clearing any existing rules and setting default policy to DROP.."
iptables -P INPUT DROP  
iptables -F INPUT 
iptables -P OUTPUT DROP  
iptables -F OUTPUT 
iptables -P FORWARD DROP  
iptables -F FORWARD 
iptables -F -t nat
 
#Not needed and it will only load the unneeded kernel module
#iptables -F -t mangle
#
# Flush the user chain.. if it exists
if [ -n "`iptables -L | $GREP drop-and-log-it`" ]; then
   iptables -F drop-and-log-it
fi
#
# Delete all User-specified chains
iptables -X
#
# Reset all IPTABLES counters
iptables -Z
 

#Configuring specific CHAINS for later use in the ruleset
#
 
echo "  Creating a DROP chain.."
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info 
iptables -A drop-and-log-it -j DROP
 
echo -e "\n   - Loading INPUT rulesets"
 

#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are 
#        already flushed and set to a default policy of DROP. 
#
 
# loopback interfaces are valid.
#
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
 

# local interface, local machines, going anywhere is valid
#
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
 

# remote interface, claiming to be local machines, IP spoofing, get lost
#
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
 

# external interface, from any source, for ICMP traffic is valid
#
#  If you would like your machine to "ping" from the Internet, 
#  enable this next line
#
#iptables -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
 

# remote interface, any source, going to permanent PPP address is valid
#
#iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
 

# Allow any related traffic coming back to the MASQ server in
#
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT
 
# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
#echo -e "      - Allowing EXTERNAL access to the WWW server"
iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
 
# SSH - Enable the SSH connection
# (a space after the trailing backslash breaks the line continuation and makes
#  the shell try to run "-p" as a command)
iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $EXTIP --dport 22 -j ACCEPT
 
# VNC connection
iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $EXTIP --dport 5900 -j ACCEPT
 
# DNS 
iptables -A INPUT -i $EXTIF -m state --state NEW -p udp -s $DNS1 --sport 53 \
 -d $EXTIP --dport 53 -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW -p tcp ! --syn -s $DNS1 \
 --sport 53 -d $EXTIP --dport 53 -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW -p udp -s $DNS2 --sport 53 \
 -d $EXTIP --dport 53 -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW -p tcp ! --syn -s $DNS2 \
 --sport 53 -d $EXTIP --dport 53 -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW -p udp -s $DNS3 --sport 53 \
 -d $EXTIP --dport 53 -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW -p tcp ! --syn -s $DNS3 \
 --sport 53 -d $EXTIP --dport 53 -j ACCEPT
 
# SUNRPC
iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $SERVER1 -d $EXTIP --dport 111 -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
 -p udp -s $SERVER1 -d $EXTIP --dport 111 -j ACCEPT
 
#
# ----- End OPTIONAL Section -----
 
 
 
# Catch all rule, all other incoming is denied and logged. 
#
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
 

echo -e "   - Loading OUTPUT rulesets"
 
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are 
#         already flushed and set to a default policy of DROP. 
#
 
# loopback interface is valid.
#
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
 

# local interfaces, any source going to local net is valid
#
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
 

# local interface, any source going to local net is valid
#
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
 

# outgoing to local net on remote interface, stuffed routing, deny
#
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
 

# anything else outgoing on remote interface is valid
#
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
 

# ----- Begin OPTIONAL Section -----
#
 
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#         - Remove the #s from all of the lines below if you need this functionality.
#
#iptables -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
# -d 255.255.255.255 --dport 68 -j ACCEPT
#iptables -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
# -d 255.255.255.255 --dport 68 -j ACCEPT
 
# HTTP
iptables -A OUTPUT -o $EXTIF -m state --state NEW -p tcp -s $EXTIP \
 --sport $UPORTS --dport 80 -j ACCEPT
 
# DNS
iptables -A OUTPUT -o $EXTIF -p udp -s $EXTIP --sport $UPORTS -d $DNS1 \
 --dport 53 -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p udp -s $EXTIP --sport $UPORTS -d $DNS2 \
 --dport 53 -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --sport $UPORTS -d $DNS1 \
 --dport 53 -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --sport $UPORTS -d $DNS2 \
 --dport 53 -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p udp -s $EXTIP --sport $UPORTS -d $DNS3 \
 --dport 53 -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --sport $UPORTS -d $DNS3 \
 --dport 53 -j ACCEPT
 
# VNC
iptables -A OUTPUT -o $EXTIF -m state --state NEW -p tcp -s $EXTIP \
 --sport $UPORTS --dport 5900 -j ACCEPT
 
# SUNRPC
iptables -A OUTPUT -o $EXTIF -p tcp -s $EXTIP -d $UNIVERSE --dport 111 -j ACCEPT
iptables -A OUTPUT -o $EXTIF -p udp -s $EXTIP -d $UNIVERSE --dport 111 -j ACCEPT
 
#
# ----- End OPTIONAL Section -----
 
# Catch all rule, all other outgoing is denied and logged. 
#
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
 

echo -e "   - Loading FORWARD rulesets"
 
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#
 
echo "     - FWD: Allow all connections OUT and only existing/related IN"
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
 
# Catch all rule, all other forwarding is denied and logged. 
#
iptables -A FORWARD -j drop-and-log-it
 

echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#More liberal form
#iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
 

#######################################################################
 

echo -e "\nDone.\n"
 
 
 
Best regards,
Gary Lee
 
 


* Re: can't load the script
From: Dharmendra.T @ 2003-01-09  5:17 UTC (permalink / raw)
  To: Gary Lee; +Cc: Netfilter

Check:
# which iptables
If not found:
# find / -name iptables

It should say where your iptables executable is. If you found the
executable, change the path in the script to the one you found. Else
install iptables.


-- 
Dharmendra.T
Linux Enthu




* Re: can't load the script
From: Arnt Karlsen @ 2003-01-09 13:56 UTC (permalink / raw)
  To: netfilter

On Thu, 9 Jan 2003 12:22:17 +0800, 
"Gary Lee" <gary@leahander.com> wrote in message 
<003401c2b796$b27ae0d0$4900a8c0@knitting.leahander.com>:

> I got the problem with my script.......every time I try to run my
> script, the system will say command not found.....what's wrong?....How
> can I check that I have all components installed for
> netfilter??....Here is my script

..you of course start it like: './$script.name' or
'/full/path/to/script.name'?  "." and "/" _rules_. ;-)

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.
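A pre-flight check that covers both replies above (Dharmendra's "which iptables" and Arnt's "./script"), added here as an example and not part of the thread; the function names diagnose_script and locate_tool are my own.

```shell
#!/bin/sh
# Added example (not from the thread): explain a "command not found" on a
# firewall script. diagnose_script FILE prints one line per likely cause and
# returns 0 only when nothing looks wrong.
diagnose_script() {
    script=$1
    rc=0
    case $script in
        */*) ;;                      # given with a path: fine
        *)   echo "no slash in name: run it as ./$script or with its full path"
             rc=1 ;;
    esac
    [ -f "$script" ] || { echo "file not found: $script"; return 1; }
    [ -x "$script" ] || { echo "not executable: chmod +x $script"; rc=1; }
    # The interpreter on the #! line must exist, or exec fails and the shell
    # reports it as "command not found" / "bad interpreter".
    interp=$(sed -n '1s/^#![ ]*\([^ ]*\).*/\1/p' "$script" | tr -d '\r')
    if [ -n "$interp" ] && [ ! -x "$interp" ]; then
        echo "interpreter $interp missing"; rc=1
    fi
    # A CRLF ending on the #! line (file edited on Windows) makes the kernel
    # look for "/bin/sh<CR>", which does not exist.
    if head -n 1 "$script" | grep -q "$(printf '\r')"; then
        echo "CRLF line endings: run dos2unix on $script"; rc=1
    fi
    return $rc
}

# locate_tool NAME [DIR...]: find an executable by name, searching $PATH first
# and then the extra directories given (the posted script hard-codes /sbin and
# /bin, which a non-root PATH may not cover). Prints the path found.
locate_tool() {
    name=$1; shift
    p=$(command -v "$name" 2>/dev/null) && { echo "$p"; return 0; }
    for d in "$@"; do
        [ -x "$d/$name" ] && { echo "$d/$name"; return 0; }
    done
    echo "$name not found; install it or fix the path in the script" >&2
    return 1
}
```

Typical use on the box from the thread: `diagnose_script rc.firewall-2.4-stronger` and `locate_tool iptables /sbin /usr/sbin /usr/local/sbin`.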





* RE: can't load the script
From: Amit Kumar Gupta @ 2003-01-09  6:39 UTC (permalink / raw)
  To: Amit Kumar Gupta; +Cc: Netfilter



Hi All,

I am getting a problem with connection tracking.

As soon as I execute a program (having iptables rules),
it keeps printing the following message on the screen:

Ip_contrack: maximum limit of 1016 entries exceeded.

And the speed becomes damn slow.

Can anybody suggest what is happening?

Thanks & Regards,

Amit Kumar Gupta.
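Added example, not from the thread: a way to see what is filling the conntrack table when the kernel prints that message. It assumes the 2.4 layout (/proc/net/ip_conntrack for the entries, /proc/sys/net/ipv4/ip_conntrack_max for the limit) and runs on a constructed sample table; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a 2.4 ip_conntrack table by
# TCP state, flagging entries the other side never answered ([UNREPLIED]).
# A table dominated by SYN_SENT/UNREPLIED points at half-open connections
# (scan, flood or unreachable peers) rather than at legitimate load.

# conntrack_summary FILE -> "STATE COUNT" lines, most common first;
# UDP entries carry no TCP state and are reported as UDP.
conntrack_summary() {
    awk '{ state = ($1 == "tcp") ? $4 : toupper($1)
           if ($0 ~ /\[UNREPLIED\]/) state = state "/UNREPLIED"
           n[state]++ }
         END { for (s in n) print s, n[s] }' "$1" | sort -k2,2nr
}

# conntrack_pct COUNT MAX -> table usage in percent (integer)
conntrack_pct() { echo $(( $1 * 100 / $2 )); }

# Constructed sample in /proc/net/ip_conntrack format (not captured from a real host)
SAMPLE=$(cat <<'EOF'
tcp      6 431999 ESTABLISHED src=10.126.0.5 dst=198.51.100.10 sport=1100 dport=80 src=198.51.100.10 dst=192.0.2.1 sport=80 dport=1100 [ASSURED] use=1
tcp      6 118 SYN_SENT src=10.126.0.7 dst=198.51.100.20 sport=2001 dport=25 [UNREPLIED] src=198.51.100.20 dst=192.0.2.1 sport=25 dport=2001 use=1
tcp      6 118 SYN_SENT src=10.126.0.7 dst=198.51.100.21 sport=2002 dport=25 [UNREPLIED] src=198.51.100.21 dst=192.0.2.1 sport=25 dport=2002 use=1
udp      17 29 src=10.126.0.5 dst=203.0.113.53 sport=1500 dport=53 src=203.0.113.53 dst=192.0.2.1 sport=53 dport=1500 use=1
udp      17 29 src=10.126.0.9 dst=203.0.113.53 sport=1501 dport=53 [UNREPLIED] src=203.0.113.53 dst=192.0.2.1 sport=53 dport=1501 use=1
EOF
)

# Run against the sample so the block is self-contained; on a real 2.4 host
# pass /proc/net/ip_conntrack and read the limit from ip_conntrack_max.
demo() {
    tmp=$(mktemp); printf '%s\n' "$SAMPLE" > "$tmp"
    conntrack_summary "$tmp"
    echo "usage: $(conntrack_pct "$(wc -l < "$tmp")" 1016)% of 1016 entries"
    rm -f "$tmp"
}
demo
```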

