IPTABLES :bash wrong interpreter : No such file or filename

[BIS]

Hallo,

Having installed iptables on RH7.3 (2.4.x kernel) I decided to give it a try. The default sample script I can start by doing a
/etc/rc.d/init.d/iptables start

and I can see that it calls another script in /etc/sysconfig/iptables

I copied a sample script from the internet just to try it out. I replaced the old /etc/rc.d/init.d/iptables with the new one, but when I try to
/etc/rc.d/init.d/iptables start
I get the error message: Bash: wrong interpreter : no such file or filename. (they do both have the #!/bin/sh line..)

I then tried to use the original /etc/rc.d/init.d/iptables script, and replace the /etc/sysconfig/iptables script with the new one. When I do this the script will not accept variables. Can anybody point me in the right direction here?

 

[BIS]

Never mind. cat -v showed the mistakes, and ":set ff=unix" in vi solved it. I do have problems with the iptable script though, keep getting "Bad argument : ACCEPT" and stuff like that. Would anybody (with a good knowledge of iptables) mind taking a look - I can post it here?

 

[John Lewis]

Post it and we will look. If you have any public ip's listed in your script, block the last three numbers out, ie 130.xxx.xxx.xxx . . . we don't want to tell anyone where your machine is. You obviously don't have a good firewall running yet. Be patient for a response.

 

[BIS]

OK, many thanks.

Sorry for the long post. The following is the iptable script. When I try to do a
/etc/rc.d/init.d/iptables start
I get a whole list of error referring to "Bad argument `110`" or "Bad argument `DROP`" etc...

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

#!/bin/sh

#
# Invoked from /etc/rc.d/init.d/iptables.
# chkconfig: - 60 95
# description: Starts and stops the IPTABLES packet filter # used to provide firewall network services.
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
if [ ${NETWORKING} = "no" ]
then
exit 0
fi
if [ ! -x /sbin/iptables ]; then
exit 0
fi
# See how we were called.
case "$1" in
start)
echo -n "Starting Firewalling: "
# ----------------------------------------------------------------------------
# Some definitions for easy maintenance.
IPADDR=`ifconfig eth0 | fgrep -i inet | cut -d : -f 2 | cut -d \ -f 1`
EXTERNAL_INTERFACE="eth0" # Internet connected interface
LOOPBACK_INTERFACE="lo" # Your local naming convention
PRIMARY_NAMESERVER="x.x.x.x" (I replaced this)# Your Primary Name Server
SECONDARY_NAMESERVER="***.**.**.*" # Your Secondary Name Server
#SYSLOG_CLIENT="***.**.**.*" # Your Syslog Clients IP ranges
LOOPBACK="127.0.0.0/8" # Reserved loopback addr range
CLASS_A="10.0.0.0/8" # Class A private networks
CLASS_B="172.16.0.0/12" # Class B private networks
CLASS_C="192.168.0.0/16" # Class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # Class D multicast addr
CLASS_E_RESERVED_NET="240.0.0.0/5" # Class E reserved addr
BROADCAST_SRC="0.0.0.0" # Broadcast source addr
BROADCAST_DEST="255.255.255.255" # Broadcast destination addr
PRIVPORTS="0:1023" # Privileged port range
UNPRIVPORTS="1024:" # Unprivileged port range
# ----------------------------------------------------------------------------
# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1022:65535" # Port range for local clients
SSH_REMOTE_PORTS="513:65535" # Port range for remote clients
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# ----------------------------------------------------------------------------
# Default policy is DENY
# Explicitly accept desired INCOMING & OUTGOING connections
# Remove all existing rules belonging to this filter
iptables -F
# Remove any existing user-defined chains.
iptables -X
# Set the default policy of the filter to deny.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# ----------------------------------------------------------------------------
# LOOPBACK
# --------
# Unlimited traffic on the loopback interface.
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# ----------------------------------------------------------------------------
# Network Ghouls
# Deny access to jerks
# --------------------
# /etc/rc.d/rc.firewall.blocked contains a list of
# iptables -A INPUT -i $EXTERNAL_INTERFACE -s address -j DROP
# rules to block from any access.
# Refuse any connection from problem sites
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
deny_file="/etc/rc.d/rc.firewall.blocked"
temp_file="/tmp/temp.ip.addresses"
cat $deny_file | sed -n -e "s/^[ ]*\([0-9.]*\).*$/\1/p" | awk ' $1 ' > $temp_file
while read ip_addy
do
case $ip_addy in
*) iptables -A INPUT -i $EXTERNAL_INTERFACE -s $ip_addy -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $ip_addy -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $ip_addy -j REJECT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $ip_addy -j REJECT
;;
esac
done < $temp_file
rm -f $temp_file > /dev/null 2>&1
unset temp_file
unset deny_file
fi
# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse incoming packets pretending to be from the external address.
iptables -A INPUT -s $IPADDR -j DROP
# Refuse incoming packets claiming to be from a Class A, B or C private
network
iptables -A INPUT -s $CLASS_A -j DROP
iptables -A INPUT -s $CLASS_B -j DROP
iptables -A INPUT -s $CLASS_C -j DROP
# Refuse broadcast address SOURCE packets
iptables -A INPUT -s $BROADCAST_DEST -j DROP
iptables -A INPUT -d $BROADCAST_SRC -j DROP
# Refuse Class D multicast addresses
# Multicast is illegal as a source address.
# Multicast uses UDP.
iptables -A INPUT -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses
iptables -A INPUT -s $CLASS_E_RESERVED_NET -j DROP
# Refuse special addresses defined as reserved by the IANA.
# Note: The remaining reserved addresses are not included
# filtering them causes problems as reserved blocks are
# being allocated more often now. The following are based on
# reservations as listed by IANA as of 2001/01/04. Please regularly
# check at

http://www.iana.org/

for the latest status.
# Note: this list includes the loopback, multicast, & reserved addresses.
# 0.*.*.* - Can't be blocked for DHCP users.
# 127.*.*.* - LoopBack
# 169.254.*.* - Link Local Networks
# 192.0.2.* - TEST-NET
# 224-255.*.*.* - Classes D & E, plus unallocated.
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 169.254.0.0/16 -j DROP
iptables -A INPUT -s 192.0.2.0/24 -j DROP
iptables -A INPUT -s 224.0.0.0/3 -j DROP
# ----------------------------------------------------------------------------
# UDP TRACEROUTE
# --------------
# traceroute usually uses -S 32769:65535 -D 33434:33523
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp --source-port $TRACEROUTE_SRC_PORTS -d $IPADDR --destination-port $TRACEROUTE_DEST_PORTS -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s $IPADDR --source-port $TRACEROUTE_SRC_PORTS --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT
# ----------------------------------------------------------------------------
# DNS forward-only nameserver
# ---------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp -s $PRIMARY_NAMESERVER --source-port 53 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s $IPADDR --source-port $UNPRIVPORTS -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn -s $PRIMARY_NAMESERVER --source-port 53 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS -d $PRIMARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp -s $SECONDARY_NAMESERVER --source-port 53 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp -s $IPADDR --source-port $UNPRIVPORTS -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn -s $SECONDARY_NAMESERVER --source-port 53 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS -d $SECONDARY_NAMESERVER --destination-port 53 -j ACCEPT
# ------------------------------------------------------------------
# POP server (110)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port $UNPRIVPORTS -d $IPADDR --destination-port 110 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn -s $IPADDR --source-port 110 --destination-port $UNPRIVPORTS -j ACCEPT
# POP client (110)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 110 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port 110 -j ACCEPT
# ------------------------------------------------------------------
# IMAP server (143)
# -----------------
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp # --source-port $UNPRIVPORTS # -d $IPADDR --destination-port 143 -j ACCEPT
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn # -s $IPADDR --source-port 143 # --destination-port $UNPRIVPORTS -j ACCEPT
# IMAP client (143)
# -----------------
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn # --source-port 143 # -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
# iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp # -s $IPADDR --source-port $UNPRIVPORTS # --destination-port 143 -j ACCEPT
# IMAP server over SSL (993)
# --------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port $UNPRIVPORTS -d $IPADDR --destination-port 993 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn -s $IPADDR --source-port 993 --destination-port $UNPRIVPORTS -j ACCEPT
# IMAP client over SSL (993)
# --------------------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 993 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port 993 -j ACCEPT
# ------------------------------------------------------------------
# SMTP server (25)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port $UNPRIVPORTS -d $IPADDR --destination-port 25 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn -s $IPADDR --source-port 25 --destination-port $UNPRIVPORTS -j ACCEPT
# ------------------------------------------------------------------
# SMTP client (25)
# ----------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn --source-port 25 -d $IPADDR --destination-port $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp -s $IPADDR --source-port $UNPRIVPORTS --destination-port 25 -j ACCEPT
# ------------------------------------------------------------------
# SSH server (22)
# ---------------
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp --source-port $SSH_REMOTE_PORTS -d $IPADDR --destination-port 22 -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp ! --syn -s $IPADDR --source-port 22 --destination-port $SSH_REMOTE_PORTS -j ACCEPT
# ------------------------------------------------------------------
# SYSLOG server (514)
# -------------------
# Provides full remote logging. Using this feature you're able to
# control all syslog messages on one host.
# iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp # -s $SYSLOG_CLIENT --source-port $UNPRIVPORTS # -d $IPADDR --destination-port 514 -j ACCEPT
# ----------------------------------------------------------------------------
# ICMP
# ----
# To prevent denial of service attacks based on ICMP bombs, filter
# incoming Redirect (5) and outgoing Destination Unreachable (3).
# Note, however, disabling Destination Unreachable (3) is not
# advisable, as it is used to negotiate packet fragment size.
# For bi-directional ping.
# Message Types: Echo_Reply (0), Echo_Request (8)
# To prevent attacks, limit the src addresses to your ISP range.
#
# For outgoing traceroute.
# Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11)
# default UDP base: 33434 to base+nhops-1
#
# For incoming traceroute.
# Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11)
# To block this, deny OUTGOING 3 and 11
# 0: echo-reply (pong)
# 3: destination-unreachable, port-unreachable, fragmentation-needed, etc.
# 4: source-quench
# 5: redirect
# 8: echo-request (ping)
# 11: time-exceeded
# 12: parameter-problem
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type echo-reply -d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type destination-unreachable -d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type source-quench -d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type time-exceeded -d $IPADDR -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type parameter-problem -d $IPADDR -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp -s $IPADDR --icmp-type fragmentation-needed -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp -s $IPADDR --icmp-type source-quench -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp -s $IPADDR --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p icmp -s $IPADDR --icmp-type parameter-problem -j ACCEPT
# ----------------------------------------------------------------------------
# Enable logging for selected denied packets
iptables -A INPUT -i $EXTERNAL_INTERFACE -p tcp -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp --destination-port $PRIVPORTS -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp --destination-port $UNPRIVPORTS -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type 5 -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -p icmp --icmp-type 13/255 -j DROP
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -j REJECT
# ----------------------------------------------------------------------------
;;
stop)
echo -n &quot;Shutting Firewalling: &quot;
# Remove all existing rules belonging to this filter
iptables -F
# Delete all user-defined chain to this filter
iptables -X
# Reset the default policy of the filter to accept.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
;;
status)
status iptables
;;
restart|reload)
$0 stop
$0 start
;;
*)
echo &quot;Usage: iptables {start|stop|status|restart|reload}&quot;
exit 1
esac
echo &quot;done&quot;
exit 0

 

[lvennard]

Im betting the path isnt set up when the script runs..
put the path in there.

/sbin/iptables ..........

It runs fine as root, cause your enviroment is set.

 

[John Lewis]

Nope . . . don't think that's it. iptables is firing, the message is bad argument, not 'not found'. And I would hope permissions wouldn't let it run by anyone but root.

Having said that, I've been through the thing several times and don't see anything. Need to comment some stuff out and then turn it back on slowly. While we're at it, I would assign the path to iptables to a variable. Insert a line after '# Some definitions for easy maintenance.' like this

IPTABLES=/usr/bin/iptables

assuming your iptables is in /usr/bin/

then go through the file and change iptables to $IPTABLES

Eventually you will want to move iptables out of your mapped path. When you do so, this change will let you change it one time in your script. If someone does get into your system, you want to make it as hard as possible for them to change your rules. More on that some other time.

Anyway, to troubleshoot this, I would comment out everything between '# LOOPBACK' and the last '# --------------~~'

In case you don't know, the # indicates comments. I would use ## in front of each line that doesn't have one in that range. Makes it easier to see where you are taking them out when you get ready.

After you have all the lines commented out, run the script again. Make sure you run it from the console (or a serial terminal), as your network will die. If you still get the error, the problem is in one of the lines that isn't commented, which I doubt.

Next step would be to take the comments back out, one section at a time. After you take the comments out of a section, run the script again. When you see the error, you have found where the problem is. Post back if you still can't figure it out.

As you are doing this, look at what each section does, they are labeled fairly well. Enable only what you really need. You will have a better firewall, and the error might be in a section you don't need anyway.

On another note, if you want to read up on iptables, see

http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html

Best free explaination I've seen. Hope this helps.

 

[BIS]

mhkwood,
Good advice, thank you. I will let you know how I proceed.

 

[BIS]

OK, I have narrowed it down a bit. I think I will start a new thread as this one has a confusing name...