
running commands in scripts


Zelandakh

MIS
Mar 12, 1999
12,173
GB
If I try to run ipchains logged on as me

[username@linux username]$

I get an error that I don't have permission.

If I run it as root

[root@linux username]#

I get the command not found error (path problem?)


When I am on as root I can type each line from the script manually and everything works fine, but in a script it fails when I type

. scriptname

with loads of errors.

What is my obvious mistake and how do I cure it?
 
Having manually typed in my old script line by line so my users get access to email and the Net, things are seemingly working. I can now get to the new script but first I want to be sure I am not compromised. Here is my ps a l x w list:

FLAGS UID PID PPID PRI NI SIZE RSS WCHAN STA TTY TIME COMMAND
100 0 1 0 0 0 1096 472 do_select S ? 0:04 init [5]
40 0 2 1 0 0 0 0 bdflush SW ? 0:00 (kflushd)
840 0 3 1 0 0 0 0 kpiod SW ? 0:00 (kpiod)
840 0 4 1 0 0 0 0 kswapd SW ? 0:00 (kswapd)
40 0 5 1 -20 -20 0 0 md_thread SW< ? 0:00 (mdrecoveryd)
140 1 316 1 0 0 1088 436 do_select S ? 0:00 portmap
40 0 339 1 0 0 1272 620 do_select S ? 0:00 syslogd -m 0
140 0 350 1 0 0 1380 748 do_syslog S ? 0:00 klogd
40 0 378 1 0 0 1284 588 nanosleep S ? 0:00 crond
140 0 406 1 0 0 1788 1064 do_select S ? 0:00 /usr/sbin/snmpd
40 0 420 1 4 0 2524 1256 do_select S ? 0:05 named
140 0 434 1 0 0 1252 584 do_select S ? 0:00 routed
140 0 448 1 0 0 1284 556 do_select S ? 0:00 lpd
140 0 476 1 0 0 1124 468 do_select S ? 0:00 gpm -t ps/2
140 0 490 1 15 0 2384 1252 do_select S ? 0:00 httpd
140 0 514 1 0 0 2208 852 do_select S ? 0:00 smbd -D
140 0 525 1 0 0 1856 904 do_select S ? 0:01 nmbd -D
100 0 544 1 0 0 1060 380 read_chan S 2 0:00 /sbin/mingetty tty2
100 0 545 1 0 0 1060 380 read_chan S 3 0:00 /sbin/mingetty tty3
100 0 546 1 0 0 1060 380 read_chan S 4 0:00 /sbin/mingetty tty4
100 0 547 1 0 0 1060 380 read_chan S 5 0:00 /sbin/mingetty tty5
100 0 548 1 0 0 1060 380 read_chan S 6 0:00 /sbin/mingetty tty6
100 0 549 1 0 0 5356 2240 do_select S ? 0:00 /etc/X11/prefdm -nodaemon
140 0 551 1 0 0 1052 276 nanosleep S ? 0:01 update (bdflush)
100 0 1937 1 0 0 1060 380 read_chan S 1 0:00 /sbin/mingetty tty1
140 99 9123 490 16 0 2720 1620 posix_lock_ S ? 0:00 httpd
140 99 9144 490 16 0 2724 1612 posix_lock_ S ? 0:00 httpd
140 99 9150 490 12 0 2716 1604 do_select S ? 0:00 httpd
140 99 9216 490 16 0 2700 1596 posix_lock_ S ? 0:00 httpd
140 99 9529 490 12 0 2696 1592 do_select S ? 0:00 httpd
140 99 9540 490 16 0 2696 1592 do_select S ? 0:00 httpd
140 99 9541 490 12 0 2704 1600 tcp_recvmsg S ? 0:00 httpd
140 99 9546 490 16 0 2696 1592 do_select S ? 0:00 httpd
140 99 9548 490 13 0 2704 1600 posix_lock_ S ? 0:00 httpd
140 99 9549 490 12 0 2708 1600 do_select S ? 0:00 httpd
140 99 10127 490 12 0 2684 1580 wait_for_co S ? 0:00 httpd
140 99 10634 490 0 0 2604 1464 tcp_recvmsg S ? 0:00 httpd
140 99 10781 490 16 0 2684 1580 posix_lock_ S ? 0:00 httpd
140 99 10802 490 17 0 2684 1580 do_select S ? 0:00 httpd
140 99 10803 490 16 0 2684 1580 posix_lock_ S ? 0:00 httpd
140 99 11073 490 8 0 2680 1552 posix_lock_ S ? 0:00 httpd
140 99 11111 490 8 0 2568 1364 posix_lock_ S ? 0:00 httpd
100 0 11041 11038 4 0 2224 1132 wait4 S ? 0:00 login -- Zelandakh
100 503 11060 11041 9 0 1712 948 wait4 S ? 0:00 -bash
0 503 11120 11060 10 0 1112 420 R ? 0:00 ps a l x w


Are any of these suspect? I don't recognise prefdm - how can I check what it is?
 
typos:
no -J accept for masq rule (duh)
reverse the proxy rule if necessary

You are running a lot of services...
That makes things harder to keep straight..
 
The only things I want to do with this server are:

Proxy / web cache server. Accessible internally from port 8080. Allow DNS queries through to caching server (same address as Exchange server). Allow http requests on port 80 into Exchange server (IIS).

Allow all internal people out to Net.

I think that is it.

Need to create a log of the httpd and ftp that to my ftp server (you guessed it, it is my overworked Exchange server).

I still have to type the stuff manually as the script doesn't want to know - looks like a path problem or similar even after explicitly typing the path, bash says file does not exist, but ls says it does... doh!
 
This prefdm is in etc/X11 and is an alias to kdm. I don't think I use that.

All helpful stuff to zel@zelandakh.co.uk including fully configured scripts or things to check out.
 
I just retyped the whole script (the old one) and everything worked fine. For 10 minutes. Now email seems to still work, but you can only get onto cached sites (including TT :) ) not new ones.

Think it is time to retire from IT and join a commune.
 
locate ipchains-restore
locate ipchains-save

these are your friends.
ipchains-save > /etc/firewall
ipchains-restore < /etc/firewall
no more typing.

with your old rules you should be able to do anything anyway...make sure that your proxy
is able to resolve names.

You should be able to configure your logging rules through your computer management and event viewer. Your Exchange and proxy should
have their own logging facilities anyway.
 
Hello again,

from your list of processes there are several you probably won't use on your firewall-server:

portmap - needed for rpc-based services like NFS and NIS
snmpd - to gather information for some Network Management Systems
using the Simple Network Management Protocol
lpd - Line Printer Daemon
gpm - for Mouse-support on the console
smbd+nmbd - part of Samba, file- and printer-sharing services for
m$-clients

They all will be started by some of the runlevel-scripts in "/etc/rc.d/init.d". If you're not sure about which script to stop, "grep" through them and then stop the corresponding script, e.g. "/etc/rc.d/init.d/samba stop".
You still have to remove the links from the corresponding rcX.d-Directory to prevent a restart at next boot-time or a change of the runlevel.

Be aware that if your system has been hacked, you cannot trust your "ps"-command (and others like login, ifconfig, su, netstat, who, lsmod,...) any more.
As mentioned in another post, I think the best guide in setting up a secure (RedHat)-Server is at get the (old 6.2) PDF and you get the ideas that match most part of other distributions as well. And you can download complete fw-scripts and config-files described in the book as well.

ciao,
mbr
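The review mbr describes above (go through the "ps a l x w" listing and pick out the daemons that have no business on a firewall/proxy box) can be turned into a repeatable check. This is an added example, not code from the thread; the listing it parses is a constructed excerpt in the column layout Zelandakh posted, and the allowlist assumes the web cache is squid.

```shell
#!/bin/sh
# Added example, not from the thread: audit a "ps a l x w" listing against an
# allowlist of processes expected on a firewall/proxy box and print the rest.
# PS_SAMPLE is a constructed excerpt in the column layout shown in the thread
# (the last line is a running process, whose WCHAN column is empty).
PS_SAMPLE='FLAGS UID PID PPID PRI NI SIZE RSS WCHAN STA TTY TIME COMMAND
100 0 1 0 0 0 1096 472 do_select S ? 0:04 init [5]
40 0 5 1 -20 -20 0 0 md_thread SW< ? 0:00 (mdrecoveryd)
140 1 316 1 0 0 1088 436 do_select S ? 0:00 portmap
40 0 339 1 0 0 1272 620 do_select S ? 0:00 syslogd -m 0
140 0 406 1 0 0 1788 1064 do_select S ? 0:00 /usr/sbin/snmpd
40 0 420 1 4 0 2524 1256 do_select S ? 0:05 named
140 0 448 1 0 0 1284 556 do_select S ? 0:00 lpd
140 0 476 1 0 0 1124 468 do_select S ? 0:00 gpm -t ps/2
140 0 490 1 15 0 2384 1252 do_select S ? 0:00 httpd
140 0 514 1 0 0 2208 852 do_select S ? 0:00 smbd -D
140 0 525 1 0 0 1856 904 do_select S ? 0:01 nmbd -D
100 0 549 1 0 0 5356 2240 do_select S ? 0:00 /etc/X11/prefdm -nodaemon
100 503 11060 11041 9 0 1712 948 wait4 S ? 0:00 -bash
0 503 11120 11060 10 0 1112 420 R ? 0:00 ps a l x w'

# Process names expected on this box (assumption: the web cache is squid).
ALLOWED="init mdrecoveryd syslogd klogd crond named routed httpd squid mingetty login bash ps"

# unexpected_services: read a ps listing on stdin, print each process name that
# is not in ALLOWED (one per line, sorted, unique). The command name is taken as
# the field after TIME (mm:ss), so an empty WCHAN column does not shift it.
unexpected_services() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }
        {
            for (i = 9; i <= NF; i++) if ($i ~ /^[0-9]+:[0-9][0-9]$/) break
            cmd = $(i + 1)
            sub(/^\(/, "", cmd); sub(/\)$/, "", cmd)  # (mdrecoveryd) -> mdrecoveryd
            sub(/.*\//, "", cmd)                      # /usr/sbin/snmpd -> snmpd
            sub(/^-/, "", cmd)                        # -bash (login shell) -> bash
            if (!(cmd in ok)) print cmd
        }' | sort -u
}

# audit_sample: run the check over PS_SAMPLE and return the names space-separated.
audit_sample() {
    printf '%s\n' "$PS_SAMPLE" | unexpected_services | tr '\n' ' ' | sed 's/ $//'
}

audit_sample
```

On a live box run `ps a l x w | unexpected_services`; as mbr's post says, the result is only meaningful if the ps binary itself is still trustworthy.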
 
I don't have a proxy server - except for this server. I run an internal DNS as a caching server.

The server now seems stable in terms of everything now sort of working but I want someone to come in asap to do a proper job of it. I have found quite a few web sites to help me do it myself but lack of time and a lack of effective knowledge of Linux means I would rather have this firewall configured by someone who really knows their stuff.

I found someone yesterday who is a SuSE and ipchains expert who is based a mile from me. When I told him I wanted SMTP through, access out for my users, a web cache / proxy and so on he told me he could not do it.

Hmm.
 