DennIsDn
23.05.04, 09:35
Hallo Leute,
ich bin am Verzweifeln. Versuche gerade ein Shell-Script, generiert mit FW-Builder ins Runlevel 3 unter SuSE 9.0 einzubinden. mit ln hab ich ganz gewöhnlich das Script gelinkt und ziemlich ans Ende gestellt (so dass alle Schnittstellen usw. schon aktiviert sind).
Bootlog gibt nur aus, dass das Script status 1 zurückgegeben hat. Wenn ich die Runlevel mit Yast konfigurieren möchte und das Firewall-Skript aktiviere, kommt die Fehlermeldung:
/etc/init.d/FW start gab 126 (Fehler nicht spezifiziert) zurück:
sh: line 3: /etc/init.d/FW: Keine Berechtigung
owner und group der Datei sind root und root, außerdem ist die Datei mit chmod 777 auf volle Rechte gesetzt.
Hier das Script:
#!/bin/sh
#
# This is an automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v1.1.2-1
#
# Generated Sat May 15 21:03:32 2004 CEST by root
#
#
#
#
#
#
# Send a message to syslog at priority "info" through $LOGGER.
# Does nothing (and returns non-zero) when $LOGGER is not an executable file.
#   $1 - message text
log() {
  [ -x "$LOGGER" ] || return 1
  $LOGGER -p info "$1"
}
# Counter for the "<dev>:FWB<n>" alias labels that add_addr attaches to the
# addresses it configures; bumped after every address it adds.
va_num=1
# Make sure IPv4 address $1 (prefix length $2) is configured on interface $3.
# If the interface already carries that address nothing is done; otherwise it
# is added as a labelled alias "<dev>:FWB<va_num>" and va_num is incremented.
# Plain sh has no "local": addr, nm, dev, type, aadd, L and OIFS are globals
# and are clobbered by every call.
#   $1 - address, $2 - prefix length, $3 - interface name
add_addr() {
  addr=$1
  nm=$2
  dev=$3
  type=""
  aadd=""
  # The "N: dev: <FLAG1,FLAG2,...> ..." line for the interface; empty if unknown.
  L=`$IP -4 link ls $dev | grep "$dev:"`
  if test -n "$L"; then
    # Split on blank, "/", ":", "," and "<": field 4 is then expected to be the
    # first link flag (POINTOPOINT or BROADCAST), which selects how the address
    # is added below. Note that the unquoted "set $L" also glob-expands fields.
    OIFS=$IFS
    IFS=" /:,<"
    set $L
    type=$4
    IFS=$OIFS
    # Is $addr already present on $dev? If so, field 2 of the "inet" line is it.
    L=`$IP -4 addr ls $dev to $addr | grep " inet "`
    if test -n "$L"; then
      OIFS=$IFS
      IFS=" /"
      set $L
      aadd=$2
      IFS=$OIFS
    fi
  fi
  if test -z "$aadd"; then
    # Point-to-point links get the bare address; broadcast links get
    # address/prefix plus a derived broadcast address ("brd +").
    if test "$type" = "POINTOPOINT"; then
      $IP -4 addr add $addr dev $dev scope global label $dev:FWB${va_num}
      va_num=`expr $va_num + 1`
    fi
    if test "$type" = "BROADCAST"; then
      $IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
      va_num=`expr $va_num + 1`
    fi
  fi
}
# Store the IPv4 address found on the first "inet" line of interface $1 in the
# variable named by $2 (empty string when the interface has no IPv4 address).
# Uses the globals dev, name, L and OIFS; the result is assigned with eval.
#   $1 - interface name, $2 - name of the variable to set
getaddr() {
  dev=$1
  name=$2
  L=$($IP -4 addr show dev $dev | grep inet)
  if test -z "$L"; then
    eval "$name=''"
    return
  fi
  # Split on blanks and "/" so that field 2 is the address without its prefix.
  OIFS=$IFS
  IFS=" /"
  set $L
  eval "$name=$2"
  IFS=$OIFS
}
# Print, one per line, the names of all interfaces whose name starts with $1
# (e.g. "eth" lists eth0, eth1, ...). Sets the global NAME.
#   $1 - interface name prefix (used as part of an extended regex)
getinterfaces() {
  NAME=$1
  # "ip link show" lines look like "2: eth0: <FLAGS> ..."; splitting on ":"
  # and blanks makes the interface name the second field.
  $IP link show | grep -E "$NAME[^ ]*: " | while IFS=" :" read num ifname rest; do
    echo $ifname
  done
}
# Absolute paths of the tools used below, presumably because an init script
# cannot rely on PATH.
IP="/sbin/ip"
IPTABLES="/usr/sbin/iptables"
MODPROBE="/sbin/modprobe"
LSMOD="/sbin/lsmod"
LOGGER="/bin/logger"
# Interfaces that must exist before anything is configured (checked below).
INTERFACES="ppp0 eth1 lo "
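# Refuse to run if any interface named in $INTERFACES is unknown to the kernel;
# the generated rules below refer to them by name. This is the first place the
# script can end with status 1: ppp0 is in the list, so a PPP link that is not
# up yet when the script runs (e.g. at boot, before the dial-up comes up)
# stops the script right here.
for i in $INTERFACES ; do
  $IP link show "$i" > /dev/null 2>&1 || {
    # Diagnostics go to stderr so they reach the console/boot log instead of
    # being mixed into stdout; the name is passed as data, not as the format.
    printf 'Interface %s does not exist\n' "$i" >&2
    exit 1
  }
done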
# Kernel TCP tuning: a 30 s FIN-WAIT timeout and a 30-minute interval
# between keepalive probes.
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
# Reset eth1's neighbour (ARP) cache and remove any alias addresses a previous
# run of this script labelled "eth1:FWB*", so add_addr starts from a clean
# slate. Errors are deliberately ignored (nothing to flush on first run).
$IP -4 neigh flush dev eth1 >/dev/null 2>&1
$IP -4 addr flush dev eth1 label "eth1:FWB*" >/dev/null 2>&1
add_addr 192.168.0.254 24 eth1
$IP link set eth1 up
add_addr 127.0.0.1 8 lo
$IP link set lo up
# Learn ppp0's current (possibly dynamic) address; the rules below that need
# it are only installed when interface_ppp0 ends up non-empty.
getaddr ppp0 interface_ppp0
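# Fail closed first: from here on anything not explicitly accepted below is
# dropped, including packets of existing connections until the
# ESTABLISHED,RELATED rules are (re)installed further down.
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
# Empty every table the kernel currently has loaded: flush all built-in and
# user chains (-F with no chain name flushes the whole table), then delete the
# now-empty user chains. Reading the table list from /proc avoids guessing
# which tables exist, and -F needs no scraping of "iptables -L" output.
while read table; do
  $IPTABLES -t "$table" -F
  $IPTABLES -t "$table" -X
done < /proc/net/ip_tables_names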
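# Load the netfilter helper modules whose files match *_conntrack_* or *_nat_*
# in the running kernel's module directory. A module that fails to load aborts
# the script with status 1 - the other early-exit path besides the interface
# check above.
MODULE_DIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/"
for modfile in "$MODULE_DIR"*_conntrack_* "$MODULE_DIR"*_nat_*; do
  # Plain sh leaves an unmatched glob as the literal pattern; skip those
  # (this also covers a missing module directory, which the old "cd; ls"
  # silently turned into a listing of the current directory).
  test -e "$modfile" || continue
  # Directory and ".o[.gz]" / ".ko" suffix stripped -> module name.
  module=${modfile##*/}
  module=${module%%.o*}
  module=${module%.ko}
  # Skip modules that are already loaded; anchor the match to the whole name
  # so that e.g. a loaded "ip_nat_ftp" does not hide a missing "ip_nat".
  if $LSMOD | grep "^${module}[[:space:]]" >/dev/null; then continue; fi
  $MODPROBE "${module}" || {
    printf 'Cannot load kernel module %s\n' "$module" >&2
    exit 1
  }
done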
log "Activating firewall script generated Sat May 15 21:03:32 2004 CEST by root"
#
# Rule 0(NAT)
#
# Source-NAT everything from the LAN (192.168.0.0/24) that leaves via ppp0
# onto ppp0's own address.
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
#
# Stateful shortcut: packets belonging to a connection that was already
# accepted, or related to one (conntrack helpers), pass without further
# evaluation. Installed first in each chain, so only NEW connections ever
# reach the per-interface rules below.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0(ppp0)
#
# Traffic the firewall itself originates on ppp0: new TCP connections to
# 53,80,443,110,995,25,465 (DNS, HTTP, HTTPS, POP3, POP3S, SMTP, SMTPS) and
# UDP DNS queries are logged and accepted. Each rule exists twice, once for
# ppp0's own address (installed only if getaddr found one) and once for eth1's
# 192.168.0.254, presumably because a locally generated packet may carry
# either address as its source.
#
$IPTABLES -N ppp0_Out_RULE_0
test -n "$interface_ppp0" && $IPTABLES -A OUTPUT -o ppp0 -p tcp -m multiport -s $interface_ppp0 --destination-port 53,80,443,110,995,25,465 -m state --state NEW -j ppp0_Out_RULE_0
$IPTABLES -A OUTPUT -o ppp0 -p tcp -m multiport -s 192.168.0.254 --destination-port 53,80,443,110,995,25,465 -m state --state NEW -j ppp0_Out_RULE_0
test -n "$interface_ppp0" && $IPTABLES -A OUTPUT -o ppp0 -p udp -s $interface_ppp0 --destination-port 53 -m state --state NEW -j ppp0_Out_RULE_0
$IPTABLES -A OUTPUT -o ppp0 -p udp -s 192.168.0.254 --destination-port 53 -m state --state NEW -j ppp0_Out_RULE_0
# Target chain: log the new connection at "info", then accept it.
$IPTABLES -A ppp0_Out_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A ppp0_Out_RULE_0 -j ACCEPT
#
# Rule 0(eth1)
#
# Inbound on eth1 from the LAN to the firewall's own addresses (ppp0's, if
# known, and 192.168.0.254): ICMP, TCP to 53,22,25,110,3128,1812 (DNS, SSH,
# SMTP, POP3, 3128 is typically a Squid proxy, 1812 RADIUS) and UDP DNS are
# logged and accepted. The shared "-d <own address>" test is apparently
# factored into the intermediate chain Cid409F6301.0; a packet that reaches
# the end of that chain without matching returns to INPUT and keeps being
# evaluated by the rules that follow.
#
$IPTABLES -N eth1_In_RULE_0
test -n "$interface_ppp0" && $IPTABLES -A INPUT -i eth1 -p icmp -s 192.168.0.0/24 -d $interface_ppp0 -m state --state NEW -j eth1_In_RULE_0
$IPTABLES -A INPUT -i eth1 -p icmp -s 192.168.0.0/24 -d 192.168.0.254 -m state --state NEW -j eth1_In_RULE_0
$IPTABLES -N Cid409F6301.0
test -n "$interface_ppp0" && $IPTABLES -A INPUT -i eth1 -d $interface_ppp0 -m state --state NEW -j Cid409F6301.0
$IPTABLES -A INPUT -i eth1 -d 192.168.0.254 -m state --state NEW -j Cid409F6301.0
$IPTABLES -A Cid409F6301.0 -i eth1 -p tcp -m multiport -s 192.168.0.0/24 --destination-port 53,22,25,110,3128,1812 -m state --state NEW -j eth1_In_RULE_0
test -n "$interface_ppp0" && $IPTABLES -A INPUT -i eth1 -p udp -s 192.168.0.0/24 -d $interface_ppp0 --destination-port 53 -m state --state NEW -j eth1_In_RULE_0
$IPTABLES -A INPUT -i eth1 -p udp -s 192.168.0.0/24 -d 192.168.0.254 --destination-port 53 -m state --state NEW -j eth1_In_RULE_0
# Target chain: log, then accept.
$IPTABLES -A eth1_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A eth1_In_RULE_0 -j ACCEPT
#
# Rule 1(eth1)
#
# DHCP (UDP 67/68) between the LAN and the firewall's own addresses on eth1,
# logged and accepted. The INPUT branch goes through Cid409F78F6.0 to
# eth1_In_RULE_1; the OUTPUT and FORWARD branches go through Cid409F78F6.1/.2
# and share the target chain eth1_Out_RULE_1.
# NOTE(review): every branch requires -s 192.168.0.0/24 and -d <own address>.
# A client's initial DHCPDISCOVER/REQUEST is sent from 0.0.0.0 to
# 255.255.255.255 and matches neither test, so only unicast renewals from
# clients that already hold a lease fit these rules; likewise the OUTPUT and
# FORWARD branches need the firewall's own address as destination, which a
# reply to a client never has. Confirm against the intended DHCP setup.
#
$IPTABLES -N Cid409F78F6.0
test -n "$interface_ppp0" && $IPTABLES -A INPUT -i eth1 -d $interface_ppp0 -m state --state NEW -j Cid409F78F6.0
$IPTABLES -A INPUT -i eth1 -d 192.168.0.254 -m state --state NEW -j Cid409F78F6.0
$IPTABLES -N eth1_In_RULE_1
$IPTABLES -A Cid409F78F6.0 -i eth1 -p udp -m multiport -s 192.168.0.0/24 --destination-port 68,67 -m state --state NEW -j eth1_In_RULE_1
$IPTABLES -A eth1_In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A eth1_In_RULE_1 -j ACCEPT
$IPTABLES -N Cid409F78F6.1
test -n "$interface_ppp0" && $IPTABLES -A OUTPUT -o eth1 -d $interface_ppp0 -m state --state NEW -j Cid409F78F6.1
$IPTABLES -A OUTPUT -o eth1 -d 192.168.0.254 -m state --state NEW -j Cid409F78F6.1
$IPTABLES -N eth1_Out_RULE_1
$IPTABLES -A Cid409F78F6.1 -o eth1 -p udp -m multiport -s 192.168.0.0/24 --destination-port 68,67 -m state --state NEW -j eth1_Out_RULE_1
$IPTABLES -N Cid409F78F6.2
test -n "$interface_ppp0" && $IPTABLES -A FORWARD -o eth1 -d $interface_ppp0 -m state --state NEW -j Cid409F78F6.2
$IPTABLES -A FORWARD -o eth1 -d 192.168.0.254 -m state --state NEW -j Cid409F78F6.2
$IPTABLES -A Cid409F78F6.2 -o eth1 -p udp -m multiport -s 192.168.0.0/24 --destination-port 68,67 -m state --state NEW -j eth1_Out_RULE_1
# Shared target chain for the OUTPUT and FORWARD branches: log, then accept.
$IPTABLES -A eth1_Out_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A eth1_Out_RULE_1 -j ACCEPT
#
# Rule 0(lo)
#
# Loopback: new connections from 127.0.0.1 to 127.0.0.1 are logged and
# accepted in both directions. Only that address pair is matched here; local
# traffic over lo between the host's other addresses (e.g. a process talking
# to 192.168.0.254) is not covered by this rule.
#
$IPTABLES -N lo_In_RULE_0
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -m state --state NEW -j lo_In_RULE_0
$IPTABLES -A lo_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A lo_In_RULE_0 -j ACCEPT
$IPTABLES -N lo_Out_RULE_0
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -m state --state NEW -j lo_Out_RULE_0
$IPTABLES -A lo_Out_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A lo_Out_RULE_0 -j ACCEPT
#
# Rule 0(global)
#
# Interface-independent rules for LAN sources (192.168.0.0/24), applied to
# INPUT, OUTPUT and FORWARD alike: TCP from source port 20 to any port above
# 1023 (active-mode FTP data connections), TCP to 25,110,995,21,20,4662
# (SMTP, POP3, POP3S, FTP control/data, 4662 is commonly eDonkey/eMule) and
# UDP to 53,4558. Each new connection is logged and accepted.
# NOTE(review): none of these rules is bound to an interface, so they also
# match packets arriving on ppp0 that claim a 192.168.0.0/24 source, and this
# script contains no anti-spoofing drop for ppp0 - worth adding in the policy.
# NOTE(review): the source-port-20 rule lets any LAN host that sends from
# port 20 reach every port above 1023 on the firewall; that is broader than a
# plain active-FTP allowance.
#
$IPTABLES -N RULE_0
$IPTABLES -A INPUT -p tcp -s 192.168.0.0/24 --source-port 20 --destination-port 1024:65535 -m state --state NEW -j RULE_0
$IPTABLES -A INPUT -p tcp -m multiport -s 192.168.0.0/24 --destination-port 25,110,995,21,20,4662 -m state --state NEW -j RULE_0
$IPTABLES -A INPUT -p udp -m multiport -s 192.168.0.0/24 --destination-port 53,4558 -m state --state NEW -j RULE_0
$IPTABLES -A OUTPUT -p tcp -s 192.168.0.0/24 --source-port 20 --destination-port 1024:65535 -m state --state NEW -j RULE_0
$IPTABLES -A OUTPUT -p tcp -m multiport -s 192.168.0.0/24 --destination-port 25,110,995,21,20,4662 -m state --state NEW -j RULE_0
$IPTABLES -A OUTPUT -p udp -m multiport -s 192.168.0.0/24 --destination-port 53,4558 -m state --state NEW -j RULE_0
$IPTABLES -A FORWARD -p tcp -s 192.168.0.0/24 --source-port 20 --destination-port 1024:65535 -m state --state NEW -j RULE_0
$IPTABLES -A FORWARD -p tcp -m multiport -s 192.168.0.0/24 --destination-port 25,110,995,21,20,4662 -m state --state NEW -j RULE_0
$IPTABLES -A FORWARD -p udp -m multiport -s 192.168.0.0/24 --destination-port 53,4558 -m state --state NEW -j RULE_0
# Target chain: log, then accept.
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A RULE_0 -j ACCEPT
#
# Turn on IPv4 routing only now that the FORWARD policy is DROP and all
# forwarding rules are installed, so the box never forwards with an empty
# ruleset.
echo 1 > /proc/sys/net/ipv4/ip_forward
Danke
MfG,
Dennis
ich bin am Verzweifeln. Versuche gerade ein Shell-Script, generiert mit FW-Builder ins Runlevel 3 unter SuSE 9.0 einzubinden. mit ln hab ich ganz gewöhnlich das Script gelinkt und ziemlich ans Ende gestellt (so dass alle Schnittstellen usw. schon aktiviert sind).
Bootlog gibt nur aus, dass das Script status 1 zurückgegeben hat. Wenn ich die Runlevel mit Yast konfigurieren möchte und das Firewall-Skript aktiviere, kommt die Fehlermeldung:
/etc/init.d/FW start gab 126 (Fehler nicht spezifiziert) zurück:
sh: line 3: /etc/init.d/FW: Keine Berechtigung
owner und group der Datei sind root und root, außerdem ist die Datei mit chmod 777 auf volle Rechte gesetzt.
Hier das Script:
#!/bin/sh
#
# This is an automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v1.1.2-1
#
# Generated Sat May 15 21:03:32 2004 CEST by root
#
#
#
#
#
#
# Send a message to syslog at priority "info" through $LOGGER.
# Does nothing (and returns non-zero) when $LOGGER is not an executable file.
#   $1 - message text
log() {
  [ -x "$LOGGER" ] || return 1
  $LOGGER -p info "$1"
}
# Counter for the "<dev>:FWB<n>" alias labels that add_addr attaches to the
# addresses it configures; bumped after every address it adds.
va_num=1
# Make sure IPv4 address $1 (prefix length $2) is configured on interface $3.
# If the interface already carries that address nothing is done; otherwise it
# is added as a labelled alias "<dev>:FWB<va_num>" and va_num is incremented.
# Plain sh has no "local": addr, nm, dev, type, aadd, L and OIFS are globals
# and are clobbered by every call.
#   $1 - address, $2 - prefix length, $3 - interface name
add_addr() {
  addr=$1
  nm=$2
  dev=$3
  type=""
  aadd=""
  # The "N: dev: <FLAG1,FLAG2,...> ..." line for the interface; empty if unknown.
  L=`$IP -4 link ls $dev | grep "$dev:"`
  if test -n "$L"; then
    # Split on blank, "/", ":", "," and "<": field 4 is then expected to be the
    # first link flag (POINTOPOINT or BROADCAST), which selects how the address
    # is added below. Note that the unquoted "set $L" also glob-expands fields.
    OIFS=$IFS
    IFS=" /:,<"
    set $L
    type=$4
    IFS=$OIFS
    # Is $addr already present on $dev? If so, field 2 of the "inet" line is it.
    L=`$IP -4 addr ls $dev to $addr | grep " inet "`
    if test -n "$L"; then
      OIFS=$IFS
      IFS=" /"
      set $L
      aadd=$2
      IFS=$OIFS
    fi
  fi
  if test -z "$aadd"; then
    # Point-to-point links get the bare address; broadcast links get
    # address/prefix plus a derived broadcast address ("brd +").
    if test "$type" = "POINTOPOINT"; then
      $IP -4 addr add $addr dev $dev scope global label $dev:FWB${va_num}
      va_num=`expr $va_num + 1`
    fi
    if test "$type" = "BROADCAST"; then
      $IP -4 addr add $addr/$nm dev $dev brd + scope global label $dev:FWB${va_num}
      va_num=`expr $va_num + 1`
    fi
  fi
}
# Store the IPv4 address found on the first "inet" line of interface $1 in the
# variable named by $2 (empty string when the interface has no IPv4 address).
# Uses the globals dev, name, L and OIFS; the result is assigned with eval.
#   $1 - interface name, $2 - name of the variable to set
getaddr() {
  dev=$1
  name=$2
  L=$($IP -4 addr show dev $dev | grep inet)
  if test -z "$L"; then
    eval "$name=''"
    return
  fi
  # Split on blanks and "/" so that field 2 is the address without its prefix.
  OIFS=$IFS
  IFS=" /"
  set $L
  eval "$name=$2"
  IFS=$OIFS
}
# Print, one per line, the names of all interfaces whose name starts with $1
# (e.g. "eth" lists eth0, eth1, ...). Sets the global NAME.
#   $1 - interface name prefix (used as part of an extended regex)
getinterfaces() {
  NAME=$1
  # "ip link show" lines look like "2: eth0: <FLAGS> ..."; splitting on ":"
  # and blanks makes the interface name the second field.
  $IP link show | grep -E "$NAME[^ ]*: " | while IFS=" :" read num ifname rest; do
    echo $ifname
  done
}
# Absolute paths of the tools used below, presumably because an init script
# cannot rely on PATH.
IP="/sbin/ip"
IPTABLES="/usr/sbin/iptables"
MODPROBE="/sbin/modprobe"
LSMOD="/sbin/lsmod"
LOGGER="/bin/logger"
# Interfaces that must exist before anything is configured (checked below).
INTERFACES="ppp0 eth1 lo "
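# Refuse to run if any interface named in $INTERFACES is unknown to the kernel;
# the generated rules below refer to them by name. This is the first place the
# script can end with status 1: ppp0 is in the list, so a PPP link that is not
# up yet when the script runs (e.g. at boot, before the dial-up comes up)
# stops the script right here.
for i in $INTERFACES ; do
  $IP link show "$i" > /dev/null 2>&1 || {
    # Diagnostics go to stderr so they reach the console/boot log instead of
    # being mixed into stdout; the name is passed as data, not as the format.
    printf 'Interface %s does not exist\n' "$i" >&2
    exit 1
  }
done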
# Kernel TCP tuning: a 30 s FIN-WAIT timeout and a 30-minute interval
# between keepalive probes.
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
# Reset eth1's neighbour (ARP) cache and remove any alias addresses a previous
# run of this script labelled "eth1:FWB*", so add_addr starts from a clean
# slate. Errors are deliberately ignored (nothing to flush on first run).
$IP -4 neigh flush dev eth1 >/dev/null 2>&1
$IP -4 addr flush dev eth1 label "eth1:FWB*" >/dev/null 2>&1
add_addr 192.168.0.254 24 eth1
$IP link set eth1 up
add_addr 127.0.0.1 8 lo
$IP link set lo up
# Learn ppp0's current (possibly dynamic) address; the rules below that need
# it are only installed when interface_ppp0 ends up non-empty.
getaddr ppp0 interface_ppp0
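# Fail closed first: from here on anything not explicitly accepted below is
# dropped, including packets of existing connections until the
# ESTABLISHED,RELATED rules are (re)installed further down.
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
# Empty every table the kernel currently has loaded: flush all built-in and
# user chains (-F with no chain name flushes the whole table), then delete the
# now-empty user chains. Reading the table list from /proc avoids guessing
# which tables exist, and -F needs no scraping of "iptables -L" output.
while read table; do
  $IPTABLES -t "$table" -F
  $IPTABLES -t "$table" -X
done < /proc/net/ip_tables_names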
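# Load the netfilter helper modules whose files match *_conntrack_* or *_nat_*
# in the running kernel's module directory. A module that fails to load aborts
# the script with status 1 - the other early-exit path besides the interface
# check above.
MODULE_DIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/"
for modfile in "$MODULE_DIR"*_conntrack_* "$MODULE_DIR"*_nat_*; do
  # Plain sh leaves an unmatched glob as the literal pattern; skip those
  # (this also covers a missing module directory, which the old "cd; ls"
  # silently turned into a listing of the current directory).
  test -e "$modfile" || continue
  # Directory and ".o[.gz]" / ".ko" suffix stripped -> module name.
  module=${modfile##*/}
  module=${module%%.o*}
  module=${module%.ko}
  # Skip modules that are already loaded; anchor the match to the whole name
  # so that e.g. a loaded "ip_nat_ftp" does not hide a missing "ip_nat".
  if $LSMOD | grep "^${module}[[:space:]]" >/dev/null; then continue; fi
  $MODPROBE "${module}" || {
    printf 'Cannot load kernel module %s\n' "$module" >&2
    exit 1
  }
done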
log "Activating firewall script generated Sat May 15 21:03:32 2004 CEST by root"
#
# Rule 0(NAT)
#
# Source-NAT everything from the LAN (192.168.0.0/24) that leaves via ppp0
# onto ppp0's own address.
$IPTABLES -t nat -A POSTROUTING -o ppp0 -s 192.168.0.0/24 -j MASQUERADE
#
# Stateful shortcut: packets belonging to a connection that was already
# accepted, or related to one (conntrack helpers), pass without further
# evaluation. Installed first in each chain, so only NEW connections ever
# reach the per-interface rules below.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0(ppp0)
#
# Traffic the firewall itself originates on ppp0: new TCP connections to
# 53,80,443,110,995,25,465 (DNS, HTTP, HTTPS, POP3, POP3S, SMTP, SMTPS) and
# UDP DNS queries are logged and accepted. Each rule exists twice, once for
# ppp0's own address (installed only if getaddr found one) and once for eth1's
# 192.168.0.254, presumably because a locally generated packet may carry
# either address as its source.
#
$IPTABLES -N ppp0_Out_RULE_0
test -n "$interface_ppp0" && $IPTABLES -A OUTPUT -o ppp0 -p tcp -m multiport -s $interface_ppp0 --destination-port 53,80,443,110,995,25,465 -m state --state NEW -j ppp0_Out_RULE_0
$IPTABLES -A OUTPUT -o ppp0 -p tcp -m multiport -s 192.168.0.254 --destination-port 53,80,443,110,995,25,465 -m state --state NEW -j ppp0_Out_RULE_0
test -n "$interface_ppp0" && $IPTABLES -A OUTPUT -o ppp0 -p udp -s $interface_ppp0 --destination-port 53 -m state --state NEW -j ppp0_Out_RULE_0
$IPTABLES -A OUTPUT -o ppp0 -p udp -s 192.168.0.254 --destination-port 53 -m state --state NEW -j ppp0_Out_RULE_0
# Target chain: log the new connection at "info", then accept it.
$IPTABLES -A ppp0_Out_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A ppp0_Out_RULE_0 -j ACCEPT
#
# Rule 0(eth1)
#
# Inbound on eth1 from the LAN to the firewall's own addresses (ppp0's, if
# known, and 192.168.0.254): ICMP, TCP to 53,22,25,110,3128,1812 (DNS, SSH,
# SMTP, POP3, 3128 is typically a Squid proxy, 1812 RADIUS) and UDP DNS are
# logged and accepted. The shared "-d <own address>" test is apparently
# factored into the intermediate chain Cid409F6301.0; a packet that reaches
# the end of that chain without matching returns to INPUT and keeps being
# evaluated by the rules that follow.
#
$IPTABLES -N eth1_In_RULE_0
test -n "$interface_ppp0" && $IPTABLES -A INPUT -i eth1 -p icmp -s 192.168.0.0/24 -d $interface_ppp0 -m state --state NEW -j eth1_In_RULE_0
$IPTABLES -A INPUT -i eth1 -p icmp -s 192.168.0.0/24 -d 192.168.0.254 -m state --state NEW -j eth1_In_RULE_0
$IPTABLES -N Cid409F6301.0
test -n "$interface_ppp0" && $IPTABLES -A INPUT -i eth1 -d $interface_ppp0 -m state --state NEW -j Cid409F6301.0
$IPTABLES -A INPUT -i eth1 -d 192.168.0.254 -m state --state NEW -j Cid409F6301.0
$IPTABLES -A Cid409F6301.0 -i eth1 -p tcp -m multiport -s 192.168.0.0/24 --destination-port 53,22,25,110,3128,1812 -m state --state NEW -j eth1_In_RULE_0
test -n "$interface_ppp0" && $IPTABLES -A INPUT -i eth1 -p udp -s 192.168.0.0/24 -d $interface_ppp0 --destination-port 53 -m state --state NEW -j eth1_In_RULE_0
$IPTABLES -A INPUT -i eth1 -p udp -s 192.168.0.0/24 -d 192.168.0.254 --destination-port 53 -m state --state NEW -j eth1_In_RULE_0
# Target chain: log, then accept.
$IPTABLES -A eth1_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A eth1_In_RULE_0 -j ACCEPT
#
# Rule 1(eth1)
#
# DHCP (UDP 67/68) between the LAN and the firewall's own addresses on eth1,
# logged and accepted. The INPUT branch goes through Cid409F78F6.0 to
# eth1_In_RULE_1; the OUTPUT and FORWARD branches go through Cid409F78F6.1/.2
# and share the target chain eth1_Out_RULE_1.
# NOTE(review): every branch requires -s 192.168.0.0/24 and -d <own address>.
# A client's initial DHCPDISCOVER/REQUEST is sent from 0.0.0.0 to
# 255.255.255.255 and matches neither test, so only unicast renewals from
# clients that already hold a lease fit these rules; likewise the OUTPUT and
# FORWARD branches need the firewall's own address as destination, which a
# reply to a client never has. Confirm against the intended DHCP setup.
#
$IPTABLES -N Cid409F78F6.0
test -n "$interface_ppp0" && $IPTABLES -A INPUT -i eth1 -d $interface_ppp0 -m state --state NEW -j Cid409F78F6.0
$IPTABLES -A INPUT -i eth1 -d 192.168.0.254 -m state --state NEW -j Cid409F78F6.0
$IPTABLES -N eth1_In_RULE_1
$IPTABLES -A Cid409F78F6.0 -i eth1 -p udp -m multiport -s 192.168.0.0/24 --destination-port 68,67 -m state --state NEW -j eth1_In_RULE_1
$IPTABLES -A eth1_In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A eth1_In_RULE_1 -j ACCEPT
$IPTABLES -N Cid409F78F6.1
test -n "$interface_ppp0" && $IPTABLES -A OUTPUT -o eth1 -d $interface_ppp0 -m state --state NEW -j Cid409F78F6.1
$IPTABLES -A OUTPUT -o eth1 -d 192.168.0.254 -m state --state NEW -j Cid409F78F6.1
$IPTABLES -N eth1_Out_RULE_1
$IPTABLES -A Cid409F78F6.1 -o eth1 -p udp -m multiport -s 192.168.0.0/24 --destination-port 68,67 -m state --state NEW -j eth1_Out_RULE_1
$IPTABLES -N Cid409F78F6.2
test -n "$interface_ppp0" && $IPTABLES -A FORWARD -o eth1 -d $interface_ppp0 -m state --state NEW -j Cid409F78F6.2
$IPTABLES -A FORWARD -o eth1 -d 192.168.0.254 -m state --state NEW -j Cid409F78F6.2
$IPTABLES -A Cid409F78F6.2 -o eth1 -p udp -m multiport -s 192.168.0.0/24 --destination-port 68,67 -m state --state NEW -j eth1_Out_RULE_1
# Shared target chain for the OUTPUT and FORWARD branches: log, then accept.
$IPTABLES -A eth1_Out_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A eth1_Out_RULE_1 -j ACCEPT
#
# Rule 0(lo)
#
# Loopback: new connections from 127.0.0.1 to 127.0.0.1 are logged and
# accepted in both directions. Only that address pair is matched here; local
# traffic over lo between the host's other addresses (e.g. a process talking
# to 192.168.0.254) is not covered by this rule.
#
$IPTABLES -N lo_In_RULE_0
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -m state --state NEW -j lo_In_RULE_0
$IPTABLES -A lo_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A lo_In_RULE_0 -j ACCEPT
$IPTABLES -N lo_Out_RULE_0
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -m state --state NEW -j lo_Out_RULE_0
$IPTABLES -A lo_Out_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A lo_Out_RULE_0 -j ACCEPT
#
# Rule 0(global)
#
# Interface-independent rules for LAN sources (192.168.0.0/24), applied to
# INPUT, OUTPUT and FORWARD alike: TCP from source port 20 to any port above
# 1023 (active-mode FTP data connections), TCP to 25,110,995,21,20,4662
# (SMTP, POP3, POP3S, FTP control/data, 4662 is commonly eDonkey/eMule) and
# UDP to 53,4558. Each new connection is logged and accepted.
# NOTE(review): none of these rules is bound to an interface, so they also
# match packets arriving on ppp0 that claim a 192.168.0.0/24 source, and this
# script contains no anti-spoofing drop for ppp0 - worth adding in the policy.
# NOTE(review): the source-port-20 rule lets any LAN host that sends from
# port 20 reach every port above 1023 on the firewall; that is broader than a
# plain active-FTP allowance.
#
$IPTABLES -N RULE_0
$IPTABLES -A INPUT -p tcp -s 192.168.0.0/24 --source-port 20 --destination-port 1024:65535 -m state --state NEW -j RULE_0
$IPTABLES -A INPUT -p tcp -m multiport -s 192.168.0.0/24 --destination-port 25,110,995,21,20,4662 -m state --state NEW -j RULE_0
$IPTABLES -A INPUT -p udp -m multiport -s 192.168.0.0/24 --destination-port 53,4558 -m state --state NEW -j RULE_0
$IPTABLES -A OUTPUT -p tcp -s 192.168.0.0/24 --source-port 20 --destination-port 1024:65535 -m state --state NEW -j RULE_0
$IPTABLES -A OUTPUT -p tcp -m multiport -s 192.168.0.0/24 --destination-port 25,110,995,21,20,4662 -m state --state NEW -j RULE_0
$IPTABLES -A OUTPUT -p udp -m multiport -s 192.168.0.0/24 --destination-port 53,4558 -m state --state NEW -j RULE_0
$IPTABLES -A FORWARD -p tcp -s 192.168.0.0/24 --source-port 20 --destination-port 1024:65535 -m state --state NEW -j RULE_0
$IPTABLES -A FORWARD -p tcp -m multiport -s 192.168.0.0/24 --destination-port 25,110,995,21,20,4662 -m state --state NEW -j RULE_0
$IPTABLES -A FORWARD -p udp -m multiport -s 192.168.0.0/24 --destination-port 53,4558 -m state --state NEW -j RULE_0
# Target chain: log, then accept.
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A RULE_0 -j ACCEPT
#
# Turn on IPv4 routing only now that the FORWARD policy is DROP and all
# forwarding rules are installed, so the box never forwards with an empty
# ruleset.
echo 1 > /proc/sys/net/ipv4/ip_forward
Danke
MfG,
Dennis