Jesaja
26.04.05, 14:08
Ich hab mir n komplett neues Firewallscript gemacht, aber nun das Problem, das es nicht startet. Ich hab das ganze Script schon durchgesehen aber keinen Fehler gefunden.
Linux gibt immer
: command not found
: command not found
: command not found
: command not found
: command not found
: No such file or directoryin/iptables
: No such file or directoryin/iptables
: No such file or directoryin/iptables
: No such file or directoryin/iptables
: No such file or directoryin/iptables
: No such file or directoryin/iptables
: command not found
: command not found
: command not found
'irewall2: line 270: syntax error near unexpected token `in
'irewall2: line 270: `case "$1" in
zurück.
Hier mal das komplette Script:
#! /bin/sh
#####***
###
###Homefirewall mit QOS by Michael Hueging 25.04.2005
###
#####***
###*
###FIREWALL
###*
#Module laden
#modprobe ip_contrack
#modprobe ip_contrack_ftp
#modprobe ip_nat_ftp
#Devices
int=eth1
isp=dsl0
ipt=/usr/sbin/iptables
tc=/usr/sbin/tc
#Tabellen leeren
$ipt -X
$ipt -F
$ipt -t nat-X
$ipt -t nat-F
$ipt -t mangle -X
$ipt -t mangle -F
#
#
#
####
#### START FIREWALL
####
function stopFirewall() {
function startFirewall() {
#Policies setzen
$ipt -P INPUT DROP
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
#Tabellen erstellen
$ipt -N weg
#Routing aktivieren
echo "1" > /proc/sys/net/ipv4/ip_forward
$ipt -t nat -A POSTROUTING -o $isp -j MASQUERADE
#MTU anpassen
$ipt -A FORWARD -p TCP --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Sicherheitseinstellungen
$ipt -A INPUT -i $isp -m state --state ESTABLISHED,RELATED -j ACCEPT
#Spoofing-Schutz
$ipt -A INPUT -i $int -s ! 192.168.1.0/24 -j DROP
$ipt -A INPUT -i ! lo -s 127.0.0.1 -j DROP
$ipt -A INPUT -i ! $int -s 192.168.1.0/24 -j DROP
#Lokale Interfaces erlauben
$ipt -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
$ipt -A INPUT -i $int -s 192.168.1.0/24 -j ACCEPT
#Anfragen rejecten
$ipt -A weg -p tcp -j REJECT --reject-with tcp-reset
$ipt -A weg -p udp -j REJECT --reject-with icmp-port-unreachable
#Korrupte Pakete zurueckweisen
$ipt -A INPUT -m state --state INVALID -j DROP
$ipt -A OUTPUT -m state --state INVALID -j DROP
$ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$ipt -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$ipt -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
$ipt -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$ipt -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
#ICMP zulassen
$ipt -A INPUT -p icmp -j ACCEPT
#Netbios blocken
$ipt -A FORWARD -m multiport --dport 135,137,138,139,445 -j REJECT
#Zwangsproxy
$ipt -t nat -A PREROUTING -i $int -p tcp --dport 80 -d ! 192.168.1.1 -j REDIRECT --to-port 8080
}
####
#### STOP FIREWALL
####
function stopFirewall() {
$ipt -X
$ipt -F
$ipt -t nat-X
$ipt -t nat-F
$ipt -t mangle -X
$ipt -t mangle -F
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
}
####
#### BLOCK TRAFFIC
####
function blockFirewall() {
$ipt -X
$ipt -F
$ipt -t nat-X
$ipt -t nat-F
$ipt -t mangle -X
$ipt -t mangle -F
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT DROP
$ipt -A INPUT -i $int --dport 22 -s 192.168.1.0/24 -j ACCEPT
$ipt -A OUTPUT -o $int -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
}
################################################
###*
###QOS
###*
function qos() {
#Root-Handle
$tc qdics add dev $isp root handle 1:0 htb default 3
$tc qdics add dev $isp root handle 2:0 htb default 2
#Hauptklasse - Download
$tc class add dev $isp parent 1:0 classid 1:1 htb rate 1024kbit ceil 1024kbit
#Hauptklasse - Upload
$tc class add dev $isp parent 2:0 classid 2:1 htb rate 125kbit ceil 125kbit
### DOWNLOAD
#ACK
$tc class add dev $isp parent 1:1 classid 1:11 htb rate 100kbit ceil 200kbit prio 0
#Games
$tc class add dev $isp parent 1:1 classid 1:12 htb rate 200kbit ceil 1000kbit prio 1
#VoIP
$tc class add dev $isp parent 1:1 classid 1:13 htb rate 200kbit ceil 1000kbit prio 1
#ICMP
$tc class add dev $isp parent 1:1 classid 1:14 htb rate 80kbit ceil 512kbit prio 1
#DNS
$tc class add dev $isp parent 1:1 classid 1:15 htb rate 120kbit ceil 512kbit prio 2
#HTTP
$tc class add dev $isp parent 1:1 classid 1:16 htb rate 120kbit ceil 1000kbit prio 2
#FTP
$tc class add dev $isp parent 1:1 classid 1:17 htb rate 108kbit ceil 1000kbit prio 3
#Mail
$tc class add dev $isp parent 1:1 classid 1:18 htb rate 64kbit ceil 768kbit prio 4
#Dienste
$tc class add dev $isp parent 1:1 classid 1:19 htb rate 32kbit ceil 768kbit prio 4
###UPLOAD
#ACK
$tc class add dev $isp parent 2:1 classid 2:11 htb rate 24kbit ceil 125kbit prio 0
#Games
$tc class add dev $isp parent 2:1 classid 2:12 htb rate 60kbit ceil 125kbit prio 1
#VoIP
$tc class add dev $isp parent 2:1 classid 2:13 htb rate 32kbit ceil 125kbit prio 1
#ICMP
$tc class add dev $isp parent 2:1 classid 2:14 htb rate 8kbit ceil 125kbit prio 1
#Mail
$tc class add dev $isp parent 2:1 classid 2:15 htb rate 1kbit ceil 125kbit prio 3
#Dienste
$tc class add dev $isp parent 2:1 classid 2:16 htb rate 1kbit ceil 125kbit prio 3
##Filter
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 11 fw flowid 1:11
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 12 fw flowid 1:12
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 13 fw flowid 1:13
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 14 fw flowid 1:14
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 15 fw flowid 1:15
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 16 fw flowid 1:16
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 17 fw flowid 1:17
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 18 fw flowid 1:18
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 19 fw flowid 1:19
$tc filter add dev $isp parent 2:1 prio 0 protocol ip handle 21 fw flowid 2:11
$tc filter add dev $isp parent 2:1 prio 0 protocol ip handle 22 fw flowid 2:12
$tc filter add dev $isp parent 2:1 prio 0 protocol ip handle 23 fw flowid 2:13
$tc filter add dev $isp parent 2:1 prio 0 protocol ip handle 24 fw flowid 2:14
$tc filter add dev $isp parent 2:1 prio 0 protocol ip handle 25 fw flowid 2:15
$tc filter add dev $isp parent 2:1 prio 0 protocol ip handle 26 fw flowid 2:16
##Makierungen
#Download
iptables -A PREROUTING -t mangle -i $isp -p udp --sport 8767 -j MARK --set-mark 13 #TS2(manche)
iptables -A PREROUTING -t mangle -i $isp -p udp --dport 27005 -j MARK --set-mark 13 #CS - testweise
iptables -A PREROUTING -t mangle -i $isp -p icmp -j MARK --set-mark 14
iptables -A PREROUTING -t mangle -i $isp -p udp --sport 53 -j MARK --set-mark 15
iptables -A PREROUTING -t mangle -i $isp -p tcp --sport 80 -j MARK --set-mark 16
iptables -A PREROUTING -t mangle -i $isp -p tcp --sport 21 -j MARK --set-mark 17
iptables -A PREROUTING -t mangle -i $isp -p tcp -m multiport --sport 25, -j MARK --set-mark 18
#Upload
iptables -A POSTROUTING -t mangle -o $isp -p udp --sport 27005 -j MARK --set-mark 22 #CS - testweise
iptables -A POSTROUTING -t mangle -o $isp -p udp --dport 14567 -j MARK --set-mark 22 #BF(manche)
iptables -A POSTROUTING -t mangle -o $isp -p udp --dport 8767 -j MARK --set-mark 23 #TS2(manche)
iptables -A POSTROUTING -t mangle -o $isp -p icmp -j MARK --set-mark 24
iptables -A POSTROUTING -t mangle -o $isp -p tcp --dport 25 -j MARK --set-mark 25
#iptables -A OUTPUT -t mangle -o $isp -p tcp --sport 80 -o $isp -j MARK --set-mark 26
}
###
###No QOS
###
function noqos() {
tc qdisc del dev eth0 root
}
################################################
####
#### Start/Stop-Script
####
case "$1" in
start)
echo -n "Starting firewall..."
startFirewall
qos
echo "...done"
;;
stop)
echo -n "Stopping firewall..."
stopFirewall
noqos
echo "...done"
;;
restart)
$0 stop
$0 start
;;
block)
echo -n "Blocking all Traffic..."
blockFirewall
noqos
echo "...done"
;;
qos)
echo -n "Enabling Qos..."
qos
echo "...done"
;;
noqos)
echo -n "Disabling Qos..."
noqos
echo "...done"
;;
*)
echo "Usage: firewall {start|stop|block|qos|noqos|restart}"
exit 1
;;
esac
Weis einer von euch, was der Fehler sein könnte?
Linux gibt immer
: command not found
: command not found
: command not found
: command not found
: command not found
: No such file or directoryin/iptables
: No such file or directoryin/iptables
: No such file or directoryin/iptables
: No such file or directoryin/iptables
: No such file or directoryin/iptables
: No such file or directoryin/iptables
: command not found
: command not found
: command not found
'irewall2: line 270: syntax error near unexpected token `in
'irewall2: line 270: `case "$1" in
zurück.
Hier mal das komplette Script:
#! /bin/sh
#####***
###
###Homefirewall mit QOS by Michael Hueging 25.04.2005
###
#####***
###*
###FIREWALL
###*
#Module laden
#modprobe ip_contrack
#modprobe ip_contrack_ftp
#modprobe ip_nat_ftp
#Devices
int=eth1
isp=dsl0
ipt=/usr/sbin/iptables
tc=/usr/sbin/tc
#Tabellen leeren
$ipt -X
$ipt -F
$ipt -t nat-X
$ipt -t nat-F
$ipt -t mangle -X
$ipt -t mangle -F
#
#
#
####
#### START FIREWALL
####
function stopFirewall() {
function startFirewall() {
#Policies setzen
$ipt -P INPUT DROP
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
#Tabellen erstellen
$ipt -N weg
#Routing aktivieren
echo "1" > /proc/sys/net/ipv4/ip_forward
$ipt -t nat -A POSTROUTING -o $isp -j MASQUERADE
#MTU anpassen
$ipt -A FORWARD -p TCP --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Sicherheitseinstellungen
$ipt -A INPUT -i $isp -m state --state ESTABLISHED,RELATED -j ACCEPT
#Spoofing-Schutz
$ipt -A INPUT -i $int -s ! 192.168.1.0/24 -j DROP
$ipt -A INPUT -i ! lo -s 127.0.0.1 -j DROP
$ipt -A INPUT -i ! $int -s 192.168.1.0/24 -j DROP
#Lokale Interfaces erlauben
$ipt -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
$ipt -A INPUT -i $int -s 192.168.1.0/24 -j ACCEPT
#Anfragen rejecten
$ipt -A weg -p tcp -j REJECT --reject-with tcp-reset
$ipt -A weg -p udp -j REJECT --reject-with icmp-port-unreachable
#Korrupte Pakete zurueckweisen
$ipt -A INPUT -m state --state INVALID -j DROP
$ipt -A OUTPUT -m state --state INVALID -j DROP
$ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ipt -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$ipt -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$ipt -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
$ipt -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$ipt -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
#ICMP zulassen
$ipt -A INPUT -p icmp -j ACCEPT
#Netbios blocken
$ipt -A FORWARD -m multiport --dport 135,137,138,139,445 -j REJECT
#Zwangsproxy
$ipt -t nat -A PREROUTING -i $int -p tcp --dport 80 -d ! 192.168.1.1 -j REDIRECT --to-port 8080
}
####
#### STOP FIREWALL
####
function stopFirewall() {
$ipt -X
$ipt -F
$ipt -t nat-X
$ipt -t nat-F
$ipt -t mangle -X
$ipt -t mangle -F
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
}
####
#### BLOCK TRAFFIC
####
function blockFirewall() {
$ipt -X
$ipt -F
$ipt -t nat-X
$ipt -t nat-F
$ipt -t mangle -X
$ipt -t mangle -F
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT DROP
$ipt -A INPUT -i $int --dport 22 -s 192.168.1.0/24 -j ACCEPT
$ipt -A OUTPUT -o $int -d 192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
}
################################################
###*
###QOS
###*
function qos() {
#Root-Handle
$tc qdics add dev $isp root handle 1:0 htb default 3
$tc qdics add dev $isp root handle 2:0 htb default 2
#Hauptklasse - Download
$tc class add dev $isp parent 1:0 classid 1:1 htb rate 1024kbit ceil 1024kbit
#Hauptklasse - Upload
$tc class add dev $isp parent 2:0 classid 2:1 htb rate 125kbit ceil 125kbit
### DOWNLOAD
#ACK
$tc class add dev $isp parent 1:1 classid 1:11 htb rate 100kbit ceil 200kbit prio 0
#Games
$tc class add dev $isp parent 1:1 classid 1:12 htb rate 200kbit ceil 1000kbit prio 1
#VoIP
$tc class add dev $isp parent 1:1 classid 1:13 htb rate 200kbit ceil 1000kbit prio 1
#ICMP
$tc class add dev $isp parent 1:1 classid 1:14 htb rate 80kbit ceil 512kbit prio 1
#DNS
$tc class add dev $isp parent 1:1 classid 1:15 htb rate 120kbit ceil 512kbit prio 2
#HTTP
$tc class add dev $isp parent 1:1 classid 1:16 htb rate 120kbit ceil 1000kbit prio 2
#FTP
$tc class add dev $isp parent 1:1 classid 1:17 htb rate 108kbit ceil 1000kbit prio 3
$tc class add dev $isp parent 1:1 classid 1:18 htb rate 64kbit ceil 768kbit prio 4
#Dienste
$tc class add dev $isp parent 1:1 classid 1:19 htb rate 32kbit ceil 768kbit prio 4
###UPLOAD
#ACK
$tc class add dev $isp parent 2:1 classid 2:11 htb rate 24kbit ceil 125kbit prio 0
#Games
$tc class add dev $isp parent 2:1 classid 2:12 htb rate 60kbit ceil 125kbit prio 1
#VoIP
$tc class add dev $isp parent 2:1 classid 2:13 htb rate 32kbit ceil 125kbit prio 1
#ICMP
$tc class add dev $isp parent 2:1 classid 2:14 htb rate 8kbit ceil 125kbit prio 1
$tc class add dev $isp parent 2:1 classid 2:15 htb rate 1kbit ceil 125kbit prio 3
#Dienste
$tc class add dev $isp parent 2:1 classid 2:16 htb rate 1kbit ceil 125kbit prio 3
##Filter
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 11 fw flowid 1:11
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 12 fw flowid 1:12
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 13 fw flowid 1:13
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 14 fw flowid 1:14
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 15 fw flowid 1:15
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 16 fw flowid 1:16
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 17 fw flowid 1:17
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 18 fw flowid 1:18
$tc filter add dev $isp parent 1:1 prio 0 protocol ip handle 19 fw flowid 1:19
$tc filter add dev $isp parent 2:1 prio 0 protocol ip handle 21 fw flowid 2:11
$tc filter add dev $isp parent 2:1 prio 0 protocol ip handle 22 fw flowid 2:12
$tc filter add dev $isp parent 2:1 prio 0 protocol ip handle 23 fw flowid 2:13
$tc filter add dev $isp parent 2:1 prio 0 protocol ip handle 24 fw flowid 2:14
$tc filter add dev $isp parent 2:1 prio 0 protocol ip handle 25 fw flowid 2:15
$tc filter add dev $isp parent 2:1 prio 0 protocol ip handle 26 fw flowid 2:16
##Makierungen
#Download
iptables -A PREROUTING -t mangle -i $isp -p udp --sport 8767 -j MARK --set-mark 13 #TS2(manche)
iptables -A PREROUTING -t mangle -i $isp -p udp --dport 27005 -j MARK --set-mark 13 #CS - testweise
iptables -A PREROUTING -t mangle -i $isp -p icmp -j MARK --set-mark 14
iptables -A PREROUTING -t mangle -i $isp -p udp --sport 53 -j MARK --set-mark 15
iptables -A PREROUTING -t mangle -i $isp -p tcp --sport 80 -j MARK --set-mark 16
iptables -A PREROUTING -t mangle -i $isp -p tcp --sport 21 -j MARK --set-mark 17
iptables -A PREROUTING -t mangle -i $isp -p tcp -m multiport --sport 25, -j MARK --set-mark 18
#Upload
iptables -A POSTROUTING -t mangle -o $isp -p udp --sport 27005 -j MARK --set-mark 22 #CS - testweise
iptables -A POSTROUTING -t mangle -o $isp -p udp --dport 14567 -j MARK --set-mark 22 #BF(manche)
iptables -A POSTROUTING -t mangle -o $isp -p udp --dport 8767 -j MARK --set-mark 23 #TS2(manche)
iptables -A POSTROUTING -t mangle -o $isp -p icmp -j MARK --set-mark 24
iptables -A POSTROUTING -t mangle -o $isp -p tcp --dport 25 -j MARK --set-mark 25
#iptables -A OUTPUT -t mangle -o $isp -p tcp --sport 80 -o $isp -j MARK --set-mark 26
}
###
###No QOS
###
function noqos() {
tc qdisc del dev eth0 root
}
################################################
####
#### Start/Stop-Script
####
case "$1" in
start)
echo -n "Starting firewall..."
startFirewall
qos
echo "...done"
;;
stop)
echo -n "Stopping firewall..."
stopFirewall
noqos
echo "...done"
;;
restart)
$0 stop
$0 start
;;
block)
echo -n "Blocking all Traffic..."
blockFirewall
noqos
echo "...done"
;;
qos)
echo -n "Enabling Qos..."
qos
echo "...done"
;;
noqos)
echo -n "Disabling Qos..."
noqos
echo "...done"
;;
*)
echo "Usage: firewall {start|stop|block|qos|noqos|restart}"
exit 1
;;
esac
Weis einer von euch, was der Fehler sein könnte?