LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-06-2001, 04:05 AM   #1
dalk
LQ Newbie
 
Registered: Apr 2001
Location: Dublin
Posts: 5



Hi ....

OK... I only started using Linux (RedHat 7) a few weeks ago because I was instructed to build a firewall on a zero budget. I've been closely following the 'Firewall how-to' and the advice from various sites and everything's been going great (rebuilt the kernel, installed 2 network cards, enabled packet forwarding, etc.); everything that should be working is, that is until now (cue sinister music).

I've gotten to the stage where I set the rules for ipchains. I've written the firewall script rc.firewall with all the services I need etc. (thanks to R. Ziegler's site http://www.linux-firewall-tools.com/linux/), but I can't get the script to run properly!

When I run the script (using the command #sh /etc/rc.d/rc.firewall) I get a load of error messages, e.g. "command not found" and "no such file or directory" etc. The thing is that if I type the command in on the command line it works fine, but if it's in the script it doesn't work. Also, the files it says aren't there are there. Because of my lack of experience in Linux, I presume (hope) I am missing something simple. What am I doing wrong?

Please help!

 
Old 04-06-2001, 05:22 AM   #2
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Dalk,

I assume ipchains is at /sbin/ipchains.
Type at the root prompt:
# which ipchains
(if not found, it's not in the path)

Anyway, you say it works from the command line, so try this (make sure you're root):

chown root /etc/rc.d/rc.firewall
chgrp root /etc/rc.d/rc.firewall
chmod 700 /etc/rc.d/rc.firewall

Then run it with this:

/etc/rc.d/rc.firewall

Also add this line to your rc.local file so it starts up on boot.

If you still get lots of errors, it's ipchains telling you some of your rules are incorrect.
Solution is to go through each one and find the cause.

If you need help on setting up an ipchains rule file, shout.
This is an example:
10.1.1.10 is the internal IP ("eth0").
219.200.1.10 is the external IP address ("eth1").

rc.firewall
#!/bin/sh
# setup the ipv4 files for packet options
# echo 1 > /proc/sys/net/ipv4/ip_forward
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# clear all ipchains settings
ipchains -F

# Deny all access to server: default policies, secure mode enabled.
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward DENY

# startup firewall script
# sets masquerade timeout values (TCP, TCP after FIN, UDP) in seconds
ipchains -M -S 3600 10 160

# magic NAT setting for MASQing the internal network out through eth1
ipchains -A forward -i eth0 -s 10.1.1.0/24 -j MASQ

# allows access to the server from loopback and the internal network (eth0)
ipchains -A input -i lo -j ACCEPT
ipchains -A output -i lo -j ACCEPT
ipchains -A input -i eth0 -s 10.1.1.0/24 -j ACCEPT
ipchains -A output -i eth0 -d 10.1.1.0/24 -j ACCEPT

# Deny Windows NetBIOS (ports 137-139) in every direction
ipchains -A input -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A input -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A forward -p udp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p tcp -s 0/0 --dport 137:139 -j DENY
ipchains -A output -p udp -s 0/0 --dport 137:139 -j DENY

# Deny and log (-l) packets with spoofed or bogus addresses on either interface
ipchains -A input -i eth0 -s 10.0.0.0/8 -d 0/0 -j DENY -l
ipchains -A input -i eth1 -s 10.0.0.0/8 -d 0/0 -j DENY -l
ipchains -A input -i eth0 -s 127.0.0.0/8 -d 0/0 -j DENY -l
ipchains -A input -i eth1 -s 127.0.0.0/8 -d 0/0 -j DENY -l
ipchains -A input -i eth0 -s 255.255.255.255 -j DENY -l
ipchains -A input -i eth1 -s 255.255.255.255 -j DENY -l
ipchains -A input -i eth0 -d 0.0.0.0 -j DENY -l
ipchains -A input -i eth1 -d 0.0.0.0 -j DENY -l

# http access out (replies accepted only if not SYN, i.e. ! -y)
ipchains -A output -p tcp -s 219.200.1.10 1023:65535 --dport 80 -t 0x01 0x10 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 80 -d 219.200.1.10 1023:65535 -j ACCEPT

# dns access out (tcp)
ipchains -A output -p tcp -s 219.200.1.10 1023:65535 --dport 53 -j ACCEPT
ipchains -A input -p tcp ! -y -s 0/0 --sport 53 -d 219.200.1.10 1024:65535 -j ACCEPT
ipchains -A output -p tcp -s 10.1.1.0/24 1023:65535 --dport 53 -j ACCEPT

# DNS lookup udp allowed
ipchains -A input -p udp -s 0/0 53 -d 219.200.1.10 1023:65535 -j ACCEPT
ipchains -A output -p udp -s 219.200.1.10 1023:65535 -d 0/0 -j ACCEPT
ipchains -A output -p udp -s 10.1.1.0/24 1024:65535 -d 0/0 -j ACCEPT


This is secure-ish, but people can scan your open ports above 1023 if they fake a DNS packet.
You can fix it by putting in your ISP's DNS servers.

Anyway it's something to play with.

/Raz
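The weakness Raz points out is the "-s 0/0 53" input rule: any packet whose UDP source port is 53 is accepted to the whole unprivileged port range, whatever its source address. The following is an added example, not Raz's script or anything from LinuxQuestions: it prints that weak rule beside the narrowed form he suggests (reply rules per named resolver, then a logged deny for everything else claiming port 53) and gives a one-line audit of an existing rc.firewall. 219.200.1.10 is the thread's example external address; the resolver addresses passed in are constructed placeholders for your ISP's real ones.

```shell
#!/bin/sh
# Added example, not the thread's rc.firewall. Emits ipchains rules as text;
# it does not run ipchains, so it can be inspected on any machine.
EXT_IP=219.200.1.10   # external address from the thread's example (eth1)

# weak_dns_rule: the rule as posted. Source address 0/0 means any host that
# sends from UDP port 53 reaches ports 1023-65535 on the firewall.
weak_dns_rule() {
    echo "ipchains -A input -p udp -s 0/0 53 -d $EXT_IP 1023:65535 -j ACCEPT"
}

# narrowed_dns_rules RESOLVER...: per resolver, accept UDP replies and
# non-SYN (! -y) TCP replies from port 53 only; then deny and log (-l)
# anything else that arrives with source port 53.
narrowed_dns_rules() {
    for r in "$@"; do
        echo "ipchains -A input -p udp -s $r 53 -d $EXT_IP 1023:65535 -j ACCEPT"
        echo "ipchains -A input -p tcp ! -y -s $r 53 -d $EXT_IP 1023:65535 -j ACCEPT"
    done
    echo "ipchains -A input -p udp -s 0/0 53 -d $EXT_IP 1023:65535 -j DENY -l"
}

# wildcard_port53_accepts FILE: count ACCEPT rules in FILE that take traffic
# from any source address on port 53 (quick audit of an existing script).
# grep -c exits 1 when the count is 0, so "|| true" keeps the count printed.
wildcard_port53_accepts() {
    grep -c -- '-s 0/0 53 .*-j ACCEPT' "$1" || true
}

# Usage: sh dns_rules.sh 192.0.2.1 192.0.2.2 > dns_rules.txt
if [ $# -gt 0 ]; then
    narrowed_dns_rules "$@"
fi
```

The resolver list is the only thing that changes between the two forms; the deny rule at the end is what turns a forged port-53 probe into a log line instead of an open port.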

 
Old 04-06-2001, 06:01 AM   #3
dalk
LQ Newbie
 
Registered: Apr 2001
Location: Dublin
Posts: 5

Original Poster
thanks raz...

Yeah, ipchains is in /sbin/ipchains.

I still have a problem though, which leads me to believe I've missed something earlier. When I try to run the script using /etc/rc.d/rc.firewall I get this error:

bash: /etc/rc.d/rc.firewall: no such file or directory

The file is in the directory, I'm sure of that.

Mmmm... I originally knocked out the script on a Windoze machine and transferred it to the firewall machine on a (MS-DOS) floppy. I'm grasping at straws here!

Thanks for the example script, by the way. I'm gonna concentrate more on that when I've sorted this problem out....
 
Old 04-06-2001, 06:25 AM   #4
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Dalk,

Could be anything.
Make sure you have the line
#!/bin/sh
at the start of your script.

Then try that command again:
/etc/rc.d/rc.firewall

If it says that bash error, then try:

# cd /etc/rc.d
# ./rc.firewall

What happens, does it run?

Yes, windoze can add hidden return codes that cause scripts to fail.

If you ever write anything in windoze, use "notepad".

Try to open the script file in "kedit" or "vi", or make a new one and see if it loads. (Must do the chmod +x name, or 700, to enable it to run when done.)

/Raz
 
Old 04-06-2001, 06:43 AM   #5
dalk
LQ Newbie
 
Registered: Apr 2001
Location: Dublin
Posts: 5

Original Poster
ok..

Thanks again, Raz.

Yeah, #!/bin/sh is at the top of the script.

Still doesn't run, even when in the directory. Same error.

The script was written using notepad, so that's all right. I can open the script in vi and emacs no problem and it looks fine, the way it should be...

I'm gonna re-write the script on the Linux box now and see if it makes a difference.... fingers crossed.


 
Old 04-10-2001, 06:07 AM   #6
dalk
LQ Newbie
 
Registered: Apr 2001
Location: Dublin
Posts: 5

Original Poster

Raz

I rewrote the script on the Linux box this time and it's working just fine (just have to optimise the rules now). All this time and it was just because of something that was added somewhere by windoze.... there's a lesson there someplace...
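The "something added by windoze" is the carriage return before each newline. The kernel reads the "#!" line up to the newline, so a DOS-format script asks for the interpreter "/bin/sh<CR>", which does not exist, and bash then reports the script itself as "no such file or directory" (as in post #3); run via "sh script" instead, the interpreter line is ignored but every command is executed with a trailing CR, which gives the "command not found" errors of post #1. The following is an added example, not code from the thread: a small checker that shows the interpreter path exactly as the kernel sees it, strips the CRs in place, and builds a constructed sample script to try it on. File names and the sample script are invented for this example.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose and repair a script that was
# written on Windows and copied to a Linux box with DOS line endings.

# has_crlf FILE: succeed if FILE contains carriage-return characters
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# shebang_interp FILE: print the interpreter path from line 1 exactly as the
# kernel sees it. A trailing CR is deliberately kept, because that is the bug.
shebang_interp() {
    sed -n '1s/^#![[:space:]]*//p' "$1" | cut -d' ' -f1
}

# check_script FILE: return 0 if FILE should execute, 1 otherwise,
# printing one line per problem found
check_script() {
    f=$1
    rc=0
    if has_crlf "$f"; then
        echo "$f: contains CR characters (DOS line endings); run fix_crlf"
        rc=1
    fi
    interp=$(shebang_interp "$f")
    if [ -z "$interp" ]; then
        echo "$f: no #! line; add #!/bin/sh as line 1"
        rc=1
    elif [ ! -x "$interp" ]; then
        # show the CR as '?' so the invisible byte becomes visible in the report
        echo "$f: interpreter '$(printf '%s' "$interp" | tr '\r' '?')' not found"
        rc=1
    fi
    if [ ! -x "$f" ]; then
        echo "$f: not executable; chmod 700 $f"
        rc=1
    fi
    return $rc
}

# fix_crlf FILE: strip every CR in place (what dos2unix does), keeping FILE.bak;
# writing through the existing file preserves its mode bits
fix_crlf() {
    cp "$1" "$1.bak" && tr -d '\r' < "$1.bak" > "$1"
}

# make_sample FILE: constructed sample, a two-line script as Notepad would save it
make_sample() {
    printf '#!/bin/sh\r\necho firewall rules would go here\r\n' > "$1"
}

# Usage: sh check_script.sh /etc/rc.d/rc.firewall
if [ -n "${1-}" ]; then
    check_script "$1"
fi
```

On a CRLF file the report names the interpreter as '/bin/sh?', which is the whole explanation of the confusing error message; after fix_crlf and chmod 700 the same check passes and the script runs.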
