Help with SAMS' iptables script

John E. Mayorga john.mayorga@hsa.hitachi.com
Wed, 13 Jun 2001 10:21:00 -0700 

Has anyone tried the iptables script from the book "SAMS Teach Yourself
Linux Security Basics in 24 hours"?  It seems to have some kind of bug
in it, but I can't nail it down.  I've tried commenting lines out to
isolate the problem, but to no avail.  Here is the output followed by
the script (modified for verbose output):


[root@c1448019-a firewall]# ./sams
Clear out all existing rules and user-created chains
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Add your own external IP here
And your internal network plus mask here if applicable
And your Web servers address here if applicable
WEB=192.168.1.1
 
 
echo Edit to reflect your network(s)
INTERNAL=eth1
EXTERNAL=eth0
 
echo Allow any traffic that we initiated
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j
ACCEPT
 
echo Find the nameservers in /etc/resolv.conf; allow lookups
for DNS in $(grep ^n /etc/resolv.conf | awk {print }); do
        iptables -t filter -A INPUT -p udp -s $DNS --source-port domain
-j ACCEPT
done
 
echo Allow incoming Web if necessary
if [ "$WEB" != "" ]; then
        iptables -t filter -A INPUT -p tcp --source-port www -j ACCEPT
fi
 
echo Deny and log everything else that isnt on loopback
Now enable network address traslation if necessary
echoing to ip_forward
echoing rp_filter
echoed rp_filter
./sams: [: =: unary operator expected
Warning: wierd character in interface `-j' (No aliases, :, ! or *).
Bad argument `SNAT'
Try `iptables -h' or 'iptables --help' for more information.
And set up port forwarding to our Web server
end script
[root@c1448019-a firewall]#






#! /bin/bash

echo Clear out all existing rules and user-created chains
for TABLE in filter nat mangle; do
        iptables -t $TABLE -F
        iptables -t $TABLE -X
done

ipchains -L

echo Add your own external IP here (not my real IP)
MYIP=1.2.3.4

echo And your internal network plus mask here if applicable
INT=192.168.1.0/24

echo And you Web server's address here if applicable
WEB=192.168.1.14

echo Edit to reflect your network(s)
INTERNAL=eth1
EXTERNAL=eth0

echo Allow any traffic that we initiated
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j
ACCEPT

echo Find the nameservers in /etc/resolv.conf; allow lookups
for DNS in $(grep ^n /etc/resolv.conf|awk '{print $2}'); do
        iptables -t filter -A INPUT -p udp -s $DNS --source-port domain
-j ACCEPT
done

echo Allow incoming Web if necessary
if [ "$WEB" != "" ]; then
        iptables -t filter -A INPUT -p tcp --source-port www -j ACCEPT
fi

echo Deny and log everything else taht isn't on loopback
iptables -N logdeny
iptables -t filter -A logdeny -j LOG --log-prefix "iptables: "
iptables -t filter -A logdeny -j DROP
iptables -t filter -A INPUT -i ! lo -m state --state NEW,INVALID -j
logdeny

echo Now, enable network address translation if necessary
if [ "$INT" != "" ]; then
echo echoing ip_forward
        echo 1 > /proc/sys/net/ipv4/ip_forward
echo echoing rp_filter
        echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo echoed rp_filter
        if [ $EXTERNAL = ppp0 ]; then
                iptables -t nat -A POSTROUTING -o $EXTERNAL -j
MASQUERADE
        else
                iptables -t nat -A POSTROUTING -o $EXTERNAL -j SNAT --to
$MYIP
        fi
fi

echo And set up port forwarding to our Web server
if [ "$WEB" != "" ]; then
        iptables -t nat -A PREROUTING -p tcp -d $MYIP --dport http -j
DNAT --to $WEB:80
fi

echo End Script




-- 
John E. Mayorga
HSA Email Administrator
postmaster@hsa.hitachi.com
john.mayorga@hsa.hitachi.com
+1.408.922.4031






















-- 
John E. Mayorga
HSA Email Administrator
postmaster@hsa.hitachi.com
john.mayorga@hsa.hitachi.com
+1.408.922.4031