On Friday 2005-September-02 13:01, Tim P wrote:
> Here is the firewall script I am attempting to use/modify to work
> The goal is to forward some services/port back to a system on the
> internal network while allowing everyone on the internal network
> access to the internet.
>
> #
> #!/bin/sh

For a script of this nature the shebang line is not necessary, but anyway
FYI, it is ignored if it's not the first line of the script.

> # Set default policies for packets going through this firewall box
> iptables -N PREROUTING
> iptables -N POSTROUTING

You just created those chains in your filter table.

> iptables -t nat -P PREROUTING DROP
> iptables -t nat -P POSTROUTING DROP

DROP policies in the nat table are not a good idea.

> iptables -P FORWARD DROP
>
> # Set default policies for packet entering this box
>
> iptables -P OUTPUT ALLOW
> iptables -P INPUT ALLOW

ALLOW is not a valid policy.

No further comment on the script, except to recommend that you read the
Packet Filtering HOWTO. It tells you a better way to do this.

> When running this script as root (chmod 755 permissions) I get the
> following error:
> [root@gtds-vpnserver init.d]# ./masqfirewall.sh
> not found.le ip_conntrack_ftp

I smell a custom kernel here.

> iptables: Bad policy name

Some of these might be the ALLOW policies, but ...

> 'ptables v1.3.0: Invalid target name `DROP

This looks really bad. Your custom kernel must be missing important
netfilter drivers.

> iptables v1.3.0: multiple -d flags not allowed

Right, every packet has only one destination, so you cannot match a
packet with two destinations.

> : No such file or directory /proc/sys/net/ipv4/ip_forward
> : command not foundline 69:
>
> [root@gtds-vpnserver init.d]#
>
>
> These errors don't make sense as the modprobes work fine from the
> commandline

I think I know what's wrong.
> I have tried about four ready-made firewall scripts from
> http://www.linuxguruz.com/iptables/ just to see if it was something
> weird in my script and encounter very similar problems. Has anyone

And you edited and saved them using a Windows text editor, right?

> had any luck with this on Fedora Core 4 or is there something I am

There is nothing wrong with stock FC distributions. (The default firewall
is junk, probably, but good firewalls are possible.)

> missing? The last time I made a firewall/router was when ipchains was
> the thing to use so I am not entirely unfamiliar with the process.

Your script must be in Unix text format. Open it in mc(1) using the
built-in editor, and I bet you will see a bunch of ^M characters at line
ends. Delete all those and it might work.

But really ... no ... don't. Use the Packet Filtering HOWTO method, which
is much better than your script, and might help you begin to understand
how it all works.
-- 
mail to this address is discarded unless "/dev/rob0" or "not-spam" is in
Subject: header
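The fault diagnosed in the reply above (a script saved by a Windows editor, so every line ends in CR+LF and the shell looks up commands such as "modprobe<CR>") can be confirmed and repaired without opening an editor. The script below is an added example and is not part of the thread; it writes a constructed three-line sample script with CRLF endings, counts the offending lines, shows that sh fails on it with exit status 127 (command not found), converts it with tr, and shows that the converted copy runs cleanly. The file names, the sample contents and the helper function names are all assumptions made for the demonstration; nothing here touches iptables.

```shell
#!/bin/sh
# Added example: detect and repair DOS (CRLF) line endings in a shell
# script. The sample script and all names below are constructed.

# Write a constructed sample script whose lines end in CR+LF, as a
# Windows editor would save it. $1 = destination path.
write_crlf_sample() {
    printf '#!/bin/sh\r\necho starting\r\ntrue\r\n' > "$1"
}

# Print how many lines of $1 end in a carriage return (0 for a clean
# file). awk reads up to \n, so a CRLF line ends in \r and matches.
count_crlf_lines() {
    awk '/\r$/ { n++ } END { print n + 0 }' "$1"
}

# Convert $1 to Unix line endings, writing the result to $2.
# tr is used rather than sed because BSD sed does not understand \r.
to_unix() {
    tr -d '\r' < "$1" > "$2"
}

# Run $1 with sh and print its exit status (the script's output is
# discarded). On the CRLF sample the last line is the word "true<CR>",
# which is not a command, so sh reports "not found" and exits 127.
script_exit_status() {
    status=0
    sh "$1" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# Demonstration: the CRLF file fails, the converted copy succeeds.
demo() {
    dir=$(mktemp -d)
    write_crlf_sample "$dir/masqfirewall.sh"
    printf 'CRLF lines before: %s\n' "$(count_crlf_lines "$dir/masqfirewall.sh")"
    printf 'exit status before: %s\n' "$(script_exit_status "$dir/masqfirewall.sh")"
    to_unix "$dir/masqfirewall.sh" "$dir/masqfirewall.unix.sh"
    printf 'CRLF lines after: %s\n' "$(count_crlf_lines "$dir/masqfirewall.unix.sh")"
    printf 'exit status after: %s\n' "$(script_exit_status "$dir/masqfirewall.unix.sh")"
    rm -rf "$dir"
}

demo
```

Run against a real script, `count_crlf_lines ./masqfirewall.sh` printing anything other than 0 is the same evidence as the ^M characters seen in mc's editor, and `to_unix` is the equivalent of deleting them. The earlier advice still stands: a clean copy of the script only removes the "not found" and "Bad policy name" noise, it does not make the ruleset itself a good one.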