[Firewall] force-reload error

Randy thejunk.b at gmail.com
Tue Feb 19 03:11:30 CET 2013

Thanks, Lonnie, for a great and very useful firewall script. :)))
Following an idea that was in one of the mailing list mails that came recently, 
I decided to implement the DROP list from Spamhaus.org.
The version I am using is Arno's Iptables Firewall Script v1.9.2k as installed 
out of the Debian Squeeze repos.
With a lot of help, as I know very little programming/scripting, I managed to get a 
script to download the drop.txt and edrop.txt files, put them in 
/etc/arno-iptables-firewall/blocked-hosts and force-reload.
The script:
#!/bin/sh
# Thanks to muchomas from my local lug
# Fetch the Spamhaus DROP and EDROP lists and install them as the firewall's blocked-hosts file.
URI="http://www.spamhaus.org/drop"; CONF="/etc/arno-iptables-firewall/blocked-hosts"
TMPDROP=`mktemp -p /tmp`
TMPEDROP=`mktemp -p /tmp`
TMPFILE=`mktemp -p /tmp`
[ -f "$TMPFILE" ] || { echo "Error, exiting." >&2; exit 1; }
# Skip the four header lines of each list
wget -q "$URI/drop.txt" -O - | tail -n +5 > "$TMPDROP"
wget -q "$URI/edrop.txt" -O - | tail -n +5 > "$TMPEDROP"
cat "$TMPDROP" "$TMPEDROP" > "$TMPFILE"   # combine both lists (the step filling $TMPFILE was missing from the script as posted)
[ -s "$TMPFILE" ] || { echo "Error, exiting." >&2; rm -f "$TMPDROP" "$TMPEDROP" "$TMPFILE"; exit 1; }
if [ -f "$CONF" ]; then
    OLDLINES=`wc -l < "$CONF"`
    cp -f "$CONF" /var/cache/`/bin/date +'%Y%m%d'`_blocked-hosts   # dated backup of the previous list
else
    OLDLINES=0
fi
# Strip the "; SBLnnn" comments and any whitespace they leave behind, drop empty lines, then reload
sed -e 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; /^$/d' "$TMPFILE" > "$CONF" && arno-iptables-firewall force-reload
NEWLINES=`wc -l < "$CONF"`
rm -f "$TMPDROP" "$TMPEDROP" "$TMPFILE"
echo "Blocked-hosts had $OLDLINES lines, now $NEWLINES. Finished, exiting."
The script works fine on my Debian amd64 Wheezy (fully patched weekly) laptop, 
and it also works fine on my current external host, Debian Squeeze (distro-upgraded 
from Lenny) [not sure of Arno's version atm].
The machine I am having issues with is a new external, clean install Squeeze, 
SELinux, and hardened.  The firewall was working fine before I ran the script, as 
far as I know.  When I ran the script for the first time I got this error:
:~$ sudo /etc/arno-iptables-firewall/5drop.list
cat: /etc/arno-iptables-firewall/blocked-hosts: No such file or directory
cp: cannot stat `/etc/arno-iptables-firewall/blocked-hosts': No such file or directory
Arno's Iptables Firewall Script v1.9.2k
Sanity checks passed...OK
(Re)loading list of BLOCKED hosts from /etc/arno-iptables-firewall/blocked-hosts
  480 line(s) read.
/sbin/iptables-restore: (2) iptables-restore v1.4.8: chain name `,HOST_BLOCK_SRC,-s,,-j,HOST_BLOCK_DROP' too long (must be under 30 chars)
Error occurred at line: 177
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
/sbin/iptables-restore: (2) iptables-restore v1.4.8: chain name `,HOST_BLOCK_DST,-d,,-j,HOST_BLOCK_DROP' too long (must be under 30 chars)
Error occurred at line: 176
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Feb 15 14:59:54 WARNING: Not all firewall rules are applied.
Blocked-hosts had 0 lines, now 480. Finished, exiting.
I was connected to the machine at the time via SSH and all seemed to still work.  
But then I had to shut down for the day.  I restarted the machine tonight to 
continue working on it and got a very similar message during boot.
Do I remember seeing something about this on the list some time ago?  And 
upgrading to a more recent version was the fix.  I looked back through what I 
have but didn't see it.


If it ain't broke, tweak it
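An added example, not from the posting above and not part of arno-iptables-firewall, of how the downloaded lists can be normalised and checked before they are written to blocked-hosts and the firewall is reloaded. The output above shows iptables-restore being handed a rule with an empty source address (`-s,,`). A substitution like `s/\;.*$//` removes the comment but not any whitespace in front of it, so a line that is blank or whitespace-only after stripping would survive `/^$/d`; that is one way an empty host could reach the firewall (an assumption, the posting does not identify the cause). The sample lists are constructed, using documentation prefixes rather than Spamhaus data, and the function names `normalize_drop` and `validate_hosts` are mine.

```shell
#!/bin/sh
# Added example (not from the original post or from arno-iptables-firewall):
# normalise Spamhaus DROP/EDROP text into one-entry-per-line form and
# validate every entry before the file is handed to the firewall.
# Assumptions: input follows the drop.txt layout ("CIDR ; SBLnnn" data lines,
# ';'-prefixed header/comment lines); function names are mine.

# Constructed sample in drop.txt layout (documentation prefixes, not Spamhaus data).
SAMPLE_DROP='; Spamhaus DROP List (constructed sample)
; Last-Modified: example
;
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
 ; SBL000003
203.0.113.0/24;SBL000004
203.0.113.0/24 ; SBL000005 duplicate
'

# Constructed list containing entries the firewall must never see.
BAD_SAMPLE='192.0.2.0/24

203.0.113.0/33
not.an.ip
'

# Remove CRs, "; ..." comments, surrounding whitespace and blank lines; dedupe.
# A whitespace-only remainder is deleted here instead of surviving as an empty host.
normalize_drop() {
    tr -d '\r' \
    | sed -e 's/[[:space:]]*;.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
    | sort -u
}

# Pass through lines that are a dotted-quad IPv4 address or IPv4/prefix;
# report anything else on stderr and exit non-zero so the caller can abort
# before overwriting blocked-hosts and reloading.
validate_hosts() {
    awk '
    function octet_ok(o) { return (o ~ /^[0-9]+$/ && length(o) <= 3 && o + 0 <= 255) }
    {
        bad = 0
        n = split($0, part, "/")
        if ($0 == "" || n > 2 || $0 ~ "[^0-9./]") {
            bad = 1
        } else if (n == 2 && (part[2] !~ /^[0-9]+$/ || part[2] + 0 > 32)) {
            bad = 1
        } else {
            m = split(part[1], oct, ".")
            if (m != 4) bad = 1
            for (i = 1; i <= m && !bad; i++) if (!octet_ok(oct[i])) bad = 1
        }
        if (bad) { nbad++; printf "rejected entry: \"%s\"\n", $0 > "/dev/stderr" }
        else print
    }
    END { exit (nbad > 0) }'
}

# Demo: the good sample yields three unique entries and passes validation.
printf '%s' "$SAMPLE_DROP" | normalize_drop | validate_hosts
# The bad sample is rejected (prefix /33 and a hostname), so nothing would be installed.
if printf '%s' "$BAD_SAMPLE" | normalize_drop | validate_hosts >/dev/null; then
    echo "unexpected: bad sample passed"
else
    echo "bad sample rejected, list not installed"
fi
```

In a download script the two functions sit between `wget` and the write to blocked-hosts: `normalize_drop < "$TMPFILE" | validate_hosts > "$NEWLIST" || exit 1`, so a bad fetch or a malformed entry stops before the old list is replaced and `force-reload` is run.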
