[Firewall] force-reload error

Randy thejunk.b at gmail.com
Tue Feb 19 03:11:30 CET 2013


Thanks Lonnie for a great and very useful firewall script. :)))
 
Following an idea that was in one of the mailing list mails that came recently 
I decided to implement the drop list from Spamhaus.org.
 
The version I am using is Arno's Iptables Firewall Script v1.9.2k as installed 
out of the Debian Squeeze repos.
 
With a lot of help, as I know very little programming/scripting, I managed to get a 
script to download the drop.txt and edrop.txt files, put them in 
/etc/arno-iptables-firewall/blocked-hosts and force-reload.
 
The script
----------------------------------
#!/bin/bash

# Thanks to muchomas from my local lug

LANG=C; LC_ALL=C; export LANG LC_ALL;

URI="http://www.spamhaus.org/drop"; CONF="/etc/arno-iptables-firewall/blocked-hosts"

# Temporary files for the two downloads and the combined list
TMPDROP=`mktemp -p /tmp`
TMPEDROP=`mktemp -p /tmp`
TMPFILE=`mktemp -p /tmp`

[ -f "$TMPFILE" ] || { echo "Error, exiting." >&2; exit 1; }
# Skip the header lines at the top of each list
wget -q "$URI/drop.txt" -O - | tail -n +5 > "$TMPDROP"
wget -q "$URI/edrop.txt" -O - | tail -n +5 > "$TMPEDROP"
cat "$TMPDROP" "$TMPEDROP" > "$TMPFILE"

# Bail out if nothing was downloaded
[ -s "$TMPFILE" ] || { echo "Error, exiting." >&2; rm -f "$TMPDROP" "$TMPEDROP" "$TMPFILE"; exit 1; }
OLDLINES=`cat "$CONF" | wc -l`; NEWLINES=`cat "$TMPFILE" | wc -l`
# Keep a dated backup of the previous blocked-hosts file
cp -f "$CONF" /var/cache/`/bin/date +'%Y%m%d'`_blocked-hosts
# Strip the "; SBLxxx" comments and empty lines, then reload the firewall
sed -e 's/\;.*$//g; /^$/d' "$TMPFILE" > "$CONF" && arno-iptables-firewall force-reload
echo "Blocked-hosts had $OLDLINES lines, now $NEWLINES. Finished, exiting."
rm -f "$TMPDROP" "$TMPEDROP" "$TMPFILE"; exit 0
 
-----------------------------
 
The script works fine on my Debian amd64 Wheezy (fully patched weekly) laptop, 
and it also works fine on my current external host Debian Squeezy 
(distro-upgraded from Lenny) [not sure arno's version atm]
 
The machine I am having issues with is a new external, clean install Squeezy, 
selinux, and hardened.  The firewall was working fine before I ran the script as 
far as I know.  When I ran the script for the first time I got this error.
 
----------------------
:~$ sudo /etc/arno-iptables-firewall/5drop.list
cat: /etc/arno-iptables-firewall/blocked-hosts: No such file or directory
cp: cannot stat `/etc/arno-iptables-firewall/blocked-hosts': No such file or directory
Arno's Iptables Firewall Script v1.9.2k
-------------------------------------------------------------------------------
Sanity checks passed...OK
(Re)loading list of BLOCKED hosts from /etc/arno-iptables-firewall/blocked-hosts...
 0%.........20%.........40%.........60%.........80%.........100%
  480 line(s) read.
 
/sbin/iptables-restore: (2) iptables-restore v1.4.8: chain name `,HOST_BLOCK_SRC,-s,5.62.128.0/17,-j,HOST_BLOCK_DROP' too long (must be under 30 chars)
Error occurred at line: 177
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
 
/sbin/iptables-restore: (2) iptables-restore v1.4.8: chain name `,HOST_BLOCK_DST,-d,5.62.128.0/17,-j,HOST_BLOCK_DROP' too long (must be under 30 chars)
Error occurred at line: 176
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
 
Feb 15 14:59:54 WARNING: Not all firewall rules are applied.
Blocked-hosts had 0 lines, now 480. Finished, exiting.
:~$ 
-----------------------
 
I was connected to the machine at the time via ssh and all seemed to still work.  
But then I had to shut down for the day.  I restarted the machine tonight to 
continue working on it and got a very similar message during boot.
 
Do I remember seeing something about this on the list some time ago?  And 
upgrading to a more recent version was the fix. I looked back through what I 
have but didn't see it.

Thanks

Randy
 
-- 
If it ain't broke tweek it
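As an added example (not Randy's script and not the project's own code), the same drop.txt clean-up written as a shell function that only lets well-formed IPv4 prefixes through to blocked-hosts, so a truncated or malformed download cannot reach iptables-restore; the sample list is constructed in the drop.txt layout, and update_blocked_hosts assumes the same paths and the `arno-iptables-firewall force-reload` command used in the post.

```shell
#!/bin/sh
# Added example, not the project's code: turn Spamhaus DROP-format text into
# one validated CIDR per line. Comments run from ';' to end of line.

# Constructed sample in the drop.txt layout (header comments, then "cidr ; SBLid").
SAMPLE_DROP='; Spamhaus DROP List - constructed sample, not a real download
; last updated: (none)
;
5.62.128.0/17 ; SBL1234
bogus line ; SBL9999
; comment only

10.0.0.0/8 ; SBL5678
'

# Read DROP-format text on stdin, write validated CIDRs on stdout.
# Lines that survive the comment strip but are not a.b.c.d/nn with
# every octet <= 255 and the prefix length <= 32 are dropped.
clean_drop_list() {
    sed -e 's/;.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' |
    awk -F'[./]' '{ ok = 1
                    for (i = 1; i <= 4; i++) if ($i > 255) ok = 0
                    if ($5 > 32) ok = 0
                    if (ok) print }'
}

# Fetch both lists, clean them, and replace blocked-hosts atomically only when
# the content changed, then force-reload. Needs network and root; not run here.
update_blocked_hosts() {
    uri="http://www.spamhaus.org/drop"
    conf="${1:-/etc/arno-iptables-firewall/blocked-hosts}"
    tmp=$(mktemp) || return 1
    { wget -q -O - "$uri/drop.txt"; wget -q -O - "$uri/edrop.txt"; } |
        clean_drop_list > "$tmp"
    [ -s "$tmp" ] || { echo "empty list, keeping $conf" >&2; rm -f "$tmp"; return 1; }
    if [ -f "$conf" ] && cmp -s "$tmp" "$conf"; then rm -f "$tmp"; return 0; fi
    [ -f "$conf" ] && cp -f "$conf" "/var/cache/$(date +%Y%m%d)_blocked-hosts"
    mv -f "$tmp" "$conf" && arno-iptables-firewall force-reload
}

# Offline demo on the constructed sample: prints the two valid prefixes.
printf '%s' "$SAMPLE_DROP" | clean_drop_list
```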