[Firewall] force-reload error

Lonnie Abelbeck lists at lonnie.abelbeck.com
Tue Feb 19 06:58:09 CET 2013


Randy,

To be clear, this is Arno's firewall script, though I have contributed from time to time.

In the AstLinux project, we have a CRON script that downloads the Spamhaus drop/edrop lists and applies them with "force-reload", you can view it here:

http://astlinux.svn.sourceforge.net/viewvc/astlinux/branches/1.0/package/arnofw/reload-spamhaus-drop

I think the script should be fairly portable.  Most will want to use "/etc/arno-iptables-firewall/blocked-hosts" instead of my "/mnt/kd/blocked-hosts".
==
# reload-spamhaus-drop /mnt/kd/blocked-hosts
The file "/mnt/kd/blocked-hosts" has been updated. Contains 486 lines.

Arno's Iptables Firewall Script v2.0.1d
-------------------------------------------------------------------------------
Blocking (blackhole) direction: Inbound and Outbound
(Re)loading list of BLOCKED hosts from /mnt/kd/blocked-hosts...
 0%.........20%.........40%.........60%.........80%.........100%.........478 host line(s) read

Feb 18 23:54:07 All firewall rules applied.
==

We are using AIF v2.0.1d, your v1.9.2k is quite old.

Lonnie


On Feb 18, 2013, at 8:11 PM, Randy wrote:

> Thanks Lonnie for a great and very useful firewall script. :)))
>  
> Following an idea that was in one of the mailing list mails that came recently I decided to implement the drop list from Spamhaus.org.
>  
> The version I am using is Arno's Iptables Firewall Script v1.9.2k as installed out of the Debian Squeeze repos.
>  
> With a lot of help, as I know very little program/scripting I managed to get a script to download the drop.txt and edrop.txt files and put put them in /etc/arno-iptables-firewal/blocked-hosts and force-reload.
>  
> The script
> ----------------------------------
> #!/bin/bash
>  
> # Thanks to muchomas from my local lug
>  
> LANG=C; LC_ALL=C; export LANG LC_ALL;
>  
> URI="http://www.spamhaus.org/drop"; CONF="/etc/arno-iptables-firewall/blocked-hosts"
>  
> TMPDROP=`mktemp -p /tmp`
> TMPEDROP=`mktemp -p /tmp`
> TMPFILE=`mktemp -p /tmp`
>  
> [ -f $TMPFILE ] || { echo "Error, exiting." >/dev/stderr; exit 1; }
>   wget -q $URI/drop.txt -O /dev/stdout | tail -n +5 > $TMPDROP
>   wget -q $URI/edrop.txt -O /dev/stdout | tail -n +5 > $TMPEDROP
>   cat $TMPDROP $TMPEDROP > $TMPFILE
>  
> [ -s $TMPFILE ] || { echo "Error, exiting." >/dev/stderr; rm -f $TMPFILE; exit 1; }
> OLDLINES=`cat $CONF | wc -l`; NEWLINES=`cat $TMPFILE | wc -l`
> cp -f $CONF /var/cache/`/bin/date +'%Y%m%d'`_blocked-hosts
> sed -e 's/\;.*$//g; /^$/d' $TMPFILE > $CONF && arno-iptables-firewall force-reload
> echo "Blocked-hosts had $OLDLINES lines, now $NEWLINES. Finished, exiting."
> rm -f $TMPDROP $TMPEDROP $TMPFILE; exit 0
>  
> -----------------------------
>  
> The script works fine on my Debian amd64 Wheezy (fully patched weekly) laptop, and it also works fine on my current external host Debian Squeezy (distro-upgraded from Lenny) [not sure arno's version atm]
>  
> The machine I am having issues with is a new external, clean install Squeezy, selinux, and hardened.  The firewall was working fine before I ran the script as far as I know.  When I ran the script for the first time I got this error.
>  
> ----------------------
> :~$ sudo /etc/arno-iptables-firewall/5drop.list
> cat: /etc/arno-iptables-firewall/blocked-hosts: No such file or directory
> cp: cannot stat `/etc/arno-iptables-firewall/blocked-hosts': No such file or directory
> Arno's Iptables Firewall Script v1.9.2k
> -------------------------------------------------------------------------------
> Sanity checks passed...OK
> (Re)loading list of BLOCKED hosts from /etc/arno-iptables-firewall/blocked-hosts...
>  0%.........20%.........40%.........60%.........80%.........100%
>   480 line(s) read.
>  
> /sbin/iptables-restore: (2) iptables-restore v1.4.8: chain name `,HOST_BLOCK_SRC,-s,5.62.128.0/17,-j,HOST_BLOCK_DROP' too long (must be under 30 chars)
> Error occurred at line: 177
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>  
> /sbin/iptables-restore: (2) iptables-restore v1.4.8: chain name `,HOST_BLOCK_DST,-d,5.62.128.0/17,-j,HOST_BLOCK_DROP' too long (must be under 30 chars)
> Error occurred at line: 176
> Try `iptables-restore -h' or 'iptables-restore --help' for more information.
>  
> Feb 15 14:59:54 WARNING: Not all firewall rules are applied.
> Blocked-hosts had 0 lines, now 480. Finished, exiting.
> :~$ 
> -----------------------
>  
> I was connected to the machine at the time via ssh and all seam to still work.  But then I had to shut down for the day.  I restarted the machine tonight to continue working on it and got a very similar message during boot.
>  
> Do I remember seeing some thing about this on the list some time ago?  And upgrading to a more recent version was the fix. I looked back trough what I have but didn't see it.
>  
> Thanks
>  
> Randy
>  
> -- 
> If it ain't broke tweek it
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl



More information about the Firewall mailing list