[Firewall] force-reload error

Randy thejunk.b at gmail.com
Wed Feb 20 02:23:27 CET 2013


Slap me in the head for stupid.  My apologies both to you Lonnie and to Arno.  
Guess I just was not paying attention.

I don't really want to change scripts again.  I am using the 5th different one 
already, compared with the one I started with.  And I barely understand this one; 
the one you linked me to is way over my head and I have no clue how to port it to 
my system.

As for the script I am using, it works fine on two other boxes and I will be 
testing it on others shortly as I have time.  I would really like to determine 
what software is causing the issue.

There is one change that needs to be made to the script for it to work as a 
cron job, the line containing "arno-iptables-firewall force-reload" needs to be 
the absolute path.  At least on my systems where I have the script in the 
/etc/arno-iptables-firewall directory.  I have yet to make this change on the 
malfunctioning host.  But I don't think that will affect the iptables-restore 
error.

The existing external host that works correctly has 2.0 on it.  I will be 
updating the new external as soon as time permits.  Maybe that will fix it.

What I find puzzling is that all the other lines in the blocked-hosts file are 
in the same format, with some even being longer as they contain 3 characters 
for each segment, yet they don't kick out the error.

Thanks

Randy

On Tuesday, February 19, 2013, Lonnie Abelbeck wrote:
> Randy,
> 
> To be clear, this is Arno's firewall script, though I have contributed from
> time to time.
> 
> In the AstLinux project, we have a CRON script that downloads the Spamhaus
> drop/edrop lists and applies them with "force-reload", you can view it
> here:
> 
> http://astlinux.svn.sourceforge.net/viewvc/astlinux/branches/1.0/package/arnofw/reload-spamhaus-drop
> 
> I think the script should be fairly portable.  Most will want to use
> "/etc/arno-iptables-firewall/blocked-hosts" instead of my
> "/mnt/kd/blocked-hosts".
> 
> ==
> # reload-spamhaus-drop /mnt/kd/blocked-hosts
> The file "/mnt/kd/blocked-hosts" has been updated. Contains 486 lines.
> 
> Arno's Iptables Firewall Script v2.0.1d
> -------------------------------------------------------------------------------
> Blocking (blackhole) direction: Inbound and Outbound
> (Re)loading list of BLOCKED hosts from /mnt/kd/blocked-hosts...
>  0%.........20%.........40%.........60%.........80%.........100%.........
> 478 host line(s) read
> 
> Feb 18 23:54:07 All firewall rules applied.
> ==
> 
> We are using AIF v2.0.1d, your v1.9.2k is quite old.
> 
> Lonnie
> 
> On Feb 18, 2013, at 8:11 PM, Randy wrote:
> > Thanks Lonnie for a great and very useful firewall script. :)))
> > 
> > Following an idea that was in one of the mailing list mails that came
> > recently I decided to implement the drop list from Spamhaus.org.
> > 
> > The version I am using is Arno's Iptables Firewall Script v1.9.2k as
> > installed out of the Debian Squeeze repos.
> > 
> > With a lot of help, as I know very little program/scripting, I managed to
> > get a script to download the drop.txt and edrop.txt files and put
> > them in /etc/arno-iptables-firewall/blocked-hosts and force-reload.
> > 
> > The script
> > ----------------------------------
> > #!/bin/bash
> > 
> > # Thanks to muchomas from my local lug
> > 
> > LANG=C; LC_ALL=C; export LANG LC_ALL;
> > 
> > URI="http://www.spamhaus.org/drop";
> > CONF="/etc/arno-iptables-firewall/blocked-hosts"
> > 
> > TMPDROP=`mktemp -p /tmp`
> > TMPEDROP=`mktemp -p /tmp`
> > TMPFILE=`mktemp -p /tmp`
> > 
> > [ -f $TMPFILE ] || { echo "Error, exiting." >/dev/stderr; exit 1; }
> > 
> > # Fetch both lists, skipping the comment header at the top of each file
> > wget -q $URI/drop.txt -O /dev/stdout | tail -n +5 > $TMPDROP
> > wget -q $URI/edrop.txt -O /dev/stdout | tail -n +5 > $TMPEDROP
> > cat $TMPDROP $TMPEDROP > $TMPFILE
> > 
> > # Refuse to continue with an empty download
> > [ -s $TMPFILE ] || { echo "Error, exiting." >/dev/stderr; rm -f $TMPFILE; exit 1; }
> > 
> > OLDLINES=`cat $CONF | wc -l`; NEWLINES=`cat $TMPFILE | wc -l`
> > 
> > # Keep a dated copy of the previous list, then strip the "; SBLnnn"
> > # comments and blank lines, install the new list and reload the firewall
> > cp -f $CONF /var/cache/`/bin/date +'%Y%m%d'`_blocked-hosts
> > sed -e 's/\;.*$//g; /^$/d' $TMPFILE > $CONF && arno-iptables-firewall force-reload
> > 
> > echo "Blocked-hosts had $OLDLINES lines, now $NEWLINES. Finished, exiting."
> > rm -f $TMPDROP $TMPEDROP $TMPFILE
> > exit 0
> > 
> > -----------------------------
> > 
> > The script works fine on my Debian amd64 Wheezy (fully patched weekly)
> > laptop, and it also works fine on my current external host Debian
> > Squeezy (distro-upgraded from Lenny) [not sure arno's version atm]
> > 
> > The machine I am having issues with is a new external, clean install
> > Squeezy, selinux, and hardened.  The firewall was working fine before I
> > ran the script as far as I know.  When I ran the script for the first
> > time I got this error.
> > 
> > ----------------------
> > 
> > :~$ sudo /etc/arno-iptables-firewall/5drop.list
> > 
> > cat: /etc/arno-iptables-firewall/blocked-hosts: No such file or directory
> > cp: cannot stat `/etc/arno-iptables-firewall/blocked-hosts': No such file or directory
> > 
> > Arno's Iptables Firewall Script v1.9.2k
> > -------------------------------------------------------------------------------
> > Sanity checks passed...OK
> > (Re)loading list of BLOCKED hosts from /etc/arno-iptables-firewall/blocked-hosts...
> > 
> >  0%.........20%.........40%.........60%.........80%.........100%
> >  
> >   480 line(s) read.
> > 
> > /sbin/iptables-restore: (2) iptables-restore v1.4.8: chain name
> > `,HOST_BLOCK_SRC,-s,5.62.128.0/17,-j,HOST_BLOCK_DROP' too long (must be under 30 chars)
> > Error occurred at line: 177
> > Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> > 
> > /sbin/iptables-restore: (2) iptables-restore v1.4.8: chain name
> > `,HOST_BLOCK_DST,-d,5.62.128.0/17,-j,HOST_BLOCK_DROP' too long (must be under 30 chars)
> > Error occurred at line: 176
> > Try `iptables-restore -h' or 'iptables-restore --help' for more information.
> > 
> > Feb 15 14:59:54 WARNING: Not all firewall rules are applied.
> > Blocked-hosts had 0 lines, now 480. Finished, exiting.
> > 
> > :~$
> > 
> > -----------------------
> > 
> > I was connected to the machine at the time via ssh and all seemed to still
> > work.  But then I had to shut down for the day.  I restarted the machine
> > tonight to continue working on it and got a very similar message during
> > boot.
> > 
> > Do I remember seeing something about this on the list some time ago? 
> > And upgrading to a more recent version was the fix. I looked back through
> > what I have but didn't see it.
> > 
> > Thanks
> > 
> > Randy
> 
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl


-- 
If it ain't broke tweek it
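Editor's added example for this thread. It is not Randy's script, not part of AIF itself and not the AstLinux reload-spamhaus-drop script Lonnie linked. It shows the two checks a practitioner would want around a cron-driven blocked-hosts update: refuse to hand AIF any line that is not a plain IPv4 address or CIDR prefix (so CRLF endings, stray bytes that an editor does not show, and malformed prefixes surface as "reject:" lines instead of as iptables-restore failures), and put the previous list back when "force-reload" fails rather than leaving the box in the "Not all firewall rules are applied" state seen above. It does not claim to explain why the 5.62.128.0/17 line produced the chain-name error; the thread leaves that open. Assumed names: AIF_CMD (set it to the absolute path of arno-iptables-firewall on your system, which Randy notes cron needs), the function names, and the sample list, which is constructed and is not real Spamhaus data.

```sh
#!/bin/sh
# Added example for the "force-reload error" thread; not Randy's script, not
# AIF and not the AstLinux reload-spamhaus-drop script.  Sanitises a Spamhaus
# DROP/EDROP download before it becomes AIF's blocked-hosts and rolls the old
# list back if "force-reload" fails.  Assumptions: AIF_CMD is the absolute
# path of arno-iptables-firewall on your box (set it for cron); the sample
# list below is constructed, not real Spamhaus data.

: "${AIF_CMD:=arno-iptables-firewall}"
URI="http://www.spamhaus.org/drop"

# clean_droplist [FILE...]: strip CRs, "; SBLnnn" comments and blank lines,
# print only well-formed IPv4 addresses or CIDR prefixes on stdout and report
# every other line on stderr.  Returns 1 if anything was rejected.
clean_droplist() {
    awk '
    function valid_cidr(s,   parts, n, i, octet) {
        n = split(s, parts, "/")
        if (n > 2) return 0
        if (n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) return 0
        if (split(parts[1], octet, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (octet[i] !~ /^[0-9]+$/ || octet[i] + 0 > 255) return 0
        return 1
    }
    {
        sub(/\r$/, "")                  # CRLF line endings from the download
        sub(/;.*$/, "")                 # trailing "; SBLnnnn" comment
        gsub(/^[ \t]+|[ \t]+$/, "")
        if ($0 == "") next
        # anything outside digits, dots and one slash (for example a stray
        # byte that is invisible in an editor) is rejected, not passed to AIF
        if ($0 ~ /[^0-9.\/]/ || !valid_cidr($0)) {
            printf "reject: %s\n", $0 > "/dev/stderr"
            bad = 1
            next
        }
        print
    }
    END { exit bad ? 1 : 0 }' "$@"
}

# install_blocked_hosts NEWFILE CONF: keep a timestamped copy of CONF, swap in
# NEWFILE with a rename (AIF never reads a half-written file) and force-reload;
# if the reload fails, put the old list back and reload again.
install_blocked_hosts() {
    new=$1
    conf=$2
    backup="$conf.$(date +%Y%m%d%H%M%S).bak"
    if [ -f "$conf" ]; then cp -p "$conf" "$backup"; fi
    mv -f "$new" "$conf"
    if "$AIF_CMD" force-reload; then
        return 0
    fi
    echo "force-reload failed, restoring $backup" >&2
    if [ -f "$backup" ]; then cp -p "$backup" "$conf"; fi
    "$AIF_CMD" force-reload || :
    return 1
}

# update_blocked_hosts CONF: what the cron job would run (needs network access,
# so it is not part of the stand-alone demo below).  Nothing is installed
# unless both downloads succeed and the cleaned list is non-empty.
update_blocked_hosts() {
    conf=$1
    raw=$(mktemp) || return 1
    new=$(mktemp) || { rm -f "$raw"; return 1; }
    { wget -q -O - "$URI/drop.txt" && wget -q -O - "$URI/edrop.txt"; } > "$raw" || {
        echo "download failed, keeping current list" >&2
        rm -f "$raw" "$new"; return 1; }
    clean_droplist "$raw" > "$new" || echo "some lines were rejected, see above" >&2
    rm -f "$raw"
    if [ ! -s "$new" ]; then
        echo "cleaned list is empty, keeping current list" >&2
        rm -f "$new"; return 1
    fi
    install_blocked_hosts "$new" "$conf"
}

# Constructed sample in drop.txt's shape (not real Spamhaus data): one line has
# a CRLF ending and the last three are malformed.
sample_droplist() {
    printf '%b\n' \
        '; Spamhaus DROP List 2013/02/15 - (c) 2013 The Spamhaus Project' \
        '; Last-Modified: Fri, 15 Feb 2013 12:00:00 GMT' \
        '' \
        '5.62.128.0/17 ; SBL000001' \
        '192.0.2.0/24 ; SBL000002' \
        '203.0.113.0/24 ; SBL000003\r' \
        '198.51.100.0/255.255.255.0 ; SBL000004' \
        '10.0.0.0/33 ; SBL000005' \
        'not.an.address ; SBL000006'
}

# Stand-alone demo on the sample: cleans it into a temp file and reports how
# many entries survived (3 for the sample) and whether anything was rejected.
demo_clean() {
    tmp=$(mktemp) || return 1
    if sample_droplist | clean_droplist > "$tmp" 2>/dev/null; then
        echo "no rejects"
    else
        echo "some sample lines were rejected"
    fi
    echo "$(wc -l < "$tmp" | tr -d ' ') usable entries"
    rm -f "$tmp"
}
demo_clean
```

Run it once by hand with AIF_CMD pointing at the real script and update_blocked_hosts against a copy of blocked-hosts before putting it in cron; the "reject:" lines on stderr are the ones to compare against whatever AIF complains about.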