firewall-2.4 execvp : Permission Denied
According to http://www.e-infomax.com/ipmasq/, there are 2 ways to automatically load things in Redhat: /etc/rc.d/rc.local or a init script in /etc/rc.d/init.d/.
The preferred approach is to have the firewall loaded just after the networking subsystem is loaded. To do this, copy the following file into the /etc/rc.d/init.d directory. I did it but when the red hat 7.3 rebooted, it showed: firewall-2.4 execvp : Permission Denied and the firewall rules cannot be loaded automatically. How should I fix it? Thanks a lot gogo |
Does the file have the executable bit set? I would check to see if that was the case first.
|
file have the executable bit set - what do you mean?
Here is the file: /etc/rc.d/init.d directory: #!/bin/sh # # chkconfig: 2345 11 89 # # description: Loads the rc.firewall-2.4 ruleset. # # processname: firewall-2.4 # pidfile: /var/run/firewall.pid # config: /etc/rc.d/rc.firewall # probe: true # ---------------------------------------------------------------------------- # v02/09/02 # # Part of the copyrighted and trademarked TrinityOS document. # http://www.ecst.csuchico.edu/~dranch # # Written and Maintained by David A. Ranch # dranch@trinnet.net # # Updates # ------- # # ---------------------------------------------------------------------------- # Source function library. . /etc/rc.d/init.d/functions # Check that networking is up. # This line no longer work with bash2 #[ ${NETWORKING} = "no" ] && exit 0 # This should be OK. [ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0 [ -x /sbin/ifconfig ] || exit 0 # The location of various iptables and other shell programs # # If your Linux distribution came with a copy of iptables, most # likely it is located in /sbin. If you manually compiled # iptables, the default location is in /usr/local/sbin # # ** Please use the "whereis iptables" command to figure out # ** where your copy is and change the path below to reflect # ** your setup # IPTABLES=/usr/local/sbin/iptables # See how we were called. case "$1" in start) /etc/rc.d/rc.firewall-2.4 ;; stop) echo -e "\nFlushing firewall and setting default policies to DROP\n" $IPTABLES -P INPUT DROP $IPTABLES -F INPUT $IPTABLES -P OUTPUT DROP $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -F -t nat # Delete all User-specified chains $IPTABLES -X # # Reset all IPTABLES counters $IPTABLES -Z ;; restart) $0 stop $0 start ;; status) $IPTABLES -L ;; mlist) cat /proc/net/ip_conntrack ;; *) echo "Usage: firewall-2.4 {start|stop|status|mlist}" exit 1 esac exit 0 |
List contents of the directory you have the script in using "ls -l|grep rc.firewall-2.4" and send it there.
|
(/usr/local)/sbin/iptables?
|
OK, I list the files and dir again:
/etc/rc.d/rc.firewall-2.4 #!/bin/sh # # rc.firewall-2.4 FWVER=0.63 # # Initial SIMPLE IP Masquerade test for 2.4.x kernels # using IPTABLES. # # Once IP Masquerading has been tested, with this simple # ruleset, it is highly recommended to use a stronger # IPTABLES ruleset either given later in this HOWTO or # from another reputable resource. # # # # Log: # 0.63 - Added support for the IRC IPTABLES module # 0.62 - Fixed a typo on the MASQ enable line that used eth0 # instead of $EXTIF # 0.61 - Changed the firewall to use variables for the internal # and external interfaces. # 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP # all forwarded packets but it didn't have a rule to ACCEPT # any packets to be forwarded either # - Load the ip_nat_ftp and ip_conntrack_ftp modules by default # 0.50 - Initial draft # echo -e "\n\nLoading simple rc.firewall version $FWVER..\n" # The location of the 'iptables' program # # If your Linux distribution came with a copy of iptables, most # likely it is located in /sbin. If you manually compiled # iptables, the default location is in /usr/local/sbin # # ** Please use the "whereis iptables" command to figure out # ** where your copy is and change the path below to reflect # ** your setup # IPTABLES=/sbin/iptables #IPTABLES=/usr/local/sbin/iptables #Setting the EXTERNAL and INTERNAL interfaces for the network # # Each IP Masquerade network needs to have at least one # external and one internal network. The external network # is where the natting will occur and the internal network # should preferably be addressed with a RFC1918 private address # scheme. # # For this example, "eth0" is external and "eth1" is internal" # # NOTE: If this doesnt EXACTLY fit your configuration, you must # change the EXTIF or INTIF variables above. For example: # # EXTIF="ppp0" # # if you are a modem user. # EXTIF="eth0" INTIF="eth1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" #====================================================================== #== No editing beyond this line is required for initial MASQ testing == echo -en " loading modules: " # Need to verify that all modules have all required dependencies # echo " - Verifying that all kernel modules are ok" /sbin/depmod -a # With the new IPTABLES code, the core MASQ functionality is now either # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES # options as MODULES. If your kernel is compiled correctly, there is # NO need to load the kernel modules manually. # # NOTE: The following items are listed ONLY for informational reasons. # There is no reason to manual load these modules unless your # kernel is either mis-configured or you intentionally disabled # the kernel module autoloader. # # Upon the commands of starting up IP Masq on the server, the # following kernel modules will be automatically loaded: # # NOTE: Only load the IP MASQ modules you need. All current IP MASQ # modules are shown below but are commented out from loading. # =============================================================== #Load the main body of the IPTABLES module - "iptable" # - Loaded automatically when the "iptables" command is invoked # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_tables, " /sbin/insmod ip_tables #Load the IPTABLES filtering module - "iptable_filter" # - Loaded automatically when filter policies are activated #Load the stateful connection tracking framework - "ip_conntrack" # # The conntrack module in itself does nothing without other specific # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp" # module # # - This module is loaded automatically when MASQ functionality is # enabled # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "ip_conntrack, " /sbin/insmod ip_conntrack #Load the FTP tracking mechanism for full FTP tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_conntrack_ftp, " /sbin/insmod ip_conntrack_ftp #Load the IRC tracking mechanism for full IRC tracking # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_conntrack_irc, " /sbin/insmod ip_conntrack_irc #Load the general IPTABLES NAT code - "iptable_nat" # - Loaded automatically when MASQ functionality is turned on # # - Loaded manually to clean up kernel auto-loading timing issues # echo -en "iptable_nat, " /sbin/insmod iptable_nat #Loads the FTP NAT functionality into the core IPTABLES code # Required to support non-PASV FTP. # # Enabled by default -- insert a "#" on the next line to deactivate # echo -en "ip_nat_ftp, " /sbin/insmod ip_nat_ftp # Just to be complete, here is a list of the remaining kernel modules # and their function. Please note that several modules should be only # loaded by the correct master kernel module for proper operation. # -------------------------------------------------------------------- # # ipt_mark - this target marks a given packet for future action. # This automatically loads the ipt_MARK module # # ipt_tcpmss - this target allows to manipulate the TCP MSS # option for braindead remote firewalls. # This automatically loads the ipt_TCPMSS module # # ipt_limit - this target allows for packets to be limited to # to many hits per sec/min/hr # # ipt_multiport - this match allows for targets within a range # of port numbers vs. listing each port individually # # ipt_state - this match allows to catch packets with various # IP and TCP flags set/unset # # ipt_unclean - this match allows to catch packets that have invalid # IP/TCP flags set # # iptable_filter - this module allows for packets to be DROPped, # REJECTed, or LOGged. This module automatically # loads the following modules: # # ipt_LOG - this target allows for packets to be # logged # # ipt_REJECT - this target DROPs the packet and returns # a configurable ICMP packet back to the # sender. # # iptable_mangle - this target allows for packets to be manipulated # for things like the TCPMSS option, etc. echo ". Done loading modules." #CRITICAL: Enable IP forwarding since it is disabled by default since # # Redhat Users: you may try changing the options in # /etc/sysconfig/network from: # # FORWARD_IPV4=false # to # FORWARD_IPV4=true # echo " enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward # Dynamic IP users: # # If you get your IP address dynamically from SLIP, PPP, or DHCP, # enable this following option. This enables dynamic-address hacking # which makes the life with Diald and similar programs much easier. # echo " enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr # Enable simple IP forwarding and Masquerading # # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT. # # NOTE #2: The following is an example for an internal LAN address in the # 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask # connecting to the Internet on external interface "eth0". This # example will MASQ internal traffic out to the Internet but not # allow non-initiated traffic into your internal network. # # # ** Please change the above network numbers, subnet mask, and your # *** Internet connection interface name to match your setup # #Clearing any previous configuration # # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT # The default for FORWARD is DROP # echo " clearing any existing rules and setting default policy.." $IPTABLES -P INPUT ACCEPT $IPTABLES -F INPUT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -t nat -F echo " FWD: Allow all connections OUT and only existing and related ones IN" $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT $IPTABLES -A FORWARD -j LOG echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE echo -e "\nrc.firewall-2.4 v$FWVER done.\n" chmod 700 /etc/rc.d/rc.firewall-2.4 con't with next thread.... |
/etc/rc.d/init.d/firewall-2.4
#!/bin/sh # # chkconfig: 2345 11 89 # # description: Loads the rc.firewall-2.4 ruleset. # # processname: firewall-2.4 # pidfile: /var/run/firewall.pid # config: /etc/rc.d/rc.firewall # probe: true # ---------------------------------------------------------------------------- # v02/09/02 # # Part of the copyrighted and trademarked TrinityOS document. # http://www.ecst.csuchico.edu/~dranch # # Written and Maintained by David A. Ranch # dranch@trinnet.net # # Updates # ------- # # ---------------------------------------------------------------------------- # Source function library. . /etc/rc.d/init.d/functions # Check that networking is up. # This line no longer work with bash2 #[ ${NETWORKING} = "no" ] && exit 0 # This should be OK. [ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0 [ -x /sbin/ifconfig ] || exit 0 # The location of various iptables and other shell programs # # If your Linux distribution came with a copy of iptables, most # likely it is located in /sbin. If you manually compiled # iptables, the default location is in /usr/local/sbin # # ** Please use the "whereis iptables" command to figure out # ** where your copy is and change the path below to reflect # ** your setup # IPTABLES=/sbin/iptables # See how we were called. case "$1" in start) /etc/rc.d/rc.firewall-2.4 ;; stop) echo -e "\nFlushing firewall and setting default policies to DROP\n" $IPTABLES -P INPUT DROP $IPTABLES -F INPUT $IPTABLES -P OUTPUT DROP $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -F -t nat # Delete all User-specified chains $IPTABLES -X # # Reset all IPTABLES counters $IPTABLES -Z ;; restart) $0 stop $0 start ;; status) $IPTABLES -L ;; mlist) cat /proc/net/ip_conntrack ;; *) echo "Usage: firewall-2.4 {start|stop|status|mlist}" exit 1 esac exit 0 chkconfig --level=345 firewall-2.4 on That's it. The module cannot be loaded automatically. Any advice? gogo |
Mara did not ask for the contents of the files, just do
Quote:
|
ls -l|grep rc.firewall-2.4 -> return
NOTHING is shown. |
From which directory have you started the command? If from the one, your script is in, there's something really wrong.
In many places inside the script it's refered as rc.firewall-2.4. It looks for me as the name of the file your script should be in. What's the name of the file? |
Yes, just from the file directory to type that command.
here are the file names and paths: /etc/rc.d/rc.firewall-2.4 rc.firewall-2.4 is file name /etc/rc.d/init.d/rc.firewall rc.firewall is file name Thanks for help gogo |
Since it's a script, you could try executing it debug stylee with "sh -x /etc/rc.d/rc.firewall-2.4 2>&1 > /tmp/logfile" and see where the execvp error is issued, however somewhere you mention a line "The module cannot be loaded automatically.", if this references to iptables modules, maybe you should first see if theyre there and if you can load them manually.
|
Thank you for all of your kind help. But, it's hard for me to debug the script.
So, I decided to add the path to rc.local file. It works now. Regards gogo |
Just for completeness of the thread and for anyone else who performs a search for gogo's error msg here is the answer.....
The error "firewall-2.4 execvp : Permission Denied" on boot is caused by following the MASQ HOWTO documents instructions and appears when you restart the computer. It is simply a lack of executable permissions on the /etc/rc.d/init.d/firewall-2.4 file Hope that helps someone :) |
All times are GMT -5. The time now is 02:54 AM. |