LinuxQuestions.org
Old 01-28-2009, 05:14 AM   #1
slacker_me
LQ Newbie
 
Registered: Dec 2008
Posts: 11

Rep: Reputation: 0
rc.local is not executable


Hi guys!

I'm using squid for a SOHO running on Debian etch. It worked fine for a couple of weeks before I tried to block all ports except for the ones we will need in iptables.

The thing is, I edited the rc.local script to enter the new rules I found online using my Windows workstation.

When I restarted the script with ./rc.local, it gave me the error "-bash: ./rc.local: Bad interpreter bin/sTh", and then my box stopped giving clients on the network a connection to the internet.

I then tried to put back my original configuration in rc.local, which is:
Code:
/sbin/iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

But then again, same errors. It seemed that the rules were no longer executable because they were no longer color coded.

I would appreciate any help from you masters.

Thanks!
 
Old 01-28-2009, 05:38 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
./rc.local, it gave me the error -bash: ./rc.local: Bad interpreter bin/sTh
Take a look at the 1st line of rc.local because the shebang is wrong. It should be
Code:
#!/bin/sh
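A small diagnostic for exactly this failure, added here as an example and not taken from the thread: a "bad interpreter" error means the kernel could not run the program named on the #! line, either because the path is misspelled (as above) or because the line ends in a carriage return, which is what a file edited on a Windows workstation usually carries. The function below checks the first line, the CR, the interpreter and the executable bit; the file names in the usage line are placeholders.

```shell
# Added example, not from the thread: check_script FILE prints each problem it
# finds with a script's #! line and returns 1 if there is any, 0 otherwise.
check_script() {
    f=$1
    status=0
    cr=$(printf '\r')
    bang='#!'

    if [ ! -f "$f" ]; then
        printf '%s\n' "$f: no such file"
        return 1
    fi

    # First line; command substitution strips the newline but keeps a CR.
    first=$(head -n 1 "$f")

    case $first in
        "#!"*) ;;
        *) printf '%s\n' "$f: first line is not a #! shebang: '$first'"; status=1 ;;
    esac

    # A CR before the newline makes the kernel look for "/bin/sh<CR>", which
    # does not exist. Files saved by Windows editors normally have CRLF endings.
    case $first in
        *"$cr"*)
            printf '%s\n' "$f: shebang line ends in CR (CRLF line endings); convert with: tr -d '\r' < $f > $f.unix"
            status=1 ;;
    esac

    # Interpreter path: the first word after "#!", with any CR removed.
    interp=$(printf '%s' "${first#$bang}" | tr -d '\r')
    set -- $interp
    interp=$1
    if [ -n "$interp" ] && [ ! -x "$interp" ]; then
        printf '%s\n' "$f: interpreter '$interp' does not exist or is not executable"
        status=1
    fi

    if [ ! -x "$f" ]; then
        printf '%s\n' "$f: not executable; fix with: chmod 755 $f"
        status=1
    fi

    return $status
}

# usage (placeholder path): check_script /etc/rc.d/rc.local
```

A file that passes all four checks will at least start; whether the rules inside it are right is a separate question.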
 
Old 01-28-2009, 08:44 AM   #3
slacker_me
LQ Newbie
 
Registered: Dec 2008
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks bathory. Had it fixed immediately.

If you don't mind me asking one more thing though. This is actually the very reason why my proxy got screwed in the 1st place.

How do I block all ports from the server and only allow the common ports we need, like 80, 8080, 25, 110, 143, 993, 22 and 1863, so that all else is blocked?

Thanks in advance!
 
Old 01-28-2009, 09:12 AM   #4
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
You can use something like the following:
Code:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
...
<same as above changing the port number you want to allow>
...
iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
Regards
 
Old 01-28-2009, 09:28 AM   #5
slacker_me
LQ Newbie
 
Registered: Dec 2008
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks sir! Will try this immediately.
 
Old 01-29-2009, 01:05 AM   #6
slacker_me
LQ Newbie
 
Registered: Dec 2008
Posts: 11

Original Poster
Rep: Reputation: 0
Hi sir,

It seems that I can still download from LimeWire and FTP sites.

I followed the rules you gave me and wrote them in my rc.local script.

I know this sounds a bit dumb, but do I have to lose the lines

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

in my rc.local script?

Currently this is what I have:

iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
......(for other ports i need opened)
iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP

Thanks in advance.
 
Old 01-29-2009, 02:30 AM   #7
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
I know this sounds a bit dumb, but do I have to lose the lines
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
These rules are for NAT and port forwarding. So it's up to you to see if you need them.
Mind that you don't have to put any iptables rules in rc.local. You can create a rc.firewall file (just make sure it's executable) and write your rules there. Slackware by default looks for this file on boot and if it finds it, it executes it.
There is also a nice script named quicktables you can use to create the rc.firewall file.
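The allow-list from post #4 and the rc.firewall idea from post #7, put together as one complete script. This is an added example, not a script from the thread or from quicktables. The point a practitioner needs here is which chain sees which traffic: rules on INPUT only cover packets addressed to the box itself, while what LAN clients send out to the Internet through the box (the LimeWire and FTP downloads from post #6) crosses the FORWARD chain and is not touched by INPUT rules at all. The script therefore sets a DROP policy on both INPUT and FORWARD and opens only the listed ports, keeps the three NAT and forwarding lines from the original rc.local, and flushes first so running it twice does not append duplicate rules. Assumptions: eth0 faces the Internet and eth1 the LAN (as in the original rules), the kernel has the state match module, LAN clients do their own DNS lookups (the 53/udp line; drop it if the proxy box resolves for them), and the file is saved as rc.firewall. On Debian nothing runs rc.firewall automatically, so it would be called from rc.local or an init script.

```shell
#!/bin/sh
# Added example, not from the thread: rc.firewall for a SOHO proxy box.
# Assumptions: eth0 = Internet, eth1 = LAN, Squid on 8080, and the LAN may
# only open connections to the ports in ALLOWED_TCP.
# Run with IPT=echo to print the rules instead of applying them.
IPT=${IPT:-/sbin/iptables}
WAN=eth0
LAN=eth1
ALLOWED_TCP="80 8080 25 110 143 993 22 1863"

apply_rules() {
    # Start clean so re-running the script does not append duplicate rules.
    $IPT -F
    $IPT -t nat -F
    $IPT -X

    # Default deny for traffic to the box (INPUT) and through it (FORWARD).
    # INPUT rules never see what LAN clients send to the Internet; that
    # traffic crosses FORWARD, so it has to be policed there.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies belonging to connections that were already allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # What the box itself offers the LAN: the proxy (port 80 is redirected to
    # 8080 in nat PREROUTING below, so 8080 is what INPUT sees) and ssh.
    $IPT -A INPUT -i $LAN -p tcp --dport 8080 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i $LAN -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # New connections from the LAN to the Internet: only the listed ports.
    # Anything else (FTP on 21, peer-to-peer ports, ...) hits the DROP policy.
    for port in $ALLOWED_TCP; do
        $IPT -A FORWARD -i $LAN -o $WAN -p tcp --dport $port \
            -m state --state NEW -j ACCEPT
    done
    # Assumption: LAN clients resolve names themselves, so DNS must pass too.
    $IPT -A FORWARD -i $LAN -o $WAN -p udp --dport 53 -j ACCEPT

    # Transparent proxy and NAT, the same rules as in the original rc.local.
    $IPT -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-port 8080
    $IPT -t nat -A POSTROUTING -o $WAN -j MASQUERADE
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Apply only when executed as rc.firewall; sourcing the file just defines the
# functions so the rule set can be reviewed with IPT=echo first.
case $0 in
    *rc.firewall) apply_rules && enable_forwarding ;;
esac
```

Reviewing the output of IPT=echo before applying is the cheap way to catch an ordering mistake: with a DROP policy, a rule that is missing simply means the traffic disappears, and "iptables -L -v -n" afterwards shows which rule or policy counted the dropped packets.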
 
Old 01-29-2009, 02:48 AM   #8
slacker_me
LQ Newbie
 
Registered: Dec 2008
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks! I'll take a look at it
 
  

