Old 11-19-2006, 03:08 PM   #1
tidiman07
iptables; unexpected operator


Sup y'all. Recently my iptables has been acting weird; I have not installed anything that might cause this except maybe vmplayer.
During boot I see an unexpected operator error when starting iptables-firewall.
Also, whenever I try iptables-rules, I get
Code:
tidiman07@Box1:~$ iptables-rules
Which ports do you want to open ?
Allow ping (y/n)? [y] y
[: 33: ==: unexpected operator
[: 33: ==: unexpected operator
[: 33: ==: unexpected operator
[: 33: ==: unexpected operator
Allow ftp (file transfert) (y/n)?
The iptables still works; I have firestarter so I see blocked connections. I tried reinstalling iptables, still get the same error.

Thanks in advance.
 
Old 11-19-2006, 04:40 PM   #2
gilead
It looks like a syntax error. What is on line 33 of iptables-rules? Can you post the contents of iptables-rules (and maybe iptables-firewall as well)?
 
Old 11-21-2006, 04:55 PM   #3
tidiman07
Umm... how do I check that? You mean the file in /sbin? Let me check.
 
Old 11-21-2006, 05:19 PM   #4
rednuht
What does
which iptables-rules
or
locate iptables-rules
and
iptables-rules --version
give you?
iptables-rules --help
and
man iptables-rules
might show where the file/s are saved.
 
Old 11-21-2006, 05:35 PM   #5
tidiman07
I tried removing firehol, 'cause I just installed it, and I got the same error. I compared iptables in /etc/init.d/iptables to another on my friend's PC and they are the same.
 
Old 11-21-2006, 05:54 PM   #6
tidiman07
Sorry, it appears iptables had blocked my browser; fixed now. To be clear, the errors I get are for all commands issued during iptables-rules. Here it is in its entirety.
Code:
tidiman07@Box1:~$ sudo iptables-rules
Which ports do you want to open ?
Allow ping (y/n)? [y] y
[: 33: ==: unexpected operator
[: 33: ==: unexpected operator
[: 33: ==: unexpected operator
[: 33: ==: unexpected operator
Allow ftp (file transfert) (y/n)? [y] y
[: 40: ==: unexpected operator
[: 40: ==: unexpected operator
[: 40: ==: unexpected operator
[: 40: ==: unexpected operator
Allow ssh (secure shell) (y/n)? [y] y
[: 47: ==: unexpected operator
[: 47: ==: unexpected operator
[: 47: ==: unexpected operator
[: 47: ==: unexpected operator
Allow smtp (mail sending) (y/n)? [y] y
[: 54: ==: unexpected operator
[: 54: ==: unexpected operator
[: 54: ==: unexpected operator
[: 54: ==: unexpected operator
Allow http (web server) (y/n)? [y] y
[: 61: ==: unexpected operator
[: 61: ==: unexpected operator
[: 61: ==: unexpected operator
[: 61: ==: unexpected operator
Allow pop3 (pop3 mail server) (y/n)? [y] y
[: 68: ==: unexpected operator
[: 68: ==: unexpected operator
[: 68: ==: unexpected operator
[: 68: ==: unexpected operator
Allow imap (imap mail server) (y/n)? [y] y
[: 75: ==: unexpected operator
[: 75: ==: unexpected operator
[: 75: ==: unexpected operator
[: 75: ==: unexpected operator
Allow https (secured web server) (y/n)? [y] y
[: 82: ==: unexpected operator
[: 82: ==: unexpected operator
[: 82: ==: unexpected operator
[: 82: ==: unexpected operator
Allow mysql (database server) (y/n)? [y] y
[: 89: ==: unexpected operator
[: 89: ==: unexpected operator
[: 89: ==: unexpected operator
[: 89: ==: unexpected operator
Allow vnc (remote desktop) (y/n)? [y] y
[: 96: ==: unexpected operator
[: 96: ==: unexpected operator
[: 96: ==: unexpected operator
[: 96: ==: unexpected operator
Allow samba (Windows file sharing) (y/n)? [y] y
[: 103: ==: unexpected operator
[: 103: ==: unexpected operator
[: 103: ==: unexpected operator
[: 103: ==: unexpected operator
-e
Do you really want to apply iptables rules ? This will clear every iptables
settings. Use Ctrl-C then 'iptables-save' to save your current settings.
(y/n)? [n] y
[: 112: ==: unexpected operator
[: 112: ==: unexpected operator
[: 112: ==: unexpected operator
[: 112: ==: unexpected operator
Applying rules... ok !
tidiman07@Box1:~$
As I said before, I checked out the file in /etc/init.d/iptables and it looks fine.
Thanks,

Edit: upon further observation the errors listed coincide with the fi code line in /etc/init.d/iptables; see below.
Code:
#! /bin/sh

#
# Initialize the rules with iptables.
#

ROOT_UID="0"

#Ctrl-C trapping
trap ctrlc INT
ctrlc()
{
	echo -e "\nAborted by user."
	rm -rf $TMP_DIR
	exit 2
}

#Check if run as root
if [ "$UID" -ne "$ROOT_UID" ] ; then
	echo "You must be root to do that!"
	exit 1
fi


echo "Which ports do you want to open ?"


allow_icmp="0"
echo -n "Allow ping (y/n)? [y] "
read input
if [ -z "$input" ] || [ "$input" == "y" ] || [ "$input" == "yes" ] || [ "$input" == "Y" ] || [ "$input" == "YES" ] ; then
	allow_icmp="1"
fi

allow_ftp="0"
echo -n "Allow ftp (file transfert) (y/n)? [y] "
read input
if [ -z "$input" ] || [ "$input" == "y" ] || [ "$input" == "yes" ] || [ "$input" == "Y" ] || [ "$input" == "YES" ] ; then
	allow_ftp="1"
fi

allow_ssh="0"
echo -n "Allow ssh (secure shell) (y/n)? [y] "
read input
if [ -z "$input" ] || [ "$input" == "y" ] || [ "$input" == "yes" ] || [ "$input" == "Y" ] || [ "$input" == "YES" ] ; then
	allow_ssh="1"
fi

allow_smtp="0"
echo -n "Allow smtp (mail sending) (y/n)? [y] "
read input
if [ -z "$input" ] || [ "$input" == "y" ] || [ "$input" == "yes" ] || [ "$input" == "Y" ] || [ "$input" == "YES" ] ; then
	allow_smtp="1"
fi

allow_http="0"
echo -n "Allow http (web server) (y/n)? [y] "
read input
if [ -z "$input" ] || [ "$input" == "y" ] || [ "$input" == "yes" ] || [ "$input" == "Y" ] || [ "$input" == "YES" ] ; then
	allow_http="1"
fi

allow_pop3="0"
echo -n "Allow pop3 (pop3 mail server) (y/n)? [y] "
read input
if [ -z "$input" ] || [ "$input" == "y" ] || [ "$input" == "yes" ] || [ "$input" == "Y" ] || [ "$input" == "YES" ] ; then
	allow_pop3="1"
fi

allow_imap="0"
echo -n "Allow imap (imap mail server) (y/n)? [y] "
read input
if [ -z "$input" ] || [ "$input" == "y" ] || [ "$input" == "yes" ] || [ "$input" == "Y" ] || [ "$input" == "YES" ] ; then
	allow_imap="1"
fi

allow_https="0"
echo -n "Allow https (secured web server) (y/n)? [y] "
read input
if [ -z "$input" ] || [ "$input" == "y" ] || [ "$input" == "yes" ] || [ "$input" == "Y" ] || [ "$input" == "YES" ] ; then
	allow_https="1"
fi

allow_mysql="0"
echo -n "Allow mysql (database server) (y/n)? [y] "
read input
if [ -z "$input" ] || [ "$input" == "y" ] || [ "$input" == "yes" ] || [ "$input" == "Y" ] || [ "$input" == "YES" ] ; then
	allow_mysql="1"
fi

allow_vnc="0"
echo -n "Allow vnc (remote desktop) (y/n)? [y] "
read input
if [ -z "$input" ] || [ "$input" == "y" ] || [ "$input" == "yes" ] || [ "$input" == "Y" ] || [ "$input" == "YES" ] ; then
	allow_vnc="1"
fi

allow_samba="0"
echo -n "Allow samba (Windows file sharing) (y/n)? [y] "
read input
if [ -z "$input" ] || [ "$input" == "y" ] || [ "$input" == "yes" ] || [ "$input" == "Y" ] || [ "$input" == "YES" ] ; then
	allow_samba="1"
fi


echo -e "\nDo you really want to apply iptables rules ? This will clear every iptables"
echo "settings. Use Ctrl-C then 'iptables-save' to save your current settings."
echo -n "(y/n)? [n] "
read input
if [ -z "$input" ] || [ "$input" == "n" ] || [ "$input" == "no" ] || [ "$input" == "N" ] || [ "$input" == "NO" ] ; then
	exit 1
fi


echo -n "Applying rules..."


#Flushing the current rules
iptables -F


#Allow connections already established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Accept everything from localhost
iptables -A INPUT -i lo -j ACCEPT


#Ping
if [ $allow_icmp -eq "1" ] ; then
	iptables -A INPUT -p icmp -j ACCEPT
fi

#ftp (20,21)
if [ $allow_ftp -eq "1" ] ; then
	iptables -A INPUT -p tcp -m multiport --destination-ports ftp-data,ftp -j ACCEPT
fi

#ssh (22)
if [ $allow_ssh -eq "1" ] ; then
	iptables -A INPUT -p tcp --dport ssh -j ACCEPT
fi

#smtp (25)
if [ $allow_smtp -eq "1" ] ; then
	iptables -A INPUT -p tcp --dport smtp -j ACCEPT
fi

#http (80)
if [ $allow_http -eq "1" ] ; then
	iptables -A INPUT -p tcp --dport http -j ACCEPT
fi

#pop3 (110)
if [ $allow_pop3 -eq "1" ] ; then
	iptables -A INPUT -p tcp --dport pop3 -j ACCEPT
fi

#imap (143)
if [ $allow_imap -eq "1" ] ; then
	iptables -A INPUT -p tcp --dport imap2 -j ACCEPT
fi

#https (443)
if [ $allow_https -eq "1" ] ; then
	iptables -A INPUT -p tcp --dport https -j ACCEPT
fi

#mysql (3306)
if [ $allow_mysql -eq "1" ] ; then
	iptables -A INPUT -p tcp --dport mysql -j ACCEPT
fi

#vnc (5900)
if [ $allow_vnc -eq "1" ] ; then
	iptables -A INPUT -p tcp --dport 5900 -j ACCEPT
fi

#samba (tcp 135,139,445, udp 135,137,138,139,445)
if [ $allow_samba -eq "1" ] ; then
	iptables -A INPUT -p tcp -m multiport --destination-ports 135,139,445 -j ACCEPT
	iptables -A INPUT -p udp -m multiport --destination-ports 135,137,138,139,445 -j ACCEPT
fi


#Drop everything else
iptables -A INPUT -j DROP

#Outbound: allow everything
iptables -A OUTPUT -j ACCEPT

echo " ok !"

exit 0

Last edited by tidiman07; 11-21-2006 at 06:04 PM.
 
Old 11-21-2006, 06:49 PM   #7
gilead
I copy/pasted the following chunk of your code into a script here and it worked properly. Was your version of the script created outside of Linux? If the line endings are DOS based instead of Linux that can cause problems with scripts.
Code:
#! /bin/sh

#
# Initialize the rules with iptables.
#

ROOT_UID="0"

#Ctrl-C trapping
trap ctrlc INT
ctrlc()
{
  echo -e "\nAborted by user."
  rm -rf $TMP_DIR
  exit 2
}

#Check if run as root
if [ "$UID" -ne "$ROOT_UID" ] ; then
  echo "You must be root to do that!"
  exit 1
fi

echo "Which ports do you want to open ?"

allow_icmp="0"
echo -n "Allow ping (y/n)? [y] "
read input
if [ -z "$input" ] || [ "$input" == "y" ] || [ "$input" == "yes" ] || [ "$input" == "Y" ] || [ "$input" == "YES" ] ; then
  allow_icmp="1"
fi

Last edited by gilead; 11-21-2006 at 06:52 PM. Reason: Mis-copied the 'if' statement
 
Old 11-21-2006, 10:39 PM   #8
tidiman07
No, it's the script that was in the default install; it was working fine until a couple of days ago. Maybe it is other applications interfering; I removed all recent applications and I still get the same problem. The firewall works but I don't like seeing lines of error codes during boot.
 
Old 11-22-2006, 11:51 AM   #9
tidiman07
OK, this is becoming an issue; now whenever I reboot, iptables resets rules and blocks everything. It took me like 10 min right now to figure it out; I had to add rules for http, https, and dns. This sucks! I'm gonna try to remove it and see what happens.
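
Added example, not part of any post in this thread and not the distribution's script: `==` inside `[` is a bash extension (POSIX `test` defines only `=`), and `[: 33: ==: unexpected operator` is what a strict POSIX shell such as dash prints for it. With every comparison failing, the posted script leaves all `allow_*` flags at 0 and its confirmation prompt no longer exits on "n". The sketch below redoes the prompt logic with POSIX-only constructs and makes the flush require an explicit yes; it assumes `/bin/sh` on the affected machine is such a shell, and the function names and the shortened service list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the distribution's script: POSIX-only prompt handling.

# yes_no ANSWER DEFAULT: returns 0 for yes, 1 for no, 2 for unrecognised.
# An empty ANSWER takes DEFAULT, matching the "[y]" / "[n]" hints.
yes_no() {
    case "${1:-$2}" in
        y|Y|yes|YES) return 0 ;;
        n|N|no|NO)   return 1 ;;
        *)           return 2 ;;
    esac
}

# ask PROMPT DEFAULT: reads one line from stdin, asks again on unrecognised
# input, and treats end of input as "no" so nothing is opened by accident.
ask() {
    while :; do
        printf '%s (y/n)? [%s] ' "$1" "$2" >&2   # printf replaces echo -n / -e
        IFS= read -r reply || return 1
        rc=0
        yes_no "$reply" "$2" || rc=$?
        [ "$rc" -ne 2 ] && return "$rc"
    done
}

# selected_services: one answer per service on stdin, allowed names on stdout.
# The service list is a shortened, constructed sample.
selected_services() {
    for svc in ping ftp ssh http; do
        if ask "Allow $svc" y; then
            printf '%s\n' "$svc"
        fi
    done
}

# confirm_flush: only an explicit yes lets the caller go on to "iptables -F".
confirm_flush() {
    ask "Really apply iptables rules" n
}

# is_root: id -u is specified by POSIX; $UID is set by bash but not by every sh.
is_root() {
    [ "$(id -u)" -eq 0 ]
}
```

The functions only decide what to do; the caller would run the `iptables` commands from the posted script for each name that `selected_services` prints, and only after `confirm_flush` succeeds.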
 
  

