rc.inet2... -f or -x options?!?

bripage · 04-23-2003, 09:32 PM

what is the difference in this...

if [ -x /usr/sbin/iptables ] ;then
/usr/sbin/iptables -t nat -A POSTROUTING -o pppO -j MASQUERADE
echo "Loading IPTABLES: /usr/sbin/iptables"
fi

or

if [ -f /usr/sbin/iptables ] ;then
/usr/sbin/iptables -t nat -A POSTROUTING -o pppO -j MASQUERADE
echo "Loading IPTABLES: /usr/sbin/iptables"
fi

The only thing different it the -f or -x option .. .I dont understand what the difference these to make. Which one do I have to have to perfomr the function I want correctly?

Tinkster · 04-23-2003, 09:50 PM

-x checks for existence,
-f checks for existence and whether it's a regular
file ...

So if somebody created a pipe or a symlink
/usr/sbin/iptabes the latter snippet wouldn't run it :)

Cheers,
Tink

bripage · 04-23-2003, 09:55 PM

now... for some reason everytime I start my box.... when it somes time to load the section for ip tables ... I get a response :

/usr/sbin/iptables: Enabling: command not found

What am I doing wrong here?

bripage · 04-23-2003, 10:02 PM

Well.. I wrote it this way:

if [ -x /usr/sbin/iptables ] ; then
echo "Starting iptables: /usr/sbin/iptables . /usr/sbin/iptables -t nat -A POSTROUTING -o pppO -j MASQUERADE
fi

Then I restarted, and I didnt get that message.. so I asumed that it worked.

Tinkster · 04-23-2003, 10:03 PM

Guess I'd need a bigger chunk of
your script to be able to tell, :) and
a bit more of the output context.

Cheers,
Tink

Tinkster · 04-23-2003, 10:07 PM

To see whether it worked or not, do
iptables -L
in a shell ... if you see some sensible
output it might have ;)

However, I miss the closing " in your
snippet and would be quite surprised
if it worked ;)

Cheers,
Tink

bripage · 04-23-2003, 10:13 PM

yeah the " was in there.. at least on the nix box.. I just forgot it here. But... when I used the iptables -L command, I got:

/usr/sbin/iptables: Enabling: command not found

Ok now Im really confused!

Tinkster · 04-23-2003, 10:18 PM

That's odd, indeed ... are the modules for
iptables loaded? Never seen that one before :)

Try
lsmod
and post the output...

Cheers,
Tink

bripage · 04-23-2003, 10:24 PM

lsmod results:

Module Size Used by Not tainted
pcmcia_core 40896 0
natsemi 15752 1
8139too 13792 1
mii 1008 0 [8139too]

should I just try to do this in the rc.local file?

Tinkster · 04-23-2003, 11:37 PM

Try a

modprobe iptable_filter

and see what it says ... it looks as if
the modules aren't loaded. Or did you
build iptables into the kernel as a fixed
part rather than as modules?

Cheers,
Tink

bripage · 04-23-2003, 11:47 PM

the modprobe iptable_filter turns up nothing at all.

Hmm...now when I do "iptables -L" I get :

Chain INPUt (policy ACCEPT)
target prot opt source destination

Chain FORWARD ( policy ACCEPT)
" "

Chain OUTPUT (policy ACCEPT)
" "

I got this after I tried doing it and I got a message saying that 1.2.6 might be out dated to the protocol. So I went and upgraded to 1.2.8. now my rc.inet2 section looks like this:

if [ -x /usr/local/sbin/iptables ] ; then
echo "loading iptables: /usr/local/sbin/iptables"
/usr/local/sbin/iptables start -t nat -A POSTROUTING -o pppO -j MASQUERADE
fi

I still dont see anything different in my lsmod read out though. So I really dont know if I acutally did anything or not.

bripage · 04-24-2003, 12:01 AM

Well.. now after I did the modprobe iptable_filter, I have these showing up:

iptabe_filter 1728 0 (unused)
ip_tables 10432 0 [iptable_filter]

I could just for the modprobe in rc.modules couldnt I? If I did... would that be it?

Tinkster · 04-24-2003, 02:00 AM

My recommendation would be to get yourself
a full-fledged iptables script, say from http://www.linuxguruz.com/iptables/
or so ... if that line with the postrouting
is all you did you're quite a way away
from a working firewall...

Most firewall scripts will load the required
modules for you.

One tool I quite liked is http://easyfwgen.morizot.net/gen/
You feed it with the information of your
setup, and it generates a firewall script
for you

As you are in Slack you could put a
rc.firewall into /etc/rc.d
and have your rc.local call it.

Cheers,
Tink

bripage · 04-24-2003, 01:54 PM

I got it working. Apperently there was a "." infront of the whole startup line. It just kept screwing it it up. Now, the modules load smothly and so does IP TABLES. The only thing left is to check to make sure that my rc.firewall script is loading and I dont how exaclty to check that. It seems to load fine to me.

Tinkster · 04-24-2003, 05:02 PM

Again, iptables -L will list all chains & rules...

If you get more than just

Code:

root@darkstar: ~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

your chains are loaded and active.

If you are online from that box it's safe
to assume that your rules make some
sort of sense ;)

Cheers,
Tink