Koozali.org: home of the SME Server
		Legacy Forums => Experienced User Forum => Topic started by: Anthony on November 04, 2003, 08:09:38 AM
		
			
			- 
				Hello.
I screwed around with:
/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustICMPIn
Now it's broken.
Didn't back it up (yes I know...)
Can someone send me an original copy?
Or just post contents into the forum or an email to me?
I am on 6beta3.
			 
			
			- 
				Ok. A kind soul has supplied the broken template.
I want to block ICMP (please don't tell me off).
I do the following:
/sbin/e-smith/config setprop masq Stealth yes
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
I get:
WARNING in /etc/e-smith/templates//etc/rc.d/init.d/masq/90adjustICMPIn: Use of uninitialized value in concatenation (.) or string at /etc/e-smith/templates//etc/rc.d/init.d/masq/90adjustICMPIn line 7.
WARNING: Template processing succeeded for //etc/rc.d/init.d/masq: 1 fragment generated warnings
 at /sbin/e-smith/expand-template line 49
I then try:
service masq restart
Shutting down IP masquerade and firewall rules:         Done!
Enabling IP masquerading: Bad argument `icmp'
Try `iptables -h' or 'iptables --help' for more information.
done
Clearly the iptables inboundICMP rule doesn't change.
What am I doing wrong?
			 
			
			- 
				Next time, copy the file you want from /etc/e-smith/templates to /etc/e-smith/templates-custom in the correct way (see the front page of e-smith.org); then you can always revert to the original template that way.
			
 
			
			- 
				Here it comes...
----- START ----
    # Find the current InboundICMP_$$ chain, and create a new one.
    IBI=$(get_safe_id InboundICMP filter find)
    new=$(get_safe_id InboundICMP filter new)
    /sbin/iptables --new-chain $new
{
    my $stealth = $masq{Stealth} || 'no';
    if ($stealth eq 'yes')
    {
        $OUT .= <<HERE;
    /sbin/iptables --append $new --proto icmp \
        --icmp-type echo-request --in-interface \$OUTERIF --jump denylog
HERE
    }
    # We want to be very selective on the ICMPs we accept to stop
    # route hijacking
    my @OKicmpTypes = (
                qw(
                    echo-request
                    echo-reply
                    destination-unreachable
                    source-quench
                    time-exceeded
                    parameter-problem
                ) );
    foreach my $icmpType (@OKicmpTypes)
    {
        $OUT .= <<HERE;
    /sbin/iptables --append \$new --proto icmp \
        --icmp-type $icmpType --jump ACCEPT
HERE
    }
    # Having created a new Inbound ICMP chain, activate it and
    # destroy the old.
}
    /sbin/iptables --append $new --jump denylog
    /sbin/iptables --replace InboundICMP 1 --jump $new
    /sbin/iptables --flush "$IBI"
    /sbin/iptables --delete-chain "$IBI"
----- END ----
Good luck
			 
			
			- 
				Ok.
There is a syntax error in the file if Stealth=yes:
 if ($stealth eq 'yes')
    {
        $OUT .= <<HERE;
    /sbin/iptables --append $new --proto icmp \
    --icmp-type echo-request --in-interface \$OUTERIF --jump denylog
It should be:
 if ($stealth eq 'yes')
    {
        $OUT .= <<HERE;
    /sbin/iptables --append \$new --proto icmp \
    --icmp-type echo-request --in-interface \$OUTERIF --jump denylog
I will send a note to Bugs (not Bunny)
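
As an added example (not part of the thread and not SME Server code), the Python sketch below checks a template fragment for the mistake identified above: a shell variable such as $new written inside a Perl heredoc without a backslash, so Perl expands it to an empty string before the shell ever sees it. The function name, the abridged sample fragment and the rule that only names declared with `my` count as Perl variables are assumptions of this example.

```python
import re

# Constructed sample: abridged copy of the fragment posted in the thread, with the
# unescaped $new in the Stealth branch and the escaped \$new in the accept loop.
FRAGMENT = r'''    new=$(get_safe_id InboundICMP filter new)
    /sbin/iptables --new-chain $new
{
    my $stealth = $masq{Stealth} || 'no';
    if ($stealth eq 'yes')
    {
        $OUT .= <<HERE;
    /sbin/iptables --append $new --proto icmp \
        --icmp-type echo-request --in-interface \$OUTERIF --jump denylog
HERE
    }
    foreach my $icmpType (qw(echo-request echo-reply))
    {
        $OUT .= <<HERE;
    /sbin/iptables --append \$new --proto icmp \
        --icmp-type $icmpType --jump ACCEPT
HERE
    }
}
'''

def unescaped_shell_vars(fragment):
    """Return (line_no, name) for each $name in a heredoc body that Perl will
    interpolate although the fragment never declares it with `my`."""
    perl_vars = set(re.findall(r'\bmy\s+\$(\w+)', fragment))
    findings, terminator = [], None
    for no, line in enumerate(fragment.splitlines(), 1):
        if terminator is None:
            # Heredoc opener such as: $OUT .= <<HERE;
            m = re.search(r'<<"?(\w+)"?;', line)
            terminator = m.group(1) if m else None
            continue
        if line == terminator:          # terminator sits alone at column 0
            terminator = None
            continue
        # A leading backslash (\$new) leaves the variable for the shell.
        for m in re.finditer(r'(?<!\\)\$(\w+)', line):
            if m.group(1) not in perl_vars:
                findings.append((no, m.group(1)))
    return findings

if __name__ == "__main__":
    for no, name in unescaped_shell_vars(FRAGMENT):
        print(f"line {no}: ${name} is expanded by Perl, not the shell; write \\${name}")
```

Run against the sample, it reports only the --append $new line in the Stealth branch; the escaped \$new and the Perl loop variable $icmpType pass.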