problem with shell scripts


yyahmee
09-07-2006, 06:43 AM
Hi,
I've got another problem while I was trying to run my iptables shell script.
I've done these commands:
[root@news-srv2 ~]# wget http://yyahmee.la.coocan.jp/iptables.sh
--04:37:37-- http://yyahmee.la.coocan.jp/iptables.sh
=> `iptables.sh'
Resolving yyahmee.la.coocan.jp... 202.248.237.142
Connecting to yyahmee.la.coocan.jp|202.248.237.142|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5,604 (5.5K) [text/plain]

100%[====================================>] 5,604 27.21K/s

04:37:38 (27.19 KB/s) - `iptables.sh' saved [5604/5604]

[root@news-srv2 ~]# chmod 700 iptables.sh
[root@news-srv2 ~]# chmod +x iptables.sh
[root@news-srv2 ~]# ./iptables.sh
: bad interpreter: No such file or directory
[root@news-srv2 ~]#


Here's my iptables script:
#!/bin/bash


#---------------------------------------#
# Begin Setting #
#---------------------------------------#

# Interface Name
LAN=eth0

#---------------------------------------#
# Finish Setting #
#---------------------------------------#

# Grab Internal Network Mask
LOCALNET_MASK=`ifconfig $LAN|sed -e 's/^.*Mask:\([^ ]*\)$/\1/p' -e d`

# Grab Internal Address
LOCALNET_ADDR=`netstat -rn|grep $LAN|grep $LOCALNET_MASK|cut -f1 -d' '`
LOCALNET=$LOCALNET_ADDR/$LOCALNET_MASK

# Add FTP Helper Module to all other IPTables Modules
sed -i '/IPTABLES_MODULES/d' /etc/sysconfig/iptables-config
echo "IPTABLES_MODULES=\"ip_conntrack_ftp\"" >> /etc/sysconfig/iptables-config

# Stop IPTables to clear out the settings
/etc/rc.d/init.d/iptables stop

# Set Default Rule
iptables -P INPUT DROP # Drop all incoming
iptables -P OUTPUT ACCEPT # Accept all outgoing
iptables -P FORWARD DROP # Drop all forwarded packets

# Enable SYN Cookie
# Defence from TCP SYN Flood Attack
sysctl -w net.ipv4.tcp_syncookies=1 > /dev/null
sed -i '/net.ipv4.tcp_syncookies/d' /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf

# Do not answer ping request to global address
# Defence from Smurf Attack
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 > /dev/null
sed -i '/net.ipv4.icmp_echo_ignore_broadcasts/d' /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf

# Block ICMP Redirect Packets
sed -i '/net.ipv4.conf.*.accept_redirects/d' /etc/sysctl.conf
for dev in `ls /proc/sys/net/ipv4/conf/`
do
    sysctl -w net.ipv4.conf.$dev.accept_redirects=0 > /dev/null
    echo "net.ipv4.conf.$dev.accept_redirects=0" >> /etc/sysctl.conf
done

# Block Source Routed Packets
sed -i '/net.ipv4.conf.*.accept_source_route/d' /etc/sysctl.conf
for dev in `ls /proc/sys/net/ipv4/conf/`
do
    sysctl -w net.ipv4.conf.$dev.accept_source_route=0 > /dev/null
    echo "net.ipv4.conf.$dev.accept_source_route=0" >> /etc/sysctl.conf
done

# Log and drop fragmented packets.
iptables -N LOG_FRAGMENT
iptables -A LOG_FRAGMENT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES FRAGMENT] : '
iptables -A LOG_FRAGMENT -j DROP
iptables -A INPUT -f -j LOG_FRAGMENT

# Drop outside connections to NetBIOS Stuff
iptables -A INPUT -s ! $LOCALNET -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A INPUT -s ! $LOCALNET -p udp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A OUTPUT -d ! $LOCALNET -p tcp -m multiport --sports 135,137,138,139,445 -j DROP
iptables -A OUTPUT -d ! $LOCALNET -p udp -m multiport --sports 135,137,138,139,445 -j DROP

# Block and log Ping of Death Attack (No more than 4 pings in one sec)
iptables -N LOG_PINGDEATH
iptables -A LOG_PINGDEATH -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A LOG_PINGDEATH -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES PINGDEATH] : '
iptables -A LOG_PINGDEATH -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j LOG_PINGDEATH

# Allow all connections from localhost
iptables -A INPUT -i lo -j ACCEPT

# Allow all connections from localnet
iptables -A INPUT -s $LOCALNET -j ACCEPT

# Inside > Outside OK
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block 255.255.255.255 and 224.0.0.1
iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP

# Block connections to IDENT (113)
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

#----------------------------------------------------------#
# Services Settings #
#----------------------------------------------------------#

# Allow SSH connections
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP connections
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow HTTPS Connections
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow NNTPD Connections
iptables -A INPUT -p tcp --dport 119 -j ACCEPT

#----------------------------------------------------------#
# End All Service Settings #
#----------------------------------------------------------#

# Block and don't log connections from all blocked IPs
if [ -s /root/deny_ip ]; then
    for ip in `cat /root/deny_ip`
    do
        iptables -I INPUT -s $ip -j DROP
    done
fi

# Block and don't log connections from all blocked countries
# Blocked Countries: Korea
COUNTRYLIST='KR'
wget -q http://ftp.apnic.net/stats/apnic/delegated-apnic-latest
iptables -N OTHERFILTER
iptables -A OTHERFILTER -j DROP
for country in $COUNTRYLIST
do
    for ip in `cat delegated-apnic-latest | grep "apnic|$country|ipv4|"`
    do
        FILTER_ADDR=`echo $ip |cut -d "|" -f 4`
        TEMP_CIDR=`echo $ip |cut -d "|" -f 5`
        FILTER_CIDR=32
        while [ $TEMP_CIDR -ne 1 ];
        do
            TEMP_CIDR=$((TEMP_CIDR/2))
            FILTER_CIDR=$((FILTER_CIDR-1))
        done
        iptables -I INPUT -s $FILTER_ADDR/$FILTER_CIDR -j OTHERFILTER
    done
done
rm -f delegated-apnic-latest

# Log and block all connections that are undefined
iptables -A INPUT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES INPUT] : '
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES FORWARD] : '
iptables -A FORWARD -j DROP

# Save rule
/etc/rc.d/init.d/iptables save

# Start Firewall
/etc/rc.d/init.d/iptables start

I've tried adding -- after #!/bin/bash and came up with this result:
[root@news-srv2 ~]# vi iptables.sh
[root@news-srv2 ~]# ./iptables.sh
: invalid option
Usage: /bin/bash [GNU long option] [option] ...
/bin/bash [GNU long option] [option] script-file ...
GNU long options:
--debug
--debugger
--dump-po-strings
--dump-strings
--help
--init-file
--login
--noediting
--noprofile
--norc
--posix
--protected
--rcfile
--rpm-requires
--restricted
--verbose
--version
--wordexp
Shell options:
-irsD or -c command or -O shopt_option (invocation only)
-abefhkmnptuvxBCHP or -o option
[root@news-srv2 ~]#


I've tried changing #!/bin/bash to #!/bin/sh and I got this:
[root@news-srv2 ~]# vi iptables.sh
[root@news-srv2 ~]# ./iptables.sj
-bash: ./iptables.sj: No such file or directory
[root@news-srv2 ~]# ./iptables.sh
: bad interpreter: No such file or directory
[root@news-srv2 ~]#


I've tried locating bash and sh and got following results:
[root@news-srv2 ~]# which bash
/bin/bash
[root@news-srv2 ~]# which sh
/bin/sh
[root@news-srv2 ~]#


Now what's wrong with this?
Thanks
Yudai Yamagishi

yyahmee
09-07-2006, 06:46 AM
I just realised that interface wasn't eth0
I've changed interface name to:
LAN=venet0:0 venet0:1

(is this correct way to set 2 interfaces?)

Rick
09-07-2006, 06:48 AM
I've seen this before, difficult to troubleshoot. Basically there are some microsoft line breaks in there or something, I'm not exactly sure. The way I fix that is copy it out of your ssh window into a notepad, vi a new file and paste it all back in.

Also, this may work

cat iptables.sh > iptables2.sh
./iptables2.sh


I know the first one works, if the file is long it can be a pain in the ass.

Rick
09-07-2006, 06:51 AM
did that solve the problem with the script not executing though? use venet0 instead of eth0.

lordrich
09-07-2006, 07:11 AM
There's a tool called dos2unix which would help here. It's not included with all distros, the package name tends to vary, and how it works tends to vary too.

However, in Debian Etch it's part of tofodos and is run as dos2unix filename.txt.

Rick
09-07-2006, 07:15 AM
I remember seeing this problem about a year ago, and I thought the same thing. I tried dos2unix but it didn't help. Truly I don't know what the problem is, I just know that copy and pasting it into an editor on your workstation works.

yyahmee
09-07-2006, 07:34 AM
I'll try copy and pasting to vi.
I did make this script using Microsoft Visual Studio 2005 so that may be the reason

yyahmee
09-07-2006, 07:38 AM
Ok here's another problem:
[root@news-srv2 ~]# rm iptables.sh
rm: remove regular file `iptables.sh'? y
[root@news-srv2 ~]# vi iptables.sh
[root@news-srv2 ~]# ./iptables.sh
-bash: ./iptables.sh: Permission denied
[root@news-srv2 ~]# chmod 700 iptables.sh
[root@news-srv2 ~]# ./iptables.shj
-bash: ./iptables.shj: No such file or directory
[root@news-srv2 ~]# ./iptables.sh
eth0: error fetching interface information: Device not found
Usage: grep [OPTION]... PATTERN [FILE]...
Try `grep --help' for more information.
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Unloading iptables modules: [ OK ]
error: unknown error 1 setting key 'net.ipv4.tcp_syncookies'
error: unknown error 1 setting key 'net.ipv4.icmp_echo_ignore_broadcasts'
error: unknown error 1 setting key 'net.ipv4.conf.all.accept_redirects'
error: unknown error 1 setting key 'net.ipv4.conf.default.accept_redirects'
error: unknown error 1 setting key 'net.ipv4.conf.lo.accept_redirects'
error: unknown error 1 setting key 'net.ipv4.conf.venet0.accept_redirects'
error: unknown error 1 setting key 'net.ipv4.conf.all.accept_source_route'
error: unknown error 1 setting key 'net.ipv4.conf.default.accept_source_route'
error: unknown error 1 setting key 'net.ipv4.conf.lo.accept_source_route'
error: unknown error 1 setting key 'net.ipv4.conf.venet0.accept_source_route'
iptables v1.2.11: invalid mask `' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: invalid mask `' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: invalid mask `' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: invalid mask `' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: invalid mask `' specified
Try `iptables -h' or 'iptables --help' for more information.

[root@news-srv2 ~]# vi iptables.sh
[root@news-srv2 ~]# ./iptables.sh
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Unloading iptables modules: [ OK ]
error: unknown error 1 setting key 'net.ipv4.tcp_syncookies'
error: unknown error 1 setting key 'net.ipv4.icmp_echo_ignore_broadcasts'
error: unknown error 1 setting key 'net.ipv4.conf.all.accept_redirects'
error: unknown error 1 setting key 'net.ipv4.conf.default.accept_redirects'
error: unknown error 1 setting key 'net.ipv4.conf.lo.accept_redirects'
error: unknown error 1 setting key 'net.ipv4.conf.venet0.accept_redirects'
error: unknown error 1 setting key 'net.ipv4.conf.all.accept_source_route'
error: unknown error 1 setting key 'net.ipv4.conf.default.accept_source_route'
error: unknown error 1 setting key 'net.ipv4.conf.lo.accept_source_route'
error: unknown error 1 setting key 'net.ipv4.conf.venet0.accept_source_route'
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.

[root@news-srv2 ~]#

What's causing this?
I've tried this on my localnet server and it did work but not on VPS :(

grummund
09-07-2006, 10:06 AM
First create a backup...
cp scriptname scriptname.bak
Then try either:
col < scriptname.bak > scriptname
or:
tr -d '\r' < scriptname.bak > scriptname
And then set execute permission on the new script:
chmod +x scriptname
You may need to install 'col' for the first method to work.
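The "bad interpreter" symptom can be checked directly rather than guessed at. The following is an added example, not code from any post in this thread: it shows the interpreter path the kernel actually sees when the `#!` line ends in a carriage return, then strips the CRs the same way the `tr -d '\r'` command above does. The file names and the sample script are constructed.

```shell
#!/bin/sh
# Added example (not from this thread): detect Windows CRLF line endings in a
# script and show why they produce "bad interpreter: No such file or directory".
# The kernel takes everything after "#!" up to the newline as the interpreter
# path, so "#!/bin/bash\r\n" asks it to exec "/bin/bash\r", which does not exist.

CR=$(printf '\r')   # a literal carriage-return character

# has_cr FILE: succeed if FILE contains any carriage returns.
has_cr() {
    grep -q "$CR" "$1"
}

# shebang_target FILE: print the interpreter path as the kernel sees it,
# rendering a trailing CR as "<CR>" so it is visible on the terminal.
shebang_target() {
    head -n 1 "$1" | sed -e 's/^#![ ]*//' -e "s/$CR\$/<CR>/"
}

# strip_cr SRC DST: write SRC to DST with every CR removed (the same fix as
# tr -d '\r' above) and make DST executable.
strip_cr() {
    tr -d '\r' < "$1" > "$2" && chmod +x "$2"
}

# Constructed sample: a script saved by a Windows editor (CRLF line endings).
work=$(mktemp -d)
printf '#!/bin/sh\r\necho hello from the cleaned script\r\n' > "$work/crlf.sh"

if has_cr "$work/crlf.sh"; then
    echo "crlf.sh contains CR; kernel would look for: $(shebang_target "$work/crlf.sh")"
fi
strip_cr "$work/crlf.sh" "$work/clean.sh"
echo "clean.sh interpreter: $(shebang_target "$work/clean.sh")"
sh "$work/clean.sh"   # run through sh so the demo also works on a noexec /tmp
rm -rf "$work"
```

`cat -A file | head -n 1` (GNU coreutils) gives the same diagnosis interactively: a first line ending in `^M$` is the CRLF case.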

yyahmee
09-07-2006, 01:00 PM
well, i actually figured out the first problem.
now i have problem with the actual script

Rick
09-07-2006, 01:03 PM
well, i actually figured out the first problem.

tell us how you solved it dude!

now i have problem with the actual script

probably give us some details and we can help you

grummund
09-07-2006, 01:27 PM
well, i actually figured out the first problem.
ok, so you know to use tr for the next time...;)

now i have problem with the actual script
Well one problem is that some things cannot be done on a VPS, even as root.
~# echo 0 > /proc/sys/net/ipv4/tcp_syncookies
-su: /proc/sys/net/ipv4/tcp_syncookies: Operation not permitted
~#
So comment the lines in the script which do that.

But your script also has other issues...
iptables v1.2.11: host/network `' not found
...which looks suspiciously like expansion of a null variable.

yyahmee
09-08-2006, 03:03 AM
tell us how you solved it dude!
I did these commands:
rm -f iptables.sh
vi iptables.sh
(Copy&Paste from Visual Studio)
chmod 700 iptables.sh
./iptables.sh

probably give us some details and we can help you
I did.
It was post #8 I think.
I hope you check it out cause you are VERY good at linux!

yyahmee
09-08-2006, 03:08 AM
ok, so you know to use tr for the next time...;)
Well one problem is that some things cannot be done on a VPS, even as root.
~# echo 0 > /proc/sys/net/ipv4/tcp_syncookies
-su: /proc/sys/net/ipv4/tcp_syncookies: Operation not permitted
~#
So comment the lines in the script which do that.
From looking at the code, I think that these commands must be deleted.
# Enable SYN Cookie
# Defence from TCP SYN Flood Attack
sysctl -w net.ipv4.tcp_syncookies=1 > /dev/null
sed -i '/net.ipv4.tcp_syncookies/d' /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf

# Do not answer ping request to global address
# Defence from Smurf Attack
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 > /dev/null
sed -i '/net.ipv4.icmp_echo_ignore_broadcasts/d' /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf

# Block ICMP Redirect Packets
sed -i '/net.ipv4.conf.*.accept_redirects/d' /etc/sysctl.conf
for dev in `ls /proc/sys/net/ipv4/conf/`
do
    sysctl -w net.ipv4.conf.$dev.accept_redirects=0 > /dev/null
    echo "net.ipv4.conf.$dev.accept_redirects=0" >> /etc/sysctl.conf
done

# Block Source Routed Packets
sed -i '/net.ipv4.conf.*.accept_source_route/d' /etc/sysctl.conf
for dev in `ls /proc/sys/net/ipv4/conf/`
do
    sysctl -w net.ipv4.conf.$dev.accept_source_route=0 > /dev/null
    echo "net.ipv4.conf.$dev.accept_source_route=0" >> /etc/sysctl.conf
done
Is this correct?

Here's the current full script:
#!/bin/bash


#---------------------------------------#
# Begin Setting #
#---------------------------------------#

# Interface Name
LAN=venet0

#---------------------------------------#
# Finish Setting #
#---------------------------------------#

# Grab Internal Network Mask
LOCALNET_MASK=`ifconfig $LAN|sed -e 's/^.*Mask:\([^ ]*\)$/\1/p' -e d`

# Grab Internal Address
LOCALNET_ADDR=`netstat -rn|grep $LAN|grep $LOCALNET_MASK|cut -f1 -d' '`
LOCALNET=$LOCALNET_ADDR/$LOCALNET_MASK

# Add FTP Helper Module to all other IPTables Modules
sed -i '/IPTABLES_MODULES/d' /etc/sysconfig/iptables-config
echo "IPTABLES_MODULES=\"ip_conntrack_ftp\"" >> /etc/sysconfig/iptables-config

# Stop IPTables to clear out the settings
/etc/rc.d/init.d/iptables stop

# Set Default Rule
iptables -P INPUT DROP # Drop all incoming
iptables -P OUTPUT ACCEPT # Accept all outgoing
iptables -P FORWARD DROP # Drop all forwarded packets

# Enable SYN Cookie
# Defence from TCP SYN Flood Attack
sysctl -w net.ipv4.tcp_syncookies=1 > /dev/null
sed -i '/net.ipv4.tcp_syncookies/d' /etc/sysctl.conf
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf

# Do not answer ping request to global address
# Defence from Smurf Attack
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 > /dev/null
sed -i '/net.ipv4.icmp_echo_ignore_broadcasts/d' /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf

# Block ICMP Redirect Packets
sed -i '/net.ipv4.conf.*.accept_redirects/d' /etc/sysctl.conf
for dev in `ls /proc/sys/net/ipv4/conf/`
do
    sysctl -w net.ipv4.conf.$dev.accept_redirects=0 > /dev/null
    echo "net.ipv4.conf.$dev.accept_redirects=0" >> /etc/sysctl.conf
done

# Block Source Routed Packets
sed -i '/net.ipv4.conf.*.accept_source_route/d' /etc/sysctl.conf
for dev in `ls /proc/sys/net/ipv4/conf/`
do
    sysctl -w net.ipv4.conf.$dev.accept_source_route=0 > /dev/null
    echo "net.ipv4.conf.$dev.accept_source_route=0" >> /etc/sysctl.conf
done

# Log and drop fragmented packets.
iptables -N LOG_FRAGMENT
iptables -A LOG_FRAGMENT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES FRAGMENT] : '
iptables -A LOG_FRAGMENT -j DROP
iptables -A INPUT -f -j LOG_FRAGMENT

# Drop outside connections to NetBIOS Stuff
iptables -A INPUT -s ! $LOCALNET -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A INPUT -s ! $LOCALNET -p udp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A OUTPUT -d ! $LOCALNET -p tcp -m multiport --sports 135,137,138,139,445 -j DROP
iptables -A OUTPUT -d ! $LOCALNET -p udp -m multiport --sports 135,137,138,139,445 -j DROP

# Block and log Ping of Death Attack (No more than 4 pings in one sec)
iptables -N LOG_PINGDEATH
iptables -A LOG_PINGDEATH -m limit --limit 1/s --limit-burst 4 -j ACCEPT
iptables -A LOG_PINGDEATH -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES PINGDEATH] : '
iptables -A LOG_PINGDEATH -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j LOG_PINGDEATH

# Allow all connections from localhost
iptables -A INPUT -i lo -j ACCEPT

# Allow all connections from localnet
iptables -A INPUT -s $LOCALNET -j ACCEPT

# Inside > Outside OK
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block 255.255.255.255 and 224.0.0.1
iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP

# Block connections to IDENT (113)
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

#----------------------------------------------------------#
# Services Settings #
#----------------------------------------------------------#

# Allow SSH connections
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow HTTP connections
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow HTTPS Connections
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow NNTPD Connections
iptables -A INPUT -p tcp --dport 119 -j ACCEPT

#----------------------------------------------------------#
# End All Service Settings #
#----------------------------------------------------------#

# Block and don't log connections from all blocked IPs
if [ -s /root/deny_ip ]; then
    for ip in `cat /root/deny_ip`
    do
        iptables -I INPUT -s $ip -j DROP
    done
fi

# Block and don't log connections from all blocked countries
# Blocked Countries: Korea
COUNTRYLIST='KR'
wget -q http://ftp.apnic.net/stats/apnic/delegated-apnic-latest
iptables -N OTHERFILTER
iptables -A OTHERFILTER -j DROP
for country in $COUNTRYLIST
do
    for ip in `cat delegated-apnic-latest | grep "apnic|$country|ipv4|"`
    do
        FILTER_ADDR=`echo $ip |cut -d "|" -f 4`
        TEMP_CIDR=`echo $ip |cut -d "|" -f 5`
        FILTER_CIDR=32
        while [ $TEMP_CIDR -ne 1 ];
        do
            TEMP_CIDR=$((TEMP_CIDR/2))
            FILTER_CIDR=$((FILTER_CIDR-1))
        done
        iptables -I INPUT -s $FILTER_ADDR/$FILTER_CIDR -j OTHERFILTER
    done
done
rm -f delegated-apnic-latest

# Log and block all connections that are undefined
iptables -A INPUT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES INPUT] : '
iptables -A INPUT -j DROP
iptables -A FORWARD -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES FORWARD] : '
iptables -A FORWARD -j DROP

# Save rule
/etc/rc.d/init.d/iptables save

# Start Firewall
/etc/rc.d/init.d/iptables start

EDIT: I deleted those commands I mentioned and run the script.
Last login: Thu Sep 7 05:43:00 from nttkyo256028.tkyo.nt.adsl.ppp.infoweb.ne.jp
[root@news-srv2 ~]# vi iptables.sh
[root@news-srv2 ~]# chmod 700 iptables.sh
[root@news-srv2 ~]# ./iptables.sh
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Unloading iptables modules: [ OK ]
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_ftp [ OK ]
[root@news-srv2 ~]#
[root@news-srv2 ~]#
I think permission error is now fixed.
Now I have to find the null variable.

But your script also has other issues... ...which looks suspiciously like expansion of a null variable.
hmm... I can't find any null variables :confused:

Thanks for your help!

grummund
09-08-2006, 06:27 AM
From looking at the code, I think that these commands must be deleted.
[snip]
Is this correct?
The errors you see are emitted by the iptables commands.

Add 'set -x' at the top of the script to see what is going on:
#!/bin/bash

set -x
This block is prime suspect in my mind...
# Block and don't log connections from all blocked countries
# Blocked Countries: Korea
COUNTRYLIST='KR'
wget -q http://ftp.apnic.net/stats/apnic/delegated-apnic-latest
iptables -N OTHERFILTER
iptables -A OTHERFILTER -j DROP
for country in $COUNTRYLIST
do
    for ip in `cat delegated-apnic-latest | grep "apnic|$country|ipv4|"`
    do
        FILTER_ADDR=`echo $ip |cut -d "|" -f 4`
        TEMP_CIDR=`echo $ip |cut -d "|" -f 5`
        FILTER_CIDR=32
        while [ $TEMP_CIDR -ne 1 ];
        do
            TEMP_CIDR=$((TEMP_CIDR/2))
            FILTER_CIDR=$((FILTER_CIDR-1))
        done
        iptables -I INPUT -s $FILTER_ADDR/$FILTER_CIDR -j OTHERFILTER
    done
done
rm -f delegated-apnic-latest
Far too complicated a piece of code to see in a firewall script..:eek:

Does the problem go away if you edit it like this?:
#COUNTRYLIST='KR'
COUNTRYLIST=
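The country block grummund points at turns APNIC's host count into a prefix length by halving it until it reaches 1. Here is that conversion as an added example (not code from any post in this thread) that also rejects the counts the original loop handles badly: a count of 0 never reaches 1 and loops forever, an empty field makes `test` fail with a syntax error, and a count that is not a power of two cannot be expressed as one CIDR block. The delegated-file records are constructed from RFC 5737 documentation ranges, the function names are my own, and the iptables commands are printed for review instead of being run.

```shell
#!/bin/sh
# Added example, not code from this thread. Converts APNIC "delegated" records
# (fields: registry|cc|type|start|value|date|status) into CIDR blocks the way
# the country-block loop does, but validates the host count first.

# count_to_prefix COUNT: print the prefix length for a block of COUNT addresses.
# Fails (status 1) for an empty value, a non-number, 0, or a count that is not
# a power of two, instead of looping forever or emitting a wrong prefix.
count_to_prefix() {
    n=$1
    case "$n" in '' | *[!0-9]*) return 1 ;; esac
    [ "$n" -gt 0 ] || return 1
    prefix=32
    while [ "$n" -gt 1 ]; do
        [ $((n % 2)) -eq 0 ] || return 1   # odd remainder: not a power of two
        n=$((n / 2))
        prefix=$((prefix - 1))
    done
    echo "$prefix"
}

# country_blocks CC: read delegated records on stdin and print one
# "start/prefix" per IPv4 record for country CC; bad records go to stderr.
country_blocks() {
    cc=$1
    grep "^apnic|$cc|ipv4|" | while IFS='|' read -r reg c type start count rest; do
        if prefix=$(count_to_prefix "$count"); then
            echo "$start/$prefix"
        else
            echo "skipping $start: count '$count' is not a single CIDR block" >&2
        fi
    done
}

# dry_run_rules CC: the iptables lines the script would execute, printed
# instead of run, so they can be reviewed before the live chain is touched.
dry_run_rules() {
    country_blocks "$1" | sed 's|^|iptables -I INPUT -s |; s|$| -j OTHERFILTER|'
}

# Constructed sample records (RFC 5737 test networks, not real APNIC data).
SAMPLE='apnic|KR|ipv4|203.0.113.0|256|20060101|allocated
apnic|JP|ipv4|192.0.2.0|256|20060101|allocated
apnic|KR|ipv4|198.51.100.0|1024|20060101|allocated
apnic|KR|ipv4|203.0.113.128|3|20060101|assigned
apnic|KR|ipv6|2001:db8::|32|20060101|allocated'

printf '%s\n' "$SAMPLE" | dry_run_rules KR
```

Piping the real `delegated-apnic-latest` file into `dry_run_rules KR` lists every rule before any of them is inserted; anything reported on stderr is a record the halving loop would have mis-sized, and worth checking against the file by hand.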

yyahmee
09-09-2006, 03:47 AM
Ok, here is what happened.
I added:
set -x
and deleted:
'KR'

Here's the output:
Last login: Fri Sep 8 06:05:26 from nttkyo256028.tkyo.nt.adsl.ppp.infoweb.ne.jp
You have new mail.
[root@news-srv2 ~]# vi iptables.sh
[root@news-srv2 ~]# chmod 700 iptables.sh
[root@news-srv2 ~]# ./iptables.sh
+ LAN=venet0
++ ifconfig venet0
++ sed -e 's/^.*Mask:\([^ ]*\)$/\1/p' -e d
+ LOCALNET_MASK=255.255.255.255
++ netstat -rn
++ grep venet0
++ grep 255.255.255.255
++ cut -f1 '-d '
+ LOCALNET_ADDR=
+ LOCALNET=/255.255.255.255
+ sed -i /IPTABLES_MODULES/d /etc/sysconfig/iptables-config
+ echo 'IPTABLES_MODULES="ip_conntrack_ftp"'
+ /etc/rc.d/init.d/iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Unloading iptables modules: [ OK ]
+ iptables -P INPUT DROP
+ iptables -P OUTPUT ACCEPT
+ iptables -P FORWARD DROP
+ iptables -N LOG_FRAGMENT
+ iptables -A LOG_FRAGMENT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES FRAGMENT] : '
+ iptables -A LOG_FRAGMENT -j DROP
+ iptables -A INPUT -f -j LOG_FRAGMENT
+ iptables -A INPUT -s '!' /255.255.255.255 -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -A INPUT -s '!' /255.255.255.255 -p udp -m multiport --dports 135,137,138,139,445 -j DROP
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -A OUTPUT -d '!' /255.255.255.255 -p tcp -m multiport --sports 135,137,138,139,445 -j DROP
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -A OUTPUT -d '!' /255.255.255.255 -p udp -m multiport --sports 135,137,138,139,445 -j DROP
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -N LOG_PINGDEATH
+ iptables -A LOG_PINGDEATH -m limit --limit 1/s --limit-burst 4 -j ACCEPT
+ iptables -A LOG_PINGDEATH -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES PINGDEATH] : '
+ iptables -A LOG_PINGDEATH -j DROP
+ iptables -A INPUT -p icmp --icmp-type echo-request -j LOG_PINGDEATH
+ iptables -A INPUT -i lo -j ACCEPT
+ iptables -A INPUT -s /255.255.255.255 -j ACCEPT
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.
+ iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables -A INPUT -d 255.255.255.255 -j DROP
+ iptables -A INPUT -d 224.0.0.1 -j DROP
+ iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 80 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 443 -j ACCEPT
+ iptables -A INPUT -p tcp --dport 119 -j ACCEPT
+ '[' -s /root/deny_ip ']'
+ COUNTRYLIST=
+ wget -q http://ftp.apnic.net/stats/apnic/delegated-apnic-latest
+ iptables -N OTHERFILTER
+ iptables -A OTHERFILTER -j DROP
+ rm -f delegated-apnic-latest
+ iptables -A INPUT -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES INPUT] : '
+ iptables -A INPUT -j DROP
+ iptables -A FORWARD -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES FORWARD] : '
+ iptables -A FORWARD -j DROP
+ /etc/rc.d/init.d/iptables save
Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
+ /etc/rc.d/init.d/iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: [ OK ]
Loading additional iptables modules: ip_conntrack_ftp [ OK ]
[root@news-srv2 ~]#
[root@news-srv2 ~]#

I think deleting 'KR' won't do anything :(
From what it looks this part is causing the problem:
# Drop outside connections to NetBIOS Stuff
iptables -A INPUT -s ! $LOCALNET -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A INPUT -s ! $LOCALNET -p udp -m multiport --dports 135,137,138,139,445 -j DROP
iptables -A OUTPUT -d ! $LOCALNET -p tcp -m multiport --sports 135,137,138,139,445 -j DROP
iptables -A OUTPUT -d ! $LOCALNET -p udp -m multiport --sports 135,137,138,139,445 -j DROP
But if I delete this doesn't it cause some security problems?

I'm gonna put 'KR' back and comment out the NetBIOS part.
Then this happened:
Due to big log, I couldn't send or attach the log
It has been uploaded to:
http://yyahmee.la.coocan.jp/log.txt
Thanks

yyahmee
09-09-2006, 03:49 AM
I think this is causing some problem too:
+ iptables -A INPUT -s /255.255.255.255 -j ACCEPT
iptables v1.2.11: host/network `' not found
Try `iptables -h' or 'iptables --help' for more information.

I'll comment that out.
Thanks

grummund
09-09-2006, 05:52 AM
The problem is for some reason that LOCALNET is not being constructed properly. I say "the problem", as it relates to your question... but to be honest, I wouldn't bother with a firewall script that was trying to be so clever, and I have doubts as to whether the script achieves what you want anyway (rather than a false sense of security).

That said, however, here's the bit about LOCALNET:
# Interface Name
LAN=venet0

# Grab Internal Network Mask
LOCALNET_MASK=`ifconfig $LAN|sed -e 's/^.*Mask:\([^ ]*\)$/\1/p' -e d`

# Grab Internal Address
LOCALNET_ADDR=`netstat -rn|grep $LAN|grep $LOCALNET_MASK|cut -f1 -d' '`
LOCALNET=$LOCALNET_ADDR/$LOCALNET_MASK
I believe what that is trying to do is grab the gateway address and mask. Try pasting those commands at the command line and see what happens. Also the output of 'netstat -rn' on its own would be instructive, because that is essentially where it is failing.

Or, as you discovered already, comment out anything using $LOCALNET, since it's probably not much relevant to a VPS anyway.
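As an added example (not from any post in this thread), here is how the LOCALNET assembly can fail closed instead of silently producing `/255.255.255.255`: each half is validated as a dotted quad before the two are joined, and a caller can abort before any iptables rule is written. The address and mask values are constructed, and the functions take them as arguments rather than scraping `ifconfig` and `netstat`, so they can be checked against known inputs; `is_ipv4` and `build_localnet` are names of my own.

```shell
#!/bin/sh
# Added example, not code from this thread. The original script builds
# LOCALNET=$LOCALNET_ADDR/$LOCALNET_MASK without checking either part, so an
# empty LOCALNET_ADDR yields "/255.255.255.255" and iptables reports
# "host/network `' not found" while the rest of the rules still load.

# is_ipv4 STRING: succeed only for four dot-separated numbers in 0..255.
is_ipv4() {
    case "$1" in '' | *[!0-9.]* | .* | *. | *..*) return 1 ;; esac
    old_ifs=$IFS
    IFS=.
    set -- $1          # split on dots into the positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# build_localnet ADDR MASK: print "ADDR/MASK", or fail with a message so the
# caller can stop before feeding an empty or malformed network to iptables.
build_localnet() {
    addr=$1
    mask=$2
    if ! is_ipv4 "$addr"; then
        echo "LOCALNET_ADDR is empty or not an IPv4 address: '$addr'" >&2
        return 1
    fi
    if ! is_ipv4 "$mask"; then
        echo "LOCALNET_MASK is empty or not an IPv4 netmask: '$mask'" >&2
        return 1
    fi
    echo "$addr/$mask"
}

# Constructed inputs: what the set -x trace on the VPS showed (empty address
# with a /32 mask), a sane LAN, and a missing mask.
for pair in ":255.255.255.255" "192.168.1.0:255.255.255.0" "192.168.1.0:"; do
    addr=${pair%%:*}
    mask=${pair#*:}
    if LOCALNET=$(build_localnet "$addr" "$mask"); then
        echo "would add: iptables -A INPUT -s $LOCALNET -j ACCEPT"
    else
        echo "refusing to build rules for addr='$addr' mask='$mask'"
    fi
done
```

In a real firewall script the failure branch should `exit 1` before the `iptables stop` line, so the old rules stay in place. Note that `set -u` alone would not catch this case: LOCALNET_ADDR is set, just empty. The `: "${LOCALNET_ADDR:?must not be empty}"` idiom, or a check like the one above, is what stops an empty value.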

yyahmee
09-12-2006, 04:38 AM
sorry I had my VPS reinstalled.
I was able to fix that problem by commenting out everything that had LOCALNET in it.
Thanks for your help!

grummund
09-12-2006, 06:37 PM
Hmm, well that's alright then... ;)