Yes, ash (the shell built into Busybox) only likes "=", whereas bash accepts both "=" and "==":

# if [ _$a = _1 ]; then echo "equal"; fi
# if [ _$a == _1 ]; then echo "equal"; fi
[: ==: unknown operand
#

The fix here is easy: just replace any "==" with "=".

Also, iptables can only be run as root, so probably running that script requires root privilege as well. But it is true that it is highly likely that all preexisting iptables settings will be wiped out, so it may be easier to manually add only the required iptables rules, rather than running a complete firewall shell. Try this:
# $EXTIF (external interface name) and $IPT (path to the iptables binary)
# are expected to be set already by the surrounding firewall environment.
WAN="$EXTIF"
# Public address of the WAN interface, taken from the "inet addr:x.x.x.x" line
WANIP=$(/sbin/ifconfig $WAN | awk '/inet addr/ { gsub(".*:", "", $2) ; print $2 }')

fwd_to() {    # destaddr[:destport] inport [protocol]
    case _$3 in
    _)  # no protocol given: forward both tcp and udp
        $IPT -t nat -A PREROUTING -d $WANIP -p tcp --dport $2 -j DNAT \
            --to-destination $1
        $IPT -A FORWARD -i $WAN -p tcp --dport $2 -j ACCEPT
        $IPT -t nat -A PREROUTING -d $WANIP -p udp --dport $2 -j DNAT \
            --to-destination $1
        $IPT -A FORWARD -i $WAN -p udp --dport $2 -j ACCEPT
        ;;
    _*) # explicit protocol
        $IPT -t nat -A PREROUTING -d $WANIP -p $3 --dport $2 -j DNAT \
            --to-destination $1
        $IPT -A FORWARD -i $WAN -p $3 --dport $2 -j ACCEPT
        ;;
    esac
}

BASTION='192.168.0.15'     # or anyway IP address of HTTP/SMTP server
fwd_to $BASTION 25 tcp     # forward SMTP
fwd_to $BASTION 80 tcp     # forward HTTP
It works on my OpenWRT box, and, using "-d $WANIP" rather than "-i $WAN", it also supports hairpinning, i.e. the ability to address your mailserver / HTTP server from the internal LAN using the external IP address of the router, which is often associated with a dynamic domain name. This is convenient when using e.g. a laptop, sometimes connected to the internal LAN and sometimes on the open Internet: the SMTP settings in the mail client may always remain the same.

Enzo
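An added example, not Enzo's script nor any AstLinux code: the same DNAT plus FORWARD rule shape written as POSIX sh, so it runs unchanged under busybox ash and bash. It keeps the "-d $WANIP" match that gives hairpinning, uses a single "=" in tests (the construct busybox rejects with "[: ==: unknown operand"), validates the port and protocol, and only appends rules, so anything already configured (e.g. by AstShape) stays in place instead of being wiped by a full firewall script. By default IPT is "echo iptables", which makes it a dry run that prints the rules; set IPT=/usr/sbin/iptables as root to apply them. EXTIF is assumed to be the external-interface variable exported by the AstLinux setup; 203.0.113.10 and 192.168.0.15 are constructed sample addresses.

```shell
#!/bin/sh
# Added example (not from the thread): POSIX-sh port-forward helper that runs
# under busybox ash and bash alike. IPT defaults to a dry run that prints the
# iptables commands; set IPT=/usr/sbin/iptables (as root) to apply them.
# EXTIF is assumed to be the external interface variable of the AstLinux setup;
# the WAN and bastion addresses below are constructed samples.

IPT="${IPT:-echo iptables}"
WAN="${EXTIF:-eth0}"
WANIP="${WANIP:-203.0.113.10}"

# is_port PORT: succeed only if PORT is an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# fwd_to DESTADDR[:DESTPORT] INPORT [PROTOCOL]
# Appends (never flushes, so rules added by other tools stay in place) a
# nat/PREROUTING DNAT rule and the matching FORWARD accept. With no protocol,
# both tcp and udp are forwarded, as in the thread's script.
fwd_to() {
    is_port "$2" || { echo "fwd_to: bad port '$2'" >&2; return 1; }
    if [ -z "$3" ]; then
        for p in tcp udp; do
            fwd_to "$1" "$2" "$p" || return 1
        done
        return 0
    fi
    # A single '=' is the portable string test; busybox ash rejects '=='.
    if [ "$3" = tcp ] || [ "$3" = udp ]; then
        # Matching on -d $WANIP (rather than -i $WAN) also catches LAN clients
        # that use the public address, which is what makes hairpinning work.
        $IPT -t nat -A PREROUTING -d "$WANIP" -p "$3" --dport "$2" \
            -j DNAT --to-destination "$1"
        $IPT -A FORWARD -i "$WAN" -p "$3" --dport "$2" -j ACCEPT
    else
        echo "fwd_to: protocol must be tcp or udp, got '$3'" >&2
        return 1
    fi
}

# Dry run with the default IPT: prints the four iptables commands it would add.
BASTION=192.168.0.15       # constructed sample: LAN address of the SMTP/HTTP host
fwd_to "$BASTION" 25 tcp   # SMTP
fwd_to "$BASTION" 80 tcp   # HTTP
```

Run it once with the default IPT and read the printed rules before pointing IPT at the real binary; because it only uses -A, re-running it appends duplicate rules rather than replacing them, so clear or check the chains first if it is run more than once.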
----- Original Message -----
Sent: Tuesday, February 21, 2006 4:28 AM
Subject: Re: [Astlinux-users] Destination Nat
;-( not good. The FATAL error message is probably just a default response to the failure to configure. Obviously if you are root then that won't be the issue. I'm tending to think that this is probably an incompatibility between busybox and this script - you would normally run it under a standard bash shell.

I'll run it up here under busybox myself and see if we can't get it going for you.

The alternative of course is to pop a copy of bash on there and have another go.

cheers,
Mark
On 21/02/06, Tom Lynn <[EMAIL PROTECTED]> wrote:

Mark, I tried running the script you suggested, as root. It failed saying I must have root permissions to complete the script.

Running './rc.firewall check'. Output will follow ...
-> Projectfiles.com Linux Firewall version 2.0rc9 running.
[: ==: unknown operand
[: ==: unknown operand
[: ==: unknown operand
[: ==: unknown operand
[: ==: unknown operand
[: ==: unknown operand
-> Performing sanity checks. [ FAILED ]
-> FATAL: You must have root privileges to configure the firewall.

Errors were detected in your system configuration. See the output above for specific details.

A copy of the Linux Firewall initialization script preconfigured by this program is located in /tmp/rc.firewall

I'm also wondering what effect this script will have on AstShape. Will it completely pre-empt any existing settings?
On 2/16/06, Mark Edwards <[EMAIL PROTECTED]> wrote:
> Quickest way to get this going is to get thee to the projectfiles.com site
> and download the "projectfiles" firewall script.
>
> This script is dead easy to use and allows you to set up port whitelists,
> NAT and port forwarding, the latter of which is what you are after here.
>
> If you have any problems getting this script going, get back to me and I'll
> work through the issue with you.
>
> It builds a robust iptables based firewall for you with just a couple of
> config settings.
>
> cheers,
>
> Mark.
>
>
> On 17/02/06, Tom Lynn <[EMAIL PROTECTED]> wrote:
> >
> > My AstLinux box is now my router/firewall.
> >
> > I'm looking for some help from those who have set up destination NAT
> > under ASTLINUX. I'm looking for the most efficient and *PERSISTENT*
> > means to direct inbound SMTP and HTTP to another server on my inside
> > network. I'm not trained in IPTables, so the documentation I'm
> > reading is pretty much greek at this point.
> >
> > Thanks in advance.
> >
> > Tom
> >
> > _______________________________________________
> > Astlinux-users mailing list
> > [email protected]
> > http://lists.kriscompanies.com/mailman/listinfo/astlinux-users
> >
> > Donations to support AstLinux are graciously accepted via PayPal to
> > [EMAIL PROTECTED].
>
>
> --
> regards,
>
> Mark P. Edwards
> http://www.hearmymessage.com/now/
--
regards,

Mark P. Edwards
http://www.hearmymessage.com/now/