Help getting a firewall-start script to run

digdesdev

Occasional Visitor
The previous thread on this subject is old, from 2015, and morphed into a discussion of version numbers and dos2unix without a complete answer on why it wouldn't run, so I have started this thread.

Background:
The need here is to block specific inbound IP addresses per the request of the VoIP service provider, as these addresses are known sources of VoIP server hack attempts, but the VoIP ports must stay open. This is on an AC-1900P router flashed with the latest RT-AC68U Merlin firmware (384.5).

I am DOS/Windows/computer/microcontroller assembly savvy, but pretty much a Linux nOOb. By that I mean that I can run command line interface and will understand the theory of what you might tell me but not the details of any specific commands other than the most basic ones without clear explanations. I hope that helps you frame any answers.

Up to this point I have used the information in the 2015 thread (https://www.snbforums.com/threads/solved-blocking-specific-incoming-ip-addresses.28805/page-2) along with other research and created this firewall-start script in /jffs/scripts. The script was created using vi so there is no DOS-Unix file format issue.


Code:
#!/bin/sh

touch  /tmp/000firewall-start
logger "Applying firewall-start rules"
iptables -I FORWARD -s xxx.172.121.124 -j DROP
iptables -I FORWARD -s xxx.23.181.142 -j DROP
iptables -I FORWARD -s xxx.154.41.135 -j DROP
iptables -I FORWARD -s xxx.210.157.169 -j DROP
iptables -I FORWARD -s xxx.83.138.191 -j DROP
touch /tmp/000firewall-stop

The system log only shows that the script was called but nothing else happens:

Jun 5 09:51:47 rc_service: ntp 443:notify_rc restart_diskmon
Jun 5 09:51:47 rc_service: waitting "start_firewall" via udhcpc ...
Jun 5 09:51:48 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Jun 5 09:51:49 nat: apply nat rules (/tmp/nat_rules_eth0_eth0)
Jun 5 09:51:49 kernel: nf_conntrack_rtsp v0.6.21 loading
Jun 5 09:51:49 kernel: nf_nat_rtsp v0.6.21 loading
Jun 5 09:51:50 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Jun 5 09:51:50 rc_service: udhcpc 425:notify_rc start_upnp
Jun 5 09:51:50 rc_service: waitting "stop_upnp" via udhcpc ...
Jun 5 09:51:50 disk_monitor: Finish
Jun 5 09:51:52 disk_monitor: be idle
Jun 5 09:51:52 miniupnpd[555]: HTTP listening on port 47121
Jun 5 09:51:52 miniupnpd[555]: Listening for NAT-PMP/PCP traffic on port 5351
Jun 5 09:51:52 dhcp_client: bound 192.168.0.194 via 192.168.0.1 during 86400 seconds.
Jun 5 09:52:20 crond[280]: time disparity of 686272 minutes detected


The file permissions seem correct:
-rwxr-xr-x 1 admin root 341 Jun 5 10:55 firewall-start

In the router settings:
Format JFFS partition at next boot = No
Enable JFFS custom scripts and configs = Yes

When I run the script from the command line it appears to work. I know that because the two start and stop files were created in the /tmp directory and this line is in the system log:
Jun 5 11:30:35 admin: Applying firewall-start rules

I'm sure that I am missing something obvious to a knowledgeable Linux user. Anything that would point me in the right direction would be appreciated.
 
Everything looks OK :confused:

Does it create the /tmp/000firewall-start file?

Probably worth doing a "dos2unix /jffs/scripts/firewall-start" just to be sure.
 
It does not create the file on a router reboot, nor does it echo the logger line to the system log.
It does do those things when I run it from the command line.

I did a dos2unix per your suggestion but it didn't help. Because it works when run manually from the command line I don't think the problem is in the script itself. It seems like the script is not actually being run even though this line is logged:
Jun 5 09:51:50 custom_script: Running /jffs/scripts/firewall-start (args: eth0)

From a post on another forum, I tried changing the first line of the script to:
Code:
#!/bin/bash

As expected, this didn't help either.

Thanks for your comments.
 
Will do when I’m back where I can get access.

Just so I understand and can learn something, this is checking for spelling errors in the script, not the name?

Thanks.
 
Just so I understand and can learn something, this is checking for spelling errors in the script, not the name?
I think he's asking you to double-check the name (of both the directory and the script), just in case some weird characters got in there. I've had a few ^H's in my time ;).
 
Can you cat the actual script in jffs/scripts?
 
copy paste this to rule out spelling errors

Code:
l /jffs/scripts

Here is your command and the result:

Code:
admin@RT-AC1900P-96A0:/# l /jffs/scripts
-rwxr-xr-x    1 admin    root           342 Jun  5 15:31 firewall-start*

Thanks for your thought.
 
Delete the script just in case there's something "strange" in it and create a new one that contains only the following:
Code:
#!/bin/sh
logger "FIREWALL"
Then:
chmod 755 /jffs/scripts/firewall-start
service restart_wan
 
Can you cat the actual script in jffs/scripts?

Yes. Here it is again (with the IP addresses x'd out; I'm not sure why I'm protecting malicious hacker IPs). :)

The -x was added to the shebang to supposedly enable debug logging, but nothing is showing up in the system log. If I've done something wrong, please let me know.

Code:
admin@RT-AC1900P-96A0:/# cat /jffs/scripts/firewall-start
#!/bin/sh -x
touch  /tmp/000firewall-start
logger "Applying firewall-start rules"
iptables -I FORWARD -s xxx.172.121.124 -j DROP
iptables -I FORWARD -s xxx.23.181.142 -j DROP
iptables -I FORWARD -s xxx.154.41.135 -j DROP
iptables -I FORWARD -s xxx210.157.169 -j DROP
iptables -I FORWARD -s 212.83.138.191 -j DROP
touch /tmp/000firewall-stop
 
As Colin has said, paste these 4 lines and see what happens

(I simply converted his quoted portion into 2 echo commands so no text editor has to be involved at any step of the way.)


Code:
echo "#!/bin/sh" > /jffs/scripts/firewall-start
echo 'logger "FIREWALL"' >> /jffs/scripts/firewall-start
chmod 755 /jffs/scripts/firewall-start
service restart_wan
 
It is now working, but I don't know why.

Thinking that I had missed a space character, I changed the shebang to include a space between the command "#!" and the path parameter "/bin/sh", and that seemed to fix it. I thought that was the issue, but when I carefully checked all the other posts there didn't seem to be a space. As a test I reverted to the original "#!/bin/sh" without a space and it is still working.

Now the system log shows that the script is running by displaying the logging line text:
Jun 5 22:21:41 custom_script: Running /jffs/scripts/firewall-start (args: eth0)
Jun 5 22:21:41 admin: Applying firewall-start rules

and the two test files exist in the /tmp folder.

I'm glad it's working but I'm confused as to why. Unless it fails again I might never discover the problem.

FreshJR & Colin: sorry I didn't get to try your latest suggestions.

My thanks to everyone for your efforts.
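As an added example (not code from this thread or from the Asuswrt-Merlin project), here is how a practitioner would harden the script above: firewall-start is re-run on every firewall restart, so every `iptables -I` stacks another copy of the rule unless it is checked first; a malformed address (like the missing-dot entry in the cat output) is logged and skipped instead of breaking the run; and stderr, where the `sh -x` trace actually goes, is captured to a file. It assumes the hook path /jffs/scripts/firewall-start and uses constructed placeholder addresses.

```shell
#!/bin/sh
# Added example, not code from the thread: an idempotent firewall-start for Asuswrt-Merlin.
# The router re-runs firewall-start on every firewall restart, so a plain "iptables -I" stacks
# duplicate rules; each rule is checked with -C first. IPT/CHAIN are variables only so the
# functions can be exercised without a router.
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-FORWARD}"
# Constructed placeholder addresses (TEST-NET ranges); the real list comes from the provider.
BLOCK_LIST="203.0.113.10 198.51.100.7"
ADDED_RULES=0
# Writes to syslog as the thread's script does; falls back to stderr if logger is unavailable.
log() { logger -t firewall-start "$*" 2>/dev/null || echo "firewall-start: $*" >&2; }
# Returns 0 only for a well-formed dotted-quad IPv4 address. A malformed entry such as
# "xxx210.157.169" would otherwise make iptables fail part-way through the list.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}
# Inserts a DROP rule for $1 into CHAIN unless an identical rule already exists.
# Returns 0 when a rule was added, 1 when it was already present, 2 when $1 was rejected.
add_drop_rule() {
    if ! valid_ipv4 "$1"; then
        log "rejected malformed address: $1"
        return 2
    fi
    "$IPT" -C "$CHAIN" -s "$1" -j DROP 2>/dev/null && return 1
    "$IPT" -I "$CHAIN" -s "$1" -j DROP || return 2
    log "dropping traffic from $1 in $CHAIN"
}
# Applies the whole list; a bad entry is logged and skipped instead of aborting the script.
apply_block_list() {
    ADDED_RULES=0
    for addr in $BLOCK_LIST; do
        add_drop_rule "$addr" && ADDED_RULES=$((ADDED_RULES + 1))
    done
    return 0
}
# Run only when invoked as the router's hook. Errors and any "sh -x" trace go to stderr,
# which the router does not capture, so stderr is redirected to a file under /tmp.
case "$0" in
    */firewall-start) exec 2>>/tmp/firewall-start.log; log "Applying firewall-start rules"; apply_block_list ;;
esac
```

After a reboot, `cat /tmp/firewall-start.log` shows any iptables error that syslog would have swallowed, and `iptables -L FORWARD -n` shows exactly one DROP per address no matter how many times the firewall restarted.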
 