
firewall script problem

Discussion in 'Tomato Firmware' started by szpunk, Nov 1, 2013.

  1. szpunk

    szpunk Networkin' Nut Member

    I wrote a script and put it into /opt/etc/config/me.fire to run these commands when the firewall starts/restarts, something like this:

    ipt() {
      #REDSOCKS listening port
      #RSPORT="$(echo `netstat -lnp | grep redsocks | awk '/:*/ { print $4 }'` | cut -d ":" -f2)"
      DEST="`nvram get lan_ipaddr`:${RSPORT}"
      SOUCLI="-s `nvram get lan_ipaddr`/`nvram get lan_netmask`"
      # Redirect normal HTTP and HTTPS traffic
      iptables -t nat -A REDSOCKS -p tcp $SOUCLI --dport 80 -j DNAT --to-destination $DEST
      iptables -t nat -A REDSOCKS -p tcp $SOUCLI --dport 443 -j DNAT --to-destination $DEST
    }
    Now the problem is: when I use RSPORT=8099, then:

    service firewall restart
    iptables -t nat -nvL
    I can see that the iptables commands worked.

    But when I use RSPORT="$(echo `netstat -lnp | grep redsocks | awk '/:*/ { print $4 }'` | cut -d ":" -f2)", it doesn't work.

    If I insert a line like:

    echo $RSPORT
    and then run the script manually, it shows 8099 successfully.

    What happens when the firewall restarts? Doesn't it just run the script?
  2. jerrm

    jerrm Network Guru Member

    My busybox netstat doesn't support the -p parameter. Have you installed the opt/entware netstat? If so, it is possibly an environment/path issue?
  3. lancethepants

    lancethepants Network Guru Member

    I always try to use the full binary path for all binaries when writing a script, i.e. /opt/bin/netstat. jerrm has probably found the issue.

    edit: Entware automatically sets the $PATH variable when logging in through ssh. This is only for SSH though, so your router on boot won't know to use optware/entware unless you supply its full binary path.
  4. szpunk

    szpunk Networkin' Nut Member

    Thanks! It's a path issue! I changed netstat to /opt/bin/netstat and it is OK now!
  5. szpunk

    szpunk Networkin' Nut Member

    I typed "service firewall restart" in the ssh console; when the firewall restarts and runs the .fire script, does it not "read" the current $PATH variable? Thanks anyway, the full path is working!
  6. lancethepants

    lancethepants Network Guru Member

    If you look at /opt/etc/profile, it modifies the $PATH variable. This is only in effect when you manually run the script after you log in with ssh.

    Entware puts /opt/bin:/opt/sbin etc. before /bin:/sbin. So when you're logged in, it looks at the /opt binaries first.

    If you temporarily remove /opt/etc/profile, relogin, and run 'echo $PATH', you will see that /bin:/sbin etc. are first. This is the default PATH order in Tomato.

    Scripts you place in the Firewall and Wanup GUI only see the Tomato default PATH. They don't know about /opt/etc/profile. So if there is more than one binary of the same name, it will use the one Tomato has built in first, unless you specify the full path.

    Glad you got it going :)
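As an added example (not code from anyone in this thread), here is a firewall-script skeleton that applies the point above: it puts the Entware directories on PATH explicitly instead of relying on /opt/etc/profile, derives the redsocks listening port from netstat output, and refuses to emit the DNAT rule when no valid port was found, so an empty $RSPORT cannot silently produce a broken rule. The netstat lines are constructed sample output, and the REDSOCKS chain name and LAN values are assumptions.

```shell
#!/bin/sh
# Added example for the thread above; not from the original post or Tomato.

# Firewall/WAN-up scripts run with Tomato's default PATH (no /opt/bin), and
# /opt/etc/profile is only sourced for interactive SSH logins, so make the
# Entware binaries visible here rather than depending on the login shell.
PATH="/opt/bin:/opt/sbin:$PATH"; export PATH

# Read "netstat -lnp" style text on stdin and print the TCP port that the
# redsocks process is listening on (nothing if it is not running).
redsocks_port() {
  awk '$1 == "tcp" && $6 == "LISTEN" && $7 ~ "/redsocks$" {
         n = split($4, a, ":"); print a[n]; exit }'
}

# Print the iptables arguments for the port-80 DNAT rule, but only when the
# port is a plausible number; otherwise return 1 so the caller fails closed
# instead of installing "--to-destination 192.168.1.1:" with an empty port.
dnat_args() {
  lan_ip=$1; lan_mask=$2; port=$3
  case $port in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  echo "-t nat -A REDSOCKS -p tcp -s $lan_ip/$lan_mask --dport 80 -j DNAT --to-destination $lan_ip:$port"
}

# Constructed sample in the format of Entware's "netstat -lnp" output.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8099            0.0.0.0:*               LISTEN      1234/redsocks
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      456/dropbear'

# On a real router the sample would be replaced by: /opt/bin/netstat -lnp
main_example() {
  port=$(printf '%s\n' "$SAMPLE" | redsocks_port)
  if ! dnat_args 192.168.1.1 255.255.255.0 "$port"; then
    echo "redsocks port not found; not adding REDSOCKS rules" >&2
    return 1
  fi
}

main_example
```

On the router the printed arguments would be passed to iptables (`iptables $(dnat_args ...)`), and the same check guards the port-443 rule.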
