iptables shell failed

Question

I write a shell for iptables configuration but failed.
It's really strange here.

My shell

#!/bin/bash
#
# The interface that connect Internet
EXTIF="ppp0"

# the inside interface. if you don't have this one
# and you must let this be black ex> INIF=""
INIF="eth0"
INNET="192.168.1.0/24"     # This is for NAT's network
IPTABLES="/sbin/iptables"

#flush/erase original rules
$IPTABLES -F #清除所有已制定的rule
$IPTABLES -X #清除用户自定义的chain/table
$IPTABLES -Z #将所有的chain的计数和流量统计归零
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -Z




#default policies
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP


#Accept localhost connetting, no matter what it is
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#Accept any response package which is initiated from inside
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#Drop invalid package
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP

#block most common network attacks(recon packets and syn-flood attack)
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP


#open ports for different services
#SSH
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
$IPTABLES -A OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT

#HTTP
$IPTABLES -A INPUT -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -m state --state RELATED,ESTABLISHED  -j ACCEPT


#HTTPS
$IPTABLES -A INPUT -p tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT 
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT

#DNS
$IPTABLES -A INPUT -p tcp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT 
$IPTABLES -A INPUT -p udp -m tcp --sport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT 
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT 
$IPTABLES -A OUTPUT -p udp -m tcp --dport 53 -m state --state RELATED,ESTABLISHED -j ACCEPT 

#DHCP
$IPTABLES -A INPUT -p udp -m udp --sport 67 --dport 68 -m state --state RELATED,ESTABLISHED -j ACCEPT 


#8080
#$IPTABLES -A INPUT -p tcp -m tcp --sport 8080 -m state --state RELATED,ESTABLISHED -j ACCEPT


#$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT #SMTP
#$IPTABLES -A INPUT -p tcp --dport 465 -j ACCEPT #Secure SMTP
#$IPTABLES -A INPUT -p tcp --dport 110 -j ACCEPT #POP3
#$IPTABLES -A INPUT -p tcp --dport 995 -j ACCEPT #Secure POP


#ICMP configuration
#To prevent ICMP DDOS,we do not allow ICMP type 8(echo-request) or limit this request with 1/second
#some ICMP requests are allowed.
icmp_type="0 3 4 11 12 14 16 18"
for ticmp in $icmp_type
do
    $IPTABLES -A INPUT -p icmp --icmp-type $ticmp -j ACCEPT
done

#$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -j ACCEPT


#FORWARD table
$IPTABLES -A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
$IPTABLES -A FORWARD -f -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -m limit --limit 1/sec --limit-burst 10 -j ACCEPT
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
 
#mangle chain
$IPTABLES -A PREROUTING -s 10.0.0.0/8 -i eth0 -j DROP
$IPTABLES -A PREROUTING -s 172.16.0.0/12 -i eth0 -j DROP
$IPTABLES -A PREROUTING -s 192.168.0.0/16 -i eth0 -j DROP

#save
$IPTABLES-save

---

error log

: not foundh: 5: iptables7.sh:
: not foundh: 11: iptables7.sh:
: not foundh: 13: iptables7.sh: /sbin/iptables
: not foundh: 14: iptables7.sh: /sbin/iptables
: not foundh: 15: iptables7.sh: /sbin/iptables
: not foundh: 16: iptables7.sh: /sbin/iptables
: not foundh: 17: iptables7.sh: /sbin/iptables
: not foundh: 18: iptables7.sh: /sbin/iptables
: not foundh: 19: iptables7.sh:
: not foundh: 20: iptables7.sh:
: not foundh: 21: iptables7.sh:
: not foundh: 22: iptables7.sh:
: not foundh: 24: iptables7.sh: /sbin/iptables
: not foundh: 25: iptables7.sh: /sbin/iptables
: not foundh: 26: iptables7.sh: /sbin/iptables
: not foundh: 27: iptables7.sh:
: not foundh: 28: iptables7.sh:
: not foundh: 30: iptables7.sh: /sbin/iptables
: not foundh: 31: iptables7.sh: /sbin/iptables
: not foundh: 32: iptables7.sh:
: not foundh: 34: iptables7.sh: /sbin/iptables
: not foundh: 35: iptables7.sh: /sbin/iptables
: not foundh: 36: iptables7.sh:
: not foundh: 38: iptables7.sh: /sbin/iptables
: not foundh: 39: iptables7.sh: /sbin/iptables
: not foundh: 40: iptables7.sh:
: not foundh: 42: iptables7.sh: /sbin/iptables
: not foundh: 43: iptables7.sh: /sbin/iptables
: not foundh: 44: iptables7.sh: /sbin/iptables
: not foundh: 45: iptables7.sh:
: not foundh: 46: iptables7.sh:
: not foundh: 49: iptables7.sh: /sbin/iptables
: not foundh: 50: iptables7.sh: /sbin/iptables
: not foundh: 51: iptables7.sh:
: not foundh: 53: iptables7.sh: /sbin/iptables
: not foundh: 54: iptables7.sh: /sbin/iptables
: not foundh: 55: iptables7.sh:
: not foundh: 56: iptables7.sh:
: not foundh: 58: iptables7.sh: /sbin/iptables
: not foundh: 59: iptables7.sh: /sbin/iptables
: not foundh: 60: iptables7.sh:
: not foundh: 62: iptables7.sh: /sbin/iptables
: not foundh: 63: iptables7.sh: /sbin/iptables
: not foundh: 64: iptables7.sh: /sbin/iptables
: not foundh: 65: iptables7.sh: /sbin/iptables
: not foundh: 66: iptables7.sh:
: not foundh: 68: iptables7.sh: /sbin/iptables
: not foundh: 69: iptables7.sh:
: not foundh: 70: iptables7.sh:
: not foundh: 73: iptables7.sh:
: not foundh: 74: iptables7.sh:
: not foundh: 79: iptables7.sh:
: not foundh: 80: iptables7.sh:
iptables7.sh: 86: iptables7.sh: Syntax error: word unexpected (expecting "do")

We can find iptables in sbin directory.And then I can't understand the last message:there is true "do" on it.Why does it still expert a "do" ?

Any help will be appreciated.

Thanks.

PS:

more datails

If I use "ipatbles" instead of parameter "IPTABLES",the six rules following can be executed.

iptables -F 
iptables -X 
iptables -Z 
iptables  -P OUTPUT DROP
iptables  -P INPUT DROP
iptables  -P FORWARD DROP

but others still failed again.

---

I get this

But I think this is more inportant

CONFIG_IP_NF_IPTABLES=m
CONFIG_IP6_NF_IPTABLES=m

I don't know how to active it.

Thank you again.

Answer 1

由于不熟悉linux,
都是在windows下编辑文件在ssh 传过去

这里我用的编辑器 回车键 不是单纯的"0A"而是"0A0D"混入了"0D"导致linux 脚本识别错误。

Answer 2

环境是什么？

Answer 3

。。sorry，I not see detail , let me think for a moment, the /sbin/iptables is sure reachable? and then see the iptables command is executeable.