[opensuse] Why doesn't this work?
asus:~ # crontab -e -u root
15 11 * * * /root/OFF.sh
11 22 * * * /root/ON.sh
:wq

asus:~ # cat OFF.sh
#!/bin/bash
iptables -I OUTPUT -s 0/0 -p tcp --dport 80 -j DROP

done manually

asus:~ # ./OFF.sh
asus:~ # iptables -L -n | less
...
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELAT

done automatically by cron

/var/log/messages
asus:~ # tailf /var/log/messages
Nov 28 11:10:16 asus crontab[27601]: (root) REPLACE (root)
Nov 28 11:10:16 asus crontab[27601]: (root) END EDIT (root)
Nov 28 11:11:01 asus /usr/sbin/cron[10805]: (root) RELOAD (tabs/root)
Nov 28 11:15:01 asus /usr/sbin/cron[27624]: (root) CMD (/root/OFF.sh )

asus:~ # iptables -L -n | less
...
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELAT

When I execute OFF.sh manually, IPTABLES turns off port 80 outbound as I desire to prevent outbound access on the browser. The listing verifies that the OUTPUT chain is updated and in fact the browser cannot access anything. So far, so good.

At 11:15, the messages log shows that cron executed the OFF.sh shell as the crontab entries for root commanded, but the iptables dump for the OUTPUT section is unchanged and there is no interruption in outbound access. Why would this not work from cron but work manually? BTW, it makes no difference if the command is run from a script or directly from the cron line after the time. It gets logged as if it is executing but does not affect iptables, but the exact same command cut-and-pasted as a command works as expected. What dumb thing am I overlooking? As a test, I had it ECHO to a file in my user account and it did create the files, so the root crontab file actually does something; it just doesn't affect iptables.
Thanks in advance

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Richard Creighton wrote:
> asus:~ # crontab -e -u root
> 15 11 * * * /root/OFF.sh
> 11 22 * * * /root/ON.sh
> :wq
>
> asus:~ # cat OFF.sh
> #!/bin/bash
> iptables -I OUTPUT -s 0/0 -p tcp --dport 80 -j DROP
>
> done manually
>
> asus:~ # ./OFF.sh
> asus:~ # iptables -L -n | less
> ...
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELAT
>
> done automatically by cron
>
> /var/log/messages
> asus:~ # tailf /var/log/messages
> Nov 28 11:10:16 asus crontab[27601]: (root) REPLACE (root)
> Nov 28 11:10:16 asus crontab[27601]: (root) END EDIT (root)
> Nov 28 11:11:01 asus /usr/sbin/cron[10805]: (root) RELOAD (tabs/root)
> Nov 28 11:15:01 asus /usr/sbin/cron[27624]: (root) CMD (/root/OFF.sh )
>
> asus:~ # iptables -L -n | less
> ...
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW,RELAT
>
> When I execute OFF.sh manually, IPTABLES turns off port 80 outbound as I desire to prevent outbound access on the browser. The listing verifies that the OUTPUT chain is updated and in fact the browser cannot access anything. So far, so good.
>
> At 11:15, the messages log shows that cron executed the OFF.sh shell as the crontab entries for root commanded, but the iptables dump for the OUTPUT section is unchanged and there is no interruption in outbound access. Why would this not work from cron but work manually? BTW, it makes no difference if the command is run from a script or directly from the cron line after the time. It gets logged as if it is executing but does not affect iptables, but the exact same command cut-and-pasted as a command works as expected. What dumb thing am I overlooking? As a test, I had it ECHO to a file in my user account and it did create the files, so the root crontab file actually does something; it just doesn't affect iptables.
Might iptables not be in the PATH for the cron job?

-Jeff

-- 
Jeff Mahoney
SUSE Labs
Jeff Mahoney wrote:
Richard Creighton wrote:
> > asus:~ # crontab -e -u root
> > 15 11 * * * /root/OFF.sh
> > 11 22 * * * /root/ON.sh
> > :wq
> >
> > asus:~ # cat OFF.sh
> > #!/bin/bash
> > iptables -I OUTPUT -s 0/0 -p tcp --dport 80 -j DROP
> >
> > done manually
> >
> > asus:~ # ./OFF.sh
> > asus:~ # iptables -L -n | less
> > ...
>
> Might iptables not be in the PATH for the cron job?
Also make sure the OFF.sh and ON.sh are executable: chmod +x

Ken
Ken Schneider wrote:
Jeff Mahoney wrote:
Richard Creighton wrote:
> > > asus:~ # crontab -e -u root
> > > 15 11 * * * /root/OFF.sh
> > > 11 22 * * * /root/ON.sh
> >
> > Might iptables not be in the PATH for the cron job?
>
> Also make sure the OFF.sh and ON.sh are executable: chmod +x
I've observed that, in some cases, things started by cron (or init) run without a UID set at all. I can't remember any examples of this, and I could be wrong, but I do remember that I've solved similar problems in the past by explicitly declaring a UID, as in:

15 11 * * * su root -c /root/OFF.sh

Or maybe within your script doing:

su root -c "iptables -I INPUT ..."

Just a thought, but that would be one reason why it might work under the shell, but not from cron...

Glen
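Putting Jeff's PATH diagnosis into practice: cron typically hands a job a minimal PATH such as /usr/bin:/bin, while iptables usually lives in /usr/sbin, so the job is logged as run but the command is never found. The hardened OFF.sh below is an added example, not the poster's script or anything from openSUSE; the helper names (path_has_dir, resolve_tool, block_rule_args, apply_block), the --apply switch and the idempotent check with iptables -C are my own assumptions.

```shell
#!/bin/bash
# Hardened OFF.sh (added example). cron hands jobs a minimal PATH, typically
# /usr/bin:/bin, so a bare "iptables" (normally /usr/sbin/iptables) is not
# found: cron logs "CMD (/root/OFF.sh)" yet the rule never lands. Setting
# PATH=/usr/sbin:/sbin:/usr/bin:/bin at the top of the crontab is the other fix.
# Return 0 if directory $2 is one of the entries of the colon-separated PATH $1.
path_has_dir() {
  case ":$1:" in
    *":$2:"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Print the absolute path of tool $1, searching the sbin directories that a
# cron PATH usually omits before the ordinary bin directories; fail if absent.
resolve_tool() {
  local name="$1" dir
  for dir in /usr/sbin /sbin /usr/bin /bin; do
    if [ -x "$dir/$name" ]; then
      printf '%s\n' "$dir/$name"
      return 0
    fi
  done
  return 1
}

# The rule from the thread's OFF.sh, as the argument list following -I/-C/-D.
block_rule_args() {
  printf '%s' "OUTPUT -s 0/0 -p tcp --dport 80 -j DROP"
}

# Insert the rule once, logging loudly to syslog instead of failing silently.
apply_block() {
  export PATH=/usr/sbin:/sbin:/usr/bin:/bin   # never trust the caller's PATH
  local ipt
  if ! ipt=$(resolve_tool iptables); then
    logger -t OFF.sh "iptables binary not found (PATH=$PATH)"
    return 1
  fi
  # -C tests for an existing rule so repeated cron runs do not stack duplicates.
  if ! "$ipt" -C $(block_rule_args) 2>/dev/null; then
    "$ipt" -I $(block_rule_args) || {
      logger -t OFF.sh "iptables -I failed with status $?"
      return 1
    }
  fi
}
# Only apply when explicitly asked (cron line: 15 11 * * * /root/OFF.sh --apply).
case "${1:-}" in --apply) apply_block ;; esac
```

The -C check requires iptables 1.4.11 or later; on older releases drop it and the script behaves like the original OFF.sh apart from the explicit PATH and logging.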
participants (4)
- Glen
- Jeff Mahoney
- Ken Schneider
- Richard Creighton