Getting IPTables to survive a reboot
Posted by ltackmann on Fri 6 Oct 2006 at 10:10
Debian does not provide an initscript for iptables by default. That does not, however, mean firewall rules cannot survive a reboot.
The Debian way is actually logical and works very well. First create some iptables rules and list them:
iptables --list
If the listed rules satisfy your needs, save them somewhere. I use /etc/firewall.conf, but this location is not fixed:
iptables-save > /etc/firewall.conf
Then create a script so ifupdown loads these rules on boot:
echo "#!/bin/sh" > /etc/network/if-up.d/iptables
echo "iptables-restore < /etc/firewall.conf" >> /etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables
Now reboot your machine and pray - the rules should come up exactly like before (use "iptables --list" to verify this).
--
Dave
[ Parent | Reply to this comment ]
/etc/init.d/iptables clean, if it not only purged the rules but also set the default policy to ACCEPT, for example. Now I copy the /etc/init.d/iptables script into newly installed systems.
[ Parent | Reply to this comment ]
I.e.:
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables.conf
[ Parent | Reply to this comment ]
I think this is the preferred "debian way" to properly start your firewall.
[ Parent | Reply to this comment ]
But now I understand why I never found an iptables configuration file anywhere, and why webmin generated its own config files.
[ Parent | Reply to this comment ]
I think using an init script helps keep the interface to services standardized, which in general eases administration.
[ Parent | Reply to this comment ]
Lately, I have been doing some work using Voyage Linux, a Sarge derivative that runs from CF on single-board computers like the WRAP or net4801.
I have found that Shorewall is very heavy on these 266MHz machines so needs some tweaking to run effectively. The biggest change I have had to make is to turn off logging as that bogged things down considerably. When I was using logging I reduced the log rate to the examples shown in the default config file and that was OK.
[ Parent | Reply to this comment ]
I use fail2ban to protect port 22 for ssh. It feeds iptables with any brute-force-attacking IPs.
[ Parent | Reply to this comment ]
... for those of us who need a little help, I've found this site most helpful:
http://www.lowth.com/LinWiz/1.09/
I would suggest that you don't use the real ip address in the form, then change it once you have your output stored locally.
Also, you may want to still tweak a little. In any event, I found it a useful way to get started when I was new to iptables.
[ Parent | Reply to this comment ]
I had the same problem when, post-woody, /etc/init.d/iptables was 'lost', so I've created my own basic script, http://nowak.eu.org/blog/images/iptables, whose installation is very simple: chmod 755 /etc/init.d/iptables and update-rc.d iptables defaults.
It is not ideal but works (at least for me).
Bye,
Luke
[ Parent | Reply to this comment ]
# Q: You concocted this init.d setup, but you do not like it?
# A: I was pretty much hounded into providing it. I do not like it.
# Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
# scripts use /etc/ppp/ip-*.d/ script. Create your own custom
# init.d script -- no need to even name it iptables. Use ferm,
# ipmasq, ipmenu, guarddog, firestarter, or one of the many other
# firewall configuration tools available. Do not use the init.d
# script.
If only I could remember where it came from....
I must have learnt something; I used guarddog for desktop boxes that need a firewall. The rules are difficult to read, but the GUI was okay.
[ Parent | Reply to this comment ]
[ Parent | Reply to this comment ]
interfaces (even just a wireless plus ethernet, like most laptops). iptables-restore wipes out all existing rules before loading the new ones. So, if you have just one script, when the second interface is coming up, for a moment your other interface (the one that is already up) is left bare.
You can solve this by having separate scripts and rule files for each interface, or by being clever inside the script and only executing iptables-restore once. But then it also gets more complex, increasing the odds of a fatal mistake. That's why I feel that a single script running directly under rcS, pretty early in the sequence, is best. I guess Debian doesn't do that because they may need ports open to mount network filesystems like NFS; I hate NFS and never use it, so for me that is not a consideration.
[ Parent | Reply to this comment ]
Why? Because I know a better way to keep a firewall across a reboot.
# apt-get install rcconf
At this stage you have two options:
# cp /etc/firewall.conf /etc/init.d/firewall
or
# cd /etc/init.d/ && vi firewall
... create your iptables script ...
# chmod +x firewall
# update-rc.d firewall defaults 20    (optional: you can do this, but you can do the same using only rcconf)
or
# rcconf
When you run rcconf you see a list where you can select/deselect which scripts from /etc/init.d will be run when you reboot or turn on your computer/server.
If you want to change your firewall you only have to edit /etc/init.d/firewall.
[ Parent | Reply to this comment ]
- Make the saved file inaccessible to anyone but root.
- Add "-c" to iptables-save's and iptables-restore's command lines so you won't lose network statistics across reboots.
[ Parent | Reply to this comment ]
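The article's restore hook, the flush race described in the comment above about machines with several interfaces, and the permission and counter advice in the comment just above, combined into one hook. This is an added example, not the article's script or anything shipped by Debian; it assumes the rules were saved with iptables-save -c, that /run is emptied on every boot, and that the file is installed as a (hypothetical) /etc/network/if-pre-up.d/iptables hook rather than the article's if-up.d location.

```shell
#!/bin/sh
# Hypothetical /etc/network/if-pre-up.d/iptables (added example, not the
# article's script). Restores the saved ruleset once per boot, so that the
# second interface coming up does not flush the rules already protecting
# the first one, and refuses a rules file that other users could read or edit.

RULES=${RULES:-/etc/firewall.conf}      # written with: iptables-save -c > /etc/firewall.conf
STAMP=${STAMP:-/run/iptables.restored}  # marker; /run is assumed to be emptied on every boot
RESTORE=${RESTORE:-iptables-restore}    # command to run; overridable for testing

# Succeeds only if the rules file exists and its mode has no group or
# world bits at all (0600, 0400, ...); anyone who can write it owns the firewall.
rules_file_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        [0-7]00) return 0 ;;
        *) return 1 ;;
    esac
}

# Loads the rules (with their packet/byte counters, -c) unless the stamp
# says this boot already did it. Returns 0 when the firewall is in place.
restore_once() {
    if [ -e "$STAMP" ]; then
        return 0
    fi
    if ! rules_file_ok "$RULES"; then
        echo "iptables: refusing $RULES (missing, or accessible to others)" >&2
        return 1
    fi
    "$RESTORE" -c < "$RULES" || return 1
    : > "$STAMP"
}

# ifupdown exports IFACE to every hook; when sourced or run by hand without
# it, only the functions above are defined.
if [ -n "${IFACE:-}" ]; then
    restore_once
fi
```

After editing the rules file during a session, remove the stamp (or run iptables-restore by hand); the hook deliberately does not reload on later ifup calls.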
#apt-get install ipkungfu
[ Parent | Reply to this comment ]
http://wiki.debian.org/iptables
The shell script uses /etc/network/if-pre-up.d/iptables and #!/bin/bash instead of #!/bin/sh.
Still this is a great site :)
[ Parent | Reply to this comment ]