Getting IPTables to survive a reboot

Posted by ltackmann on Fri 6 Oct 2006 at 10:10

Debian does not ship an init script for iptables by default. That does not mean your firewall rules cannot survive a reboot.

The Debian way is in fact logical and works well. First create your iptables rules and list them:

iptables --list

If the listed rules satisfy your needs, save them to a file. I use /etc/firewall.conf, but the location is not fixed. The dump spells out your whole policy, so keep it readable by root only:

iptables-save > /etc/firewall.conf

Then create an ifupdown hook so the rules are restored whenever an interface is brought up, which includes boot. Note the single quotes: in an interactive bash, "!/" inside double quotes triggers history expansion and the first echo fails with "event not found":

echo '#!/bin/sh' > /etc/network/if-up.d/iptables
echo 'iptables-restore < /etc/firewall.conf' >> /etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables

if-up.d hooks run after the interface is already configured, so there is a short window with no rules; placing the same script in /etc/network/if-pre-up.d/ instead closes it.

Now reboot your machine; the rules should come up exactly as before (verify with "iptables --list").

Posted by Anonymous (81.74.xx.xx) on Fri 6 Oct 2006 at 10:39
On woody /etc/init.d/iptables was present; on sarge they removed it (it's written in README.Debian). Why? It's very useful!

Posted by dreynolds (84.92.xx.xx) on Fri 6 Oct 2006 at 11:13
iptables-save and iptables-load could be your friend here...

--
Dave


Posted by peej (59.178.xx.xx) on Fri 6 Oct 2006 at 11:34
I haven't got my sarge system here, but I guess it's probably a bit of tidying up so that you could put it under /etc/network/if-up.d/ (that's what I have on my u**u machine).


Posted by Anonymous (62.209.xx.xx) on Fri 6 Oct 2006 at 11:45
I definitely loved the /etc/init.d/iptables init script. If you issued
/etc/init.d/iptables clean it not only purged the rules but also set the default policy to ACCEPT, for example. Now I copy the /etc/init.d/iptables script onto newly installed systems.

Posted by tuxy (70.105.xx.xx) on Fri 6 Oct 2006 at 13:12
A third option is to use /etc/network/interfaces, e.g.:
iface eth0 inet dhcp
        pre-up iptables-restore < /etc/iptables.conf


Posted by Kellen (84.217.xx.xx) on Fri 6 Oct 2006 at 14:18
Third option is to use /etc/network/interfaces...
I think this is the preferred "debian way" to properly start your firewall.


Posted by Anonymous (12.14.xx.xx) on Fri 6 Oct 2006 at 17:14
Surprising; I'd have thought that putting a file with those contents into /etc/network/if-pre-up.d/ would be preferred, so that the iptables package could do it independently of any mucking around in /etc/network/interfaces.

Posted by mvanbaak (80.126.xx.xx) on Fri 6 Oct 2006 at 17:58
If you load your rules in if-pre-up.d, make sure you don't use hostnames and such in them, because it will take ages to complete and probably mess up.
What I do is load a block-all script in if-pre-up.d that does allow DHCP, and load my actual ruleset in if-up.d.
That way my firewall is totally locked down until the correct interfaces and IPs are connected.
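The article's save/restore procedure combined with the two-stage loading described in the comment above (lock-down first, full ruleset once the interface has an address), as an added example. This is not code from the post or from any commenter. /etc/firewall.conf comes from the article; the lock-down file /etc/firewall.bootstrap, the stamp file /var/run/firewall.loaded (assumed to be emptied at boot), the hook name firewall and the function names are assumptions of this example. check_rules refuses dumps that name hosts in -s/-d, since iptables-restore would have to resolve them while the network is still down.

```shell
#!/bin/sh
# Added example: checked two-stage firewall loading for Debian ifupdown.
#   if-pre-up.d : load a small lock-down ruleset before an interface is up
#   if-up.d     : load the full saved ruleset once the interface is addressed
# Paths below are assumptions (only /etc/firewall.conf comes from the article)
# and are parameters so the functions can be exercised without root.
RULES=${RULES:-/etc/firewall.conf}                 # full iptables-save dump
BOOTSTRAP=${BOOTSTRAP:-/etc/firewall.bootstrap}    # stage-1 lock-down dump
STAMP=${STAMP:-/var/run/firewall.loaded}           # assumed cleared at boot

# Save the live ruleset (with counters) readable by root only: the dump
# spells out the whole policy, including any whitelisted addresses.
save_rules() {                  # save_rules <file>
    ( umask 077 && iptables-save -c > "$1.tmp" ) && mv "$1.tmp" "$1"
}

# Stage-1 ruleset: loopback, DHCP client traffic and replies to our own
# connections; everything else is dropped. No interface has an address yet,
# so nothing in here may depend on an IP or a hostname.
bootstrap_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
COMMIT
EOF
}

# Sanity-check a dump before trusting it at boot. Returns 0 if it looks
# loadable, 1 (with a reason on stdout) otherwise:
#  - it must be a complete iptables-save file (a *table header and COMMIT)
#  - -s/-d must be addresses or CIDRs, not hostnames: iptables-restore would
#    resolve them with DNS, which in a pre-up hook has no network and hangs.
check_rules() {                 # check_rules <file>
    f=$1
    [ -r "$f" ] || { echo "$f: not readable"; return 1; }
    grep -q '^\*[a-z]*$' "$f" || { echo "$f: no table header"; return 1; }
    grep -q '^COMMIT$' "$f" || { echo "$f: missing COMMIT"; return 1; }
    # handle both "-s host" and the negated forms "! -s host" / "-s ! host"
    bad=$(awk '{ for (i = 1; i < NF; i++)
                   if ($i == "-s" || $i == "-d") {
                       t = $(i + 1); if (t == "!") t = $(i + 2)
                       if (t !~ /^[0-9.\/]+$/) print t
                   } }' "$f")
    [ -z "$bad" ] || { echo "$f: hostnames in -s/-d: $bad"; return 1; }
    return 0
}

# Install both hooks. ifupdown runs each once per interface with IFACE set
# (see interfaces(5)); the stamp makes stage 1 run only once per boot, so a
# second interface coming up does not replace the full ruleset with the
# lock-down one. ifup aborts an interface whose pre-up hook fails, so a
# missing bootstrap file fails closed.
write_hooks() {                 # write_hooks <pre_up_hook> <up_hook>
    cat > "$1" <<EOF
#!/bin/sh
# Stage 1: lock down before the first real interface is configured.
[ "\$IFACE" = lo ] && exit 0
[ -e "$STAMP" ] && exit 0
exec /sbin/iptables-restore < "$BOOTSTRAP"
EOF
    cat > "$2" <<EOF
#!/bin/sh
# Stage 2: the interface has an address; load the full policy. On error the
# stage-1 lock-down stays in place and no stamp is written (fail closed).
[ "\$IFACE" = lo ] && exit 0
/sbin/iptables-restore -c < "$RULES" && : > "$STAMP"
EOF
    chmod 0755 "$1" "$2"
}

# Usage, as root, once the live rules look right (iptables -L -n -v):
#   save_rules "$RULES" && check_rules "$RULES" \
#     && ( umask 077 && bootstrap_rules > "$BOOTSTRAP" ) \
#     && write_hooks /etc/network/if-pre-up.d/firewall /etc/network/if-up.d/firewall
```

Because every path is a variable, the same functions can be pointed at a scratch directory to inspect what the generated hooks will contain before they are installed under /etc/network.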

Posted by Anonymous (62.165.xx.xx) on Wed 26 Nov 2008 at 09:38
They have removed it because of serious vulnerabilities incompatible with real protection.


Posted by lykwydchykyn (66.236.xx.xx) on Fri 6 Oct 2006 at 17:55
I have to confess... I just install webmin and use its iptables interface.

But now I understand why I never found an iptables configuration file anywhere, and why webmin generated its own config files.


Posted by drew (171.65.xx.xx) on Fri 6 Oct 2006 at 18:39
I'm a fan of creating a /etc/init.d/iptables script. Then I can easily open and close the firewall while I'm testing other services, and even put different levels of protection into it if necessary.

I think using an init script helps keep the interface to services standardized, which in general eases administration.


Posted by sonic2000gr (87.203.xx.xx) on Fri 6 Oct 2006 at 19:58
iptables-restore and iptables-save are indeed valuable. I have a small firewall tutorial, complete with a firewall start/stop script, at my Debian wiki site at http://debian12.dyndns.org. You may wish to have a look (please note this is on my home server and is bound to be slow at times).


Posted by paulgear (203.206.xx.xx) on Sat 7 Oct 2006 at 01:17
I use shorewall. I find its concepts of dividing hosts into zones and then writing rules and policies to affect the flows between the two zones very intuitive, and it manages the iptables startup on all my firewalls. I even use an external script I wrote (shoregen) to push the same set of rules and policies to different firewalls.


Posted by sjpwong (59.167.xx.xx) on Mon 9 Oct 2006 at 02:14
I find shorewall great too, especially because it is fully supported on Ubuntu (can I mention that here?!).

Lately, I have been doing some work using Voyage Linux, a Sarge derivative that runs from CF on single-board computers like the WRAP or net4801.

I have found that Shorewall is very heavy on these 266MHz machines so needs some tweaking to run effectively. The biggest change I have had to make is to turn off logging as that bogged things down considerably. When I was using logging I reduced the log rate to the examples shown in the default config file and that was OK.


Posted by mar (217.11.xx.xx) on Mon 9 Oct 2006 at 09:10
Me too. Shorewall is very intuitive to configure. Probably a known tip, but never mind: I use a simple script to reset my firewall periodically from crontab when mangling the rules on a remote host, until I'm done.

Posted by paulgear (203.206.xx.xx) on Mon 9 Oct 2006 at 09:26
Another alternative is to use the ADMINISABSENTMINDED=Yes option in shorewall.conf. This will cause RELATED and ESTABLISHED packets to be accepted, even if Shorewall is stopped.


Posted by reluctant (65.78.xx.xx) on Sat 7 Oct 2006 at 02:02
I use firestarter. For the small network, probably unnecessary with a router/firewall, but I installed it before I got the router and just kept it.

I use fail2ban to protect port 22 for ssh. It feeds iptables with any brute-force-attacking IPs.


Posted by timur (80.240.xx.xx) on Sat 7 Oct 2006 at 02:51
Please check the ipmasq package


Posted by Anonymous (81.168.xx.xx) on Sat 7 Oct 2006 at 11:20
I'm sure many of you are only happy if you've personally hand crafted your iptables rules ...

... for those of us who need a little help, I've found this site most helpful:

http://www.lowth.com/LinWiz/1.09/

I would suggest that you don't use the real IP address in the form, then change it once you have your output stored locally.

Also, you may want to still tweak a little. In any event, I found it a useful way to get started when I was new to iptables.


Posted by shufla (83.16.xx.xx) on Sat 7 Oct 2006 at 16:26
Hello,

I had the same problem when, post-woody, /etc/init.d/iptables was 'lost', so I created my own basic script http://nowak.eu.org/blog/images/iptables, whose installation is very simple: chmod 755 /etc/init.d/iptables and update-rc.d iptables defaults.

It is not ideal but works (at least for me).

Bye,
Luke


Posted by simonw (84.45.xx.xx) on Sat 7 Oct 2006 at 17:28
My /etc/default/iptables script has this in the comments:

# Q: You concocted this init.d setup, but you do not like it?
# A: I was pretty much hounded into providing it. I do not like it.
# Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
# scripts use /etc/ppp/ip-*.d/ script. Create your own custom
# init.d script -- no need to even name it iptables. Use ferm,
# ipmasq, ipmenu, guarddog, firestarter, or one of the many other
# firewall configuration tools available. Do not use the init.d
# script.

If only I could remember where it came from....

I must have learnt something; I used guarddog for desktop boxes that need a firewall. The rules are difficult to read, but the GUI was okay.

Posted by Kellen (84.217.xx.xx) on Sun 8 Oct 2006 at 09:45
If you (or somebody else) reads Japanese, maybe this page provides some info.


Posted by nobrowser (75.30.xx.xx) on Fri 18 Mar 2011 at 17:49
The problem with all these alternative hooks is when you have multiple interfaces (even just wireless plus ethernet, like most laptops). iptables-restore wipes out all existing rules before loading the new ones. So, if you have just one script, when the second interface is coming up, for a moment your other interface (the one that is already up) is left bare.

You can solve this by having separate scripts and rule files for each interface, or by being clever inside the script and only executing iptables-restore once. But then it also gets more complex, increasing the odds of a fatal mistake. That's why I feel that a single script running directly under rcS, pretty early in the sequence, is best. I guess Debian doesn't do that because they may need ports open to mount network filesystems like NFS; I hate NFS and never use it, so for me that is not a consideration.

Posted by _bolek_ (80.55.xx.xx) on Tue 10 Oct 2006 at 17:06
Hmm, I think that way is very difficult :P
Why? Because I know a better way to keep a firewall over a reboot.

#apt-get install rcconf
At this stage you have two options:
#cp /etc/firewall.conf /etc/init.d/firewall
or
#cd /etc/init.d/ && vi firewall
... create your iptables script ...
#chmod +x firewall
#update-rc.d firewall defaults 20
(if you want; you can do the same using only rcconf)
or
#rcconf
When you run rcconf you see a list where you can select/deselect which scripts from /etc/init.d will be run when you reboot or turn on your computer/server.

If you want to change your firewall you only have to edit /etc/init.d/firewall.
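The init.d variant that several comments above ask for (open and close the firewall while testing, install with update-rc.d, the old script's "clean" behaviour of flushing and setting ACCEPT policies), as an added example; it is not the script any commenter links to. It assumes the dump is /etc/firewall.conf as in the article; the script name firewall, the fw_* functions and the overridable IPTABLES, IPTABLES_RESTORE and TABLES variables are this example's own, added so the script can be exercised against stub binaries.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# X-Start-Before:    networking
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: Restore (start) or open (stop) the saved iptables rules
### END INIT INFO
#
# Added example of the init.d approach; not any of the scripts linked above.
# "start" restores the saved dump, "stop" flushes everything and opens the
# filter policies (what the old woody script's "clean" did), "status" lists
# the live rules. Paths are assumptions and can be overridden from the
# environment so the script can be exercised against stub binaries.
RULES=${RULES:-/etc/firewall.conf}
IPTABLES=${IPTABLES:-/sbin/iptables}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-/sbin/iptables-restore}
TABLES=${TABLES:-"filter nat mangle"}   # tables to flush on stop

fw_start() {
    # Fail loudly rather than start with no rules: a missing dump must not
    # be mistaken for a loaded firewall. iptables-restore replaces each
    # table in the dump in one step, so there is no open window on (re)start.
    if [ ! -r "$RULES" ]; then
        echo "firewall: $RULES is missing or unreadable; nothing loaded" >&2
        return 1
    fi
    "$IPTABLES_RESTORE" -c < "$RULES"
}

fw_stop() {
    # Flush every chain in each table, delete user-defined chains, zero the
    # counters, then set the filter policies to ACCEPT. The host is wide
    # open afterwards, which is the point when debugging another service.
    for t in $TABLES; do
        "$IPTABLES" -t "$t" -F &&
        "$IPTABLES" -t "$t" -X &&
        "$IPTABLES" -t "$t" -Z || return 1
    done
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$chain" ACCEPT || return 1
    done
}

fw_status() {
    "$IPTABLES" -L -n -v
}

case "${1:-}" in
    start)                fw_start ;;
    stop)                 fw_stop ;;
    restart|force-reload) fw_start ;;   # restore replaces the tables; no need to open first
    status)               fw_status ;;
    "")                   : ;;          # no action: file sourced for its functions
    *) echo "Usage: $0 {start|stop|restart|force-reload|status}" >&2; exit 2 ;;
esac

# Install: cp firewall /etc/init.d/firewall; chmod 755 /etc/init.d/firewall;
#          update-rc.d firewall defaults
```

stop leaves the host wide open, so use it only while debugging; restart deliberately does not go through stop. The X-Start-Before line is an insserv header that orders the script ahead of networking on dependency-based boots.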

Posted by amosshapira (203.10.xx.xx) on Wed 18 Oct 2006 at 01:39
I'd add the following:

  1. Make the saved file inaccessible to anyone but root.
  2. Add "-c" to iptables-save's and iptables-restore's command lines so you won't lose network statistics across reboots.


Posted by acme (201.236.xx.xx) on Sat 28 Oct 2006 at 00:01
Or you can use (and improve) ipkungfu

#apt-get install ipkungfu


Posted by Anonymous (194.106.xx.xx) on Sat 28 Oct 2006 at 13:59
Works all right with Debian 3.1.

Posted by Anonymous (81.18.xx.xx) on Mon 26 Feb 2007 at 11:05
Or you can just add the entire iptables code at the bottom of the /etc/init.d/rcS file. It works under any circumstances ;)

Posted by Anonymous (193.178.xx.xx) on Tue 29 Jun 2010 at 13:12
Small comment: it's very hard to see the space in "#!/bin/sh".

Posted by nic (96.32.xx.xx) on Fri 8 Jul 2011 at 18:37
I found this site more up to date with newer versions of Debian:
http://wiki.debian.org/iptables

The shell script uses /etc/network/if-pre-up.d/iptables
and #!/bin/bash instead of #!/bin/sh

Still this is a great site :)


Posted by Anonymous (91.187.xx.xx) on Fri 9 Sep 2011 at 21:39
I think in Ubuntu 11.04 you can't use #!/bin/sh; it is my opinion that you MUST include the space as follows: "#! /bin/sh".
