LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Debian
User Name
Password
Debian This forum is for the discussion of Debian Linux.

Notices

Reply
 
LinkBack Search this Thread
Old 07-15-2005, 09:58 AM   #1
synaptical
Senior Member
 
Registered: Jun 2003
Distribution: Mint 13/15, CentOS 6.4
Posts: 2,020

Rep: Reputation: 46
Question how can i load iptables rules at startup


i output the iptables rules i make manually to /etc/iptables.conf with iptables-save. how can i load those automatically at each boot? debian didn't seem to come with any startup scripts, so i had to modify one from a generic script i found on the net, which doesn't have any pointers in it to other files. thanks.
 
Old 07-15-2005, 10:12 AM   #2
harken
Member
 
Registered: Jan 2005
Location: Between the chair and the desk
Distribution: Debian Sarge, kernel 2.6.13
Posts: 666

Rep: Reputation: 30
Write a script which contains a line like
Code:
iptables-restore < previously_saved_file_name
, save it under whatever name you want (let's say iptables_loader.sh), copy it to /etc/init.d, then su and run
Quote:
update-rc.d iptables_loader.sh defaults
to generate the symlinks in rc*.d.
Then reboot and check if it works. Note that the script should contain the full path to the saved firewall rules file. Once you get the idea you may expand the script with functions for (re)starting/stopping the firewall (you even have a skeleton in /etc/init.d).

Last edited by harken; 07-15-2005 at 10:13 AM.
 
Old 07-15-2005, 10:29 AM   #3
synaptical
Senior Member
 
Registered: Jun 2003
Distribution: Mint 13/15, CentOS 6.4
Posts: 2,020

Original Poster
Rep: Reputation: 46
it's not working. i just noticed there's a lot of non-executable stuff in the file iptables-save writes. so i removed all that and just put plain iptables rules in there, which didn't work, either. there must be some other more standard way of doing it, right?


>>p.s. by skeleton you mean a stripped down generic file? no, i didn't have anything like that in init.d, unless it's called something totally unrelated to iptables. ? maybe someone could post one? tx.

Last edited by synaptical; 07-15-2005 at 10:30 AM.
 
Old 07-15-2005, 10:47 AM   #4
harken
Member
 
Registered: Jan 2005
Location: Between the chair and the desk
Distribution: Debian Sarge, kernel 2.6.13
Posts: 666

Rep: Reputation: 30
You should not edit the file outputted by iptables-save. iptables-restore will parse the file automatically. At most, if you wish to zero that numbers at the beginning of the file, call 'iptables -F' before iptables-save.
If you want to use directly the rules, you must write a script which calls iptables for each rule (so something like 'iptables -A INPUT -p tcp --dport XX -j LOG' will represent a line in your script). See a tutorial (one of many) at http://iptables-tutorial.frozentux.n...-tutorial.html
Also, don't forget to enable execution rights (chmod +x) for the script once you copied it into /etc/init.d.
Regarding that skeleton file, I don't have the Linux box near me right now, but see 'man update-rc.d', I think it's written there.

Last edited by harken; 07-15-2005 at 10:50 AM.
 
Old 07-15-2005, 11:05 AM   #5
synaptical
Senior Member
 
Registered: Jun 2003
Distribution: Mint 13/15, CentOS 6.4
Posts: 2,020

Original Poster
Rep: Reputation: 46
got it, thanks! the problem was there is no < in the restore command. i just put iptables-restore /etc/file in the script and it worked.

the symlinks concept to rc.d i don't understand -- is that strictly speaking necessary, or would it have worked with just the restore script? not a big deal, just curious. thanks for the help.

Last edited by synaptical; 07-15-2005 at 11:06 AM.
 
Old 07-15-2005, 11:24 AM   #6
harken
Member
 
Registered: Jan 2005
Location: Between the chair and the desk
Distribution: Debian Sarge, kernel 2.6.13
Posts: 666

Rep: Reputation: 30
Glad to hear it worked. If you want to make sure the rules are loaded, run a 'iptables -L' in a shell and it should output the ruleset. Funny though, mine works with a '<'. Actually, this is how it looks like:
Code:
/sbin/iptables-restore < /home/harken/iptables1
.
However, the idea of the symlinks is that they each correspond to a certain runlevel. So, when the kernel switches the current runlevel (like 3-multi-user console mode, 1-single user, 5-multiuser/graphical, 6-shutdown/reboot, etc.), it will execute only the scripts found in that rcX.d directory so things don't get messed up. And that's why I told you in my first reply that you can expand your script with some functions so that when the computer changes runlevel you can start/stop your firewall (if needed). For this, once you complete the script, you run update-rc.d with some extra parameters like
Code:
update-rc.d [-n] name start|stop NN runlevel runlevel ... start|stop NN runlevel runlevel
.

Last edited by harken; 07-15-2005 at 11:31 AM.
 
Old 07-15-2005, 11:28 AM   #7
demian
Member
 
Registered: Apr 2001
Location: Bremen, Germany
Distribution: Debian
Posts: 303

Rep: Reputation: 30
Up until a few months ago there was an init script distributed with the debian packaged iptables. Then they got rid of that script because the consensus was that iptables is more appropriately started when the network interfaces are brought up (I agree). The main arguments against having an init script for iptables is that you will have a problem when starting iptables before networking (for example when you use fqdn in your rules) and much worse when you start iptables after the network interfaces are up there will be a short time when you're running without a firewall.

So now the debian way is to call the iptables script from /etc/network/interfaces using pre-up, post-up, pre-down and post-down options to the interface.

Last edited by demian; 07-15-2005 at 05:59 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
IPTABLES - rules in /etc/sysconfig/iptables The_JinJ Linux - Newbie 6 11-20-2004 01:40 AM
iptables rules Fatz Linux - Security 1 08-05-2004 06:04 AM
startup script to set up iptables rules doesn't run alexfittyfives Debian 2 06-01-2004 07:21 PM
how to get iptables to load rules on startup ? qwijibow Linux - Security 5 09-02-2003 09:48 AM
I can't load iptables rules Kinstonian Linux - General 15 04-13-2003 07:55 PM


All times are GMT -5. The time now is 01:52 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration