etc/sysconfig/iptables file explinations

Junior24 · 12-02-2004, 12:53 PM

Hi every one,
I am running a server with Redhat 8.0 on it
I want to setup iptables firewalls on it, using this config file.
But to do it, I would need some explination on some of the
main code line of the script below
Please any help would be appreciated.
PS- If you know a place(websyte) where I can have some explanations on the
codes lines, I would be glad too.

Junior

-----------------------------------------------------------------------------------
#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author: Joshua Jensen <joshua@redhat.com>
# -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/iptables

# Source 'em up
. /etc/init.d/functions

IPTABLES_CONFIG=/etc/sysconfig/iptables

if [ ! -x /sbin/iptables ]; then
exit 0
fi

KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`

if [ "$KERNELMAJ" -lt 2 ] ; then
exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
exit 0
fi

if /sbin/lsmod 2>/dev/null |grep -q ipchains ; then
# Don't do both
exit 0
fi

start() {
# don't do squat if we don't have the config file
if [ -f $IPTABLES_CONFIG ]; then
# If we don't clear these first, we might be adding to
# pre-existing rules.
action $"Flushing all current rules and user defined chains:" iptables -F
action $"Clearing all current rules and user defined chains:" iptables -X
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $chains; do iptables -t $i -F; done && \
success $"Flushing all current rules and user defined chains:" || \
failure $"Flushing all current rules and user defined chains:"
for i in $chains; do iptables -t $i -X; done && \
success $"Clearing all current rules and user defined chains:" || \
failure $"Clearing all current rules and user defined chains:"

for i in $chains; do iptables -t $i -Z; done

echo $"Applying iptables firewall rules: "
grep -v "^:space:*#" $IPTABLES_CONFIG | grep -v '^:space:*$' | /sbin/iptables-restore -c && \
success $"Applying iptables firewall rules" || \
failure $"Applying iptables firewall rules"
echo
touch /var/lock/subsys/iptables
fi
}

stop() {
chains=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $chains; do iptables -t $i -F; done && \
success $"Flushing all chains:" || \
failure $"Flushing all chains:"
for i in $chains; do iptables -t $i -X; done && \
success $"Removing user defined chains:" || \
failure $"Removing user defined chains:"
echo -n $"Resetting built-in chains to the default ACCEPT policy:"
iptables -P INPUT ACCEPT && \
iptables -P OUTPUT ACCEPT && \
iptables -P FORWARD ACCEPT && \
iptables -t nat -P PREROUTING ACCEPT && \
iptables -t nat -P POSTROUTING ACCEPT && \
iptables -t nat -P OUTPUT ACCEPT && \
iptables -t mangle -P PREROUTING ACCEPT && \
iptables -t mangle -P OUTPUT ACCEPT && \
success $"Resetting built-in chains to the default ACCEPT policy" || \
failure $"Resetting built-in chains to the default ACCEPT policy"
echo
rm -f /var/lock/subsys/iptables
}

case "$1" in
start)
start
;;

stop)
stop
;;

restart)
# "restart" is really just "start" as this isn't a daemon,
# and "start" clears any pre-defined rules anyway.
# This is really only here to make those who expect it happy
start
;;

condrestart)
[ -e /var/lock/subsys/iptables ] && start
;;

status)
echo $"Table: filter"
iptables --list
echo $"Table: nat"
iptables -t nat --list
echo $"Table: mangle"
iptables -t mangle --list
;;

panic)
echo -n $"Changing target policies to DROP: "
iptables -P INPUT DROP && \
iptables -P FORWARD DROP && \
iptables -P OUTPUT DROP && \
iptables -t nat -P PREROUTING DROP && \
iptables -t nat -P POSTROUTING DROP && \
iptables -t nat -P OUTPUT DROP && \
iptables -t mangle -P PREROUTING DROP && \
iptables -t mangle -P OUTPUT DROP && \
success $"Changing target policies to DROP" || \
failure $"Changing target policies to DROP"
echo
iptables -F INPUT && \
iptables -F FORWARD && \
iptables -F OUTPUT && \
iptables -t nat -F PREROUTING && \
iptables -t nat -F POSTROUTING && \
iptables -t nat -F OUTPUT && \
iptables -t mangle -F PREROUTING && \
iptables -t mangle -F OUTPUT && \
success $"Flushing all chains:" || \
failure $"Flushing all chains:"
iptables -X INPUT && \
iptables -X FORWARD && \
iptables -X OUTPUT && \
iptables -t nat -X PREROUTING && \
iptables -t nat -X POSTROUTING && \
iptables -t nat -X OUTPUT && \
iptables -t mangle -X PREROUTING && \
iptables -t mangle -X OUTPUT && \
success $"Removing user defined chains:" || \
failure $"Removing user defined chains:"
;;

save)
echo -n $"Saving current rules to $IPTABLES_CONFIG: "
touch $IPTABLES_CONFIG
chmod 600 $IPTABLES_CONFIG
/sbin/iptables-save -c > $IPTABLES_CONFIG 2>/dev/null && \
success $"Saving current rules to $IPTABLES_CONFIG" || \
failure $"Saving current rules to $IPTABLES_CONFIG"
echo
;;

*)
echo $"Usage: $0 {start|stop|restart|condrestart|status|panic|save}"
exit 1
esac

exit 0
------------------------------------------------------------------------------------

musicman_ace · 12-03-2004, 01:31 AM

It might help if we new what lines you wanted help understanding.

PS: if you are doing this to learn IPtables, generally you will learn more starting your own script and building it.

UltimaGuy · 12-03-2004, 05:06 AM

Better get a good GUI frontent like guarddog and install it...It'll help you configure every thing easily as learning iptables suddenly is very difficult.

Junior24 · 12-07-2004, 01:35 PM

Thank you guys for the suggestions

I appreciate that.
But I still have another problem concerning IPtables

.
I have installed iptable ver 1.2.11, I have downloaded it and compiled it,
but It gives me an error after checking the Dependencies.
I would like to know how to resolve that error so that I can have
IPtable running on my SuSE 9.0 server.
Please any suggestion would be very appreciated.

Answer,
Junior

INCOMPATIBILITIES ip6tables-standalone.c iptables-standalone.c
junior:/usr/src/iptables-1.2.11 # /bin/sh -c make
Making dependencies: please wait...
In file included from extensions/libipt_REJECT.c:12:
/usr/src/linux/include/linux/version.h:6:2: #error "The kernel sources in /usr/src/linux are not yet configured."
/usr/src/linux/include/linux/version.h:7:2: #error "Please run 'make cloneconfig && make dep' in /usr/src/linux/"
/usr/src/linux/include/linux/version.h:8:2: #error "to get a kernel that is configured like the running kernel."
/usr/src/linux/include/linux/version.h:9:2: #error "Alternatively, you can copy one of the config files"
/usr/src/linux/include/linux/version.h:10:2: #error "arch/$ARCH/defconfig.* to .config, and run"
/usr/src/linux/include/linux/version.h:11:2: #error "'make oldconfig && make dep' to configure the kernel"
/usr/src/linux/include/linux/version.h:12:2: #error "for that configuration."
Something wrong... deleting dependencies.
make: *** [linux/autoconf.h] Error 1
junior:/usr/src/iptables-1.2.11 # /bin/sh -c make install
Making dependencies: please wait...
In file included from extensions/libipt_REJECT.c:12:
/usr/src/linux/include/linux/version.h:6:2: #error "The kernel sources in /usr/src/linux are not yet configured."
/usr/src/linux/include/linux/version.h:7:2: #error "Please run 'make cloneconfig && make dep' in /usr/src/linux/"
/usr/src/linux/include/linux/version.h:8:2: #error "to get a kernel that is configured like the running kernel."
/usr/src/linux/include/linux/version.h:9:2: #error "Alternatively, you can copy one of the config files"
/usr/src/linux/include/linux/version.h:10:2: #error "arch/$ARCH/defconfig.* to .config, and run"
/usr/src/linux/include/linux/version.h:11:2: #error "'make oldconfig && make dep' to configure the kernel"
/usr/src/linux/include/linux/version.h:12:2: #error "for that configuration."
Something wrong... deleting dependencies.
make: *** [linux/autoconf.h] Error 1