LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-30-2004, 05:30 PM   #1
tarballed
Member
 
Registered: Jun 2002
Distribution: RH, FC, FreeBSD,OpenBSD
Posts: 326

Rep: Reputation: 30
IPTables: config files, scripts, saving etc...confused


Back everyone, with, I'm hoping, a rather simple answer to my question.

Been wrapping my head around IPTables for 2 weeks now, and finally have been able to get a few rules the way I like.

However, I am confused on a few things. let me explain.

Currently working with Fedora Core 3.

Now, adding rules via the command line is simple enough. Saving the rules is just a matter of:

service iptables save

Which, saves the rules to a file: /etc/sysconfig/iptables

Now, where I am a bit lost is in the use of variables. For instance, I am going to be setting up a multi-homed firewall with iptables. It will use a DMZ and private LAN. With that, I need to somehow specify the interfaces and IP address for each one in my rules somehow. But I'm confused.

So how does one actually add variables to my rulesets? Can it be done via the command line? Can I edit /etc/init/iptables? Or maybe edit /etc/sysconfig/iptables?

I'm just confused on how to put in my variables for IPTables to use.
If it calls for scripting, boy, I need to break out the books. It's been awhile.

Hopefully, someone can clear this up for me.

I appreciate it.

Tarballed
 
Old 12-30-2004, 07:11 PM   #2
Butt-Ugly
Member
 
Registered: Nov 2004
Location: Brisbane, Australia
Distribution: Fedora Core 5
Posts: 89

Rep: Reputation: 15
Don't touch the "/etc/sysconfig/iptables" or "/etc/init.d/iptables" files unless you know what you're doing. You can create a simple script, then save the changes to the appropriate files.

The script can be placed anywhere on your system as a standard file, then do "chmod +x scriptname" to make it executable.
It can be executed by "./scriptname" or "/directory/names/scriptname". You can't simply type "scriptname" if you're in the same directory.

The variables are used inside the script where you would want to use a certain value more than once, so if you used "eth0" a few times your script might look like:
Code:
# EXAMPLE ONLY

INT_DEV=eth0
iptables -A INPUT -i $INT_DEV -j LOG
iptables -A INPUT -i $INT_DEV -j ACCEPT
This just saves you having to type "eth0" in all of your commands. It doesn't matter which way you do it, however using variables and assigning values allows the script to be adjusted easily if you make any changes to your networking configuration.

Remember, basic shell scripting is just adding a bunch of commands into a file that you can simply type at the command prompt one after the other, it just automates it.

Miles
 
Old 12-30-2004, 07:12 PM   #3
amfoster
Member
 
Registered: Aug 2004
Distribution: debian, SuSE
Posts: 365

Rep: Reputation: 34
I do all firewall rules from a script.
Then make sure the script executes at boot up time.

first rule is iptables -F
then I can create any variable I want in that script

example:

iface=eth0
xpbox=192.168.0.1

iptables -A INPUT -i $iface -s $xpbox -p tcp -j ACCEPT

Ok, stupid as a first rule, but it is there as an example.
 
Old 12-30-2004, 07:32 PM   #4
tarballed
Member
 
Registered: Jun 2002
Distribution: RH, FC, FreeBSD,OpenBSD
Posts: 326

Original Poster
Rep: Reputation: 30
Got it.

Not only do I need to put in my iptables rules, but I cannot leave out the modules to be loaded as well.
Once the script is executed, should work then.

Thanks guys.
 
Old 12-30-2004, 07:41 PM   #5
Butt-Ugly
Member
 
Registered: Nov 2004
Location: Brisbane, Australia
Distribution: Fedora Core 5
Posts: 89

Rep: Reputation: 15
If you create your firewall script, then execute it, then save it; the module loading does not get saved in "/etc/sysconfig/iptables".

If you plan on using initscripts to handle your iptables (perfectly ok), then you should manually add the modules you need to "/etc/sysconfig/iptables-config".

Miles.
 