LinuxQuestions.org - Linux - Security

iptables on Debian (https://www.linuxquestions.org/questions/linux-security-4/iptables-on-debian-362086/)

ujotne 09-10-2005 11:40 AM

iptables on Debian
 
1) How does one manually start/stop iptables on Debian 3.1 sarge?
What I am after is something like "/service iptables start" on Mandrake.

2) Which TCP port do I need to open to allow APT to fetch packages via ftp?

HappyTux 09-10-2005 12:00 PM

Re: iptables on Debian
 
Quote:

Originally posted by ujotne
1) How does one manually start/stop iptables on Debian 3.1 sarge?
What I am after is something like "/service iptables start" on Mandrake.

2) Which TCP port do I need to open to allow APT to fetch packages via ftp?

1) The general idea in Debian is that you either write your own script that uses iptables or install one of the packages that do it for you, like Guarddog, Bastille or Firestarter, among others.

2) None, you should be able to access an ftp site without opening any ports. Are you behind some kind of proxy server?

ujotne 09-10-2005 12:42 PM

Re: Re: iptables on Debian
 
Quote:

Originally posted by HappyTux
1) The general idea in Debian is that you either write your own script that uses iptables or install one of the packages that do it for you, like Guarddog, Bastille or Firestarter, among others.

I have written my own script and it is very useful to be able to manually start and stop iptables for debugging purposes.

Quote:

Originally posted by HappyTux
2) None, you should be able to access an ftp site without opening any ports. Are you behind some kind of proxy server?

Obviously I have to open either port 20 or 21 to allow ftp traffic. What I am not sure about is whether apt uses active or passive ftp.

HappyTux 09-10-2005 01:03 PM

Re: Re: Re: iptables on Debian
 
Quote:

Originally posted by ujotne
I have written my own script and it is very useful to be able to manually start and stop iptables for debugging purposes.


Well, do you have start, stop and restart sections in your script that actually do the proper things when shutting down/starting/restarting iptables, to make sure everything gets reset correctly? If so, then you should be able to put the script in the /etc/init.d/ directory, then use update-rc.d name_of_script defaults and it will create links for the script to be started and stopped in the proper directories. Then to start you would run /etc/init.d/name_of_script start; to stop, of course, you would put that on the end of the command instead.

Quote:

Obviously I have to open either port 20 or 21 to allow ftp trafic. What I am not sure about is whether apt uses active or passive ftp.
No, you do not; that is only if you want to allow ftp traffic into your server. What you would be looking for, if I recall correctly, is loading the ip_conntrack_ftp module of iptables to allow for connection tracking when going through the firewall, of course making sure that you have enabled NAT and ip forwarding if needed as well.

/bin/bash 09-16-2005 07:36 PM

There is a script /etc/init.d/skeleton which you can use as a template to make SysV init scripts. I use this one to run my firewall script. Put the firewall script in /etc/rc.firewall. You may need to edit some paths to fit your system.

Code:

#! /bin/sh
#
#    This file should be placed in /etc/init.d.
#    It wraps /etc/rc.firewall (the script that loads the actual rules)
#    so the firewall can be started, stopped and reset like any other
#    SysV service: /etc/init.d/name_of_script {start|stop|restart|reload|panic}
#

set -e

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="Use this script to start /etc/rc.firewall script"

if [ ! -f /etc/rc.firewall ]; then
  echo "Unable to start iptables firewall - /etc/rc.firewall does not exist"
  exit 1
fi
if [ ! -f /sbin/iptables ]; then
  echo "Cannot find /sbin/iptables"
  exit 1
fi

# Reset every table, not only the default "filter" table: -F/-X without
# -t leave nat and mangle rules in place, so a "stopped" firewall would
# still be rewriting or redirecting traffic.
flush_all() {
        for table in filter nat mangle; do
                iptables -t "$table" -F
                iptables -t "$table" -X
        done
}

case "$1" in
  restart|reload)
        echo "Restarting iptables firewall..."
        $0 stop
        /bin/bash /etc/rc.firewall
        ;;
  start)
        echo "Setting up iptables firewall..."
        /bin/bash /etc/rc.firewall
        ;;
  stop)
        # "stop" means "no firewall": open policies first, then drop all rules.
        echo -n "Stopping iptables firewall..."
        iptables -P OUTPUT ACCEPT
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        flush_all
        echo "done."
        ;;
  panic)
        # Emergency lock-down: default DROP everywhere, then remove all
        # rules so nothing (established sessions included) gets through.
        echo -n "Closing all ports..."
        iptables -P OUTPUT DROP
        iptables -P INPUT DROP
        iptables -P FORWARD DROP
        flush_all
        echo "done."
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|reload|panic}" >&2
        exit 1
        ;;
esac

exit 0

Once you put the script in /etc/init.d, you can use the SysV-Init Editor to make it run in the desired run levels.
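
What HappyTux's connection-tracking answer looks like as a real rule set, and at the same time a body that the init script above could run as /etc/rc.firewall: this is an added example, not code from either poster. It assumes a Debian sarge era 2.6 kernel where the FTP helper module is called ip_conntrack_ftp (on current kernels it is nf_conntrack_ftp, and `-m conntrack --ctstate` replaces `-m state`), a host that only needs to fetch packages itself (no forwarding, so no NAT), and the names DRYRUN, run, ftp_client_rules and the `apply` argument are this example's own conventions.

```shell
#!/bin/sh
# Added example, not from the thread: a stateful client-side rule set that
# lets apt fetch over FTP with nothing opened but the control channel.
# Assumes a Debian sarge / 2.6 kernel with the ip_conntrack_ftp helper
# (named nf_conntrack_ftp on current kernels).  DRYRUN, run() and
# ftp_client_rules() are this example's own names.
#
# Usage:  sh rc.firewall            # print the rules that would be applied
#         sh rc.firewall apply      # load them (run as root)

# Print instead of executing when DRYRUN=1, so the rule set can be
# reviewed (or tested) on a machine where we are not root.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

ftp_client_rules() {
    # The helper follows the port 21 control channel, parses the PORT/PASV
    # exchange and registers the data connection it announces as an
    # "expectation".  When that connection shows up, conntrack marks it
    # RELATED, whether the server opened it (active mode: from port 20 to
    # a client port) or we opened it (passive mode: to a random server port).
    run modprobe ip_conntrack_ftp

    # Default deny for the host's own traffic in both directions.
    run iptables -P INPUT DROP
    run iptables -P OUTPUT DROP
    run iptables -P FORWARD DROP
    run iptables -F
    run iptables -X

    # Loopback is always fine.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT

    # Replies to connections we already have, plus anything the FTP helper
    # has registered as RELATED.  This one pair of rules is what admits both
    # active and passive data channels; no port 20 and no high-port range is
    # opened explicitly.
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The one explicit hole: NEW control connections out to port 21.
    run iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # apt also has to resolve the mirror's name.
    run iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

    # Log what the policy drops, so a blocked fetch shows up in syslog
    # instead of just hanging.
    run iptables -A INPUT -j LOG --log-prefix "fw-in-drop: "
    run iptables -A OUTPUT -j LOG --log-prefix "fw-out-drop: "
}

if [ "${1:-}" = apply ]; then
    ftp_client_rules
else
    DRYRUN=1
    ftp_client_rules
fi
```

To use it with the init script above, save it as /etc/rc.firewall and have the start branch call it with `apply` (or drop the argument guard). Run it without arguments first to read the rules it would load; while a fetch is running, /proc/net/ip_conntrack shows the data connection being tracked alongside the port 21 session. apt's ftp method uses passive mode by default (Acquire::ftp::Passive in apt.conf(5)), but with the helper loaded either mode works. Two caveats for anyone reusing this on a newer system: the module and match names differ as noted in the lead-in, and from kernel 4.7 on conntrack no longer attaches helpers automatically (nf_conntrack_helper defaults to 0), so the helper has to be pinned with a raw-table rule such as `iptables -t raw -A OUTPUT -p tcp --dport 21 -j CT --helper ftp` before the ESTABLISHED,RELATED rule will see the data channel.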

