LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
Old 10-31-2006, 04:41 PM   #1
Suhy
LQ Newbie
 
Registered: Aug 2005
Distribution: CentOS, Fedora
Posts: 25

Rep: Reputation: 15
Shorewall and iptables service


When I install Shorewall, do I still have to run the iptables service, or do I have to disable it from starting on boot?

And if I must disable it, can I delete the iptables config file?
 
Old 10-31-2006, 04:51 PM   #2
dcdbutler
Member
 
Registered: Jan 2005
Location: Boston
Distribution: slackware
Posts: 502

Rep: Reputation: 30
Shorewall uses iptables/netfilter. Don't delete anything if you want your firewall to work.

Cheers
 
Old 10-31-2006, 05:05 PM   #3
Suhy
LQ Newbie
 
Registered: Aug 2005
Distribution: CentOS, Fedora
Posts: 25

Original Poster
Rep: Reputation: 15
BUT,

first I had the iptables service also running..

After I disabled it (iptables), Shorewall is still running and works; tested with grc.com and all ports are closed.. and after reboot, when the iptables service is stopped and Shorewall started, grc.com still shows I am fully closed - no open ports..

AND in the file "iptables" there are none of the rules I made with Shorewall (they are in the Shorewall folder); that's why I think the "iptables" file is not needed, because there is no information for Shorewall in it and the iptables service is not starting at all..

???
Me n00b, confused

Last edited by Suhy; 10-31-2006 at 05:07 PM.
 
Old 10-31-2006, 06:08 PM   #4
dcdbutler
Member
 
Registered: Jan 2005
Location: Boston
Distribution: slackware
Posts: 502

Rep: Reputation: 30
Shorewall doesn't "run", except at boot.
Read the documentation on shorewall.net about how shorewall works.

Code:
# iptables -L
will show you which iptables rules are in effect.
 
Old 10-31-2006, 06:19 PM   #5
Suhy
LQ Newbie
 
Registered: Aug 2005
Distribution: CentOS, Fedora
Posts: 25

Original Poster
Rep: Reputation: 15
Yes, I read the docs (a while ago), and yes, if I type #iptables -L I get a long list, and in that list is everything I have in the policy and other Shorewall files, but then please explain this to me:

1) #service iptables status ... Firewall is stopped
2) #service shorewall status ... Shorewall is running (maybe this includes the iptables service or something??)
3) I don't have the iptables file anymore, I renamed it to iptables_old, and the firewall is running OK with all the lines (that are configured in the Shorewall files) if I type #iptables -L
 
Old 10-31-2006, 06:27 PM   #6
dcdbutler
Member
 
Registered: Jan 2005
Location: Boston
Distribution: slackware
Posts: 502

Rep: Reputation: 30
When you refer to the iptables service, do you mean something in the init scripts? If so, then yes, you can delete it if you no longer want to use that script, or just disable it from running at boot (sounds like you already did that). I wasn't clear what you meant by the iptables file.

Cheers.
 
Old 10-31-2006, 06:57 PM   #7
tvynr
Member
 
Registered: Apr 2004
Distribution: Debian
Posts: 143

Rep: Reputation: 15
IIRC, iptables is simply used to change the state of the in-memory iptables kernel stuff. Once all of that is configured, deleting the iptables binary won't change anything... until the next time you try to boot the computer and it's not there, which will prevent the computer from setting the iptables stuff back up and so break your firewall.

Neither Shorewall nor iptables is a daemon (nor a "service"). You may have a script in /etc/init.d (or /etc/rc.d or somewhere else, depending on your distro) that is named "iptables" or something similar; that is a script which is run at startup which usually corresponds to something which will eventually sit around running in memory (such as your SSH daemon). However, /etc/init.d/iptables and /sbin/iptables are two completely different things.

Shorewall is, AFAIK, a mighty script which, when run, makes many many calls to /sbin/iptables. As Shorewall calls /sbin/iptables, /sbin/iptables makes a number of system calls that cause the kernel iptables modules to handle network traffic in a different way. Once /sbin/iptables has done its work, it terminates, leaving the iptables kernel modules to do their work.

If you have an iptables start-up script (/etc/somedir/iptables), it's probably designed to do the same task as Shorewall (but no promises). As a result, using both simultaneously could be a bad idea. Quickest way to find out, IMHO, is to open up the /etc/somedir/iptables file and see what it says.

However, I can assure you that Shorewall needs iptables to set up your firewall properly. Once the firewall is set up, it doesn't matter if iptables (or Shorewall, for that matter) is available or not; the firewall will continue working just as it has been configured. However, since you'll need iptables to make any changes or to set it back up again when you reboot, you should leave it installed.

Does all of that make sense? Happy firewalling.

(p.s.: you might want to set your distro in your LQ profile so we know what you're using; it'd help us customize answers, if nothing else)
 
Old 10-31-2006, 08:12 PM   #8
Suhy
LQ Newbie
 
Registered: Aug 2005
Distribution: CentOS, Fedora
Posts: 25

Original Poster
Rep: Reputation: 15
By referring to the iptables service I mean the /sbin/iptables bin file (not directly, because the service file is in /etc/rc.d/init.d). Probably I am wrong here, but you got the point of what I am talking about, right?

By referring to the iptables file I mean /etc/sysconfig/iptables with content:
----------------------------------------------------------------
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6622 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
.
.
.
----------------------------------------------------------------

Conclusion:
OK, if my little brain makes any sense:
- I don't need the iptables file (pasted in this post), because files from Shorewall, like the policy file:
----------------------------------------------------------------
ACCEPT net $FW tcp 5900:5902
ACCEPT net $FW tcp 4662
ACCEPT net $FW udp 4662
ACCEPT net $FW udp 1194
DROP net $FW tcp 113
.
.
.
----------------------------------------------------------------
does the job instead of the iptables file.
- I don't need the iptables service to start at boot
- I don't delete /sbin/iptables, because Shorewall needs this when starting up
- I need to start Shorewall at boot
- Shorewall starts the firewall procedure by implementing its own files, like policy and others, through /sbin/iptables, and after that the kernel iptables/netfilter manages them.

Am I close?

Big thanks to both of YOU
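As an added example (not from the thread, and not Shorewall's own code): a small Python script that parses the two rule formats quoted above, the iptables-save style /etc/sysconfig/iptables file and Shorewall's ACTION SOURCE DEST PROTO DPORT rule lines, and lists which inbound ports each would open, so you can check whether the Red Hat iptables init script and Shorewall are configuring the same thing before you disable one of them. The excerpts are constructed from the post, and the Shorewall column order and the `net`/`$FW` zone names are assumptions.

```python
import re

# Constructed excerpt of the /etc/sysconfig/iptables content quoted in the thread.
SYSCONFIG_IPTABLES = """\
*filter
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6622 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Constructed excerpt of the Shorewall rule lines quoted in the thread
# (assumed column order: ACTION SOURCE DEST PROTO DPORT).
SHOREWALL_RULES = """\
ACCEPT net $FW tcp 5900:5902
ACCEPT net $FW tcp 4662
ACCEPT net $FW udp 1194
DROP   net $FW tcp 113
"""

def expand_ports(spec):
    """Turn '80' or '5900:5902' into a set of integer ports."""
    lo, _, hi = spec.partition(":")
    return set(range(int(lo), int(hi or lo) + 1))

def sysconfig_open_ports(text):
    """(proto, port) pairs ACCEPTed by iptables-save style '-A ... -j ACCEPT' lines."""
    pat = re.compile(r"^-A \S+ .*-p (tcp|udp)\b.*--dport (\S+) .*-j ACCEPT")
    opened = set()
    for m in filter(None, map(pat.match, text.splitlines())):
        opened |= {(m.group(1), p) for p in expand_ports(m.group(2))}
    return opened

def shorewall_open_ports(text):
    """(proto, port) pairs Shorewall ACCEPTs from the 'net' zone to the firewall ($FW)."""
    opened = set()
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 5 and f[:3] == ["ACCEPT", "net", "$FW"]:
            opened |= {(f[3], p) for p in expand_ports(f[4])}
    return opened

def compare(sysconfig_text, shorewall_text):
    """Ports opened by each rule set, split into only-sysconfig / only-shorewall / both."""
    a, b = sysconfig_open_ports(sysconfig_text), shorewall_open_ports(shorewall_text)
    return {"only_sysconfig": sorted(a - b), "only_shorewall": sorted(b - a), "both": sorted(a & b)}
```

Rules that accept non-TCP/UDP protocols (the `-p 50` ESP line) or that match only on connection state are deliberately left out of the port summary.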
 
Old 11-01-2006, 12:29 AM   #9
tvynr
Member
 
Registered: Apr 2004
Distribution: Debian
Posts: 143

Rep: Reputation: 15
Yep, sounds like you've got it. Based upon that listing, it sounds like your iptables rc script is trying to do the same job as Shorewall, so they'd just step on each others' toes. So get rid of that and keep Shorewall. Make sure Shorewall starts up on boot and that /sbin/iptables is there to do Shorewall's bidding.

So, yeah, your comprehension of the situation seems to be spot on. Good job.
 
Old 11-01-2006, 05:40 AM   #10
Suhy
LQ Newbie
 
Registered: Aug 2005
Distribution: CentOS, Fedora
Posts: 25

Original Poster
Rep: Reputation: 15
BIG thank you guys, you are the best
 