LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1  tigerflag (Member), 09-10-2003, 05:25 PM
How to get Guarddog to start automatically?


I've searched these forums but haven't found an answer.
I'm using Guarddog in Mandrake 9.1, so I don't know if this should go in the Mandrake forum...

I have it configured the way I want it and all ports show up as "Stealth" in the grc.com test. But if I have to reboot my computer, Guarddog won't come back on unless I manually start it.

I'm just running a stand-alone box on a dialup modem. I think there's a Guarddog script somewhere that I could put into /etc/rc.d/rc.local, if I could only find it. Have done a file search for it but nothing strikes me as appropriate.

Oddly, iptables is configured to start at bootup, but when I turn on Guarddog, it seems to turn off iptables. It works, though.

TIA,
Siri Amrit
 
#2  Proud (Senior Member), 09-10-2003, 05:57 PM
Netfilter/iptables is constantly running. The root user can alter the rules held by it via a few commands. Guarddog generates a script which, when run (with root privileges), automatically injects your selected rules each time. That iptables service in Mandrake is the system's firewall script, and not the constantly running Netfilter (which is built into the kernel and its networking section). So because that script is executed on boot, your Guarddog-generated list of rules is automatically loaded, then the script ends, while Netfilter retains the rules until it's sent different ones.

Last edited by Proud; 09-10-2003 at 05:59 PM.
 
#3  tigerflag (Member, Original Poster), 09-10-2003, 07:02 PM
Thanks, Proud. I'm still a little confused, though.
Should I configure Mandrake's iptables to NOT start at boot? What do I do to make Guarddog start automatically at, say, runlevel 1 or 2?
 
#4  Proud (Senior Member), 09-11-2003, 04:13 PM
No no, the IPTables service should be run at boot, it's the generated script which'll add the rules to the Netfilter module of the kernel.
Guarddog simply generates a good script, it's up to your runlevel configurations whether you run it (by starting the IPTables service in that runlevel).

From /etc/inittab:
Quote:
# Default runlevel. The runlevels used by Mandrake Linux are:
# 0 - halt (Do NOT set initdefault to this)
# 1 - Single user mode
# 2 - Multiuser, without NFS (The same as 3, if you do not have networking)
# 3 - Full multiuser mode
# 4 - unused
# 5 - X11
# 6 - reboot (Do NOT set initdefault to this)
Your system doesn't go from runlevels 1 through to 5; it simply runs in whichever level you've set as default (see the same file).
 
#5  tigerflag (Member, Original Poster), 09-11-2003, 08:48 PM
My system's IP-tables starts at boot and runs in levels 2, 3, 4, &5. I boot my computer to runlevel 3, then startx. Unless I manually start Guarddog as root, the Guarddog script doesn't load when I boot the system.
What am I missing? Is there a file where I should put a little script, telling it to start Guarddog automatically at boot?

TIA,
Siri Amrit
 
#6  Proud (Senior Member), 09-12-2003, 04:35 PM
Guarddog should save the iptables rules to /etc/rc.firewall, which should be automatically run for those runlevels. Honestly I haven't found the line in the /etc/rc.d/ and /etc/sysconfig/ scripts which does this yet, but how are you checking it isn't being run? Do you simply mean the Guarddog window doesn't pop up?
 
#7  tigerflag (Member, Original Poster), 09-13-2003, 12:49 PM
Thanks Proud, for sticking with me on this.
There are two ways I check to see it isn't running:
First, I can go to grc.com and run the ShieldsUP! test. Everything is "closed" (not stealth) and one port is "open" for internet printer sharing.
Then I go into a console as root and type "guarddog". The Guarddog window comes up and lets me click to turn it on, meaning it has been turned off until then. Then, when I go back to grc.com, everything is "stealth".

Here's how my /etc/rc.d/init.d/iptables reads:

Code:
#!/bin/sh
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 03 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author: Joshua Jensen <joshua@redhat.com>
# -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
#
# config: /etc/sysconfig/iptables

# Source 'em up
. /etc/init.d/functions

IPTABLES_CONFIG=/etc/sysconfig/iptables

if [ ! -x /sbin/iptables ]; then
    exit 0
fi

# Netfilter/iptables needs a 2.3 or later kernel
KERNELMAJ=`uname -r | sed -e 's,\..*,,'`
KERNELMIN=`uname -r | sed -e 's,[^\.]*\.,,' -e 's,\..*,,'`

if [ "$KERNELMAJ" -lt 2 ] ; then
    exit 0
fi
if [ "$KERNELMAJ" -eq 2 -a "$KERNELMIN" -lt 3 ] ; then
    exit 0
fi

if /sbin/lsmod 2>/dev/null | grep -q ipchains ; then
    # Don't do both
    exit 0
fi

# Run an iptables command only if the named table is actually loaded in the kernel
iftable() {
    if fgrep -qsx $1 /proc/net/ip_tables_names; then
        iptables -t "$@"
    fi
}

start() {
    # don't do squat if we don't have the config file
    if [ -f $IPTABLES_CONFIG ]; then
        # We do _not_ need to flush/clear anything when using iptables-restore
        gprintf "Applying iptables firewall rules: \n"
        grep -v "^[[:space:]]*#" $IPTABLES_CONFIG | grep -v '^[[:space:]]*$' | /sbin/iptables-restore -c && \
            success "Applying iptables firewall rules" || \
            failure "Applying iptables firewall rules"
        echo
        touch /var/lock/subsys/iptables
    fi
}

stop() {
    # Flush every loaded table, drop user chains and fall back to ACCEPT everywhere
    chains=`cat /proc/net/ip_tables_names 2>/dev/null`
    for i in $chains; do iptables -t $i -F; done && \
        success "Flushing all chains:" || \
        failure "Flushing all chains:"
    for i in $chains; do iptables -t $i -X; done && \
        success "Removing user defined chains:" || \
        failure "Removing user defined chains:"
    gprintf "Resetting built-in chains to the default ACCEPT policy:"
    iftable filter -P INPUT ACCEPT && \
    iftable filter -P OUTPUT ACCEPT && \
    iftable filter -P FORWARD ACCEPT && \
    iftable nat -P PREROUTING ACCEPT && \
    iftable nat -P POSTROUTING ACCEPT && \
    iftable nat -P OUTPUT ACCEPT && \
    iftable mangle -P PREROUTING ACCEPT && \
    iftable mangle -P OUTPUT ACCEPT && \
        success "Resetting built-in chains to the default ACCEPT policy" || \
        failure "Resetting built-in chains to the default ACCEPT policy"
    echo
    rm -f /var/lock/subsys/iptables
}

case "$1" in
    start)
        start
        ;;

    stop)
        stop
        ;;

    restart|reload)
        # "restart" is really just "start" as this isn't a daemon,
        # and "start" clears any pre-defined rules anyway.
        # This is really only here to make those who expect it happy
        start
        ;;

    condrestart)
        [ -e /var/lock/subsys/iptables ] && start
        ;;

    status)
        tables=`cat /proc/net/ip_tables_names 2>/dev/null`
        for table in $tables; do
            gprintf "Table: %s\n" "$table"
            iptables -t $table --list
        done
        ;;

    panic)
        # Emergency lockdown: DROP everything, then empty every built-in chain
        gprintf "Changing target policies to DROP: "
        iftable filter -P INPUT DROP && \
        iftable filter -P FORWARD DROP && \
        iftable filter -P OUTPUT DROP && \
        iftable nat -P PREROUTING DROP && \
        iftable nat -P POSTROUTING DROP && \
        iftable nat -P OUTPUT DROP && \
        iftable mangle -P PREROUTING DROP && \
        iftable mangle -P OUTPUT DROP && \
            success "Changing target policies to DROP" || \
            failure "Changing target policies to DROP"
        echo
        iftable filter -F INPUT && \
        iftable filter -F FORWARD && \
        iftable filter -F OUTPUT && \
        iftable nat -F PREROUTING && \
        iftable nat -F POSTROUTING && \
        iftable nat -F OUTPUT && \
        iftable mangle -F PREROUTING && \
        iftable mangle -F OUTPUT && \
            success "Flushing all chains:" || \
            failure "Flushing all chains:"
        iftable filter -X INPUT && \
        iftable filter -X FORWARD && \
        iftable filter -X OUTPUT && \
        iftable nat -X PREROUTING && \
        iftable nat -X POSTROUTING && \
        iftable nat -X OUTPUT && \
        iftable mangle -X PREROUTING && \
        iftable mangle -X OUTPUT && \
            success "Removing user defined chains:" || \
            failure "Removing user defined chains:"
        ;;

    save)
        # Snapshot the live rule set (with counters) so start() can restore it
        gprintf "Saving current rules to %s: " "$IPTABLES_CONFIG"
        touch $IPTABLES_CONFIG
        chmod 600 $IPTABLES_CONFIG
        /sbin/iptables-save -c > $IPTABLES_CONFIG 2>/dev/null && \
            success "Saving current rules to %s" "$IPTABLES_CONFIG" || \
            failure "Saving current rules to %s" "$IPTABLES_CONFIG"
        echo
        ;;

    *)
        gprintf "Usage: %s {start|stop|restart|condrestart|status|panic|save}\n" "$0"
        exit 1
esac

exit 0
_________________________________________
Any ideas?
Siri Amrit


Last edited by tigerflag; 09-13-2003 at 12:58 PM.
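The init script above is only a loader: start() feeds /etc/sysconfig/iptables to iptables-restore and stop() resets every built-in chain to ACCEPT. So whether "Guarddog is running" is really a question about what the kernel currently holds, and it can be answered from an iptables-save dump instead of the grc.com scan or the GUI. ShieldsUP reports "stealth" when unsolicited packets are dropped without any reply (an INPUT policy of DROP), and "closed" when the host still answers with a RST or ICMP error (no filtering, or an ACCEPT policy). The script below is an added example, not from this thread or from Guarddog; the two dumps it reads are constructed samples (the exact rule sets are assumptions), and on the real box you would run it as root against the output of iptables-save -c.

```shell
#!/bin/sh
# Added example (not from the thread): decide from an iptables-save dump whether
# the INPUT chain is in the state /etc/rc.firewall leaves it in (default policy
# DROP, what ShieldsUP calls "stealth") or in the reset state that the init
# script's stop() produces (default ACCEPT).
# On the real box, as root:  iptables-save -c > /tmp/dump && firewall_state /tmp/dump
# Here two constructed dumps stand in for the live kernel state so it runs anywhere.

# chain_policy TABLE CHAIN FILE -> default policy of CHAIN in TABLE (e.g. DROP)
chain_policy() {
    awk -v t="*$1" -v c=":$2" '
        $1 ~ /^\[/          { sub(/^[^ ]* /, "") }   # drop [pkts:bytes] counters from -c dumps
        $1 == t             { in_table = 1; next }
        $1 == "COMMIT"      { in_table = 0 }
        in_table && $1 == c { print $2; exit }
    ' "$3"
}

# accepted_tcp_ports FILE -> TCP destination ports INPUT accepts on any interface but lo
accepted_tcp_ports() {
    awk '
        $1 ~ /^\[/ { sub(/^[^ ]* /, "") }
        $1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ && !/-i lo( |$)/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }
    ' "$1" | sort -n | tr '\n' ' ' | sed 's/ *$//'
}

# firewall_state FILE -> "stealth" when unsolicited packets are dropped by default,
# "exposed" otherwise (the kernel will answer, so ports show "closed" or "open")
firewall_state() {
    case "$(chain_policy filter INPUT "$1")" in
        DROP) echo stealth ;;
        *)    echo exposed ;;
    esac
}

# Constructed dump: what iptables-save -c shows after Guarddog's rc.firewall has run
# (the rule set is an assumption; only the policies and the lo exception matter here).
GUARDDOG_DUMP=$(mktemp)
cat > "$GUARDDOG_DUMP" <<'EOF'
# Generated by iptables-save v1.2.7a (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
[12:1040] -A INPUT -i lo -j ACCEPT
[3:180] -A INPUT -i lo -p tcp --dport 631 -j ACCEPT
[0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF

# Constructed dump: default-ACCEPT policies with mail and CUPS let through, which is
# the picture the poster gets on grc.com (everything "closed", 631 "open").
DEFAULT_DUMP=$(mktemp)
cat > "$DEFAULT_DUMP" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -p tcp -m tcp --dport 631 -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
COMMIT
EOF

for f in "$GUARDDOG_DUMP" "$DEFAULT_DUMP"; do
    echo "$f: INPUT policy=$(chain_policy filter INPUT "$f") state=$(firewall_state "$f") accepted tcp ports: [$(accepted_tcp_ports "$f")]"
done
```

Run it on a freshly booted box before starting the Guarddog GUI: if firewall_state says exposed and accepted_tcp_ports lists 631, the rule set in the kernel is the distribution's default, not Guarddog's, regardless of which service chkconfig says is on. The counter-stripping rule matters because the posted init script saves with iptables-save -c, so every -A line in /etc/sysconfig/iptables starts with [pkts:bytes].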
 
#8  Proud (Senior Member), 09-14-2003, 10:58 AM
Quote:
Everything is "closed" (not stealth) and one port is "open" for internet printer sharing.
Try turning off Mandrake's Shorewall firewall thing first. Then Guarddog should stick.
 
#9  tigerflag (Member, Original Poster), 09-14-2003, 11:47 AM
Shorewall keeps resetting itself

Well, your suggestion to turn off Shorewall makes sense, but it doesn't save my settings. Shorewall by default allows connections to mail services and CUPS. I have tried to block CUPS many, many times, saved it that way, and Shorewall resets itself the instant I close its configuration window to allow CUPS internet access again. I have CUPS configured to not allow any shared printing, so this doesn't make sense.

This time, I turned off Guarddog, told Shorewall to allow everything (no firewall), saved it, restarted Guarddog, and rebooted. When I rebooted, Shorewall was back in charge allowing Cups and mail connections, and once again I had to restart Guarddog.

I'm going to look to see if I can uninstall Shorewall completely.
 
#10  tigerflag (Member, Original Poster), 09-14-2003, 12:37 PM
Disabled drakfirewall, still no joy

I did a file search for Shorewall and all it turned up was /usr/sbin/drakfirewall. So I went into that file and put a "#" before every line. Rebooted.
IPtables starts at system boot.
Clicked the drakfirewall configuration button and got the error message: "This program exited abnormally." So I thought, cool, maybe now it won't interfere with Guarddog. Nope. I saw that the IPtables service was checked to start at boot, but it was stopped.
Went to ShieldsUP, ran a test, and all parts were closed, none stealth, and Port 631/Internet Printing Protocol was still wide open.
Started Guarddog by hand and everything went Stealth immediately.

There has got to be a way to make this start automatically. Any ideas?

Siri Amrit
 
#11  Proud (Senior Member), 09-14-2003, 03:17 PM
Yeah, Shorewall is junk for me too.

A working solution should be to add an exec line to /etc/rc.d/rc.local which runs the rc.firewall script that Guarddog should be generating, but this doesn't stop the first lot of iptables rules being added, though Guarddog flushes them all out IIRC anyway.
 
#12  tigerflag (Member, Original Poster), 09-14-2003, 03:40 PM
I am clueless as to how to do that :-(
 
#13  Proud (Senior Member), 09-14-2003, 06:47 PM
I think you can simply edit (don't run) that text file as root and add a line like exec fluxbox or sh fluxbox or fluxbox & but I'm not sure, and also think it would be better if you could fix your system to work as I guess it's meant to, like mine.
 
#14  Read_Icculus (Member), 09-15-2003, 07:42 PM
I've had the exact same problem before. Earlier versions of Guarddog correctly started up the iptables script automatically for me, but the newer ones did not. The new GD doesn't set up your /etc/ppp/ip-up/down.local properly with Mandrake 9.1, at least it didn't for me. To have the firewall start at dial-out and flush rules at disconnect you have to have the following files in /etc/ppp:

ip-down.local

Code:
#!/bin/bash
#
# This short script just runs any firewall script located at /etc/rc.firewall .
# It will be called whenever a ppp interface goes down. Normally we would hook
# our firewall script in via /sbin/ifdown-local, but a bug in the
# /etc/ppp/ip-down script prevents that from working. This script provides a
# workaround.
#
# cheers, Guarddog http://www.simonzone.com/software/guarddog/
#
[ -x /etc/rc.firewall ] && /etc/rc.firewall
ip-up.local

Code:
#!/bin/bash
#
# This short script just runs any firewall script located at /etc/rc.firewall .
# It will be called whenever a ppp interface comes up. Normally we would hook
# our firewall script in via /sbin/ifup-local, but a bug in the
# /etc/ppp/ip-up script prevents that from working. This script provides a
# workaround.
#
# cheers, Guarddog http://www.simonzone.com/software/guarddog/
#
[ -x /etc/rc.firewall ] && /etc/rc.firewall
The scripts at ip-up and down.local can also be configured very easily for automatic firewall action when your interface goes up and down.
 
#15  Read_Icculus (Member), 09-15-2003, 07:47 PM
Did I say files? I meant scripts; make sure to make them executable (of course), and all you really need is the

Code:
#!/bin/bash

[ -x /etc/rc.firewall ] && /etc/rc.firewall
part for each one.
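Posts #11, #13 and #14 all come down to the same one-line hook: /etc/rc.d/rc.local (run near the end of the runlevel, after the iptables service) or /etc/ppp/ip-up.local and ip-down.local (run by pppd on every connect and disconnect) executes /etc/rc.firewall if it is present and executable. Two things are easy to get wrong by hand: the hook file has to be executable or pppd silently ignores it, and whatever these files call runs as root at every boot and every dial-up, so /etc/rc.firewall must not be writable by anyone but its owner or a local user can get root by editing it. The installer below is an added example, not Guarddog's or Mandrake's code; it takes the target and script paths as parameters so it can be tried on scratch files, and the fake rc.firewall it creates is a constructed stand-in.

```shell
#!/bin/sh
# Added example (not from the thread): install the Guarddog hook line into a boot or
# ppp hook file idempotently, and refuse when the firewall script could be edited by
# a non-owner, since the hook runs it as root. Paths are parameters so the functions
# can be exercised on scratch files; on the box in the thread the real calls would be
#   install_hook /etc/rc.d/rc.local /etc/rc.firewall
#   install_hook /etc/ppp/ip-up.local /etc/rc.firewall

# hook_line SCRIPT -> the exact line the hook file must contain
hook_line() {
    printf '[ -x "%s" ] && "%s"\n' "$1" "$1"
}

# script_is_safe SCRIPT -> 0 if SCRIPT is an executable regular file that group/other cannot write
script_is_safe() {
    s=$1
    [ -f "$s" ] && [ -x "$s" ] || return 1
    [ -z "$(find "$s" \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# hook_count TARGET SCRIPT -> how many times the hook line already appears in TARGET
hook_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Fxc "$(hook_line "$2")" "$1" || true
}

# install_hook TARGET SCRIPT -> 0 when the line is present afterwards, 1 when refused
install_hook() {
    target=$1; script=$2
    if ! script_is_safe "$script"; then
        echo "refusing: $script must be an executable file writable only by its owner" >&2
        return 1
    fi
    if [ ! -f "$target" ]; then
        printf '#!/bin/sh\n' > "$target"      # ip-up.local / ip-down.local may not exist yet
    fi
    if [ "$(hook_count "$target" "$script")" -eq 0 ]; then
        hook_line "$script" >> "$target"      # append only once, however often this is run
    fi
    chmod 755 "$target"                        # pppd only runs an executable ip-up.local
}

# Constructed scratch environment standing in for /etc/rc.firewall and the hook files.
DEMO=$(mktemp -d)
FW="$DEMO/rc.firewall"
printf '#!/bin/sh\necho loaded > "%s/loaded"\n' "$DEMO" > "$FW"   # fake firewall script leaves a marker
chmod 700 "$FW"

install_hook "$DEMO/rc.local" "$FW"
install_hook "$DEMO/rc.local" "$FW"            # second run must not add a second line
install_hook "$DEMO/ip-up.local" "$FW"
sh "$DEMO/rc.local"                             # simulate boot: the hook runs the firewall script
echo "rc.local hook lines: $(hook_count "$DEMO/rc.local" "$FW"), marker present: $([ -f "$DEMO/loaded" ] && echo yes || echo no)"

chmod g+w "$FW"                                 # now the script is group-writable...
install_hook "$DEMO/ip-down.local" "$FW" && echo "unexpected: installed" || echo "refused as intended"
```

After running the two real install_hook calls as root, check the result with a reboot (or a disconnect and redial for the ppp hooks) followed by iptables-save, not with the Guarddog window; the GUI only shows its own saved configuration, not what the kernel holds. The refusal branch is the check worth keeping: anything referenced from rc.local or /etc/ppp/ip-*.local is a root-executed file, so its permissions are part of the firewall.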
 
  

