What are some good ways for handling iptables firewall at boot
My question is not about writing a firewall script or how to code the iptables rules, but about how to manage the firewall.
I've generally ignored iptables and just used the Slackware default because my home LAN is behind a router that firewalls everything coming in. Lately I've been setting up various servers that I want to access remotely over the internet, like ssh, openvpn, vsftpd, httpd, and sparkleshare. I soon started seeing intrusion attempts on well-known ports once I opened them up on my router. I installed fail2ban to deal with them.
My firewall is rudimentary. I created /etc/rc.d/rc.firewall and I invoke it from rc.local during boot. It only has a couple of iptables commands in it. Next I start fail2ban, which adds some additional iptables rules. Fail2ban adds and deletes more rules to ban or unban specific IP addresses as it monitors intrusions.
This is what I have now in rc.local:
Code:
    if [ -x /etc/rc.d/rc.firewall ]; then
        iptables -F                    # flush the filter table before loading the static rules
        /etc/rc.d/rc.firewall
    fi
    if [ -x /etc/rc.d/rc.fail2ban ]; then
        /etc/rc.d/rc.fail2ban start    # fail2ban then adds its own dynamic rules on top
    fi
It's the dynamic nature of fail2ban that made me question best practices for managing the firewall. If it were completely static, I'd just code it in rc.firewall and start it during boot from rc.local. But when fail2ban is running, the firewall rules are modified dynamically.
I decided not to flush the iptables in rc.firewall so that it won't wipe out anything that fail2ban adds if I happen to update it and rerun it after fail2ban has started.
What I'd like to know is if this is a good way of handling the firewall, or if there are other practices I should consider.
Quote:
I created /etc/rc.d/rc.firewall and I invoke it from rc.local during boot.
I'm not familiar with fail2ban and where in the boot process it starts, but you may be running your firewall script twice at reboot unintentionally.
You don't mention which Slackware release you're using, but with recent releases of Slackware if the /etc/rc.d/rc.firewall script is executable then the /etc/rc.d/rc.inet2 script will execute it.
Your rc.local script is probably running the rc.firewall script a second time.
Note that the rc.inet2 script uses the argument start. You can just ignore that if you don't want to use start/stop/reset/... in your rc.firewall script.
Last edited by TracyTiger; 06-04-2013 at 12:46 PM.
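An rc.firewall that addresses both points raised so far, TracyTiger's note that rc.inet2 already runs the script with "start" (so rc.local running it again must not duplicate rules) and the original poster's worry that a flush wipes out what fail2ban added. This is an added example, not anyone's script from the thread and not the firewall generator's output: the static rules live in a chain of their own, only that chain is ever flushed, and the INPUT jump is added only when it is missing. The chain name, the port lists and the DRYRUN switch are assumptions; it requires an iptables that supports the -C rule check.

```shell
#!/bin/sh
# rc.firewall: static rules that survive a re-run and leave fail2ban alone.
# Added example for this thread; chain name and ports are assumptions.
# Assumes iptables with -C (rule check) support.

CHAIN="static-in"                  # our own chain: the only thing we ever flush
TCP_PORTS="${TCP_PORTS:-22 80}"    # tcp services forwarded here by the router
UDP_PORTS="${UDP_PORTS:-1194}"     # udp services (openvpn)
DRYRUN="${DRYRUN:-}"               # non-empty: print commands instead of running

ipt() {
    if [ -n "$DRYRUN" ]; then
        echo "iptables $*"
        # In dry-run every -C check reports "rule absent", so the full command list is printed.
        [ "$1" != "-C" ]
    else
        iptables "$@"
    fi
}

fw_start() {
    # Create our chain on the first run, then flush only it; fail2ban's own
    # chains and the INPUT jumps it inserted are never touched.
    ipt -N "$CHAIN" 2>/dev/null
    ipt -F "$CHAIN"
    ipt -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A "$CHAIN" -i lo -j ACCEPT
    for p in $TCP_PORTS; do ipt -A "$CHAIN" -p tcp --dport "$p" -j ACCEPT; done
    for p in $UDP_PORTS; do ipt -A "$CHAIN" -p udp --dport "$p" -j ACCEPT; done
    ipt -A "$CHAIN" -j DROP
    # Append the INPUT jump only if it is missing, so running this script from
    # both rc.inet2 and rc.local cannot duplicate it. fail2ban inserts its
    # jumps with -I, so its bans are evaluated before our accepts.
    ipt -C INPUT -j "$CHAIN" 2>/dev/null || ipt -A INPUT -j "$CHAIN"
}

fw_stop() {
    # Remove only our own jump and chain.
    ipt -D INPUT -j "$CHAIN" 2>/dev/null
    ipt -F "$CHAIN" 2>/dev/null
    ipt -X "$CHAIN" 2>/dev/null
}

case "$1" in
    start|restart) fw_start ;;        # rc.inet2 calls this script with "start"
    stop)          fw_stop ;;
    *)             echo "usage: $0 {start|stop|restart}" >&2 ;;
esac
```

Running it as DRYRUN=1 /etc/rc.d/rc.firewall start prints the iptables commands it would issue, which is a cheap way to check the rule set without touching the live firewall.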
I'm running Slackware64 14.0. Thanks for the info about rc.inet2, Tracy. Before I added the iptables -F command in rc.local, I was getting duplicate rules, so it looks like it was indeed running twice. I've commented it out in rc.local.
I'm starting fail2ban in rc.local, so it starts late in the init sequence. As far as I know, there isn't anything else that starts it automatically.
I know the first link I had archived had vanished. I can send you a copy of mine, with my configuration removed, if you wish to send me your email address via LQ email.
I looked at that a few years ago, dive. My systems don't fit the description in the help text of either a single system or a private network gateway, so it didn't seem applicable to me. I think, in general, it isn't applicable to systems behind a router appliance that serves as a gateway to the internet. Once you start forwarding ports to an internal system from the firewall in the gateway appliance, such as for internet-facing servers, you begin to resemble one of those descriptions.
As a matter of curiosity, do either of you have a configuration that resembles what Eric describes as "Single System" or "Gateway/Firewall"? And do you use the generated firewall on your home systems, or on non-residential business systems?
From the help text for the "Single System or Private Network Gateway" question:
Quote:
If your linux computer is also your workstation and is not connected to another network while you are connected to the Internet, select the Single System option.
If your linux computer connects a network of computers to the Internet, it is a gateway system.
Neither of those circumstances are very common in the US for residential ISP customers these days. I see that one of you is from the UK, and the other from Canada, so I'm curious if the norm is different where you reside. Here in the US, the usual case is that one or more computers in the home are connected to a dedicated router/gateway appliance (like a Netgear or D-Link or Linksys, etc., device), often supplied by the ISP, that provides a firewall, serves as the internet gateway, and usually offers a dhcp server for the local network, dns forwarding, and a wifi AP.
It has never seemed likely to me that a computer system on the small residential local LAN sitting behind one of those router/firewall/gateway appliances has much need of another firewall unless the system has internet-accessible servers running on it. The latter is true for me now, which is why I'm suddenly interested in my firewall configuration.
I've been using Alien Bob's Firewall Generator too...
Suppose I'm just installing it on my laptop: I just use the "single system" configuration... this laptop roams around my home LAN using wifi, and thus it is behind the firewall on my home LAN's router...
My home LAN's router is just another slackware box, and on this one, I selected the "gateway" option.
Strictly, my laptop is already protected by the home LAN's firewall, so I don't really need a firewall on it when I'm home... but since I travel, and I don't know whether every hotel or coffee shop's wifi has a properly configured firewall, I keep the "single system" firewall on my laptop...
I also have an asterisk server behind the firewall on my LAN... this box has to receive requests from the external internet servers, such as my voip direct inward dial service provider--if someone calls one of my DID numbers, the service provider forwards the call to my asterisk box behind my LAN, which then routes the call based on what extension someone dialed... this setup happens over TCP port 5060, because it is using SIP, and so I have to create a rule in my gateway/router's firewall to forward all tcp traffic on port 5060 to my asterisk box...
Scrolling through the long firewall script generated by Alien's firewall generator, I found a section of user defined chains for Incoming TCP, Incoming UDP, and Outgoing TCP and Outgoing UDP... it is here that I added the rule for incoming tcp traffic on port 5060... of course I can do the same for other ports for other services... can make a rule for port 80 tcp to forward to local web server... etc., etc., etc... This is what you need to open for all the ports used for your remote services, httpd, sparkleshare, etc... If it is just specific boxes out there that you are communicating with, then make your rules only allow incoming from those specific ip addresses, and this will limit the brute force attacks...
I think that Alien's EFG is pretty thorough... there are really only three situations: 1) totally unprotected (he doesn't give this option, cause you wouldn't be configuring a firewall if you wanted that)... but this is ok if you are already protected by your gateway's firewall -- a system that is not a gateway, but wants to filter ip traffic -- this is the single system option; and a gateway... I can't think of a system that doesn't fall within these three categories...
Beware... I'm just a tinkering slacker and I don't know what I'm talking about
Last edited by slac-in-the-box; 06-07-2013 at 12:56 PM.