Debian iptables

kingcomein · 10-26-2005, 01:55 AM

When i type "iptables -L" under command line that login as root.
It displayed below messages:

Note: /etc/modules.conf is more recent than /lib/modules/2.2.20-idepci/modules.dep
modprobe: Can't locate module ip_tables iptables v1.2.11: can't initialize iptables table 'filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.

What should I do?

thx....

kingcomein · 10-26-2005, 04:11 AM

I solve the above problem by updated the kernel.

But i have any other problem, how to save the change after i set the iptables?

I used the command:

"iptables-save -c" <---- but cannot work after i reboot the debian once.

"/etc/init.d/iptables save active" <----- it displayed "Bad argument 'save'"

have anyone know how can i do ?

jlinkels · 10-26-2005, 06:24 AM

I think it is actually better *not* to store the iptables settings.

It is much better to write a script which starts with flushing all chains, and then establish new rules.

If you do, it is MUCH easier to change things. Just edit the script and run it again. If you do save and restore, it is virtually impossible to change something. Unless you have a perfect memory so you can remember exactly what the status of iptables is at any moment that you perform a change.

There are many examples of iptables scripts available on the net. Also refer to this tutorial. It contains an excellent explanation of iptables, and a number of example scripts at the end.

Debian also comes with the ipmasq package. When you install ipmasq, it automatically generates a script which is makes your machine a masquerading firewall. This is very useful, I used it as the base for writing my own, highly tailored firewall script.

If you use a script, do not forget to start with flushing all chains, deleting all custom tables and setting the correct policy. If you forget to null out one rule, you can be looking for days why certain traffic never complets. I know from experience.

jlinkels

TigerOC · 10-26-2005, 07:35 AM

To continue from the networking forum thread (now closed) the first initiation of the script is at runlevel 2 and most of the other servers start after this so there should be adequate coverage during the period.

deception · 10-31-2005, 10:17 PM

Quote:

Originally posted by TigerOC
To continue from the networking forum thread (now closed) the first initiation of the script is at runlevel 2 and most of the other servers start after this so there should be adequate coverage during the period.

Why not get it up before the net devices?
Before ifup, like pre-up or something?

Grtz Decep.