Debian This forum is for the discussion of Debian Linux.
07-15-2005, 09:58 AM  #1
Senior Member | Registered: Jun 2003 | Distribution: Mint 13/15, CentOS 6.4 | Posts: 2,020
How can I load iptables rules at startup?
I output the iptables rules I make manually to /etc/iptables.conf with iptables-save. How can I load those automatically at each boot? Debian didn't seem to come with any startup scripts, so I had to modify one from a generic script I found on the net, which doesn't have any pointers in it to other files. Thanks.

07-15-2005, 10:12 AM  #2
Member | Registered: Jan 2005 | Location: Between the chair and the desk | Distribution: Debian Sarge, kernel 2.6.13 | Posts: 666
Write a script which contains a line like
Code:
iptables-restore < previously_saved_file_name
and save it under whatever name you want (let's say iptables_loader.sh), copy it to /etc/init.d, then su and run
Code:
update-rc.d iptables_loader.sh defaults
to generate the symlinks in rc*.d.
Then reboot and check if it works. Note that the script should contain the full path to the saved firewall rules file. Once you get the idea you may expand the script with functions for (re)starting/stopping the firewall (you even have a skeleton in /etc/init.d).
Last edited by harken; 07-15-2005 at 10:13 AM.

07-15-2005, 10:29 AM  #3
Senior Member (Original Poster) | Registered: Jun 2003 | Distribution: Mint 13/15, CentOS 6.4 | Posts: 2,020
It's not working. I just noticed there's a lot of non-executable stuff in the file iptables-save writes. So I removed all that and just put plain iptables rules in there, which didn't work either. There must be some other more standard way of doing it, right?
P.S. By skeleton do you mean a stripped-down generic file? No, I didn't have anything like that in init.d, unless it's called something totally unrelated to iptables. Maybe someone could post one? Thanks.
Last edited by synaptical; 07-15-2005 at 10:30 AM.

07-15-2005, 10:47 AM  #4
Member | Registered: Jan 2005 | Location: Between the chair and the desk | Distribution: Debian Sarge, kernel 2.6.13 | Posts: 666
You should not edit the file output by iptables-save; iptables-restore will parse the file automatically. At most, if you wish to zero those numbers at the beginning of the file, call 'iptables -F' before iptables-save.
If you want to use the rules directly, you must write a script which calls iptables for each rule (so something like 'iptables -A INPUT -p tcp --dport XX -j LOG' will be one line in your script). See a tutorial (one of many) at http://iptables-tutorial.frozentux.n...-tutorial.html
Also, don't forget to enable execution rights (chmod +x) for the script once you have copied it into /etc/init.d.
Regarding that skeleton file, I don't have the Linux box near me right now, but see 'man update-rc.d'; I think it's written there.
Last edited by harken; 07-15-2005 at 10:50 AM.

07-15-2005, 11:05 AM  #5
Senior Member (Original Poster) | Registered: Jun 2003 | Distribution: Mint 13/15, CentOS 6.4 | Posts: 2,020
Got it, thanks! The problem was there is no < in the restore command. I just put iptables-restore /etc/file in the script and it worked.
The symlinks concept for rc.d I don't understand; is that strictly speaking necessary, or would it have worked with just the restore script? Not a big deal, just curious. Thanks for the help.
Last edited by synaptical; 07-15-2005 at 11:06 AM.

07-15-2005, 11:24 AM  #6
Member | Registered: Jan 2005 | Location: Between the chair and the desk | Distribution: Debian Sarge, kernel 2.6.13 | Posts: 666
Glad to hear it worked. If you want to make sure the rules are loaded, run 'iptables -L' in a shell and it should output the ruleset. Funny though, mine works with a '<'. Actually, this is how it looks:
Code:
/sbin/iptables-restore < /home/harken/iptables1
However, the idea of the symlinks is that they each correspond to a certain runlevel. So, when the kernel switches the current runlevel (like 3 for multi-user console mode, 1 for single user, 5 for multi-user/graphical, 6 for shutdown/reboot, etc.), it will execute only the scripts found in that rcX.d directory so things don't get messed up. And that's why I told you in my first reply that you can expand your script with some functions so that when the computer changes runlevel you can start/stop your firewall (if needed). For this, once you complete the script, you run update-rc.d with some extra parameters like
Code:
update-rc.d [-n] name start|stop NN runlevel runlevel ... start|stop NN runlevel runlevel
Last edited by harken; 07-15-2005 at 11:31 AM.
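Putting harken's replies #2, #4 and #6 together, this is what the loader script could look like once it has start/stop functions. It is an added example written for this page, not a script from the thread or from the Debian iptables package: the name /etc/init.d/iptables-loader is made up, /etc/iptables.conf is the path synaptical used in the first post, and the validate_ruleset check is an addition here that refuses the kind of hand-edited file described in reply #3 before iptables-restore ever sees it.

```shell
#!/bin/sh
# /etc/init.d/iptables-loader   (example script; the name is made up)
# Restores a ruleset written by iptables-save, in the shape of the
# start/stop scripts found in /etc/init.d. Install it with
#     chmod +x /etc/init.d/iptables-loader
#     update-rc.d iptables-loader defaults

RULES=${RULES:-/etc/iptables.conf}        # where the first post saved the rules
IPTABLES=/sbin/iptables
IPTABLES_RESTORE=/sbin/iptables-restore
IPTABLES_SAVE=/sbin/iptables-save

# Sanity check a saved ruleset before handing it to iptables-restore.
# iptables-save output is one or more blocks of the form
#     *tablename
#     :CHAIN POLICY [pkts:bytes]
#     -A CHAIN ... rule ...
#     COMMIT
# Stripping the "non-executable stuff" (the *table header, the :CHAIN
# lines, COMMIT) is exactly what makes iptables-restore reject the file.
validate_ruleset() {
    f=$1
    [ -r "$f" ] || { echo "$f: missing or unreadable" >&2; return 1; }
    grep -q '^\*[a-z]*$' "$f" || { echo "$f: no '*table' header" >&2; return 1; }
    grep -q '^COMMIT$' "$f" || { echo "$f: no COMMIT line" >&2; return 1; }
    tables=$(grep -c '^\*[a-z]*$' "$f")
    commits=$(grep -c '^COMMIT$' "$f")
    [ "$tables" -eq "$commits" ] || {
        echo "$f: $tables table header(s) but $commits COMMIT(s)" >&2; return 1; }
    return 0
}

do_start() {
    validate_ruleset "$RULES" || return 1
    "$IPTABLES_RESTORE" < "$RULES"
}

# Flush every table and fall back to ACCEPT policies. This leaves the
# host unfiltered until do_start runs again.
do_stop() {
    for t in filter nat mangle; do
        "$IPTABLES" -t "$t" -F
        "$IPTABLES" -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$c" ACCEPT
    done
}

# Write the live ruleset back to $RULES atomically (the manual
# iptables-save step from the first post), readable by root only.
do_save() {
    "$IPTABLES_SAVE" > "$RULES.tmp" && mv "$RULES.tmp" "$RULES" && chmod 600 "$RULES"
}

case "${1:-}" in
    start)   echo "Loading firewall rules from $RULES"; do_start ;;
    stop)    echo "Flushing firewall rules"; do_stop ;;
    restart|force-reload) do_stop; do_start ;;
    save)    do_save ;;
    status)  "$IPTABLES" -L -n -v ;;
    "")      ;;   # no argument: define the functions only (e.g. when sourced)
    *)       echo "Usage: $0 {start|stop|restart|save|status}" >&2; exit 1 ;;
esac
```

After installing it, reboot and check with 'iptables -L -n -v' as suggested above. Keep in mind that the stop action is an accept-everything state, not a closed one, and that an init script still applies the rules only when its runlevel symlink fires, which is the timing problem the next reply raises.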

07-15-2005, 11:28 AM  #7
Member | Registered: Apr 2001 | Location: Bremen, Germany | Distribution: Debian | Posts: 303
Up until a few months ago there was an init script distributed with the Debian-packaged iptables. Then they got rid of that script because the consensus was that iptables is more appropriately started when the network interfaces are brought up (I agree). The main arguments against having an init script for iptables are that you will have a problem when starting iptables before networking (for example when you use FQDNs in your rules) and, much worse, when you start iptables after the network interfaces are up there will be a short time when you're running without a firewall.
So now the Debian way is to call the iptables script from /etc/network/interfaces using the pre-up, post-up, pre-down and post-down options of the interface.
Last edited by demian; 07-15-2005 at 05:59 PM.
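As an added example of the approach demian describes (not code from the thread or from Debian's ifupdown package), here is an ifupdown hook that restores the saved ruleset before each interface is configured, so there is no window with the interface up and no filter. The paths are assumptions: /etc/network/if-pre-up.d/iptables is simply where such a hook lives, /etc/iptables.conf is the file from the first post, and /etc/ip6tables.conf is an invented optional location for an ip6tables-save ruleset. IFACE, ADDRFAM and PHASE are the variables ifupdown exports to its hook scripts, as documented in interfaces(5).

```shell
#!/bin/sh
# /etc/network/if-pre-up.d/iptables   (example hook; path chosen for this example)
# ifupdown runs every executable in this directory before it brings an
# interface up, with IFACE, ADDRFAM, MODE and PHASE in the environment
# (see interfaces(5)). The rules are therefore in the kernel before the
# interface can receive a packet, and if this script exits non-zero,
# ifup aborts and leaves the interface down: a broken ruleset fails
# closed instead of leaving the box open.
#
# The per-interface form that does the same thing from /etc/network/interfaces:
#     iface eth0 inet dhcp
#         pre-up /sbin/iptables-restore < /etc/iptables.conf

RULES4=${RULES4:-/etc/iptables.conf}      # iptables-save output (path from the thread)
RULES6=${RULES6:-/etc/ip6tables.conf}     # ip6tables-save output (assumed path, optional)

# Decide what to restore for this invocation: prints "v4", "v6" or "skip".
# Loopback is left alone, and so is any address family we have no rules
# for. iptables-restore replaces the whole table set, so repeating it for
# each real interface is harmless. PHASE is only checked if ifupdown set it.
select_family() {
    iface=$1 addrfam=$2 phase=$3
    if [ -n "$phase" ] && [ "$phase" != pre-up ]; then echo skip; return 0; fi
    case "$iface" in
        lo|lo:*) echo skip; return 0 ;;
    esac
    case "$addrfam" in
        inet)  echo v4 ;;
        inet6) echo v6 ;;
        *)     echo skip ;;
    esac
}

main() {
    case "$(select_family "${IFACE:-}" "${ADDRFAM:-}" "${PHASE:-}")" in
        v4)
            # A missing or unreadable file makes the redirection fail, the
            # script exits non-zero and ifup refuses to bring the interface up.
            exec /sbin/iptables-restore < "$RULES4"
            ;;
        v6)
            # iptables-restore does nothing for IPv6; without a separate
            # ip6tables ruleset the v6 side of this interface stays unfiltered.
            if [ -r "$RULES6" ]; then
                exec /sbin/ip6tables-restore < "$RULES6"
            fi
            ;;
    esac
    exit 0
}

# Only act when invoked by ifupdown (IFACE set); otherwise just define
# the functions so the file can be sourced and checked.
if [ -n "${IFACE:-}" ]; then
    main
fi
```

Make it executable with chmod +x and nothing else needs to change in /etc/network/interfaces; ifupdown runs the directory for every interface it configures. If an init script from the earlier replies is also installed it becomes redundant, and its stop action would flush the rules this hook loaded.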