iptables startup script

mushmaster · 02-23-2005, 11:08 PM

i use this command:

iptables -A INPUT -p tcp --syn -j DROP

to get iptables set up and running like i like it.

i want to make it do that when i boot up, automatically.

how?

harken · 02-24-2005, 02:01 AM

Create a script containing the lines you wish, give it a easy to remember name, like firewall_script.sh, place it in /etc/init.d then run as root 'update-rc.d firewall_script.sh defaults'. That creates symlinks in etc/rc*.d to your script. Instead of default settings (start script in runlevels 2-5 and stop it in 0,1,6) you can choose others using the start and stop options.

RHELL · 02-24-2005, 02:02 AM

http://www.die.net/doc/linux/man/man...es-save.8.html

mushmaster · 02-24-2005, 12:08 PM

wait a minute... iptables isn't some kind of program that needs to be running for a firewall to be up, it's just a command that configures packet filtering, right?

so it isn't something that needs to be "running" at all times, and there's no need to have it run at startup... or is there?

harken · 02-24-2005, 12:19 PM

I'll quote from the man pages:

Quote:

iptables - administration tool for IPv4 packet filtering and NAT...
DESCRIPTION
Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel...
TARGETS
A firewall rule specifies criteria for a packet, and a target.

Basically, with iptables you can create a firewall fitted to your demands.

Quote:

it's just a command that configures packet filtering, right?

so it isn't something that needs to be "running" at all times, and there's no need to have it run at startup... or is there?

To achieve packet filtering capabilities I think it's obvious that the program responsible with that needs to run continously. How else could it "see" and filter the packets?

And, after all, isn't this what you asked for in your first post?

Quote:

i want to make it do that when i boot up, automatically.

voyciz · 02-24-2005, 12:30 PM

I'm pretty new to this, harken, but I do believe you're wrong. I'm under the impression that iptables is used to modify rules in the kernel, and doesn't need to be running continuously. It's not a daemon.

harken · 02-24-2005, 12:42 PM

Yes, you're right A. F., I expressed myself wrong. Indeed, take a look at the first quote: it says that Iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. I wasn't meaning iptables itself when I said the program must be running permanently. I ment that the "modifications" in the rules must be permanent in order to filter the packets and the iptables entries must be added each time the kernel boots.

Sorry, my mistake. Hope I got it right this time.

michaelk · 02-24-2005, 01:31 PM

To be technically correct netfilter [edited] can be compiled into the kernel or loaded as modules. A typical start up script located in /etc/init.d would load the modules and rules.

I'm unfamilar with debian but there probably is a script called iptables-save which will save your current ruleset.

voyciz · 02-24-2005, 01:46 PM

michaelk, I thought it was netfilter that could be compiled into the kernel, not iptables...

michaelk · 02-24-2005, 01:54 PM

Your correct I messed up.

harken · 02-24-2005, 02:03 PM

Well A.F., looks like you've got us both

Nice job, two guys/day, keep it up!

voyciz · 02-24-2005, 02:16 PM

Haha, yeah, thanks. Just happened to remember those small details, still a newbie.

RHELL · 02-25-2005, 12:32 PM

/sbin/iptables is the tool to alter rules
/etc/init.d/iptables is the wrapper that allows the daemon to be started/stopped/restarted. The actual filtering is done by netfilter, but the service is still called 'iptables'.

The rules can be edited from command line, and also saved, but the daemon must be running to control access to the host.

Not sure how the wrappers are controlled from debian, but it's 'service iptables start' from RH.