iptables & rc.local starting script = applications are slowing down.

immer · 12-13-2003, 08:06 AM

Hello everybody!

Aurox 9.1 (based on RedHat 9.0).

my /etc/rc.firewall:

Code:

#!/bin/bash

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp

/sbin/iptables -F
/sbin/iptables -P INPUT DROP

/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

my /etc/rc.local:

Code:

#!/bin/sh

touch /var/lock/subsys/local
/etc/rc.firewall

After system startup some applications don't want to start - for example wine or Gnome (fluxbox starts OK). Some applications start perfectly (ex. Mozilla), but after while i can't do anything with them.

If i remove line:

Code:

/sbin/iptables -P INPUT DROP

from /etc/rc.firewall file everything is OK.

I don't want to use

Code:

service iptables save

I would like to start script with firewall configuration at system startup. How should i do it properly?

g-rod · 12-13-2003, 08:28 AM

Change your input policy to drop.
iptables -I INPUT -i eth1 -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -P INPUT DROP

I ASSUME that eth1 is your INTERNAL interface and you want to connect to the box from inside you network. If you only want to connect to it from the local terminal remove the first entry.

The second line allows local connections.
If you still have trouble add login before dropping.
iptables -A INPUT -j LOG --log-prefix IPTABLES-INPUT
cat /var/log/messages | grep IPTABLES-INPUT

david_ross · 12-13-2003, 08:39 AM

I have also had this problem the way I get round it is to allow connections to the machine from itself - ie:
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCPET

immer · 12-13-2003, 09:11 AM

Allowing traffic to loopback resolve problem!

Big thx! I didn't realised that iptables control traffic on lo.