Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I have a server running Ubuntu 8.04. I have added a few iptables chains, but they keep resetting (by resetting, I mean an iptables -L shows nothing after a day). I have read the other posts about iptables and none of them have helped. I don't know what information is relevant, so sorry for the lack of it.
The problem is probably that the configuration you do (which you should save) is not loaded when the system (re)starts. The loading may fail for a variety of reasons, but one is that you either haven't saved the new ruleset or haven't made the system load it.
There are graphical front-ends to iptables that may allow you to easily just "save" the configuration, and the program takes care of the rest (making iptables load the configuration during boot). But you can just as well use a simple script to work it out; again this can be done in many ways, but a simple one is to have a file where you save the configuration using iptables-save and an init script that reads the configuration from that file using iptables-restore when the system boots.
See
Code:
man iptables-save
man iptables-restore
for information on how these work. A simple approach could be to create a configuration, then run (would probably require higher privileges than those of a regular user -- bear that in mind)
Code:
iptables-save > /etc/iptables.rules
and put
Code:
iptables-restore < /etc/iptables.rules
into an init script of your preference, like /etc/rc.local if you want it quick; note that this file is probably run as the last one, so if you consider it important to have it run in a specific order (to the other scripts), see the other init scripts in the system and modify them if needed.
Actually an even easier way would be to have a script that contained the whole configuration (as iptables commands) and in the end would run iptables-save (like in the above example), in addition to the script that loads the configuration during boot. This way you wouldn't have to start from scratch when you modified the firewall configuration, but would only have to edit the relevant parts of the rules-script and re-run it.
Probably (at least some of) the graphical front-ends to iptables do the "save setup" thing that way, by creating an init script that loads the saved configuration from a file.
Last edited by b0uncer; 02-12-2009 at 01:17 PM.
Reason: typos, thanks for the small keyboard
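The save/restore approach above has one failure mode worth guarding against: if /etc/iptables.rules is missing, unreadable or truncated, iptables-restore applies nothing and the box comes up with empty accept-all chains, which is exactly the symptom in the question. The following loader script is an added example (not code from the thread or from any of its posters); the file path, the `load` argument and the DRY_RUN switch are assumptions. It sanity-checks the saved file before handing it to iptables-restore and refuses to proceed, loudly, if the file does not look like iptables-save output.

```shell
#!/bin/sh
# load-firewall.sh - restore a saved iptables ruleset at boot (e.g. from /etc/rc.local).
# Added example; path, argument name and DRY_RUN switch are assumptions, not from the thread.
set -u

RULES_FILE=${RULES_FILE:-/etc/iptables.rules}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 checks the file but does not touch the live ruleset

# check_rules_file: sanity-check a file produced by iptables-save before feeding it to
# iptables-restore. Returns 0 if it looks usable, 1 otherwise, with the reason on stderr.
check_rules_file() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "firewall: $f missing or unreadable; ruleset NOT loaded" >&2
        return 1
    fi
    if ! grep -q '^\*filter' "$f"; then
        echo "firewall: $f has no *filter table; ruleset NOT loaded" >&2
        return 1
    fi
    if ! grep -q '^COMMIT' "$f"; then
        echo "firewall: $f is truncated (no COMMIT line); ruleset NOT loaded" >&2
        return 1
    fi
    return 0
}

# restore_rules: validate first, then apply. iptables-restore replaces the whole table
# from the file; if the file is bad it applies nothing, so the check is what makes the
# failure visible instead of silently leaving the chains empty.
restore_rules() {
    check_rules_file "$RULES_FILE" || return 1
    if [ "$DRY_RUN" = 1 ]; then
        echo "would run: iptables-restore < $RULES_FILE"
    else
        iptables-restore < "$RULES_FILE"
    fi
}

# Only act when explicitly asked, so sourcing the file for its functions is harmless.
case "${1:-}" in
    load) restore_rules ;;
esac
```

To use it at boot, put a line such as `sh /usr/local/sbin/load-firewall.sh load` (assumed location) into /etc/rc.local before its final `exit 0`; running it with `DRY_RUN=1` first shows whether the saved file passes the checks without changing the live ruleset.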
...and the advantage of creating your iptables ruleset from a bash script is that you can do stuff like defining a variable, say
int_net_addr
and then use the value of that variable everywhere you want to specify 'do this with anything in the internal network'. If you don't want to do this kind of thing, you probably might as well just do iptables-save and iptables-restore.
That's a big helper indeed, thanks for adding that. The use of variables instead of re-typing lots of things should start right from the beginning, for example
Code:
IPT=$(which iptables)
# Flush all rules
$IPT -F
# The rest of the script
...
that way the script should work even if the environment changes (for example if the executable isn't where you suppose it was), or if you need to change something that is used throughout the script (path to executable, static address(es), ...), you only need to alter the variable definition (as salasi pointed out).
But even if you do use this script-based approach, you can still use iptables-save in the end to save the configuration to a file, and instead of re-running the script at each boot simply run iptables-restore to load the saved configuration. If you only need one firewall configuration that fills all your needs, it's probably all the same, but if you (for example) needed several configurations, you could simply make copies of the script and modify them (thus having several scripts that would all iptables-save to the same file) to your needs, and if you needed to alter your firewall configuration from config A to config B, you would only have to run the appropriate script -- iptables-restore would then take care of reloading that configuration during boot, without needing to modify any init scripts (another way to do this would be to use a symlink to determine the actual configuration, but having several scripts frees one from symlinks too).
There are a lot of options, but take your time and see what's the easiest one for you in your situation.
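Putting salasi's variable idea and the script-then-save approach from the post above together, here is an added example of a complete rules script (not code from the thread or from any of its posters). The interface name, the internal network address and the DRY_RUN switch are assumptions; the rule set itself is a deliberately small default-deny policy chosen to show the pattern, not a recommendation for any particular host. Every rule goes through one `run` helper so the whole script can be printed without touching the live ruleset, and the script ends with iptables-save so that the boot-time iptables-restore picks up the result.

```shell
#!/bin/sh
# firewall.sh - build the ruleset from variables, then save it for iptables-restore.
# Added example; interface, address and DRY_RUN switch are assumptions, not from the thread.
set -u

IPT=${IPT:-$(command -v iptables || echo iptables)}   # path to the binary, found at run time
INT_NET_ADDR=${INT_NET_ADDR:-192.168.1.0/24}            # internal network (constructed value)
WAN_IF=${WAN_IF:-eth0}                                  # outside-facing interface (assumption)
RULES_FILE=${RULES_FILE:-/etc/iptables.rules}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints each command instead of executing it

# run: execute an iptables command, or print it when DRY_RUN=1.
# (The printed form loses shell quoting, e.g. around the log prefix; it is for review only.)
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# build_rules: the whole policy, expressed once, using the variables above.
build_rules() {
    # Start from a clean slate so re-running the script is idempotent
    run "$IPT" -F
    run "$IPT" -X
    # Default-deny inbound and forwarded traffic; allow outbound
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT
    # Loopback, and replies to connections this host started
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Management (SSH) only from the internal network; change INT_NET_ADDR, not the rule
    run "$IPT" -A INPUT -s "$INT_NET_ADDR" -p tcp --dport 22 -j ACCEPT
    # Log what the default policy is about to drop on the outside interface
    run "$IPT" -A INPUT -i "$WAN_IF" -j LOG --log-prefix "FW-DROP: " --log-level 4
}

# save_rules: persist the live ruleset so the boot-time iptables-restore can reload it.
save_rules() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables-save > %s\n' "$RULES_FILE"
    else
        iptables-save > "$RULES_FILE"
    fi
}

# Only act when explicitly asked; needs root for the real run.
case "${1:-}" in
    apply) build_rules && save_rules ;;
esac
```

Running `DRY_RUN=1 sh firewall.sh apply` prints the exact iptables commands that would be executed, which is a cheap way to review a change (or a copy of the script for config B) before applying it on a remote box where a wrong INPUT rule locks you out.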
You may be helped by looking at a well worked out sample script. This one (which is for RedHat, and is very similar to the version in the printed Linux Quick Fix Notebook by harrison) http://www.linuxhomenetworking.com/w...Using_iptables
is pretty well worked out from a scripting point of view (err, imho). I don't think it is easy to run the script itself from Ubuntu without mods (something about permissions and writing direct to /proc/.. rather than using sysctl, if I remember), but I am guessing that a good hard look will enable you to get over your present problems.