LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 08-09-2009, 08:28 AM   #1
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

if server restarts is iptables lost?


If the server restarts, does the information in iptables get lost?
I have seen a number of pages where people recommend re-adding lines or creating bash scripts to get it to work again.

What about files like squid.conf, ncsa_auth files, etc.?
 
Old 08-09-2009, 08:56 AM   #2
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Anything that's a .conf file is a text file, usually configured by the human, and will remain unchanged during reboot.

Iptables however has its running configuration stored in the kernel-space somewhere (in memory) so yes, it does get wiped during reboot, and needs to be restored after boot. Iptables includes a few tools to do this, one of which (important) is the command `iptables-restore`.

You would have typically one of two or three common means of setting up your iptables after a boot:

1) Have an iptables "script" file, which you would implement with the `iptables-restore` command. The "script" I refer to can be created using `iptables-save > somefile` to dump your running configuration to a file.
2) Have a (bash or other scripting language) firewall script, which reads its configuration file(s) and then sets up iptables.
3) OR, have a bash script (or other language) which actually runs a series of "iptables -A" commands directly, putting in place the chains & filters that you want.

Check the iptables man page -- it's very complete, but can be confusing -- or try HERE for what I have found to be a really handy breakdown of how to do lots of iptables stuff. Sections 8.3 and 8.4 talk about iptables-save/restore.

Sasha

Last edited by GrapefruiTgirl; 08-09-2009 at 08:59 AM.
 
Old 08-09-2009, 09:01 AM   #3
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Will this work in CentOS?
/etc/init.d/iptables save

One document said to do this:
Quote:
Example

For example, save current iptables firewall rules:
# iptables-save > /root/dsl.fw
To restore iptables rules:
# iptables-restore < /root/dsl.fw
Redhat/Fedora core linux

To restore rules automatically upon Linux system reboot add following command to your /etc/rc.local (if you are using Fedora or Red Hat Linux):
# vi /etc/rc.local
Append the line:
iptables-restore < /root/dsl.fw

Last edited by qwertyjjj; 08-09-2009 at 09:03 AM.
 
Old 08-09-2009, 09:13 AM   #4
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Assuming that the symlink /etc/init.d/iptables exists, then yes, it should work. However, note in the Example you quoted, you need to use a redirect > to direct the save into a file. This file is then used to restore the identical configuration later.

I can't speak directly about how a CentOS server/system is configured, but the iptables program(s) work the same, regardless of the Linux; it's just the locations of the binaries and the individual init script locations that may differ.

Sasha
 
Old 08-09-2009, 10:05 AM   #5
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Quote:
Originally Posted by GrapefruiTgirl View Post
Assuming that the symlink /etc/init.d/iptables exists, then yes, it should work. However, note in the Example you quoted, you need to use a redirect > to direct the save into a file. This file is then used to restore the identical configuration later.

I can't speak directly about how a CentOS server/system is configured, but the iptables program(s) work the same, regardless of the Linux; it's just the locations of the binaries and the individual init script locations that may differ.

Sasha
Ok.

So, what's the difference between running this:
/etc/init.d/iptables save

and this:
# iptables-save > /root/dsl.fw

To restore rules automatically upon Linux system reboot add following command to your /etc/rc.local (if you are using Fedora or Red Hat Linux):
# vi /etc/rc.local
Append the line:
iptables-restore < /root/dsl.fw

The first one just seems to be an auto command, yet the 2nd you have to save a file and then change a system file.
 
Old 08-09-2009, 10:11 AM   #6
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
so I did this:
iptables-save > /etc/firewall.conf

then edited the rc.local file to
Code:
[root@localhost ~]# vi /etc/rc.local
quotacheck -vagum
quotaon -av
/etc/init.d/ntpd stop
/usr/sbin/ntpdate 213.xxx.xxx.x
/etc/init.d/ntpd start

/etc/sysconfig/firewall
/sbin/modprobe ip_conntrack_ftp
/usr/sbin/update-alternatives --set mta /usr/sbin/sendmail.postfix

iptables-restore < /etc/firewall.conf
Will that work? Do I need to restart the rc.local file somehow or just save it?
 
Old 08-09-2009, 10:20 AM   #7
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Quote:
Originally Posted by qwertyjjj View Post
Ok.

So, what's the difference between running this:
/etc/init.d/iptables save

and this:
# iptables-save > /root/dsl.fw

To restore rules automatically upon Linux system reboot add following command to your /etc/rc.local (if you are using Fedora or Red Hat Linux):
# vi /etc/rc.local
Append the line:
iptables-restore < /root/dsl.fw

The first one just seems to be an auto command, yet the 2nd you have to save a file and then change a system file.
You'd need to look on your own system, and see exactly what the file /etc/init.d/iptables is. It's probably a symlink. And without specifying a file or location to save *to*, I have no clue *where* the saved data will go.

Its end result is otherwise exactly the same as the iptables-save > /root/dsl.fw except here, we see the data being saved to the file dsl.fw.

rc.local is an init script, executed as root during boot of the machine. In it, the user (you) can put stuff that is not default system configuration stuff, but which you would like to run at the end of the boot process. I use it to execute my firewall, run hdparm, modprobe a modem driver, and stuff like this. It is technically a 'system file' but it is there for your own custom config options.

There's a similar file you can use, called rc.local.shutdown where you can put stuff that you want executed automatically during shutdown too.

The line you put up there which is iptables-restore < /root/dsl.fw just causes the iptables configuration to be restored during boot.

Sasha
 
Old 08-09-2009, 10:25 AM   #8
GrapefruiTgirl
LQ Guru
 
Registered: Dec 2006
Location: underground
Distribution: Slackware64
Posts: 7,594

Quote:
Originally Posted by qwertyjjj View Post
so I did this:
iptables-save > /etc/firewall.conf

then edited the rc.local file to
Code:
[root@localhost ~]# vi /etc/rc.local
quotacheck -vagum
quotaon -av
/etc/init.d/ntpd stop
/usr/sbin/ntpdate 213.xxx.xxx.x
/etc/init.d/ntpd start

/etc/sysconfig/firewall
/sbin/modprobe ip_conntrack_ftp
/usr/sbin/update-alternatives --set mta /usr/sbin/sendmail.postfix

iptables-restore < /etc/firewall.conf
Will that work? Do I need to restart the rc.local file somehow or just save it?
Yep, looks pretty correct to me. Just save the file. You don't need to execute it again, unless you want to execute the commands that are in it.

Otherwise, just save it, and it should be executed automatically upon reboot.

(TIP): I have a line in my init scripts, near the top, which tells me on the console during bootup, which init script is executing. Simple, like:

echo "Executing rc.local..."

at the top of the file. This way, you KNOW your rc.local file is being executed.

Sasha
 
Old 08-09-2009, 01:43 PM   #9
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

In Centos (RedHat for the poor) your /etc/init.d/iptables save will put the config file into /etc/sysconfig/iptables.
If you've run
service iptables on
that is all you need to do. While there's nothing wrong with your way of doing things it would make sense to stick with the methodology of the distro you're using.

Cheers,
Tink
 
Old 08-09-2009, 03:03 PM   #10
qwertyjjj
Senior Member
 
Registered: Jul 2009
Location: UK
Distribution: Cent OS5 with Plesk
Posts: 1,013

Original Poster
Quote:
Originally Posted by Tinkster View Post
In Centos (RedHat for the poor) your /etc/init.d/iptables save will put the config file into /etc/sysconfig/iptables.
If you've run
service iptables on
that is all you need to do. While there's nothing wrong with your way of doing things it would make sense to stick with the methodology of the distro you're using.

Cheers,
Tink
service iptables on or service iptables start?
I have run iptables restart a few times to flush after adding new rules so is that the same thing?
So, using this method there is no need to save the settings anywhere?
The same rules will be used even if the server is restarted?

Do I need to resave every time I make a change?

Last edited by qwertyjjj; 08-09-2009 at 03:39 PM.
 
Old 08-09-2009, 03:51 PM   #11
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Quote:
Originally Posted by qwertyjjj View Post
service iptables on or service iptables start?
Ooops ... that was before my first coffee ;}
service iptables start
chkconfig iptables on

Quote:
Originally Posted by qwertyjjj View Post
I have run iptables restart a few times to flush after adding new rules so is that the same thing?
If you add new rules by manually invoking
iptables -A ....
you'd need to do a service iptables save to make them
take after a service restart

Quote:
Originally Posted by qwertyjjj View Post
So, using this method there is no need to save the settings anywhere?
The same rules will be used even if the server is restarted?
No, you still need to save, but not by invoking iptables-save > ...
but rather using the built-in functionality and the system-defined
save mechanism.

Quote:
Originally Posted by qwertyjjj View Post
Do I need to resave every time I make a change?
See above.



Cheers,
Tink
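A check for the situation Tink describes (rules added with iptables -A but never saved, which vanish at the next reboot or service restart), as an added example that is not from the thread or from any poster: it compares the persisted dump with the running one while ignoring the timestamp comment and the packet counters, so only real rule changes count as drift. It assumes the CentOS layout where service iptables save writes /etc/sysconfig/iptables; the two sample dumps are constructed.

```shell
#!/bin/sh
# Drift check between the persisted ruleset (survives reboot) and the running one. Added example.

# Normalise a dump so only rule content is compared: drop '#' comment lines
# (they carry a timestamp) and zero the counters in policy lines like ":INPUT ACCEPT [12:3456]".
normalize_ruleset() {
    sed -e '/^#/d' -e 's/\[[0-9]*:[0-9]*\]/[0:0]/' -e '/^[[:space:]]*$/d' "$1"
}

# 0 when both dumps describe the same rules, 1 on drift; prints the differing
# lines ("<" only in the saved file, ">" only in the running ruleset).
ruleset_drift() {
    s_norm=$(mktemp); r_norm=$(mktemp)
    normalize_ruleset "$1" > "$s_norm"
    normalize_ruleset "$2" > "$r_norm"
    if diff "$s_norm" "$r_norm"; then rc=0; else rc=1; fi
    rm -f "$s_norm" "$r_norm"
    return $rc
}

# Live check on a CentOS-style host: compare /etc/sysconfig/iptables (what
# 'service iptables save' writes) with the kernel. Needs root, so it is defined but not called.
check_live() {
    live=$(mktemp)
    iptables-save > "$live"
    if ruleset_drift /etc/sysconfig/iptables "$live"; then rc=0; else rc=1; fi
    rm -f "$live"
    return $rc
}

# Constructed sample dumps (not real captures): the saved file, and a running
# ruleset where an HTTP rule was added with 'iptables -A' but never saved.
make_samples() {
    printf '%s\n' '# Generated by iptables-save on Sun Aug  9 10:05:00 2009' \
        '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT' 'COMMIT' > "$1"
    printf '%s\n' '# Generated by iptables-save on Sun Aug  9 15:51:00 2009' \
        '*filter' ':INPUT ACCEPT [812:61044]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [790:95220]' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT' '-A INPUT -p tcp --dport 80 -j ACCEPT' 'COMMIT' > "$2"
}

demo_saved=$(mktemp); demo_running=$(mktemp)
make_samples "$demo_saved" "$demo_running"
if ruleset_drift "$demo_saved" "$demo_running" > /dev/null; then
    echo "persisted and running rulesets match"
else
    echo "unsaved rule changes detected: run 'service iptables save' or they are lost on reboot"
fi
rm -f "$demo_saved" "$demo_running"
```

Run as root with check_live in place of the demo to compare the real /etc/sysconfig/iptables against the kernel; a non-zero exit means something was added but not saved.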
 
  

