LinuxQuestions.org

Linux - Security: Correctly loading iptables (https://www.linuxquestions.org/questions/linux-security-4/correctly-loading-iptables-4175534534/)

Miati 02-19-2015 10:39 AM

Correctly loading iptables
 
I have a fairly simple iptables script.
I want to load it prior to network connection.

I've put it in /etc/init.d/iptables (+ exec bit set)

However, it seems I need to run update-rc.d on it.

After reading through the man pages of update-rc.d I came up with this command in an attempt to load iptables on run level 2 (which as I understand is the runlevel before the network)

Code:

update-rc.d iptables start 2 .

It gives me this error:

Code:

update-rc.d: warning: /etc/init.d/iptables missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
update-rc.d: error: expected runlevel [0-9S] (did you forget "." ?)

As I understand it, lsb info is for services.. since my script has no need to start or stop like a service, do I really need it?
Also, do I really need to run it on every run level? I don't understand the point of "stopping" a script at shutdown that does nothing but define a ruleset.

sag47 02-22-2015 03:15 PM

If you're creating an init script it has to conform to being able to start/stop. In this case start would be loading the rules and stop would be flushing them. I recommend you make use of iptables-restore to restore rules and iptables -F to flush them.

If you're less interested in treating your firewall rules as a service then you'll have to load the rules some other way. Crontab has the @reboot alias (see man 5 crontab). You could also modify the interface startup so that it loads the rules after starting up the networking.

Miati 02-22-2015 06:04 PM

I don't mind doing it another way, my main goal is to load the iptables prior to a network connection.
crontab will run @reboot when it is loaded and I am not sure when it is loaded.

Most likely, this is not an issue, but I would like to do this the "correct" way. As I understand it (for example) placing it in rc.local is not correct, since I believe it loads the network prior to running rc.local commands..

Miati 02-26-2015 09:32 AM

I decided to figure out and identify how to write an init.d script (learn once, use forever right?)
I mostly used the format from other init.d scripts so I can't say I know exactly what I was doing - but it seems to work.
Is there anything "wrong" about the LSB info below?
In any case, it seems to work like this. It may be of use in the future as a reference.
Code:

#!/bin/bash
### BEGIN INIT INFO
# Provides:          iptables
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Should-Start:      $portmap
# Should-Stop:       $portmap
# X-Start-Before:    nis
# X-Stop-After:      nis
# Default-Start:     2
# Default-Stop:      1
# X-Interactive:     false
# Short-Description: Iptable setup
# Description:       Sets iptable rules
### END INIT INFO

ipt=/sbin/iptables

loadrules() {
        # My iptable rules (left out of the post); the ':' no-op only keeps
        # the function syntactically valid until the rules are filled in
        :
}

removerules() {
        # Reset default policies to ACCEPT, then flush and delete all chains
        $ipt -P INPUT ACCEPT
        $ipt -P FORWARD ACCEPT
        $ipt -P OUTPUT ACCEPT
        $ipt -F
        $ipt -X
}

case "$1" in
        start)
                loadrules
                ;;
        stop)
                removerules
                ;;
        *)
                echo "Usage: $0 start|stop" >&2
                exit 3
                ;;
esac
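A small pre-flight check, added here as an example and not part of the thread, that reads an init.d script and reports what update-rc.d would complain about before you register it: the "missing LSB information" warning from the first post, and sag47's point that the script must implement both start and stop. The function name lsb_check and the required-keyword list (my reading of the LSB init-script comment convention) are my own.

```bash
#!/bin/bash
# Pre-flight check for an init.d script before handing it to update-rc.d.
# update-rc.d reads the dependency header between "### BEGIN INIT INFO" and
# "### END INIT INFO"; without it you get the "missing LSB information" warning.
# lsb_check FILE prints each problem on its own line and returns 1 if any
# problem is found, 0 if the script is complete.
lsb_check() {
    local script="$1" block key status=0
    # Pull out only the LSB block, so stray keywords in other comments
    # are not counted.
    block=$(sed -n '/^### BEGIN INIT INFO/,/^### END INIT INFO/p' "$script")
    if [ -z "$block" ] || ! printf '%s\n' "$block" | grep -q '^### END INIT INFO'; then
        echo "no LSB block (### BEGIN INIT INFO ... ### END INIT INFO)"
        return 1
    fi
    # Keywords the LSB comment convention marks as required (assumed list).
    for key in Provides Required-Start Required-Stop Default-Start Default-Stop Short-Description; do
        if ! printf '%s\n' "$block" | grep -q "^# $key:"; then
            echo "missing: $key"
            status=1
        fi
    done
    # An init script has to handle both start and stop; look for the case labels.
    for key in start stop; do
        if ! grep -Eq "^[[:space:]]*$key\)" "$script"; then
            echo "no '$key)' case in the script body"
            status=1
        fi
    done
    return $status
}
```

Run it as `lsb_check /etc/init.d/iptables` before `update-rc.d iptables defaults`; an empty output and exit status 0 means the header and the start/stop cases are present.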