LinuxQuestions.org, Linux - Security: IPTables: config files, scripts, saving etc...confused (https://www.linuxquestions.org/questions/linux-security-4/iptables-config-files-scripts-saving-etc-confused-272042/)

tarballed 12-30-2004 04:30 PM

IPTables: config files, scripts, saving etc...confused
 
Back everyone, with, I'm hoping, a rather simple answer to my question.

Been wrapping my head around IPTables for 2 weeks now, and finally have been able to get a few rules the way I like.

However, I am confused on a few things. Let me explain.

Currently working with Fedora Core 3.

Now, adding rules via the command line is simple enough. Saving the rules is just a matter of:

service iptables save

Which, saves the rules to a file: /etc/sysconfig/iptables

Now, where I am a bit lost is in the use of variables. For instance, I am going to be setting up a multi-homed firewall with iptables. It will use a DMZ and private LAN. With that, I need to somehow specify the interfaces and IP address for each one in my rules. But I'm confused.

So how does one actually add variables to my rulesets? Can it be done via the command line? Can I edit /etc/init/iptables? Or maybe edit /etc/sysconfig/iptables?

I'm just confused on how to put in my variables for IPTables to use.
If it calls for scripting, boy, I need to break out the books. It's been awhile.

Hopefully, someone can clear this up for me.

I appreciate it.

Tarballed

Butt-Ugly 12-30-2004 06:11 PM

Don't touch the "/etc/sysconfig/iptables" or "/etc/init.d/iptables" files unless you know what you're doing. You can create a simple script, then save the changes to the appropriate files.

The script can be placed anywhere on your system as a standard file, then do "chmod +x scriptname" to make it executable.
It can be executed by "./scriptname" or "/directory/names/scriptname". You can't simply type "scriptname" if you're in the same directory.

The variables are used inside the script where you would want to use a certain value more than once, so if you used "eth0" a few times your script might look like:
Code:

#!/bin/sh
# EXAMPLE ONLY

# Assign the interface name once; every rule below refers to $INT_DEV.
INT_DEV=eth0
# Log packets arriving on the internal interface, then accept them.
iptables -A INPUT -i $INT_DEV -j LOG
iptables -A INPUT -i $INT_DEV -j ACCEPT

This just saves you having to type "eth0" in all of your commands. It doesn't matter which way you do it, however using variables and assigning values allows the script to be adjusted easily if you make any changes to your networking configuration.

Remember, basic shell scripting is just adding a bunch of commands into a file that you can simply type at the command prompt one after the other; it just automates it.

Miles

amfoster 12-30-2004 06:12 PM

I do all firewall rules from a script.
Then make sure the script executes at boot up time.

First rule is iptables -F.
Then I can create any variable I want in that script.

example:

iface=eth0
xpbox=192.168.0.1

iptables -A INPUT -i $iface -s $xpbox -p tcp -j ACCEPT

Ok, stupid as a first rule, but it is there as an example.

tarballed 12-30-2004 06:32 PM

Got it.

Not only do I need to put in my iptables rules, but I cannot leave out the modules to be loaded as well.
Once the script is executed, should work then.

Thanks guys.

Butt-Ugly 12-30-2004 06:41 PM

If you create your firewall script, then execute it, then save it; the module loading does not get saved in "/etc/sysconfig/iptables".

If you plan on using initscripts to handle your iptables (perfectly ok), then you should manually add the modules you need to "/etc/sysconfig/iptables-config".

Miles.
