Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
03-31-2006, 12:05 PM
#1 (lx3000)
LQ Newbie
Registered: Mar 2006
Distribution: Red Hat Enterprise Linux 4, Fedora Core 7
Posts: 26
iptables firewall falls back to default after reboot
Hello everybody !!!
I'm somewhere between the novice and intermediate part in Linux. I'm having a bit of trouble with my iptables: I set up a firewall, block some ports I don't need, and when I list my rules with iptables -L -v everything seems to work perfectly, but once I reboot my computer all the rules are changed to the default ones; ports that were closed after I created my firewall are now open. I would really appreciate some help!
P.S.: I suspect there is a command that saves all my iptables rules, but unfortunately I haven't found one yet :-(
Last edited by lx3000; 03-31-2006 at 12:06 PM.
03-31-2006, 12:46 PM
#2 (haertig)
Senior Member
Registered: Nov 2004
Distribution: Mint, MX, antiX, SystemRescue
Posts: 2,337
There are a couple of ways. Here's what I did: create a file, /etc/init.d/firewall, with the contents below. Do this as root, and make the file mode 700 for security (e.g., chmod 700 /etc/init.d/firewall).
Code:
#!/bin/sh
IPTABLES=/sbin/iptables
case "$1" in
start)
echo -n "Starting IP Firewall ... "
# Clear any existing rules, zero counters
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t filter -F
$IPTABLES -Z
# Set default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# Allow loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow packets from established or related connections
# This rule affects all protocols (tcp, udp, icmp)
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow incoming SSH
$IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT
echo "done"
;;
stop)
echo -n "Stopping IP Firewall ... "
# Clear any existing rules, zero counters
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t filter -F
$IPTABLES -Z
# Allow everything
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
echo "done"
;;
restart)
echo -n "Restarting IP Firewall ... "
# Stop, then start
$0 stop > /dev/null
sleep 1
$0 start > /dev/null
echo "done"
;;
lock|lockdown|panic|shutdown|deny|denyall)
echo -n "Locking down IP Firewall (disallow all network traffic) ... "
# Clear any existing rules, zero counters
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t filter -F
$IPTABLES -Z
# Shut everything down
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# Allow loopback (LOCALHOST, 127.0.0.1)
$IPTABLES -A INPUT -i lo -j ACCEPT
echo "done"
;;
*)
echo "Usage: $0 {start|stop|restart|panic}"
;;
esac
Then I executed the following commands (as root):
Code:
# ln -s /etc/init.d/firewall /etc/rc2.d/S20firewall
# ln -s /etc/init.d/firewall /etc/rc3.d/S20firewall
# ln -s /etc/init.d/firewall /etc/rc4.d/S20firewall
# ln -s /etc/init.d/firewall /etc/rc5.d/S20firewall
# /etc/init.d/firewall start
03-31-2006, 12:49 PM
#3 (lx3000, Original Poster)
LQ Newbie
Registered: Mar 2006
Distribution: Red Hat Enterprise Linux 4, Fedora Core 7
Posts: 26
Solution Found
OK, I found the missing command: it was iptables-save > /etc/sysconfig/iptables. This command really did save all my rules, but if you have a better solution I will always be glad to hear it!
03-31-2006, 12:57 PM
#4 (lx3000, Original Poster)
LQ Newbie
Registered: Mar 2006
Distribution: Red Hat Enterprise Linux 4, Fedora Core 7
Posts: 26
thanks haertig
Thanks, that script really did work! And one more thing: what do you think, should I close the 111 port (it's used by rpcbind)? I've done a bit of researching on the web on this topic; well, some say you have to block it, others say you must not, so right now I've left it open and am waiting for some definite advice!
P.S.: I know that it has nothing to do with the topic but........:-)
03-31-2006, 01:33 PM
#5 (haertig)
Senior Member
Registered: Nov 2004
Distribution: Mint, MX, antiX, SystemRescue
Posts: 2,337
Quote:
Originally Posted by lx3000
...should I close the 111 port (it's used by rpcbind) ?
portmap uses this port. I think this may be needed by desktop environments like Gnome or KDE (I'm not 100% sure about this though).
I limited mine to only LISTEN on the local adapter, allowing Gnome/KDE to connect if required, but stopping other systems from connecting. On my Debian system this was done by editing /etc/default/portmap and adding:
Code:
OPTIONS="-i 127.0.0.1"
...then running "/etc/init.d/portmap restart". I then verified things were good, like this:
Code:
# netstat -anp | grep 111
tcp        0      0 127.0.0.1:111    0.0.0.0:*    LISTEN    4583/portmap
udp        0      0 127.0.0.1:111    0.0.0.0:*              4583/portmap
Last edited by haertig; 03-31-2006 at 01:35 PM.
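The netstat check above looks at one port by hand. As an added example for this thread (not part of haertig's post or anyone else's), the shell function below reads `netstat -anp` style output and lists every listening TCP socket and every UDP socket that is bound to something other than loopback, which is the general form of the question "is portmap, or anything else, reachable from other hosts?". The sample lines are constructed for this example: the two portmap lines copy the post above, the sshd, rpc.statd, mysqld and httpd entries are made up, so the script runs offline. It assumes netstat's column layout; `ss -lntup` prints different columns.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posts above:
# list listening sockets that are NOT bound to loopback, from `netstat -anp` output.

# Constructed sample of `netstat -anp` output (made up for this example; the two
# portmap lines mirror the post above, the other services are hypothetical).
SAMPLE='tcp        0      0 127.0.0.1:111           0.0.0.0:*               LISTEN      4583/portmap
udp        0      0 127.0.0.1:111           0.0.0.0:*                           4583/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1201/sshd
tcp        0      0 0.0.0.0:22              192.168.1.20:51234      ESTABLISHED 1333/sshd
udp        0      0 0.0.0.0:1024            0.0.0.0:*                           1310/rpc.statd
tcp        0      0 192.168.1.10:3306       0.0.0.0:*               LISTEN      1400/mysqld
tcp6       0      0 :::80                   :::*                    LISTEN      1500/httpd'

# exposed_listeners: read netstat lines on stdin and print "proto address:port program"
# for each TCP socket in LISTEN state and each UDP socket whose local address is
# not loopback. Assumes netstat's columns (ss(8) lays its output out differently).
exposed_listeners() {
    awk '
    $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
        # TCP sockets only matter while listening; UDP lines carry no state column
        if ($1 ~ /^tcp/ && $6 != "LISTEN") next
        local = $4
        n = split(local, parts, ":")
        port = parts[n]
        addr = substr(local, 1, length(local) - length(port) - 1)
        # loopback-only bindings (what the post achieved for portmap) are not exposed
        if (addr == "127.0.0.1" || addr == "::1") next
        # with -p the last column is PID/Program; without -p there is no such column
        prog = ($NF ~ /\//) ? $NF : "-"
        print $1, addr ":" port, prog
    }'
}

# exposed_port PORT: exit 0 if some non-loopback listener uses PORT, 1 otherwise
exposed_port() {
    exposed_listeners | awk -v p="$1" '{ n = split($2, a, ":"); if (a[n] == p) found = 1 }
                                     END { exit (found ? 0 : 1) }'
}

printf '%s\n' "$SAMPLE" | exposed_listeners
if printf '%s\n' "$SAMPLE" | exposed_port 111; then
    echo "port 111 is reachable from other hosts"
else
    echo "port 111 is loopback-only"
fi
```

On a real host replace the constructed sample with `netstat -anp | exposed_listeners` (as root, so the program column is filled in). Anything this prints is what the firewall's INPUT chain has to cover; a service that only needs to talk to itself is better bound to 127.0.0.1, as done for portmap above, than left open and filtered.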
03-31-2006, 01:41 PM
#6
Member
Registered: Aug 2004
Location: Windsor Ontario
Distribution: Ubuntu, Debian, Redhat
Posts: 44
thanks for the script too
Very useful, and easy to modify to your own needs. Saves me some legwork.
03-31-2006, 02:17 PM
#7 (dopehouse)
Member
Registered: May 2004
Location: Hildesheim(Germany)
Distribution: Debian Etch with Kernel 2.6.x (latest vanilla)
Posts: 62
I think it's a good idea to ACCEPT all traffic on the loopback device, because many services use it to communicate with other services or just with themselves. So doing
Code:
#LOOPBACK
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
at the head of your script is a very good idea.
If you want to use iptables-save, then you have to use iptables-restore to load that saved table. I have a script with all my rules, where I can experiment with some rules to test some new things (and some old). Then I added this to my /etc/network/interfaces
Code:
iface ra0 inet dhcp
    pre-up iptables-restore < /etc/iptables/only_ssh.iptable
    pre-down iptables-restore < /etc/iptables/clear_table.iptable
/etc/iptables/ is a directory I made myself, and only_ssh.iptable is the output file from iptables-save after I loaded my rule script. clear_table.iptable is also created by iptables-save, with no rules loaded into iptables. ra0 is my wlan device.
03-31-2006, 02:54 PM
#8 (haertig)
Senior Member
Registered: Nov 2004
Distribution: Mint, MX, antiX, SystemRescue
Posts: 2,337
I just noticed a bug in the "lockdown" section of my script:
Code:
# Shut everything down
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# Allow loopback (LOCALHOST, 127.0.0.1)
$IPTABLES -A INPUT -i lo -j ACCEPT
...because I set the default policy for OUTPUT to DROP when in lockdown, adding only an INPUT rule to allow loopback probably won't work. You should add an OUTPUT rule as well. I've never actually panicked and attempted firewall lockdown before. Thanks for pointing this out, dopehouse. Everywhere else in the script (the "start" and "stop" sections) the default policy for OUTPUT is ACCEPT, so you don't need a specific OUTPUT rule for loopback.
e.g., (note the addition of the OUTPUT rule just prior to the echo "done" statement)
Code:
lock|lockdown|panic|shutdown|deny|denyall)
echo -n "Locking down IP Firewall (disallow all network traffic) ... "
# Clear any existing rules, zero counters
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t filter -F
$IPTABLES -Z
# Shut everything down
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
# Allow loopback (LOCALHOST, 127.0.0.1)
$IPTABLES -A INPUT -i lo -j ACCEPT
# OUTPUT rules match on the outgoing interface (-o); iptables rejects -i here
$IPTABLES -A OUTPUT -o lo -j ACCEPT
echo "done"
;;
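Putting the thread's pieces together as an added example (this is not haertig's init script, dopehouse's files, or anything from the original posts): the "start" policy of the init script above written out in the format that iptables-save produces and iptables-restore reads (the format of /etc/sysconfig/iptables and of dopehouse's only_ssh.iptable), and a check that runs over such a file before it is loaded at boot. The checks encode what the thread concluded: INPUT and FORWARD default to DROP, loopback is accepted on INPUT, and whenever OUTPUT defaults to DROP (the lockdown case) loopback must be accepted on OUTPUT as well, which is the bug found in the lockdown section; it also rejects -i in an OUTPUT rule and -o in an INPUT rule, which iptables itself refuses. The file names, the SSH-only port list and the two sample rulesets are this example's own assumptions, and nothing here calls iptables, so it runs without root; the load step is a separate function for the caller.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posts above.
# Writes rulesets in iptables-save / iptables-restore format and checks them
# before they are loaded. File names are assumptions for the example.

# write_start_ruleset FILE: the "start" policy of the init script above
# (INPUT/FORWARD DROP, OUTPUT ACCEPT, loopback, established/related, ssh)
write_start_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# write_lockdown_ruleset FILE: the lockdown policy exactly as first posted,
# i.e. OUTPUT DROP with only an INPUT rule for loopback (the reported bug)
write_lockdown_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
}

# check_ruleset FILE: print every problem found, return 1 if there were any.
# The expectations (policies, loopback rules) are this example's, not iptables'.
check_ruleset() {
    awk '
    /^\*/     { table = substr($0, 2); open = 1; next }               # "*filter" opens a table
    /^COMMIT/ { open = 0; next }
    /^:/      { sub(/^:/, "", $1); policy[table ":" $1] = $2; next }  # ":INPUT DROP [0:0]"
    /^-A / && table == "filter" {
        chain = $2
        if (chain == "INPUT"  && $0 ~ / -i lo / && $0 ~ /-j ACCEPT/) lo_in = 1
        if (chain == "OUTPUT" && $0 ~ / -o lo / && $0 ~ /-j ACCEPT/) lo_out = 1
        # iptables rejects an input interface on OUTPUT and an output interface on INPUT
        if (chain == "OUTPUT" && $0 ~ / -i /) { print "FAIL: -i in OUTPUT rule: " $0; bad++ }
        if (chain == "INPUT"  && $0 ~ / -o /) { print "FAIL: -o in INPUT rule: " $0; bad++ }
    }
    END {
        if (open) { print "FAIL: table " table " has no COMMIT"; bad++ }
        if (policy["filter:INPUT"]   != "DROP") { print "FAIL: INPUT policy is not DROP"; bad++ }
        if (policy["filter:FORWARD"] != "DROP") { print "FAIL: FORWARD policy is not DROP"; bad++ }
        if (!lo_in) { print "FAIL: no INPUT rule accepts loopback"; bad++ }
        # the lockdown bug: OUTPUT DROP also cuts local clients off from local services
        if (policy["filter:OUTPUT"] == "DROP" && !lo_out) { print "FAIL: OUTPUT policy is DROP but no OUTPUT rule accepts loopback"; bad++ }
        exit (bad ? 1 : 0)
    }' "$1"
}

# load_ruleset FILE: only hand a ruleset to iptables-restore once it passes.
# Needs root and is not called below, so the example runs unprivileged.
load_ruleset() {
    check_ruleset "$1" && iptables-restore < "$1"
}

dir=$(mktemp -d)
write_start_ruleset    "$dir/start.rules"
write_lockdown_ruleset "$dir/lockdown.rules"
for f in "$dir/start.rules" "$dir/lockdown.rules"; do
    if check_ruleset "$f"; then echo "OK   $f"; else echo "BAD  $f"; fi
done
rm -rf "$dir"
```

At boot, the init script or the pre-up line in /etc/network/interfaces would call load_ruleset rather than a bare iptables-restore, so a file that fails the check is never loaded; a policy that would lock you out of the box is then caught on the test run rather than after the reboot. iptables-restore itself only checks syntax and would load the lockdown ruleset above without complaint.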
03-31-2006, 04:02 PM
#9 (dopehouse)
Member
Registered: May 2004
Location: Hildesheim(Germany)
Distribution: Debian Etch with Kernel 2.6.x (latest vanilla)
Posts: 62
Quote:
Originally Posted by haertig
Everywhere else in the script (the "start" and "stop" sections) the default policy for OUTPUT is ACCEPT, so you don't need a specific OUTPUT rule for loopback.
Better twice than not at all
