LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-11-2007, 12:19 AM   #1
fotoITguy
LQ Newbie
 
Registered: Jun 2007
Posts: 7

Rep: Reputation: 0
Question iptables starts with zero rules?


HELP!!??

So I have a situation where upon system boot my iptables rules are not being loaded at all. I am using FC6 and use the default /etc/sysconfig/iptables file to store my rules. I have chkconfig set to load iptables at init 3 (my default run level). Iptables DOES start, however no rules are populated.

This only happens when I include domain names in the /etc/sysconfig/iptables file i.e. :

-A INPUT -s DOMAIN.COM -p tcp -m multiport --dport 22,993 -j ACCEPT

BUT, if instead of domain.com I use an IP address then all the rules are loaded properly verse none at all when I use a domain name.

Does IPTABLES not support using domain names in the ruleset, or is there a way to make this work? Also, I can just do a "service iptables restart" and everything works fine. It just doesn't work on boot!!?!!!
 
Old 08-11-2007, 02:03 AM   #2
sparc86
Member
 
Registered: Jul 2006
Location: Joinville, Brazil
Distribution: Debian, CentOS
Posts: 301

Rep: Reputation: 31
I don't know why this thing with domains is messing it all.

However, I know a solution for your problem. You can build a shell script and put it into your /etc/init.d/


This link might be helpful:

http://wiki.linuxquestions.org/wiki/..._a_gateway/nat


Please let us know if your problem is now solved (or not).
 
Old 08-11-2007, 02:14 AM   #3
fotoITguy
LQ Newbie
 
Registered: Jun 2007
Posts: 7

Original Poster
Rep: Reputation: 0
Thanks for the quick response! Well, I went ahead and placed a line in my /etc/rc.local like such:
/sbin/service iptables restart

This works fine, but it's a hack and shouldn't have to be done. Plus, if my server reboots it is unprotected till this service restart is performed. Not really an issue since it happens so quickly. However, it is a bad security practice to start the network and have all the services listening before applying my firewall.

I think iptables is being loaded before name resolution works and this is causing it to kinda fail. It just doesn't seem like this problem should exist.
 
Old 08-11-2007, 02:47 AM   #4
sparc86
Member
 
Registered: Jul 2006
Location: Joinville, Brazil
Distribution: Debian, CentOS
Posts: 301

Rep: Reputation: 31
rc.local is always the last script to be loaded at the boot.


If you want that your iptables rules starts before the services, you can do exactly what I said, to build a proper script with firewall rules inside. It works very well for me.
 
Old 08-11-2007, 03:38 AM   #5
basileus
Member
 
Registered: Nov 2004
Location: Turku, Finland
Distribution: Debian, Ubuntu, Gentoo
Posts: 388

Rep: Reputation: 30
You could change iptables to start right after the network interface is up. Just browse the /etc/rc3.d directory and create a new iptables link with lower priority (just below the interface-scripts priority). I'm not sure what happens if Fedora updates the iptables-package... you _might_ have to do the relinking again.
 
Old 08-11-2007, 04:31 AM   #6
fotoITguy
LQ Newbie
 
Registered: Jun 2007
Posts: 7

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by basileus
You could change iptables to start right after the network interface is up. Just browse the /etc/rc3.d directory and create a new iptables link with lower priority (just below the interface-scripts priority). I'm not sure what happens if Fedora updates the iptables-package... you _might_ have to do the relinking again.
cool, good call. This worked perfectly, I rebooted and voila. I guess with fqdn's in the ruleset the network script needs to load so they can be resolved. Placing it directly after the network script is as good a solution as virtually possible!

cd /etc/rc.d/rc3.d/
mv S08iptables S11iptables

lrwxrwxrwx 1 root root 17 Apr 24 23:25 S10network -> ../init.d/network
lrwxrwxrwx 1 root root 21 Apr 10 18:48 S10restorecond -> ../init.d/restorecond
lrwxrwxrwx 1 root root 18 May 8 19:52 S11iptables -> ../init.d/iptables
 
Old 08-15-2007, 07:02 AM   #7
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234Reputation: 234Reputation: 234
There is a reason that iptables starts before bringing the network up: to allow no chance for your box to be cracked through the network while it's unprotected.

A better plan, if you must add rules after the net interface is bought up, is to split the iptables rules into 2 scripts: one that runs before /init.d/network, & another that runs after. You should at least replace S08iptables w/ a link to a new (very simple) script that locks down the box during the process of getting the network up. Google on "Oskar Andreasson" to find a really good iptables tutorial.
 
Old 08-15-2007, 07:53 AM   #8
odedm
LQ Newbie
 
Registered: May 2007
Posts: 4

Rep: Reputation: 0
Network

Few months ago i bump into this mail:
http://lists.centos.org/pipermail/ce...ly/066819.html

Oded.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
iptables 1.27a still loading rules after installing iptables 1.3.0 yawe_frek Linux - Software 1 06-07-2007 09:50 PM
Help with iptables rules rejeep Linux - Security 3 04-04-2007 05:15 AM
IPTABLES - rules in /etc/sysconfig/iptables The_JinJ Linux - Newbie 6 11-20-2004 01:40 AM
iptables rules Fatz Linux - Security 1 08-05-2004 06:04 AM
iptables rules Hegemon Linux - Networking 0 01-28-2004 02:20 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:44 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration