Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
So I have a situation where upon system boot my iptables rules are not being loaded at all. I am using FC6 and use the default /etc/sysconfig/iptables file to store my rules. I have chkconfig set to load iptables at init 3 (my default run level). Iptables DOES start; however, no rules are populated.
This only happens when I include domain names in the /etc/sysconfig/iptables file i.e. :
BUT, if instead of domain.com I use an IP address then all the rules are loaded properly, versus none at all when I use a domain name.
Does IPTABLES not support using domain names in the ruleset, or is there a way to make this work? Also, I can just do a "service iptables restart" and everything works fine. It just doesn't work on boot!!?!!!
Thanks for the quick response! Well, I went ahead and placed a line in my /etc/rc.local like such:
/sbin/service iptables restart
This works fine, but it's a hack and shouldn't have to be done. Plus, if my server reboots it is unprotected till this service restart is performed. Not really an issue since it happens so quickly. However, it is a bad security practice to start the network and have all the services listening before applying my firewall.
I think iptables is being loaded before name resolution works and this is causing it to kinda fail. It just doesn't seem like this problem should exist.
rc.local is always the last script to be loaded at the boot.
If you want your iptables rules to start before the services, you can do exactly what I said: build a proper script with the firewall rules inside. It works very well for me.
You could change iptables to start right after the network interface is up. Just browse the /etc/rc3.d directory and create a new iptables link with lower priority (just below the interface-scripts priority). I'm not sure what happens if Fedora updates the iptables-package... you _might_ have to do the relinking again.
cool, good call. This worked perfectly, I rebooted and voila. I guess with FQDNs in the ruleset the network script needs to load so they can be resolved. Placing it directly after the network script is as good a solution as virtually possible!
There is a reason that iptables starts before bringing the network up: to allow no chance for your box to be cracked through the network while it's unprotected.
A better plan, if you must add rules after the net interface is brought up, is to split the iptables rules into 2 scripts: one that runs before /init.d/network, & another that runs after. You should at least replace S08iptables w/ a link to a new (very simple) script that locks down the box during the process of getting the network up. Google on "Oskar Andreasson" to find a really good iptables tutorial.
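The two-stage layout the last reply describes, as an added example (not a script from this thread or from Fedora): an "early" stage applies a minimal default-DROP lockdown before the network script runs, and a "late" stage loads the full /etc/sysconfig/iptables once the interfaces and name resolution are up. It also includes a check that flags hostname-based -s/-d arguments, because iptables resolves names only once at load time and iptables-restore aborts the entire ruleset when a name cannot be resolved, which is exactly the "service started, zero rules" symptom the original poster saw. The RULES path, the early/late stage names and the IPv4-only address check are assumptions of this example.

```shell
#!/bin/sh
# Two-stage firewall loading for a SysV-style boot (added example, not from the thread).
# "early" runs from an S-link placed before /etc/init.d/network and applies a
# minimal lockdown so the box is never on the wire unprotected.
# "late" runs after the network is up and loads the full ruleset, which is the
# only stage where hostname-based rules can resolve.
# RULES defaults to the FC6 location used in the thread (assumption).
RULES="${RULES:-/etc/sysconfig/iptables}"

# Print a minimal lockdown ruleset in iptables-restore format: default DROP on
# every chain, allowing only loopback and replies to already-established flows.
lockdown_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Return 0 when every -s/-d (or --source/--destination) argument in a rules
# file is an IPv4 address or CIDR, 1 when any hostname is present. Both the
# "! -s host" and the older "-s ! host" negation forms are handled.
# Only IPv4 literals are recognised; IPv6 literals would be flagged as names.
rules_are_ip_only() {
    file="$1"
    names=$(awk '{
        for (i = 1; i < NF; i++)
            if ($i == "-s" || $i == "-d" || $i == "--source" || $i == "--destination") {
                t = $(i + 1)
                if (t == "!") t = $(i + 2)   # old-style negation: -s ! host
                print t
            }
    }' "$file")
    for n in $names; do
        n=${n#!}                               # tolerate "!host" glued together
        case "$n" in
            *[!0-9./]*) return 1 ;;            # anything beyond digits, dots, slash is a name
        esac
    done
    return 0
}

# Stage 1: apply the lockdown; to be invoked from the S-link that precedes network.
early_stage() {
    lockdown_rules | iptables-restore
}

# Stage 2: load the full ruleset. If it fails (e.g. an unresolvable name), the
# lockdown stays in place instead of leaving the box with no rules at all.
late_stage() {
    if ! iptables-restore < "$RULES"; then
        echo "iptables: full ruleset failed to load; lockdown rules remain active" >&2
        return 1
    fi
}

case "${1:-}" in
    early) early_stage ;;
    late)  late_stage ;;
    check) rules_are_ip_only "$RULES" && echo "no hostnames in $RULES" ;;
    "")    ;;   # sourced for its functions: do nothing
    *)     echo "usage: $0 {early|late|check}" >&2; exit 2 ;;
esac
```

Link the script as an early S-entry (in place of S08iptables) with the `early` argument and as a later entry after the network script with `late`; `check` can be run from a shell to confirm that a ruleset meant for the early stage contains no names that would need DNS.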