Linux - Security forum (LinuxQuestions.org): all security related questions, tips, system compromises, firewalls, etc.
#1 | 08-11-2007, 12:19 AM | LQ Newbie
iptables starts with zero rules?
HELP!!??
So I have a situation where upon system boot my iptables rules are not being loaded at all. I am using FC6 and use the default /etc/sysconfig/iptables file to store my rules. I have chkconfig set to load iptables at init 3 (my default run level). Iptables DOES start, however no rules are populated.
This only happens when I include domain names in the /etc/sysconfig/iptables file, i.e.:
-A INPUT -s DOMAIN.COM -p tcp -m multiport --dport 22,993 -j ACCEPT
BUT, if instead of domain.com I use an IP address then all the rules are loaded properly, versus none at all when I use a domain name.
Does IPTABLES not support using domain names in the ruleset, or is there a way to make this work? Also, I can just do a "service iptables restart" and everything works fine. It just doesn't work on boot!!?!!!
#2 | 08-11-2007, 02:03 AM | Member (Joinville, Brazil; Debian, CentOS)
I don't know why this thing with domains is messing it all up.
However, I know a solution for your problem. You can build a shell script and put it into your /etc/init.d/
This link might be helpful:
http://wiki.linuxquestions.org/wiki/..._a_gateway/nat
Please let us know if your problem is now solved (or not).
#3 | 08-11-2007, 02:14 AM | LQ Newbie (Original Poster)
Thanks for the quick response! Well, I went ahead and placed a line in my /etc/rc.local like such:
/sbin/service iptables restart
This works fine, but it's a hack and shouldn't have to be done. Plus, if my server reboots it is unprotected till this service restart is performed. Not really an issue since it happens so quickly. However, it is a bad security practice to start the network and have all the services listening before applying my firewall.
I think iptables is being loaded before name resolution works and this is causing it to kinda fail. It just doesn't seem like this problem should exist.
#4 | 08-11-2007, 02:47 AM | Member (Joinville, Brazil; Debian, CentOS)
rc.local is always the last script to be loaded at boot.
If you want your iptables rules to start before the services, you can do exactly what I said: build a proper script with the firewall rules inside. It works very well for me.
#5 | 08-11-2007, 03:38 AM | Member (Turku, Finland; Debian, Ubuntu, Gentoo)
You could change iptables to start right after the network interface is up. Just browse the /etc/rc3.d directory and create a new iptables link with lower priority (just below the interface-scripts priority). I'm not sure what happens if Fedora updates the iptables-package... you _might_ have to do the relinking again.
#6 | 08-11-2007, 04:31 AM | LQ Newbie (Original Poster)
Quote (originally posted by basileus):
    You could change iptables to start right after the network interface is up. Just browse the /etc/rc3.d directory and create a new iptables link with lower priority (just below the interface-scripts priority). I'm not sure what happens if Fedora updates the iptables-package... you _might_ have to do the relinking again.
Cool, good call. This worked perfectly; I rebooted and voila. I guess with FQDNs in the ruleset the network script needs to load so they can be resolved. Placing it directly after the network script is as good a solution as virtually possible!
cd /etc/rc.d/rc3.d/
mv S08iptables S11iptables
lrwxrwxrwx 1 root root 17 Apr 24 23:25 S10network -> ../init.d/network
lrwxrwxrwx 1 root root 21 Apr 10 18:48 S10restorecond -> ../init.d/restorecond
lrwxrwxrwx 1 root root 18 May 8 19:52 S11iptables -> ../init.d/iptables
#7 | 08-15-2007, 07:02 AM | Senior Member (Houston, TX (usa); MEPIS, Debian, Knoppix)
There is a reason that iptables starts before bringing the network up: to allow no chance for your box to be cracked through the network while it's unprotected.
A better plan, if you must add rules after the net interface is brought up, is to split the iptables rules into 2 scripts: one that runs before /init.d/network, & another that runs after. You should at least replace S08iptables w/ a link to a new (very simple) script that locks down the box during the process of getting the network up. Google on "Oskar Andreasson" to find a really good iptables tutorial.
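The split that this reply recommends, and the failure the original post describes, can be checked mechanically. The script below is an added example written for this page, not code from the thread or from Fedora: it reads a ruleset in the iptables-save format that /etc/sysconfig/iptables uses, flags every rule whose -s or -d argument is a hostname rather than an IP literal or CIDR (those are the rules that need DNS, and one of them failing makes iptables-restore abort the whole table, which is why the box came up with zero rules), and writes two rulesets: a boot-safe one to apply before the network comes up and a second one to append afterwards. The sample ruleset, the host admin.example.com and the output file names are constructed for the example.

```python
"""Split a saved iptables ruleset into boot-safe and DNS-dependent parts.

Added example for this thread (not the thread's or Fedora's code).
Rules that name hosts cannot be restored before name resolution works,
so they go into a second file to be applied after the network is up.
"""
import ipaddress
from typing import List, Tuple

# Constructed sample in iptables-save format (what /etc/sysconfig/iptables holds).
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.0.2.10 -p tcp -m multiport --dports 22,993 -j ACCEPT
-A INPUT -s admin.example.com -p tcp -m multiport --dports 22,993 -j ACCEPT
-A INPUT -d 198.51.100.0/24 -p tcp --dport 80 -j ACCEPT
COMMIT
"""

# Flags whose argument is an address (or a comma-separated list of them).
ADDR_FLAGS = {"-s", "--source", "--src", "-d", "--destination", "--dst"}


def _is_ip_literal(value: str) -> bool:
    """True if value is an IP address or CIDR, optionally negated with '!'."""
    try:
        ipaddress.ip_network(value.lstrip("!"), strict=False)
        return True
    except ValueError:
        return False


def rule_needs_dns(rule: str) -> bool:
    """Return True if an -A/-I rule names a host that must be resolved."""
    tokens = rule.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok not in ADDR_FLAGS:
            continue
        value = tokens[i + 1]
        if value == "!":  # legacy negation syntax: -s ! host
            value = tokens[i + 2] if i + 2 < len(tokens) else ""
        if any(not _is_ip_literal(v) for v in value.split(",") if v):
            return True
    return False


def split_ruleset(saved: str) -> Tuple[str, str]:
    """Return (boot_safe, post_network) rulesets in iptables-restore format.

    Table headers and COMMIT go into both files; chain policies only into the
    boot-safe file, so the second file can be loaded with
    'iptables-restore --noflush' without touching what is already in place.
    """
    boot_safe: List[str] = []
    post_network: List[str] = []
    for line in saved.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("*") or stripped == "COMMIT":
            boot_safe.append(stripped)
            post_network.append(stripped)
        elif stripped.startswith(":"):  # chain policy: boot-time only
            boot_safe.append(stripped)
        elif rule_needs_dns(stripped):
            post_network.append(stripped)
        else:
            boot_safe.append(stripped)
    return "\n".join(boot_safe) + "\n", "\n".join(post_network) + "\n"


if __name__ == "__main__":
    boot, post = split_ruleset(SAMPLE_RULESET)
    # Hypothetical destinations; apply the second with: iptables-restore --noflush
    print("=== iptables.boot (apply before network) ===")
    print(boot)
    print("=== iptables.post-network (apply after network, --noflush) ===")
    print(post)
```

Load the first file from the early init script and the second from one that runs after network, using iptables-restore --noflush for the second so it appends instead of replacing. Because the appended rules land at the end of each chain, this only works when the boot-safe file ends with a DROP policy rather than an explicit catch-all REJECT rule; with such a rule, insert the later rules with -I or into a dedicated chain instead.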
#8 | 08-15-2007, 07:53 AM | LQ Newbie
Network