LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 02-18-2022, 03:01 PM   #1
BAcidEvil
Member
 
Registered: Dec 2003
Distribution: Slack 14.1 3.18.1
Posts: 294

Rep: Reputation: 10
Adding an iptables rule to load on boot.


Hello

So, this is a 2-fold question.

#1 Not using any sort of firewall except the 3 lines of iptables, where would I put;

iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -I PREROUTING -p tcp -d 192.168.4.177 --dport 72 -j DNAT --to-destination 192.168.122.123:72
iptables -I FORWARD -m state -d 192.168.122.123 --state NEW,RELATED,ESTABLISHED -j ACCEPT

So that they load on reboot.
I have used rc.local and rc.firewall (executable) and neither works! I still have to manually type them in.

#2 If I were to use the rc.firewall generated on the site, where would I place these 3 rules, or how would I translate them into the format of the generated rc.firewall?
I incorporated them to the best of my knowledge; it doesn't work.

Any help!
 
Old 02-18-2022, 03:13 PM   #2
Paulo2
Member
 
Registered: Aug 2012
Distribution: Slackware64 15.0 (started with 13.37). Testing -current in a spare partition.
Posts: 935

Rep: Reputation: 527
"/etc/rc.d/rc.firewall" should work.
Maybe with the full path to iptables? /usr/sbin/iptables instead of just iptables.
 
Old 02-18-2022, 03:22 PM   #3
BAcidEvil
Member
 
Registered: Dec 2003
Distribution: Slack 14.1 3.18.1
Posts: 294

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by Paulo2 View Post
"/etc/rc.d/rc.firewall" should work.
Maybe with the full path to iptables? /usr/sbin/iptables instead of just iptables.


Just bizarre!

I did indeed add the path and same thing. I have exactly what my initial post says, nothing added or taken.
 
Old 02-18-2022, 03:31 PM   #4
slac-in-the-box
Member
 
Registered: Mar 2010
Location: oregon
Distribution: slackware64-15.0 / slarm64-current
Posts: 780
Blog Entries: 1

Rep: Reputation: 432
Did iptables load anything at all? You can check with
Code:
iptables -L
It seems, since the executable bit was set, that either rc.firewall or rc.local should have worked...

Perhaps there is some other application or script calling iptables afterwards, overwriting what your startup call is doing, so "iptables -L" should at least display whether iptables loaded any rules at all.
 
Old 02-18-2022, 03:35 PM   #5
BAcidEvil
Member
 
Registered: Dec 2003
Distribution: Slack 14.1 3.18.1
Posts: 294

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by slac-in-the-box View Post
Did iptables load anything at all? You can check with
Code:
iptables -L
It seems, since the executable bit was set, that either rc.firewall or rc.local should have worked...

Perhaps there is some other application or script calling iptables afterwards, overwriting what your startup call is doing, so "iptables -L" should at least display whether iptables loaded any rules at all.


Actually, I believe they did. But it does not work. Now when I manually paste each line, it works.

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.122.123 state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc

When I manually input it, this is the iptables -L output, which is clearly different.

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.123 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.122.123 state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc

Last edited by BAcidEvil; 02-18-2022 at 03:50 PM.
 
Old 02-18-2022, 04:09 PM   #6
Paulo2
Member
 
Registered: Aug 2012
Distribution: Slackware64 15.0 (started with 13.37). Testing -current in a spare partition.
Posts: 935

Rep: Reputation: 527
I don't know much about forwarding packets, my Slackware machine isn't a router.
In the root's mail sent by the installer, there is information about setting up a router.
Also there is /etc/rc.d/rc.ip_forward (and /etc/rc.d/rc.inet2 that loads both).
 
Old 02-18-2022, 04:12 PM   #7
BAcidEvil
Member
 
Registered: Dec 2003
Distribution: Slack 14.1 3.18.1
Posts: 294

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by Paulo2 View Post
I don't know much about forwarding packets, my Slackware machine isn't a router.
In the root's mail sent by the installer, there is information about setting up a router.
Also there is /etc/rc.d/rc.ip_forward (and /etc/rc.d/rc.inet2 that loads both).

That FORWARD is for the VM that resides on the box using NAT. I would still assume that I should be able to achieve automatically what I am able to do manually, with 3 lines, that are the same.
 
Old 02-18-2022, 08:53 PM   #8
BAcidEvil
Member
 
Registered: Dec 2003
Distribution: Slack 14.1 3.18.1
Posts: 294

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by Paulo2 View Post
I don't know much about forwarding packets, my Slackware machine isn't a router.
In the root's mail sent by the installer, there is information about setting a router.
Also there is /etc/rc.d/rc.ip_forward (and /etc/rc.d/rc.inet2 that loads both).
So I was looking into rc.inet2 and rc.ip_forward and it seems to make a little sense. I'm just confused as to why the commands are not working in rc.local, aside from maybe rc.local loading before rc.firewall or even rc.ip_forward and thus not applying it?
If this is the case I guess I just don't know where to put the FORWARD rule ...
 
Old 02-19-2022, 01:36 AM   #9
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,921

Rep: Reputation: 1565
Quote:
Originally Posted by BAcidEvil View Post
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.122.123 state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
There are a lot of rules there, more than the three lines you wanted to apply.

Quote:
Originally Posted by BAcidEvil View Post
#1 Not using any sort of firewall except the 3 lines of iptables, where would I put;

iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -I PREROUTING -p tcp -d 192.168.4.177 --dport 72 -j DNAT --to-destination 192.168.122.123:72
iptables -I FORWARD -m state -d 192.168.122.123 --state NEW,RELATED,ESTABLISHED -j ACCEPT

So that they load on reboot.
I have used rc.local, rc.firewall (executable)and neither work! I have to still manually type them in.
When you put only those three lines in otherwise empty rc.firewall which is executable, what does iptables -L show after boot?

Quote:
#2 If I were to use rc.firewall generated on the site, where would I place these 3 rules or translate them into a format the generated rc.firewall?
I incorporated them in best my knowledge, doesn't work.
What does 'rc.firewall generated on the site' mean? Why don't you post it here?
 
Old 02-19-2022, 02:14 AM   #10
GazL
LQ Veteran
 
Registered: May 2008
Posts: 6,918

Rep: Reputation: 5035
The way I do it is I load my rules manually using a script full of iptables commands and then use iptables-save to save them. Then I use this as my rc.firewall:
Code:
#!/bin/bash
#
# Restore firewall rules

save_dir=/var/lib/iptables
iptables_save=$save_dir/iptables
ip6tables_save=$save_dir/ip6tables

load_rules()
{
  [ -r "$iptables_save" ] && iptables-restore "$iptables_save"
  [ -r "$ip6tables_save" ] && ip6tables-restore "$ip6tables_save"
}

case "${1:-start}" in
  start)  load_rules    ;;
  stop)   :             ;;
esac
 
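For the "translate them into the format of the generated rc.firewall" half of the question, here are the three rules from the first post written in the iptables-save format that an rc.firewall like the one above restores. This is an added example, not GazL's or the original poster's code. It assumes the addresses and port from post #1 (host 192.168.4.177, VM 192.168.122.123, TCP 72) and the /var/lib/iptables/iptables save path used above; the function names gen_rules, check_rules and install_rules are mine.

```shell
#!/bin/sh
# Added example: the three iptables commands from post #1 expressed as an
# iptables-restore file that an rc.firewall built on iptables-restore loads.
# Assumed (not from the thread): the save path below and the function names.

HOST_IP=192.168.4.177        # address on the outside interface (post #1)
VM_IP=192.168.122.123        # the VM behind NAT (post #1)
PORT=72                      # TCP port forwarded to the VM (post #1)
SAVE_FILE=/var/lib/iptables/iptables   # path used by the rc.firewall above

# Print the ruleset in iptables-save/iptables-restore syntax.  Each table
# starts with "*name", lists chain policies as ":CHAIN POLICY [0:0]", then
# the rules in -A form (file order is chain order), and ends with COMMIT.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -d $HOST_IP --dport $PORT -j DNAT --to-destination $VM_IP:$PORT
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d $VM_IP -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Offline sanity check: both tables present, each closed by COMMIT, and the
# DNAT target really points at the VM.  Returns 0 when the file looks right.
check_rules() {
    rules=$(gen_rules)
    printf '%s\n' "$rules" | grep -q '^\*nat$'    || return 1
    printf '%s\n' "$rules" | grep -q '^\*filter$' || return 1
    [ "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" -eq 2 ] || return 1
    printf '%s\n' "$rules" | grep -q -- "-j DNAT --to-destination $VM_IP:$PORT" || return 1
    return 0
}

# Install step, run as root on the firewall host only.  iptables-restore
# --test parses the file without touching the kernel; only if that passes is
# the file applied, and each table it names is then replaced as one unit.
install_rules() {
    mkdir -p "$(dirname "$SAVE_FILE")"
    gen_rules > "$SAVE_FILE"
    chmod 600 "$SAVE_FILE"
    iptables-restore --test "$SAVE_FILE" && iptables-restore "$SAVE_FILE"
}

case "${1:-check}" in
    print)   gen_rules ;;
    check)   check_rules && echo "ruleset ok" ;;
    install) check_rules && install_rules ;;
esac
```

Run it with `print` to see the file, `check` to validate it offline, and `install` as root on the host. Because the file is loaded whole, a re-run does not stack duplicate rules the way a script of `iptables -I` commands does on every invocation. Two things it does not cover: forwarding still needs net.ipv4.ip_forward=1 (the rc.ip_forward mentioned earlier in the thread), and the MASQUERADE rule as written in post #1 matches every packet leaving every interface; restricting it with `-o <outside interface>` is the usual hardening, left out here only because the thread does not name that interface.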
Old 02-19-2022, 02:30 AM   #11
Petri Kaukasoina
Senior Member
 
Registered: Mar 2007
Posts: 1,921

Rep: Reputation: 1565
Quote:
Originally Posted by BAcidEvil View Post
I'm just confused as to why the commands are not working in rc.local, aside from maybe rc.local loading before rc.firewall or even rc.ip_forward and thus not applying it?
If this is the case I guess I just don't know where to put the FORWARD rule ...
rc.firewall runs early and rc.local runs last.
 
Old 02-19-2022, 07:42 AM   #12
allend
LQ 5k Club
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware64-15.0
Posts: 6,382

Rep: Reputation: 2761
Are you running NetworkManager?
If so, you can add a script in /etc/NetworkManager/dispatcher.d to load iptables rules.
My /etc/NetworkManager/dispatcher.d/25_SetFirewall
Code:
#!/bin/sh

# Script to load appropriate firewall based on interface in use

INTERFACE=$1 # The interface which is brought up or down
STATUS=$2 # The new state of the interface

case "$STATUS" in
  'up') # an interface has been brought up
    case "$INTERFACE" in
      'eth0')
        exec /etc/rc.d/rc.firewall_eth0
      ;;
      'eth1')
        exec /etc/rc.d/rc.firewall_eth1
      ;;
      'wlan0')
        exec /etc/rc.d/rc.firewall_wlan0
      ;;
      'ppp0')
        exec /etc/rc.d/rc.firewall_ppp0
      ;;
      'wwan0')
        exec /etc/rc.d/rc.firewall_wwan0
      ;;
      'br0')
        exec /etc/rc.d/rc.firewall_br0
      ;;
    esac
    ;;
  'down') # an interface has been brought down
    # Load default if there is no active interface
    nm-online -x || exec /etc/rc.d/rc.firewall_lo
  ;;
esac
 
Old 02-19-2022, 01:39 PM   #13
BAcidEvil
Member
 
Registered: Dec 2003
Distribution: Slack 14.1 3.18.1
Posts: 294

Original Poster
Rep: Reputation: 10
I am not using NetworkManager; I am manually just configuring rc.inet1.
What I meant by 'on the site' was http://www.slackware.com/~alien/efg/.. Irrelevant at this point, as I cannot even simply get 3 lines to load automatically.

So, after 'chmod +x /etc/rc.d/rc.firewall' and inputting simply;

iptables -t nat -A POSTROUTING -j MASQUERADE
iptables -t nat -I PREROUTING -p tcp -d 192.168.4.177 --dport 72 -j DNAT --to-destination 192.168.122.123:72
iptables -I FORWARD -m state -d 192.168.122.123 --state NEW,RELATED,ESTABLISHED -j ACCEPT

Then when doing iptables -L;

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.122.123 state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc

Still, nothing. But when I magically type in;

iptables -I FORWARD -m state -d 192.168.122.123 --state NEW,RELATED,ESTABLISHED -j ACCEPT (just this line)

It works. So during bootup or whatever it does, this line [above] is either not being implemented or is being overwritten /removed after the fact.

So, as said above, the 3 lines alone in rc.firewall output the iptables -L I mentioned... But by manually inputting the 3rd line (a second time) via shell and having it work, iptables now produces this;

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.123 state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
ACCEPT all -- anywhere 192.168.122.123 state NEW,RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc

Last edited by BAcidEvil; 02-19-2022 at 01:42 PM.
 
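Reading the two FORWARD listings above side by side: after boot the rule for 192.168.122.123 is the last line of the chain, below both REJECT rules, while after the manual `iptables -I` a copy sits at position 1 (the boot-time copy is still at the bottom, so the chain now holds the same rule twice). Rules are evaluated top to bottom and REJECT is terminating, so position, not presence, is what the `iptables -L` check suggested earlier in the thread needs to answer; rc.firewall running early (post #11) and the 192.168.122.0/24 rules appearing above the rule afterwards is consistent with those rules being inserted by something that starts later, though the thread does not identify what adds them. Two caveats a practitioner would want: `iptables -L` without `-n -v` hides interface matches and resolves names, so `iptables -S FORWARD` or `iptables -L FORWARD -n -v --line-numbers` is the listing to read; and `iptables -C` (check) before `-I` avoids stacking duplicates every time a script is re-run. The script below is an added example, not code from the thread. It parses `iptables -S` output and flags ACCEPT rules that sit under a REJECT/DROP. Its two samples are constructed from the listings above, rewritten in `-S` form with assumed `-i/-o virbr0` interface matches that the posted listing cannot confirm, and the function names shadow_report, count_below_reject and first_accept_pos are mine.

```shell
#!/bin/sh
# Added example, not from the thread: report where each ACCEPT rule sits in
# a chain relative to the first REJECT/DROP above it.  Input is "iptables -S
# CHAIN" output, one "-A" line per rule in chain order.

# Constructed samples, modeled on the FORWARD listings in the post above and
# rewritten in -S form.  The -i/-o virbr0 matches are an assumption: the
# posted "iptables -L" output (no -v) does not show interface matches.

# As listed right after boot: the rc.firewall rule is last, below both REJECTs.
SAMPLE_BOOT='-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.123/32 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT'

# After "iptables -I FORWARD ..." was typed again: a second copy is at position 1.
SAMPLE_MANUAL='-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.123/32 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.123/32 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT'

# Read -S lines on stdin and print one line per ACCEPT rule:
#   ok <pos> <rule>                          no REJECT/DROP above it
#   below_reject <pos> <reject_pos> <rule>   a REJECT/DROP at <reject_pos> runs first
# Whether that earlier rule really swallows the packet depends on its full
# match (interfaces, addresses), so treat below_reject as "check this", not proof.
shadow_report() {
    awk '
        $1 == "-A" {
            n++
            target = ""
            for (i = 1; i <= NF; i++) if ($i == "-j") target = $(i + 1)
            if ((target == "REJECT" || target == "DROP") && first_drop == 0) first_drop = n
            if (target == "ACCEPT") {
                if (first_drop > 0) print "below_reject", n, first_drop, $0
                else                print "ok", n, $0
            }
        }'
}

# Number of ACCEPT rules that come after the first REJECT/DROP in the chain text $1.
count_below_reject() {
    printf '%s\n' "$1" | shadow_report | grep -c '^below_reject '
}

# Position of the first ACCEPT rule in chain text $1 whose destination is $2
# (as printed by -S, e.g. 192.168.122.123/32); prints nothing if there is none.
first_accept_pos() {
    printf '%s\n' "$1" | shadow_report | awk -v d="-d $2 " 'index($0, d) { print $2; exit }'
}

case "${1:-demo}" in
    demo)
        echo "== FORWARD after boot";       printf '%s\n' "$SAMPLE_BOOT"   | shadow_report
        echo "== FORWARD after manual -I";  printf '%s\n' "$SAMPLE_MANUAL" | shadow_report
        ;;
    live)
        # On the host, as root (script name assumed):  iptables -S FORWARD | sh check_order.sh live
        shadow_report
        ;;
esac
```

With no argument it prints the report for both samples: the boot sample shows the 192.168.122.123 rule as position 6, below the REJECT at position 4; the manual sample shows it at position 1 as ok and the leftover copy at position 7 still below_reject. On the host, pipe real `iptables -S FORWARD` output through the `live` mode. A rule that must win over later-inserted rules has to be added after whatever adds them, or re-inserted from a hook that runs after that service, and should be guarded with `iptables -C FORWARD <spec> || iptables -I FORWARD <spec>` so repeated runs do not pile up copies.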
Old 02-20-2022, 07:01 PM   #14
BAcidEvil
Member
 
Registered: Dec 2003
Distribution: Slack 14.1 3.18.1
Posts: 294

Original Poster
Rep: Reputation: 10
Not sure if this helps any, but I have noticed that, even though the command is IN rc.local and rc.local runs at boot, it does not apply the iptables rules. But after it boots, if I run the /etc/rc.d/rc.local command, it then works.

Being that rc.local is last to load, I am at a loss as to why it is not being applied via boot, but will apply at # /etc/rc.d/rc.local <enter>
 
All times are GMT -5.