LinuxQuestions.org - Slackware forum: How to permanently set iptables rules (https://www.linuxquestions.org/questions/slackware-14/how-to-permanently-set-iptables-rules-4175480465/)

austinramsay 10-11-2013 04:22 PM

How to permanently set iptables rules
 
How do I save my iptables rules? I used iptables-save but after reboot they were gone. Can I just add everything to my /etc/rc.d/rc.local so it sets on boot?

sebre 10-11-2013 04:39 PM

You just have to write your iptables rules in /etc/rc.d/rc.firewall (create the file if it does not exist) and make it executable.

Paragraph "Setup a Firewall" of http://docs.slackware.com/howtos:sec...basic_security

manwichmakesameal 10-11-2013 06:55 PM

You can use iptables-save, but you'll have to use iptables-restore after you reboot to put your rules into effect again. I would/do use an /etc/rc.d/rc.firewall script. AlienBob has an excellent script generator here.

Woodsman 10-11-2013 07:05 PM

Quote:

I would/do use an /etc/rc.d/rc.firewall script. AlienBob has an excellent script generator here.
Pat, Eric, how about in Current adding an "empty" rc.firewall script container and in the script provide a link to Eric's iptables generator? Here, like this:

Code:

#!/bin/sh
# /etc/rc.d/rc.firewall

# Start/Stop/Restart iptables firewall rules.

# Generate a custom rc.firewall script for Slackware:
# http://www.slackware.com/~alien/efg/

:)

kikinovak 10-12-2013 01:28 AM

Quote:

Originally Posted by Woodsman (Post 5044234)
Pat, Eric, how about in Current adding an "empty" rc.firewall script container and in the script provide a link to Eric's iptables generator? Here, like this:

Code:

#!/bin/sh
# /etc/rc.d/rc.firewall

# Start/Stop/Restart iptables firewall rules.

# Generate a custom rc.firewall script for Slackware:
# http://www.slackware.com/~alien/efg/

:)

Excellent idea. And still in the KISS spirit.

sebre 10-12-2013 04:10 AM

Quote:

Originally Posted by Woodsman (Post 5044234)
Pat, Eric, how about in Current adding an "empty" rc.firewall script container and in the script provide a link to Eric's iptables generator?

Why not build a curses "firewall-config" from Eric's web generator and add it to the Slack wizards (netconfig, ...)? The tool is already so good and KISS that such a standalone converted generator would seem natural in a Slack release.

Just to keep Slackware CD/DVD install self sufficient.

austinramsay 10-12-2013 11:32 AM

I don't need anything complicated, just these 5 rules.

Can I just put this into rc.firewall:

#!/bin/sh

# Masquerade everything leaving through eth0.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Forward SSH and HTTP arriving on wlan0 to the internal host.
iptables -t nat -A PREROUTING -p tcp -i wlan0 --dport 22 -j DNAT --to 192.168.200.100
iptables -t nat -A PREROUTING -p tcp -i wlan0 --dport 80 -j DNAT --to 192.168.200.100

# Let the forwarded connections through the FORWARD chain.
iptables -A FORWARD -p tcp -d 192.168.200.100 --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.200.100 --dport 80 -j ACCEPT

willysr 10-12-2013 11:46 AM

Why not in rc.local?

MadMaverick9 10-12-2013 09:48 PM

Quote:

Originally Posted by willysr (Post 5044510)
Why not in rc.local?

Because ...

In "/etc/rc.d/rc.inet2":
Code:

# If there is a firewall script, run it before enabling packet forwarding.
# See the HOWTOs on http://www.netfilter.org/ for documentation on
# setting up a firewall or NAT on Linux.  In some cases this might need to
# be moved past the section below dealing with IP packet forwarding.
if [ -x /etc/rc.d/rc.firewall ]; then
  /etc/rc.d/rc.firewall start
fi

My "/etc/rc.d/rc.firewall":
Code:

#!/bin/sh

firewall_start() {
  if [ -f /etc/iptables.rules ]; then
    /usr/sbin/iptables-restore < /etc/iptables.rules
  fi
}

firewall_stop() {
  /usr/sbin/iptables --flush
}

firewall_restart() {
  /usr/sbin/iptables --flush
  if [ -f /etc/iptables.rules ]; then
    /usr/sbin/iptables-restore < /etc/iptables.rules
  fi
}

case "$1" in
'start')
  firewall_start
  ;;
'stop')
  firewall_stop
  ;;
'restart')
  firewall_restart
  ;;
*)
  echo "usage $0 start|stop|restart"
esac


willysr 10-12-2013 10:44 PM

I used to put all the post-configuration scripts in rc.local, thus I need to see only one file and it will contain all the changes and configuration on my system.

But then, it's a matter of preference :)

kikinovak 10-13-2013 02:41 AM

Quote:

Originally Posted by willysr (Post 5044711)
I used to put all the post-configuration scripts in rc.local, thus I need to see only one file and it will contain all the changes and configuration on my system.

But then, it's a matter of preference :)

Here's my rc.local on a public server:
Code:

#!/bin/sh
#
# /etc/rc.d/rc.local:  Local system initialization script.
#
# Put any local startup commands in here.  Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.

# Start Icecast server
if [ -x /etc/rc.d/rc.icecast ]; then
  /etc/rc.d/rc.icecast start
fi

# Start MPD server
if [ -x /etc/rc.d/rc.mpd ]; then
  /etc/rc.d/rc.mpd start
fi

# Start Postgrey mail filter
if [ -x /etc/rc.d/rc.postgrey ]; then
  /etc/rc.d/rc.postgrey start
fi

# Start Postfix mail server
if [ -x /etc/rc.d/rc.postfix ]; then
  /etc/rc.d/rc.postfix start
fi

# Start Dovecot mail server
if [ -x /etc/rc.d/rc.dovecot ]; then
  /etc/rc.d/rc.dovecot start
fi

# Chip drivers
/sbin/modprobe coretemp
/usr/bin/sensors -s

And here's rc.firewall on this same machine:

Code:

#!/bin/sh
#
# /etc/rc.d/rc.firewall

IPT=$(which iptables)
MOD=$(which modprobe)
IFACE_INET=eth0

start() {

  # Incoming connections are blocked by default.
  $IPT -P INPUT DROP

  # Outgoing connections are accepted by default.
  $IPT -P OUTPUT ACCEPT

  # No filtering on the loopback interface.
  $IPT -A INPUT -i lo -j ACCEPT

  # Accept the important ICMP messages.
  $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
  $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

  # Accept incoming packets belonging to already established connections.
  # This is faster than re-evaluating every rule for each packet.
  $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  # Accept SSH, limited to one connection attempt per minute
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 22 -m state --state NEW \
  -m recent --set --name SSH
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 22 -m state --state NEW \
  -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j DROP
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 22 -j ACCEPT

  # Accept SMTP requests
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 25 -j ACCEPT

  # Accept DNS requests
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 53 -j ACCEPT
  $IPT -A INPUT -p udp -i $IFACE_INET --dport 53 -j ACCEPT

  # Allow the HTTP server
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 80 -j ACCEPT

  # Allow the HTTPS server
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 443 -j ACCEPT

  # Accept SMTP requests (Thunderbird)
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 587 -j ACCEPT

  # Accept IMAPS requests
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 993 -j ACCEPT

  # Allow the Icecast server
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 8000 -j ACCEPT

  # Log the rejected packets
  $IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++"
  $IPT -A INPUT -j REJECT

}

stop() {
  $IPT -t filter -P INPUT ACCEPT
  $IPT -t filter -P OUTPUT ACCEPT
  $IPT -t filter -P FORWARD ACCEPT
  $IPT -t nat -P POSTROUTING ACCEPT
  $IPT -t nat -P PREROUTING ACCEPT
  $IPT -t nat -P OUTPUT ACCEPT
  $IPT -t filter -F
  $IPT -t nat -F
  $IPT -X
}

# Commands: rc.firewall { start | restart | stop | status }
case "$1" in
  start)
          echo "Starting firewall."
          stop
          start
  ;;
  stop)
          echo "Stopping firewall."
          stop
  ;;
  restart)
          echo "Stopping firewall."
          stop
          echo "Starting firewall."
          start
  ;;
  status)
          $IPT -L -v -n
  ;;
  *)
  echo "Usage: $0 {start|stop|restart|status}"
esac

Mixing these two up would result in quite an unholy mess. YMMV, of course.

Cheers,

Niki

rg3 10-13-2013 11:18 AM

Quote:

Originally Posted by MadMaverick9 (Post 5044693)
Code:

firewall_stop() {
  /usr/sbin/iptables --flush
}


Note this will work in most cases, but does not reset iptables to its default state, really. In particular, it won't delete non-builtin chains or restore default chain policies. This is my stop() function from rc.firewall, which otherwise is pretty similar to yours.

Code:

function stop()
{
        echo "Resetting all iptables chains."
        /usr/sbin/iptables -t filter -P INPUT ACCEPT
        /usr/sbin/iptables -t filter -P FORWARD ACCEPT
        /usr/sbin/iptables -t filter -P OUTPUT ACCEPT
        /usr/sbin/iptables -t nat -P PREROUTING ACCEPT
        /usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
        /usr/sbin/iptables -t nat -P OUTPUT ACCEPT
        /usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
        /usr/sbin/iptables -t mangle -P INPUT ACCEPT
        /usr/sbin/iptables -t mangle -P FORWARD ACCEPT
        /usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
        /usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT
        /usr/sbin/iptables -t filter -F
        /usr/sbin/iptables -t filter -X
        /usr/sbin/iptables -t nat -F
        /usr/sbin/iptables -t nat -X
        /usr/sbin/iptables -t mangle -F
        /usr/sbin/iptables -t mangle -X
}

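A check for the condition rg3 describes, added here as an example and not code from the thread: feed it an `iptables-save` dump taken after running your stop action and it lists every non-ACCEPT policy, user-defined chain or rule that a flush-only stop left behind. The function names (audit_reset, count_leftovers) and the two sample dumps are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: does a firewall "stop" really reach
# netfilter's default state? rg3 notes that a bare `iptables --flush` leaves
# user-defined chains and non-ACCEPT policies behind. Function names are hypothetical.

# audit_reset: read an `iptables-save` dump on stdin, print every leftover
# (non-ACCEPT policy, user-defined chain, surviving rule), exit 1 if any.
audit_reset() {
  awk '
    /^\*/ { table = substr($0, 2); next }   # table header: "*filter", "*nat", ...
    /^:/ {                                  # chain header: ":CHAIN POLICY [pkts:bytes]"
      chain = substr($1, 2); policy = $2
      if (policy == "-") {                  # user-defined chains carry no policy
        printf "leftover chain   %s/%s\n", table, chain; bad = 1
      } else if (policy != "ACCEPT") {
        printf "leftover policy  %s/%s = %s\n", table, chain, policy; bad = 1
      }
      next
    }
    /^-A / { printf "leftover rule    %s: %s\n", table, $0; bad = 1 }
    END { exit bad + 0 }
  '
}

# count_leftovers DUMP: how many leftover lines audit_reset reports for DUMP.
count_leftovers() {
  printf '%s\n' "$1" | audit_reset | wc -l | tr -d ' '
}

# Constructed sample of what iptables-save may show after a flush-only stop:
# INPUT still has policy DROP and the empty custom chain SSH_GUARD survives.
AFTER_FLUSH='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
COMMIT'

# Constructed sample of the state a full reset (policies ACCEPT, -F, -X) leaves.
AFTER_RESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
```

On a live system, run the stop action and then `iptables-save | audit_reset` as root; a zero exit status means nothing from the old rule set survived.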

Stuferus 10-13-2013 11:29 AM

If you want to save iptables rules and use ppp or pppoe on the system where you want to save the rules, you could do it like me... I have all my iptables stuff in /etc/ppp/firewall-masq; that's a standard file that pppoe-setup will ask if you want to use.

