Slackware This Forum is for the discussion of Slackware Linux.
10-11-2013, 04:22 PM
#1
Member
Registered: Jul 2007
Posts: 277
How to permanently set iptables rules
How do I save my iptables rules? I used iptables-save but after reboot they were gone. Can I just add everything to my /etc/rc.d/rc.local so it sets on boot?
10-11-2013, 04:39 PM
#2
LQ Newbie
Registered: Jun 2013
Location: France
Distribution: Slackware
Posts: 28
You just have to write your iptables rules in /etc/rc.d/rc.firewall (create the file if it does not exist) and make it executable.
Paragraph "Setup a Firewall" of http://docs.slackware.com/howtos:sec...basic_security
2 members found this post helpful.
10-11-2013, 06:55 PM
#3
Member
Registered: Aug 2006
Distribution: Slackware
Posts: 804
You can use iptables-save, but you'll have to use iptables-restore after you reboot to put your rules into effect again. I would/do use an /etc/rc.d/rc.firewall script. AlienBob has an excellent script generator here.
Last edited by manwichmakesameal; 10-11-2013 at 06:56 PM.
Reason: Forgot a space......
1 members found this post helpful.
10-11-2013, 07:05 PM
#4
Senior Member
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482
Quote:
I would/do use an /etc/rc.d/rc.firewall script. AlienBob has an excellent script generator here.
Pat, Eric, how about in Current adding an "empty" rc.firewall script container and in the script provide a link to Eric's iptables generator? Here, like this:
Code:
#!/bin/sh
# /etc/rc.d/rc.firewall
# Start/Stop/Restart iptables firewall rules.
# Generate a custom rc.firewall script for Slackware:
# http://www.slackware.com/~alien/efg/

3 members found this post helpful.
10-12-2013, 01:28 AM
#5
MLED Founder
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453
Quote:
Originally Posted by Woodsman
Pat, Eric, how about in Current adding an "empty" rc.firewall script container and in the script provide a link to Eric's iptables generator? Here, like this:
Code:
#!/bin/sh
# /etc/rc.d/rc.firewall
# Start/Stop/Restart iptables firewall rules.
# Generate a custom rc.firewall script for Slackware:
# http://www.slackware.com/~alien/efg/

Excellent idea. And still in the KISS spirit.
10-12-2013, 04:10 AM
#6
LQ Newbie
Registered: Jun 2013
Location: France
Distribution: Slackware
Posts: 28
Quote:
Originally Posted by Woodsman
Pat, Eric, how about in Current adding an "empty" rc.firewall script container and in the script provide a link to Eric's iptables generator?
Why not build a curses "firewall-config" from Eric's web generator and add it to the Slack wizards (netconfig, ...)? The tool is already so good and KISS that such a standalone converted generator would seem natural in a Slack release.
Just to keep the Slackware CD/DVD install self-sufficient.
1 members found this post helpful.
10-12-2013, 11:32 AM
#7
Member
Registered: Jul 2007
Posts: 277
Original Poster
I don't need anything complicated, just these 5 rules.
Can I just put this into rc.firewall:
Code:
#!/bin/sh
# Masquerade everything leaving through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Forward SSH and HTTP arriving on wlan0 to the internal host
# (the PREROUTING rules need -A to append, otherwise iptables rejects them)
iptables -t nat -A PREROUTING -p tcp -i wlan0 --dport 22 -j DNAT --to 192.168.200.100
iptables -t nat -A PREROUTING -p tcp -i wlan0 --dport 80 -j DNAT --to 192.168.200.100
# Let the forwarded connections pass the FORWARD chain
iptables -A FORWARD -p tcp -d 192.168.200.100 --dport 22 -j ACCEPT
iptables -A FORWARD -p tcp -d 192.168.200.100 --dport 80 -j ACCEPT
10-12-2013, 11:46 AM
#8
Senior Member
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,849
Why not in rc.local?
10-12-2013, 09:48 PM
#9
Member
Registered: Aug 2010
Posts: 353
Quote:
Originally Posted by willysr
Why not in rc.local?
Because ...
In "/etc/rc.d/rc.inet2":
Code:
# If there is a firewall script, run it before enabling packet forwarding.
# See the HOWTOs on http://www.netfilter.org/ for documentation on
# setting up a firewall or NAT on Linux. In some cases this might need to
# be moved past the section below dealing with IP packet forwarding.
if [ -x /etc/rc.d/rc.firewall ]; then
  /etc/rc.d/rc.firewall start
fi
My "/etc/rc.d/rc.firewall":
Code:
#!/bin/sh
# Rules are saved beforehand with: iptables-save > /etc/iptables.rules
firewall_start() {
  if [ -f /etc/iptables.rules ]; then
    /usr/sbin/iptables-restore < /etc/iptables.rules
  fi
}
firewall_stop() {
  /usr/sbin/iptables --flush
}
firewall_restart() {
  /usr/sbin/iptables --flush
  if [ -f /etc/iptables.rules ]; then
    /usr/sbin/iptables-restore < /etc/iptables.rules
  fi
}
case "$1" in
  'start')
    firewall_start
    ;;
  'stop')
    firewall_stop
    ;;
  'restart')
    firewall_restart
    ;;
  *)
    echo "usage $0 start|stop|restart"
esac
2 members found this post helpful.
10-12-2013, 10:44 PM
#10
Senior Member
Registered: Jul 2004
Location: Jogja, Indonesia
Distribution: Slackware-Current
Posts: 4,849
I used to put all the post-configuration scripts in rc.local, thus I need to see only one file, and it will contain all the changes and configuration on my system.
But then, it's a matter of preference.
10-13-2013, 02:41 AM
#11
MLED Founder
Registered: Jun 2011
Location: Montpezat (South France)
Distribution: CentOS, OpenSUSE
Posts: 3,453
Quote:
Originally Posted by willysr
I used to put all the post-configuration scripts in rc.local, thus I need to see only one file, and it will contain all the changes and configuration on my system.
But then, it's a matter of preference.
Here's my rc.local on a public server:
Code:
#!/bin/sh
#
# /etc/rc.d/rc.local: Local system initialization script.
#
# Put any local startup commands in here. Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.

# Start Icecast server
if [ -x /etc/rc.d/rc.icecast ]; then
  /etc/rc.d/rc.icecast start
fi
# Start MPD server
if [ -x /etc/rc.d/rc.mpd ]; then
  /etc/rc.d/rc.mpd start
fi
# Start Postgrey mail filter
if [ -x /etc/rc.d/rc.postgrey ]; then
  /etc/rc.d/rc.postgrey start
fi
# Start Postfix mail server
if [ -x /etc/rc.d/rc.postfix ]; then
  /etc/rc.d/rc.postfix start
fi
# Start Dovecot mail server
if [ -x /etc/rc.d/rc.dovecot ]; then
  /etc/rc.d/rc.dovecot start
fi
# Chip drivers
/sbin/modprobe coretemp
/usr/bin/sensors -s
And here's rc.firewall on this same machine:
Code:
#!/bin/sh
#
# /etc/rc.d/rc.firewall
IPT=$(which iptables)
MOD=$(which modprobe)
IFACE_INET=eth0

start() {
  # Incoming connections are blocked by default.
  $IPT -P INPUT DROP
  # Outgoing connections are accepted by default.
  $IPT -P OUTPUT ACCEPT
  # No filtering on the loopback interface.
  $IPT -A INPUT -i lo -j ACCEPT
  # Accept the important ICMP messages.
  $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
  $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
  # Accept incoming packets that belong to already established connections.
  # This is faster than re-evaluating every rule for each packet.
  $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # Accept SSH, limited to one connection attempt per minute per source:
  # the first NEW packet is recorded, a second one within 60 s is dropped.
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 22 -m state --state NEW \
    -m recent --set --name SSH
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 22 -m state --state NEW \
    -m recent --update --seconds 60 --hitcount 2 --rttl --name SSH -j DROP
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 22 -j ACCEPT
  # Accept SMTP requests
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 25 -j ACCEPT
  # Accept DNS requests
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 53 -j ACCEPT
  $IPT -A INPUT -p udp -i $IFACE_INET --dport 53 -j ACCEPT
  # Allow the HTTP server
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 80 -j ACCEPT
  # Allow the HTTPS server
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 443 -j ACCEPT
  # Accept SMTP requests (Thunderbird)
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 587 -j ACCEPT
  # Accept IMAPS requests
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 993 -j ACCEPT
  # Allow the Icecast server
  $IPT -A INPUT -p tcp -i $IFACE_INET --dport 8000 -j ACCEPT
  # Log everything not accepted above, then reject it.
  $IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++"
  $IPT -A INPUT -j REJECT
}

stop() {
  # Open policies, flush every chain of the filter and nat tables, and
  # delete the user-defined chains.
  $IPT -t filter -P INPUT ACCEPT
  $IPT -t filter -P OUTPUT ACCEPT
  $IPT -t filter -P FORWARD ACCEPT
  $IPT -t nat -P POSTROUTING ACCEPT
  $IPT -t nat -P PREROUTING ACCEPT
  $IPT -t nat -P OUTPUT ACCEPT
  $IPT -t filter -F
  $IPT -t nat -F
  $IPT -X
}

# Commands: rc.firewall { start | restart | stop | status }
case "$1" in
  start)
    echo "Starting firewall."
    stop
    start
    ;;
  stop)
    echo "Stopping firewall."
    stop
    ;;
  restart)
    echo "Stopping firewall."
    stop
    echo "Starting firewall."
    start
    ;;
  status)
    $IPT -L -v -n
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|status}"
esac
Mixing these two up would result in quite an unholy mess. YMMV, of course.
Cheers,
Niki
1 members found this post helpful.
10-13-2013, 11:18 AM
#12
Member
Registered: Jul 2007
Distribution: Fedora
Posts: 527
Quote:
Originally Posted by MadMaverick9
Code:
firewall_stop() {
/usr/sbin/iptables --flush
}
Note this will work in most cases, but does not reset iptables to its default state, really. In particular, it won't delete non-builtin chains or restore default chain policies. This is my stop() function from rc.firewall, which otherwise is pretty similar to yours.
Code:
stop() {
  echo "Resetting all iptables chains."
  /usr/sbin/iptables -t filter -P INPUT ACCEPT
  /usr/sbin/iptables -t filter -P FORWARD ACCEPT
  /usr/sbin/iptables -t filter -P OUTPUT ACCEPT
  /usr/sbin/iptables -t nat -P PREROUTING ACCEPT
  /usr/sbin/iptables -t nat -P POSTROUTING ACCEPT
  /usr/sbin/iptables -t nat -P OUTPUT ACCEPT
  /usr/sbin/iptables -t mangle -P PREROUTING ACCEPT
  /usr/sbin/iptables -t mangle -P INPUT ACCEPT
  /usr/sbin/iptables -t mangle -P FORWARD ACCEPT
  /usr/sbin/iptables -t mangle -P OUTPUT ACCEPT
  /usr/sbin/iptables -t mangle -P POSTROUTING ACCEPT
  /usr/sbin/iptables -t filter -F
  /usr/sbin/iptables -t filter -X
  /usr/sbin/iptables -t nat -F
  /usr/sbin/iptables -t nat -X
  /usr/sbin/iptables -t mangle -F
  /usr/sbin/iptables -t mangle -X
}
1 members found this post helpful.
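Added example (not code from this thread, from Slackware, or from any of the posters): a check for the two points made above. MadMaverick9's rc.firewall in post #9 restores /etc/iptables.rules with iptables-restore at boot, and post #12 explains that a plain flush leaves non-ACCEPT policies and user-defined chains behind. The script parses iptables-save output, which is also the format of a saved /etc/iptables.rules, prints one line per table with the chain policies, user-chain count and rule count, and succeeds only when the dump is fully reset. It also generalises the stop() above into a reset that walks every loaded table listed in /proc/net/ip_tables_names and takes the built-in chains from the `-P` lines of `iptables -S`. The function names, the SSH_GUARD chain and all sample dumps are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Slackware. Checks an
# iptables-save dump (a saved /etc/iptables.rules, or the live state via
# "iptables-save | fw_dump_is_pristine") for what a complete stop must
# leave behind: every built-in policy ACCEPT, no user-defined chains,
# no rules. Function names and sample data are constructed here.

# Print one summary line per table for an iptables-save dump read on stdin.
fw_dump_summary() {
    awk '
        /^\*/ { table = substr($1, 2); pol[table] = ""; uc[table] = 0; rules[table] = 0; order[++n] = table; next }
        /^:/  { chain = substr($1, 2)
                if ($2 == "-") { uc[table]++ }   # user-defined chains show "-" instead of a policy
                else { pol[table] = pol[table] ((pol[table] != "") ? "," : "") chain ":" $2 }
                next }
        /^-A/ { rules[table]++; next }
        END   { for (i = 1; i <= n; i++) { t = order[i]; printf "table=%s policies=%s user_chains=%d rules=%d\n", t, pol[t], uc[t], rules[t] } }'
}

# Exit 0 only if the dump on stdin is fully reset; otherwise print what is
# left behind and exit 1. "iptables -F" alone usually fails this check
# because policies and (empty) user chains survive a flush.
fw_dump_is_pristine() {
    awk '
        BEGIN { bad = 0 }
        /^\*/ { table = substr($1, 2); next }
        /^:/  { chain = substr($1, 2)
                if ($2 == "-") { print "user chain left: " table "/" chain; bad = 1 }
                else if ($2 != "ACCEPT") { print "policy not ACCEPT: " table "/" chain " " $2; bad = 1 }
                next }
        /^-A/ { print "rule left in " table ": " $0; bad = 1; next }
        END   { exit bad }'
}

# Full reset for an rc.firewall stop branch: for every loaded table
# (/proc/net/ip_tables_names) set each built-in chain policy back to ACCEPT
# (built-in chains are the "-P" lines of "iptables -S"), flush, and delete
# user chains. Needs root; IPT=echo gives a dry run that only prints commands.
fw_reset_all() {
    IPT=${IPT:-/usr/sbin/iptables}
    for t in $(cat /proc/net/ip_tables_names 2>/dev/null); do
        for chain in $($IPT -t "$t" -S | awk '$1 == "-P" { print $2 }'); do
            $IPT -t "$t" -P "$chain" ACCEPT
        done
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

# Constructed sample dumps (not taken from any real host).
# What "iptables -F" leaves on a host that had a DROP policy and a user chain:
SAMPLE_AFTER_FLUSH='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'
# The five rules from post #7, in the form iptables-save prints them:
SAMPLE_OP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.200.100
-A PREROUTING -i wlan0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.200.100
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 192.168.200.100/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.200.100/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'
# A genuinely reset filter table:
SAMPLE_RESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

printf '%s\n' "$SAMPLE_AFTER_FLUSH" | fw_dump_summary
printf '%s\n' "$SAMPLE_OP" | fw_dump_summary
printf '%s\n' "$SAMPLE_AFTER_FLUSH" | fw_dump_is_pristine || echo "flush alone did not reset the firewall"
printf '%s\n' "$SAMPLE_RESET" | fw_dump_is_pristine && echo "fully reset"
```

After `rc.firewall stop`, `iptables-save | fw_dump_is_pristine` shows whether the stop really returned the box to an open, rule-free state; running `IPT=echo fw_reset_all` first prints the exact commands the general reset would issue on that host.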
10-13-2013, 11:29 AM
#13
Member
Registered: Jun 2013
Location: Germany
Distribution: Slackware
Posts: 174
If you want to save iptables rules and use ppp or pppoe on the system where you want to save the rules, you could do it like me: I have all my iptables stuff in /etc/ppp/firewall-masq; that's a standard file that pppoe-setup will ask whether you want to use.