
iptables dilemma


DoctorKaos

When iptables gets installed, a shell script called "iptables" is installed in /etc/rc.d/init.d/

 

Now, I know squat about shell scripting, but I know enough to know that that shell script is responsible for resetting your iptables (netfilter) firewall to "non-existent" mode every time you reboot:

INPUT - ACCEPT

FORWARD - ACCEPT

OUTPUT - ACCEPT

that means I might as well have no firewall.

 

So, I've been struggling to find ways to make iptables fully active at reboot.

I have followed howto instructions step by step. Done it all by the book, but, typically enough for me, the more documentation I read, the more confused I get.

 

I've messed around with that damn script to make it initialize another iptables script (the actual set of rules which are supposed to sit in /etc/sysconfig/), but to no avail.

 

So I got tired of it, and wrote a really nice set of iptables rules (now that I know about!).

I put the ol' bin/sh at the top of the page, made the file executable, put it in a folder and double-clicked it whenever I had to. That worked, but it left an open gap of a few seconds (an eternity!) during and after boot.

So finally I got tired of that as well, and yanked that original iptables shell script out of /etc/rc.d/init.d/ and replaced it with my own iptables set of rules.

 

Now, whenever I reboot, iptables is up and ready when Linux fires up my eth's.

My problem is that now I'm wondering if this was the right thing to do.

Doing "iptables -L" shows my set of rules in all their glory, but still, nagging doubts persist.

 

There was a lot of stuff in that original "iptables" shell script, and I wonder if, by removing it, I haven't created other problems?

 

So, IS that original iptables shell script absolutely necessary?


So, IS that original iptables shell script absolutely necessary?
Of course not. If you have written another that will do it better, then you don't need the original one. For example, I'm used to replacing the iptables script with my own set of rules.

 

I can't tell you about the script but you can run nmap to scan your machine. See man nmap for the appropriate switches.
That test will work only if you use nmap from a foreign machine placed in the "outside" world of the firewall (i.e. from the internet). Notice that if you run nmap from your LAN or even from your localhost, many rules of the firewall aren't working, so a local nmap test is useless.

 

If you have no chance to do that test yourself, you can always try a security test from sites like http://grc.com (there are many, but I can't remember their names right now, so to be sure, test as many as you find).


Thanks Couterspy and aru.

I will get a friend to do an nmap scan.

 

aru, about the script;

The thing is that my own script contains only rules; no shell script stuff other than the bin/sh at the top of the file.

The original iptables script had a lot of shell script stuff.

That is what bothers me. Is all that shell script stuff necessary

for the proper workings of iptables?


aru, about the script; 

The thing is that my own script contains only rules; no shell script stuff other than the bin/sh at the top of the file.

The original iptables script had a lot of shell script stuff.

That is what bothers me. Is all that shell script stuff necessary

for the proper workings of iptables?

 

IMHO that stuff is not really important, but it is very useful to interact with iptables as if it were another daemon, in order to start it, stop it, check its status, and so on...

 

So my advice to you is to study the original script and edit your own rules. Normally you'll only need to edit/create some variables, and surely you'll need to hack the start() function.

 

You can safely leave all the other functions and the case statement as they are.

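For readers who want to see what "variables plus a start() function plus the case statement" looks like in practice, here is a sysvinit-style script of that shape. It is an added example written for this page, not the distribution's original init script and not DoctorKaos's rule set; the interface name (eth0), the management network (192.168.1.0/24), the chkconfig priorities and the rules themselves are assumptions to be adapted. The one thing it does that many howtos get wrong is the order inside start(): the DROP policies go in before the flush, so there is no "accept everything" window while the chains are being rebuilt, and restart goes straight to start() instead of stop-then-start for the same reason. stop() deliberately reproduces the open state the thread complains about, because that is what "service iptables stop" is expected to mean.

```shell
#!/bin/sh
# Hypothetical replacement for /etc/rc.d/init.d/iptables (added example, not the
# distribution's script). The "chkconfig:" line is what a Red Hat-style
# chkconfig reads: runlevels 2345, start priority 08 (before S10network),
# stop priority 92. Adjust to your distribution.
#
# chkconfig: 2345 08 92
# description: Loads the netfilter ruleset before the interfaces come up.

# --- variables (the part you normally edit) ---------------------------------
IPT="${IPT:-iptables}"                    # override for a dry run, e.g. IPT=echo
LAN_IF="${LAN_IF:-eth0}"                  # assumed LAN interface
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"  # assumed management network for ssh
SSH_PORT="${SSH_PORT:-22}"

# Set DROP policies *before* flushing. Flushing first (as many howtos do) leaves
# a window in which the chains are empty and everything is accepted.
lockdown() {
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT     # deliberately permissive for a workstation
    "$IPT" -F                   # flush all rules
    "$IPT" -X                   # delete user-defined chains
    "$IPT" -Z                   # zero the counters
}

# The actual rule set; the DROP policies are already in place when this runs.
rules() {
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m state --state INVALID -j DROP
    # new ssh sessions only from the management network, on the LAN interface
    "$IPT" -A INPUT -i "$LAN_IF" -s "$ADMIN_NET" -p tcp --dport "$SSH_PORT" \
        -m state --state NEW -j ACCEPT
    # rate-limited ping so the host stays debuggable without being a flood target
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/s -j ACCEPT
    # log (rate-limited), then drop everything else explicitly
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
    "$IPT" -A INPUT -j DROP
}

start() {
    lockdown
    rules
    echo "iptables: ruleset loaded"
}

# stop() is the "no firewall" state the stock script leaves you in: ACCEPT
# policies and empty chains. Keep it, because that is what "service iptables
# stop" is expected to mean, but never call it from restart.
stop() {
    "$IPT" -F
    "$IPT" -X
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    echo "iptables: firewall disabled"
}

status() {
    "$IPT" -L -n -v --line-numbers
}

# The case statement the thread mentions. restart goes straight to start()
# because start() already rebuilds from scratch; stop followed by start would
# reintroduce the accept-everything window.
dispatch() {
    case "$1" in
        start)          start ;;
        stop)           stop ;;
        restart|reload) start ;;
        status)         status ;;
        *)  echo "Usage: $0 {start|stop|restart|reload|status}" >&2
            return 1 ;;
    esac
}

# Dispatch only when given an action, so the file can also be sourced
# (e.g. with IPT=echo) to inspect the commands it would run.
[ $# -gt 0 ] && dispatch "$@"
```

To check the command sequence without touching the live tables, run it as `IPT=echo sh ./iptables start`; the printed lines should begin with the three -P policy calls and end with the explicit DROP. As aru and Counterspy say, the real test is still an nmap from a host on the far side of the firewall.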

You can also use a good front-end, and save editing config files by hand for projects that are a little more cutting edge [read: fun]

 

http://www.simonzone.com/software/guarddog/

 

There are many good firewall programs that are highly configurable. Aru is right, though:

IMHO that stuff is not really important, but it is very useful to interact with iptables as if it were another daemon, in order to start it, stop it, check its status, and so on...

 

So my advice to you is to study the original script and edit your own rules. Normally you'll only need to edit/create some variables, and surely you'll need to hack the start() function.
