DoctorKaos Posted January 19, 2003

When iptables gets installed, a shell script called "iptables" is installed in /etc/rc.d/init.d/. Now, I know squat about shell scripting, but I know enough to know that that shell script is responsible for re-setting your iptables (netfilter) firewall to "non-existent" mode every time you reboot:

INPUT - ACCEPT
FORWARD - ACCEPT
OUTPUT - ACCEPT

That means I might as well have no firewall. So, I've been struggling to find ways to make iptables fully active at reboot. I have followed howtos' instructions step by step. Done it all by the book, but typically enough for me, the more documentation I read, the more confused I get. I've messed around with that damn script to make it initialize another iptables script (the actual set of rules which are supposed to sit in /etc/sysconfig/), but to no avail.

So I got tired of it, and wrote a really nice set of iptables rules (now that I know about them!). I put the ol' bin/sh at the top of the page, made the file executable, put it in a folder and double-clicked it whenever I had to. That worked, but it left an open gap of a few seconds (an eternity!) during and after boot. So finally I got tired of that as well, and yanked that original iptables shell script out of /etc/rc.d/init.d/ and replaced it with my own iptables set of rules. Now, whenever I reboot, iptables is up and ready when Linux fires up my eth's.

My problem is that now I'm wondering if this was the right thing to do. Doing "iptables -L" shows my set of rules in all their glory, but still, nagging doubts persist. There was a lot of stuff in that original "iptables" shell script, and I wonder if, by removing it, I haven't created other problems??? So, IS that original iptables shell script absolutely necessary?
Counterspy Posted January 19, 2003

I can't tell you about the script, but you can run nmap to scan your machine. See man nmap for the appropriate switches.

Counterspy
aru Posted January 19, 2003

> So, IS that original iptables shell script absolutely necessary?

Of course not. If you have written another that will do it better, then you don't need the original one. For example, I'm used to replacing the iptables script with my own set of rules.

> I can't tell you about the script but you can run nmap to scan your machine. See man nmap for the appropriate switches.

That test will work only if you use nmap from a foreign machine placed in the "outside" world of the firewall (i.e. from the Internet). Notice that if you run nmap from your LAN or even from your localhost, many rules of the firewall aren't exercised, so a local nmap test is useless. If you have no way to do that test yourself, you can always try a security test from sites like http://grc.com (there are many, but I can't remember their names right now, so to be sure test as many as you find).
DoctorKaos Posted January 19, 2003

Thanks Counterspy and aru. I will get a friend to do an nmap scan.

aru, about the script: the thing is that my own script contains only rules; no shell script stuff other than the bin/sh at the top of the file. The original iptables script had a lot of shell script stuff. That is what bothers me. Is all that shell script stuff necessary for the proper workings of iptables?
aru Posted January 19, 2003

> aru, about the script; The thing is that my own script contains only rules; no shell script stuff other than the bin/sh at the top of the file. The original iptables script had a lot of shell script stuff. That is what bothers me. Is all that shell script stuff necessary for the proper workings of iptables?

IMHO that stuff is not really important, but it is very useful to interact with iptables as if it were another daemon, in order to start it, stop it, check its status, and so on... So my advice to you is to study the original script and edit in your own rules. Normally you'll only need to edit/create some variables, and surely you'll need to hack the start() function. You can safely leave all the other functions and the case statement as they are.
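The kind of script aru describes, written out as an added example (this is not the original Red Hat init script and not code from anyone in this thread): a few variables at the top to edit, the rules kept together so start() can apply them, and the stop/status/restart plumbing left around them. The iptables path, the interface name eth0 and the open TCP ports are assumptions; the rules() function only prints the rule set, so you can review it with `./iptables-rules rules` before running `start` as root.

```shell
#!/bin/sh
# Hypothetical replacement for /etc/rc.d/init.d/iptables (added example).
# The rule set lives in rules(); start() applies it; the other functions are
# the "daemon-like" plumbing (stop/status/restart) that the thread talks about.

# --- Variables a reader would edit (assumed values, not from the thread) ---
IPTABLES="${IPTABLES:-/sbin/iptables}"   # path to the iptables binary
EXT_IF="${EXT_IF:-eth0}"                 # interface facing the Internet
TCP_OPEN="${TCP_OPEN:-22}"               # TCP ports to allow in, space-separated

# Print the rule set, one rule per line, without touching the kernel.
# Keeping the rules separate from the code that applies them makes the
# policy easy to read, diff and test.
rules() {
    # Default-deny on INPUT and FORWARD; the stock init script leaves all
    # three policies at ACCEPT, which is the "no firewall" state described above.
    echo "-P INPUT DROP"
    echo "-P FORWARD DROP"
    echo "-P OUTPUT ACCEPT"
    # Loopback traffic and replies to connections this host initiated.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Explicitly allowed services on the external interface.
    for port in $TCP_OPEN; do
        echo "-A INPUT -i $EXT_IF -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log (rate-limited) what the DROP policy is about to refuse, so denied
    # connections show up in syslog instead of disappearing silently.
    echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix iptables-denied:"
}

# Number of rules start() will apply; handy for a sanity check.
rule_count() {
    rules | wc -l | tr -d ' '
}

# Flush every chain and return the policies to the permissive default.
flush() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
}

start() {
    echo "Applying firewall rules"
    flush
    rules | while read -r rule; do
        # Word-splitting $rule into arguments is intended here.
        $IPTABLES $rule
    done
}

stop() {
    echo "Flushing firewall rules"
    flush
}

status() {
    $IPTABLES -L -n -v
}

# The case statement every init script carries; returns 1 on a bad verb.
main() {
    case "$1" in
        start)   start ;;
        stop)    stop ;;
        restart) stop; start ;;
        status)  status ;;
        rules)   rules ;;
        *) echo "Usage: $0 {start|stop|restart|status|rules}" >&2; return 1 ;;
    esac
}

# Dispatch only when run with an argument; sourcing the file just defines
# the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Only `start`, `stop` and `restart` need root; `rules` is safe to run as any user and is the part to check after editing. Adding a port is a change to one variable rather than to the script logic, which is what aru means by editing variables and leaving the rest alone.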
DoctorKaos Posted January 19, 2003

Thanks for your advice. One more question, if I may impose: where would I find the documentation about "...edit/create some variables, and ...to hack the start() function"? 'Coz that's martian to me. I'm not bad at writing iptables rules, but "variables & functions" is way over my head.
aru Posted January 19, 2003

hehehe, it's not that much ;) You can start with the Bash Programming HOWTO; then go to the valuable Advanced Bash-Scripting Guide; and finally master all this stuff with the Bash Reference Manual :D
DoctorKaos Posted January 20, 2003

Thanks a lot aru. All is good now!
ezroller Posted January 20, 2003

You can also use a good front-end, and save editing config files by hand for projects that are a little more cutting edge [read: fun]: http://www.simonzone.com/software/guarddog/

There are many good firewall programs that are highly configurable. Aru is right though:

> IMHO that stuff is not really important but is very useful to interact with iptables as if it was an other daemon in order to start it, stop it, check its status, and so on... So my advice to you is to study the original script and edit your own rules. Normally you'll only need to edit/create some variables, and surely you'll need to hack the start() function.