Thread: how to load iptables configuration on boot?

  1. #1

    Default how to load iptables configuration on boot?

    Hi there!

    I have a question regarding loading iptables configuration at boot.

    I have made some changes to the iptables on my suse 10.3, and I'm trying to have those changes reloaded automatically every time I reboot.

    So what I did was that I saved the changes to a file called iptables.1 and then I put this command in /etc/rc.d/boot.local

    iptables-restore -c < /etc/sysconfig/iptables.1

    But after the restart when I type this command:

    iptables -L INPUT

    I should see the changes I've made to iptables, but they don't seem to have loaded.

    I tried putting these two lines in /etc/rc.d/boot.local:

    iptables-restore -c < /etc/sysconfig/iptables.1
    iptables -L INPUT

    And during the bootup I can see the output from iptables -L INPUT, and it shows that the changes that I made to iptables are restored. But for some reason iptables seems to load some default configuration sometime during the boot, and after that I use the iptables-restore command.

    Now I tried making a script and putting it in /etc/rc.d/, then enabling it in "System Services (Runlevel)" in YaST, set to run on runlevel 5. This had no effect and iptables just loaded some default settings again.

    Anyone know how I can properly save and reload the iptables configuration on each reboot? Or even how I can overwrite the default settings which it seems to load every time?


    p.s. my first post here, so hi there folks!

    regards
    Frmann Kjerlf
    lazytown.com

  2. #2

    Default Re: how to load iptables configuration on boot?

    Probably your changes are being overwritten by SuSEfirewall2 which is started later. You should try to work within that firewall framework, or disable it.

  3. #3

    Re: how to load iptables configuration on boot?

    Have you tried Guarddog?

    It's available in the network utilities repository.

    It should be easier to configure a profile with that.
    ...keep thinking...

  4. #4

    Default Re: how to load iptables configuration on boot?

    I'm planning to use SSHBLOCK or SSHDFILTER to automatically block ip's that are hammering my ssh port trying to bruteforce their way in (by guessing the username/password).

    I believe that both these programs use iptables to block the ip.

    I'm wondering, would it be safe to turn off the firewall? I'm running a home network where I trust all my users. The only ports that are forwarded to the outside are port 22 and port 80. Sounds to me that the firewall isn't serving any purpose?

    regards
    Frmann

  5. #5

    Default Re: how to load iptables configuration on boot?

    You can avoid such hits by moving the ssh port to some other value. This can be done with the portforwarding rule at your perimeter firewall so that you can continue to use port 22 on your LAN. Even better still if you can switch to public key authentication but this requires you to have the public key whenever you want to connect from the outside.

    You're probably ok to use the perimeter firewall only. Just keep an eye on the webserver for app weaknesses.

  6. #6

    Default Re: how to load iptables configuration on boot?

    Hi

    There is an option in /etc/sysconfig/SuSEfirewall2 (FW_CUSTOMRULES) which allows you to specify a file which contains custom firewall rules. It is recommended to edit /etc/sysconfig/scripts/SuSEfirewall2-custom and add your custom rules there.

    As an alternative to the methods mentioned above (public key authentication, using a different port) you can use port knocking, but maybe this makes use in the local network more uncomfortable.

  7. #7
    amroczkowski NNTP User

    Default Re: how to load iptables configuration on boot?

    - write a bash script with your iptables rules
    (don't forget to add rules for the lo interface),
    - cp <yourscriptname> /etc/init.d,
    - insserv <yourscriptname>.

    chkconfig --list | grep <yourscriptname>

  8. #8

    Default Re: how to load iptables configuration on boot?

    hi,
    I just spent a day trying to get openSUSE 11.0 to load some custom iptables settings in conjunction with the SuSEfirewall at boot. I've got it working now so I thought I'd share:

    1. forget about trying to set up a script to run like a service with chkconfig. It just won't work (even with S99!). I suspect the firewall flushes the settings later, after these rc.d scripts are executed, it's not clear how or why the settings get ignored but trust me - they will be ignored.

    2. You'll need to edit /etc/sysconfig/scripts/SuSEfirewall2-custom. Put the custom iptables commands where appropriate, details are given in the file itself. Do read what is in the file because there is no man page for this.

    3. Edit
    Code:
     /etc/sysconfig/SuSEfirewall2
    and change
    Code:
     FW_CUSTOMRULES=""
    to
    Code:
     FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

    What I wanted this for was to get postfix to listen on another port as well as 25. Fiddling with postfix itself can produce an open relay and so is not advised. A more elegant solution is to use iptables with the following command:
    Code:
     iptables -t nat -A PREROUTING -p tcp --dport 1025 -j REDIRECT --to-ports 25

    The three steps above show how I got the custom port mapping rule to auto-load at boot. If you don't follow the steps then the settings are lost on reboot - a common complaint.

    regards
    Matteus Blanc
    Matteus
    openSUSE 10.0 - 11.1
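    The hook file that posts #6 and #8 point at, written out as an added example (it is not the file shipped by openSUSE and not any poster's own code): a hypothetical /etc/sysconfig/scripts/SuSEfirewall2-custom that puts the REDIRECT rule from post #8 and a per-source rate limit on new SSH connections (the defensive counterpart of the brute-force problem in post #4) into the framework's own hook functions, so they are applied when SuSEfirewall2 runs instead of being flushed like the boot.local and init-script attempts of posts #1 and #7. The hook names fw_custom_before_port_handling and fw_custom_after_finished are the ones I recall from that file; check the comments in your own copy, as post #8 says. The IPT variable, the sshlimit list name and the rule_loaded helper are this example's own inventions.

```shell
#!/bin/sh
# Hypothetical /etc/sysconfig/scripts/SuSEfirewall2-custom (added example).
# Activate it with FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
# in /etc/sysconfig/SuSEfirewall2; the framework then sources this file and
# calls the fw_custom_* functions at the matching points of its own run.

# IPT is an example-only indirection: IPT=echo prints every rule instead of
# loading it, which is how the functions can be exercised without root.
IPT="${IPT:-iptables}"

# Called before SuSEfirewall2 applies its own port handling. Rate-limit new
# SSH connections per source address with the "recent" match: the 4th new
# connection from one address within 60 s is dropped. Existing sessions are
# untouched because only NEW packets are matched.
fw_custom_before_port_handling() {
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshlimit --set
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshlimit --update --seconds 60 --hitcount 4 \
        -j DROP
    true
}

# Called after SuSEfirewall2 has finished, so nothing it does can flush
# this: the port redirect from post #8 (1025 -> 25 for postfix).
fw_custom_after_finished() {
    $IPT -t nat -A PREROUTING -p tcp --dport 1025 -j REDIRECT --to-ports 25
    true
}

# Post-boot check for the problem in post #1: did the rule really survive?
# Reads an iptables-save dump from stdin and succeeds if the pattern occurs:
#   iptables-save | rule_loaded 'REDIRECT --to-ports 25'
rule_loaded() {
    grep -q -- "$1"
}

# Dry run for inspection:  sh SuSEfirewall2-custom --dry-run
if [ "${1:-}" = "--dry-run" ]; then
    IPT=echo
    fw_custom_before_port_handling
    fw_custom_after_finished
fi
```

    The check belongs in a shell after the machine is up, not in the hook file: if `iptables-save | rule_loaded 'REDIRECT --to-ports 25'` fails after a reboot, the framework did not pick up the custom file, and FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2 is the first thing to re-read.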

  9. #9

    Default Re: how to load iptables configuration on boot?

    I actually did manage to restrict login attempts here, and described it a little bit here.

    It is a little disjointed but contains the fundamentals. Perhaps this will help someone. Do think something like this should be in the wiki. Also needs updating but I suspect little has really changed.

    How To Add Additional Ip Rules To Suse Firewall - openSUSE Forums
    Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
    If I've helped click on the Rep button I don't know what it does but it sounds cool.
