Results 1 to 4 of 4

Thread: how to make iptables rules permanent?

  1. #1

    Default how to make iptables rules permanent?

    Hi there,

    I set up a squid transparent proxy and I have a problem with an iptable rules. I have a rule to redirect all request to port 80 to go on port 3128.

    To do so, I'm using this iptables command :

    Code:
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    This command is working like a charm. The only problem is, for some unknown reasons, this rule will be dropped at some point.

    I did not manage to identify what is causing this to happen. It usually occurs during night, but I have nothing about that in my log files. (messages / firewall / ...)

    The only way I managed to reproduce this 'dropping' is this one:

    I type the command like as root. The command is effective and working fine.

    I open yast, I go to the firewall module, the I do a simple "save changes and restart firewall" (without changing anything).

    As soon as this process is finished, the iptables rule is gone.

    So the question is :

    -How can I make this rule permanent ?
    -Is there a place where I can launch a script executing this rule, after the yast firewall module is 'touched' or something ?

    thanks a lot in advance for your answers and sorry for my english

    Cheers,
    licks0re

  2. #2

    Default Re: how to make iptables rules permanent?

    Read /etc/sysconfig/SuSEfirewall2, especially on REDIRECT rules and use SuSEfirewall2 itself for that task.
    Never attribute to malice that which can be adequately explained by stupidity. (R.J. Hanlon)

  3. #3
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,941
    Blog Entries
    4

    Default Re: how to make iptables rules permanent?

    You must understand that iptables rules are only stored temporarily in the running kernel and disappear when the OS is shutdown. Any rules you want to be activated at boot must be specified in the initialisation. When you restart the firewall service, it flushes all the rules in the kernel and reloads the ones in the initialisation script, which will not have your rule. Therefore you should add your rule to the standard set rather than insert a rule manually and expect it to persist.

    You can edit the firewall rules using YaST. If that does not cater for you needs, you can edit /etc/sysconfig/SuSEfirewall2. It is well commented. After editing, restart the firewall from YaST.

    PS: The firewall rules probably got flushed and reloaded when your network interface address changed, e.g. you are using DSL. There are other situations where this reload happens. It doesn't cause a problem if your rule is added to the configuration.

  4. #4

    Default Re: how to make iptables rules permanent?

    Quote Originally Posted by Akoellh View Post
    Read /etc/sysconfig/SuSEfirewall2, especially on REDIRECT rules and use SuSEfirewall2 itself for that task.
    Of course. To be honnest, I've been 'browsing' a *lot* of files, but not this one. I wasn't aware this was the one to edit. Anyway, I found the redirection section, set my rule there and.. *it works*. Thank you for the tips!



    Quote Originally Posted by ken_yap View Post
    You must understand that iptables rules are only stored temporarily in the running kernel and disappear when the OS is shutdown. Any rules you want to be activated at boot must be specified in the initialisation. When you restart the firewall service, it flushes all the rules in the kernel and reloads the ones in the initialisation script, which will not have your rule. Therefore you should add your rule to the standard set rather than insert a rule manually and expect it to persist.

    You can edit the firewall rules using YaST. If that does not cater for you needs, you can edit /etc/sysconfig/SuSEfirewall2. It is well commented. After editing, restart the firewall from YaST.

    PS: The firewall rules probably got flushed and reloaded when your network interface address changed, e.g. you are using DSL. There are other situations where this reload happens. It doesn't cause a problem if your rule is added to the configuration.
    Indeed, that was the file to look into. This is done and the rule is now working, thanks also for your suggestion. I understood the rule was loaded into memory, then flushed somehow. I was thinking there was some kind of place to put a script to read custom iptable rules, after the firewall is launched or sth, but.. yeah, that was pretty.. an ugly thing to do. I'm using a fixed ip, I really have no clue about what was happenning, but I don't need to know now.

    A BIG thank you both of you for your precious suggestions and very prompt replies.

    Cheers,
    licks0re

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •