Re: Iptables not saving...

Be advised that top posting, and using HTML, is a sure-fire way to avoid
getting help on a mailing list. There may well be someone out there who
might have the answer to all your woes, but dumps any messages posted
that way.

On Sun, 2006-04-23 at 09:34 -0400, Devon Harding wrote:
> The reason I want the chains saved, is because I'm using sshdblackd
> (http://www.sshblack.com) to block failed ssh attempts on my box.

Considering this snippet from the website (below), I'm not sure that
saving the tables is a necessary step, nor perhaps even a good one.

"The blacklist is simply a list of source IP addresses that are
prohibited from making ssh connections to the protected host. Once a
predetermined amount of time has passed, the offending IP address is
removed from the blacklist."

> Here is everything that I did manually...
>
> [root@mars ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT all -- anywhere anywhere
> BLACKLIST tcp -- anywhere anywhere tcp dpt:ssh
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain BLACKLIST (1 references)
> target prot opt source destination
> DROP all -- uo82.internetdsl.tpnet.pl anywhere

If you're trying to keep a tight rein on SSH, I'd expect you to only
allow it through a range of predetermined IPs, even if you are taking
this approach of automatically blackbanning some IPs.


> [root@mars ~]# cat /etc/cron.hourly/iptables.cron
> #!/bin/sh
> /sbin/iptables-save >/dev/null 2>&1

As you should see from your next sample output, iptables-save dumps to
standard out. You want to direct its output to where iptables normally
keeps its rules, otherwise you'll be "saving" nothing.

If FC5 still uses the same place as FC4, I think you'll want to use the
iptables-save command more like how I mentioned it near the bottom of my
prior posting.

e.g.

#!/bin/sh
/sbin/iptables-save > /etc/sysconfig/iptables

Though, I think you could avoid having to do that just by having
iptables save its configuration at shutdown. At next bootup, it'll pick
up from there, without needing a regular save.

> [root@mars ~]# /sbin/iptables-save
> # Generated by iptables-save v1.3.5 on Sun Apr 23 09:24:51 2006
> *filter
> :INPUT ACCEPT [19025:2595521]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [691823:184550717]
> :BLACKLIST - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i lo -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
> -A BLACKLIST -s 80.55.144.82 -j DROP
> COMMIT
> # Completed on Sun Apr 23 09:24:51 2006

*Showing* you what it *would* save. You have to direct its output to a
file to really save it.

> [root@mars ~]# cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.3.5 on Sun Apr 23 09:01:15 2006
> *filter
> :INPUT ACCEPT [18650:2543690]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [690115:184341112]
> :BLACKLIST - [0:0]
> [664430:180357913] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> [3365:200808] -A INPUT -i lo -j ACCEPT
> [6:360] -A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
> [3:180] -A BLACKLIST -s 80.55.144.82 -j DROP
> COMMIT
> # Completed on Sun Apr 23 09:01:15 2006

At this point you should notice that the saved configuration is not the
same as your example above it. The saved configuration is something
that was saved beforehand.

But here (below) you're striking another problem:

> [root@mars ~]# reboot
>
> Last login: Sun Apr 23 09:20:19 2006 from pluto.domain.com
> [root@mars ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination

Are you running more than one firewall program? Some can fight with
each other.

It might be worth trying turning that IPTABLES_SAVE_ON_RESTART="yes"
back to "no", in case there's a fault where a "start" gets treated the
same as a "restart", and saves empty tables.

--
(Currently running FC4, occasionally trying FC5.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
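The save-to-file step the reply recommends, with a guard against the "saves empty tables" fault it suspects, as an added shell example that is not part of the thread or of sshblack: the dump command and destination path are parameters so it can be exercised without root, and the two sample dumps are constructed stand-ins for iptables-save output.

```shell
#!/bin/sh
# Added example, not from the thread: save the live ruleset the way the
# reply describes (redirect iptables-save into the file the init script
# reads) but through a temp file, and refuse to overwrite the stored
# rules with a flushed/empty dump like the one seen after the reboot.
# Assumptions: /etc/sysconfig/iptables is the Fedora ruleset path; the
# dump command and path are parameters so the function can be tested.

# save_rules DUMP_CMD RULES_FILE
save_rules() {
    dump_cmd=$1
    rules_file=$2
    tmp="${rules_file}.tmp.$$"
    if ! $dump_cmd > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; echo "save_rules: dump failed" >&2; return 1
    fi
    # A valid dump has at least one table header and a COMMIT line.
    if ! grep -q '^\*' "$tmp" || ! grep -q '^COMMIT$' "$tmp"; then
        rm -f "$tmp"; echo "save_rules: malformed dump" >&2; return 2
    fi
    # No -A lines means the tables were flushed (e.g. mid-restart);
    # keeping the previous file is safer than saving an empty policy.
    if ! grep -q '^-A ' "$tmp"; then
        rm -f "$tmp"; echo "save_rules: empty ruleset, not saved" >&2; return 3
    fi
    chmod 600 "$tmp" && mv "$tmp" "$rules_file"
}

# Constructed stand-ins for /sbin/iptables-save output (not real captures).
fake_dump_full() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:BLACKLIST - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j BLACKLIST
-A BLACKLIST -s 192.0.2.10 -j DROP
COMMIT
EOF
}
fake_dump_empty() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
COMMIT
EOF
}
```

On a real box the hourly cron job would call `save_rules /sbin/iptables-save /etc/sysconfig/iptables`; a dump with no rules leaves the previously saved file untouched and exits non-zero.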