Re: [opensuse] iptables config file and reboot
- From: Verner Kjærsgaard <vk@xxxxxxxxxxxxx>
- Date: Wed, 30 May 2007 15:12:56 +0200
On Wednesday 30 May 2007 17:42, Stephan Schöffel wrote:
Hi there,
In 10.2 I switched off the firewall using YaST. When I run iptables -L
now it shows the following (as I wanted):
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
If I make a change manually now it will work, but only until I reboot the
computer. How can I save the configuration and make SUSE use it
automatically? I tried iptables-save > /etc/sysconfig/iptables but it
won't work either.
Any hints?
gtx
Stephan
Hi
I suggest that you use a standard template, put it into /etc/init.d/ and link
to it from /etc/init.d/rc3.d and /etc/init.d/rc5.d.
I once made a thing like that; it allowed me to "start/stop/status" it...
Here goes:
#!/bin/sh
#
# Shell functions sourced from /etc/rc.status:
#   rc_check          check and set local and overall rc status
#   rc_status         check and set local and overall rc status
#   rc_status -v      be verbose in local rc status and clear it afterwards
#   rc_status -v -r   ditto and clear both the local and overall rc status
#   rc_status -s      display "skipped" and exit with status 3
#   rc_status -u      display "unused" and exit with status 3
#   rc_failed         set local and overall rc status to failed
#   rc_failed <num>   set local and overall rc status to <num>
#   rc_reset          clear both the local and overall rc status
#   rc_exit           exit appropriate to overall rc status
#   rc_active         checks whether a service is activated by symlinks
. /etc/rc.status

# Reset status of this service
rc_reset

### General variables
EXT_IF=eth1
EXT_IP=10.11.12.106
INT_IF=
INT_IP=

case "$1" in
    start|restart|reload)
        echo -n "Starting Firewall "
        ### Kernel settings: SYN cookies, ignore broadcast pings and bogus ICMP errors
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
        ### Do not accept ICMP redirects on any interface
        for f in /proc/sys/net/ipv4/conf/*/accept_redirects
        do
            echo 0 > $f
        done
        ### Block source routed packets
        for f in /proc/sys/net/ipv4/conf/*/accept_source_route
        do
            echo 0 > $f
        done
        ### default policy (set before flushing, so nothing slips through meanwhile)
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        iptables -P FORWARD DROP
        ### flush existing rules
        iptables -F
        iptables -t nat -F
        iptables -X
        ### Allow to and from loopback
        iptables -A OUTPUT -o lo -j ACCEPT
        iptables -A INPUT -i lo -j ACCEPT
        ### Drop all invalid packets
        ### INPUT chain first
        iptables -A INPUT -m state --state INVALID -j DROP
        ### OUTPUT chain next
        iptables -A OUTPUT -m state --state INVALID -j DROP
        ### INPUT chain
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        ### OUTPUT chain
        iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        ### SSH input, state checking
        iptables -A INPUT -i $EXT_IF -p TCP --dport 22 -m state --state NEW -j ACCEPT
        ### SSH output, state checking
        iptables -A OUTPUT -p TCP -o $EXT_IF --dport 22 -m state --state NEW -j ACCEPT
        ### Allow PING IN/OUT
        iptables -A INPUT -p ICMP -i $EXT_IF -j ACCEPT
        iptables -A OUTPUT -p ICMP -o $EXT_IF -j ACCEPT
        ### Allow query to DNS
        iptables -A OUTPUT -p UDP -o $EXT_IF --dport 53 -j ACCEPT
        iptables -A INPUT -p UDP -i $EXT_IF --sport 53 -j ACCEPT
        ### Allow SSH to me
        #iptables -A INPUT -p TCP -i $EXT_IF --dport 22 -j ACCEPT
        #iptables -A OUTPUT -p TCP -o $EXT_IF --sport 22 -j ACCEPT
        ### Allow outgoing SSH
        #iptables -A INPUT -p TCP -i $EXT_IF ! --syn --sport 22 -j ACCEPT
        #iptables -A OUTPUT -p TCP -o $EXT_IF --dport 22 -j ACCEPT
        ### Allow browsing the web
        iptables -A INPUT -p TCP -i $EXT_IF ! --syn --sport 80 -j ACCEPT
        iptables -A OUTPUT -p TCP -o $EXT_IF --dport 80 -j ACCEPT
        ### Do some logging of dropped packets
        iptables -A INPUT -j LOG --log-prefix "VK INPUT-DROP "
        ### Reject packets instead of dropping...
        iptables -A INPUT -p TCP -j REJECT --reject-with tcp-reset
        ### Allow TCP packets with exactly ACK,RST set to go out from our computer
        iptables -A OUTPUT -p TCP -o $EXT_IF --tcp-flags ALL ack,rst -j ACCEPT
        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down Firewall "
        iptables -F
        iptables -t nat -F
        iptables -X
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        # Remember status and be verbose
        rc_status -v
        ;;
    status)
        echo "Current Firewall Rules "
        echo "---------------------- "
        iptables -v -L -n
        echo ""
        echo "Current iptables rules in NAT table"
        echo "-----------------------------------"
        iptables -v -n -t nat -L
        echo ""
        rc_status -v
        ;;
    *)
        echo "Usage: $0 {start|restart|reload|stop|status}"
        exit 1
        ;;
esac
rc_exit
--
-------------------------------------------------------------------------
Kind regards/Best regards
Verner Kjærsgaard
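Once the init script above is in place, the thing worth checking after the next reboot is that the ruleset actually came back rather than reverting to the empty ACCEPT chains from the question. The following is an added example, not part of the thread: a small POSIX sh audit of an iptables-save dump. The function name audit_dump and the two dumps are constructed here; the checks assume the conventions of Verner's script (DROP policies on all three chains, a stateful ESTABLISHED,RELATED accept in INPUT, SSH on tcp/22 accepted in INPUT).

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump so a
# reboot that silently reverted the firewall is noticed.  Expected shape follows
# the init script above; audit_dump and both sample dumps are constructed here.

# audit_dump FILE: print one FAIL line per missing item, return 1 if any failed.
audit_dump() {
    dump=$1
    rc=0
    # Every chain of the filter table must default to DROP.
    for chain in INPUT OUTPUT FORWARD; do
        if ! grep -q "^:$chain DROP " "$dump"; then
            echo "FAIL: chain $chain does not default to DROP"
            rc=1
        fi
    done
    # Stateful return traffic must be allowed, otherwise nothing works.
    if ! grep -q -- '^-A INPUT .*--state ESTABLISHED,RELATED -j ACCEPT' "$dump"; then
        echo "FAIL: no stateful ESTABLISHED,RELATED accept rule in INPUT"
        rc=1
    fi
    # Remote administration must still be reachable.
    if ! grep -q -- '^-A INPUT .*--dport 22 .*-j ACCEPT' "$dump"; then
        echo "FAIL: SSH (tcp/22) is not accepted in INPUT"
        rc=1
    fi
    return $rc
}

# Constructed sample: what iptables-save prints after the script above ran.
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF

# Constructed sample: what the poster saw after a reboot (rules gone).
BAD=$(mktemp)
cat > "$BAD" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
# Real use: iptables-save > /tmp/rules.now && audit_dump /tmp/rules.now
```

On a live box, dump the running rules with iptables-save to a file first and pass that file; the function greps it several times, so a pipe will not do.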