[solved][iptables] startup script error

Post by ayu »

kk so I have finally started to read about iptables, and I set up some rules. But then I found out that they will be gone when I restart my computer.

So I found a good example script that I edited to start up and add my rules (/etc/init.d/iptables).

Well... the error I am getting is this:

Code:

root@clare:/etc/init.d# /etc/init.d/iptables start
bash: /etc/init.d/iptables: /bin/sh^M: bad interpreter: No such file or directory
And indeed the folder does not exist, but the other startup scripts in init.d have the same line at the top =/ well, some have "bash" instead of "sh", but I tried that as well, same problem.

And here is the script:

Code:

#! /bin/sh

IPTABLES=/usr/local/sbin/iptables

case "$1" in
start)
	echo -n "Starting IP Firewall and NAT..."
	echo "1" > /proc/sys/net/ipv4/ip_forward
	echo "1" > /proc/sys/net/ipv4/tcp_syncookies

	# Clear old rules
	$IPTABLES -X
	$IPTABLES -F
	$IPTABLES -Z

	$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
	$IPTABLES -A INPUT -j REJECT

	echo "done."
	;;
stop)
	echo -n "Stopping IP Firewall and NAT..."
	$IPTABLES -X
	$IPTABLES -F
	$IPTABLES -Z

	# Input Rules
	$IPTABLES -A INPUT -j REJECT
	$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

	echo "done."
	;;
restart)
	echo -n "Restarting IP Firewall and NAT..."
	$0 stop > /dev/null
	sleep 1
	$0 start > /dev/null
	;;
*)
	echo "Usage: $0 {start|stop|restart}"
	;;
esac
Last edited by ayu on 06 Oct 2007, 06:18, edited 3 times in total.
"The best place to hide a tree, is in a forest"


Post by bad_brain »

hm...first there is no space in line 1, it should be:

Code:

#!/bin/bash
second there is no need for that line:

Code:

IPTABLES=/usr/local/sbin/iptables
so remove it or comment it out.
but imo this script is kinda weird, there are even total nonsense lines like:

Code:

$IPTABLES -A INPUT -j REJECT
I guess it is supposed to block all traffic except the ones you allowed by the rules, but this is done with the policy settings (-P switch) and not by a rule. also REJECT is stupid because it "notifies" the sender that the packets are not accepted...using DROP is much better because it simply drops the packets without giving any feedback, so it looks like there is no system available at all.

but I would do it differently anyway, no need to use a script....
open /proc/sys/net/ipv4/tcp_syncookies and replace the 0 with a 1.
flush all iptables rules by:

Code:

iptables -F
then enter the rule:

Code:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
set the policy:

Code:

iptables -P INPUT DROP
now you have to set the rules for the incoming requests you want to allow, like apache:

Code:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
or SSH:

Code:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

when you are done save the rules into a file:

Code:

iptables-save > filename
now the rules are also loaded on startup.
when you have flushed the rules and want to restore them without wanting to reboot use the iptables-restore command:

Code:

iptables-restore < filename

:wink:


Post by ayu »

Thanks for clarifying =)

hmmm....so they aren't really flushed when I restart or what? =o

Post by bad_brain »

the rules are flushed when you restart, but when you have saved the rules by using the iptables-save command the rules are loaded from that file automatically. if you don't want this simply rename the file... :wink:

User avatar
ayu
Staff
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00
18
Contact:

Post by ayu »

So.... what does iptables-restore do then? ^^ if iptables-save saves them and then loads them automatically =/

Post by bad_brain »

with the iptables-restore command you can load the rules from a file manually...for example if you want to use the rules on another Linux box, or when you experimented a little with the rules and want to restore them again without rebooting the box... :wink:


Post by ayu »

Ok! thanks for the help ;P

Post by ayu »

Ok so it works with iptables-save and restore, but it doesn't work when I restart. It's empty when I do.

I guess it's because of "/proc/sys/net/ipv4/tcp_syncookies", it was empty. Any ideas? =/

Post by bad_brain »

I tried it on Debian Lenny and it also doesn't work there, seems this was a Sarge-specific thing.
ok, open the file:

Code:

/etc/network/interfaces
you'll see something like this:

Code:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

iface eth0 inet dhcp
name Ethernet LAN-Karte

auto eth0

iface eth1 inet static
name Ethernet LAN-Karte
address 169.254.246.62
netmask 255.255.0.0
broadcast 169.254.255.255
network 169.254.0.0

auto eth1

this is my config and I use 2 NICs, so yours looks most likely a little different....you simply have to add the following line(s) to load the iptables rules when the NICs are initialized:

Code:

pre-up iptables-restore < /path/to/iptables-save-file
it looks like this for example:

Code:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

iface eth0 inet dhcp
name Ethernet LAN-Karte
pre-up iptables-restore < /root/tables_save
auto eth0

iface eth1 inet static
name Ethernet LAN-Karte
address 169.254.246.62
netmask 255.255.0.0
broadcast 169.254.255.255
network 169.254.0.0
pre-up iptables-restore < /root/tables_save
auto eth1
make sure you put the line(s) in the right place as shown above, and remember you have to use it for each NIC.

reboot, and enjoy.... :wink:

p.s. here is the save-file of my home server, maybe you find it interesting:

Code:

# Generated by iptables-save v1.2.7a on Wed Jun 14 21:15:10 2006
*mangle
:PREROUTING ACCEPT [639586:148735663]
:INPUT ACCEPT [639586:148735663]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [676850:434064387]
:POSTROUTING ACCEPT [676850:434064387]
COMMIT
# Completed on Wed Jun 14 21:15:10 2006
# Generated by iptables-save v1.2.7a on Wed Jun 14 21:15:10 2006
*filter
:INPUT DROP [13448:792266]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [676850:434064387]
-A INPUT -m state --state ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -d 127.0.0.1 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
COMMIT
# Completed on Wed Jun 14 21:15:10 2006
Last edited by bad_brain on 06 Oct 2007, 06:20, edited 1 time in total.
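As an added example (not bad_brain's or ayu's code), the procedure from the reply above and the save-file format shown in this post turned into two POSIX sh functions: build_ruleset writes an iptables-save style *filter table with an INPUT policy of DROP, the ESTABLISHED,RELATED rule and one ACCEPT per allowed TCP port, and audit_ruleset checks a save file for the pitfalls discussed in this thread (policy not DROP, REJECT rules, an unconditional ACCEPT, missing COMMIT) before it is handed to iptables-restore. The loopback rule, the FORWARD policy and the port numbers are assumptions of mine, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. build_ruleset writes a *filter table in
# iptables-save format following the steps above: state rule, INPUT policy DROP,
# one ACCEPT per allowed TCP port. audit_ruleset checks a save file for the
# problems discussed in this thread before it is handed to iptables-restore.
# The loopback rule, the FORWARD policy and the port numbers are assumptions.

# build_ruleset PORT... -> prints the ruleset on stdout
build_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # same effect as "iptables -P INPUT DROP"
    printf '%s\n' ':FORWARD DROP [0:0]'    # assumption: this box does not route
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'   # local services keep working under DROP
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# audit_ruleset FILE -> exit status 0 if the file looks safe to restore, 1 otherwise;
# every finding is printed on its own line
audit_ruleset() {
    rc=0
    if ! grep -q '^:INPUT DROP' "$1"; then
        echo "INPUT policy is not DROP: unmatched packets are accepted"; rc=1
    fi
    if grep -q -- '-j REJECT' "$1"; then
        echo "REJECT rule present: tells the sender a host is there, DROP does not"; rc=1
    fi
    if grep -q -- '^-A INPUT -j ACCEPT *$' "$1"; then
        echo "unconditional ACCEPT on INPUT: every packet gets in"; rc=1
    fi
    if ! grep -q '^COMMIT' "$1"; then
        echo "missing COMMIT: iptables-restore would not apply the table"; rc=1
    fi
    return $rc
}

# Demo: a ruleset that allows SSH and HTTP, audited before use
out=$(mktemp)
build_ruleset 22 80 > "$out"
if audit_ruleset "$out"; then
    cat "$out"          # this is the file you would save and restore
fi
rm -f "$out"
```

On a box with a recent iptables, `iptables-restore --test file` (run as root) additionally lets iptables itself parse the file without applying it, before you point the `pre-up` line at it.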


Post by ayu »

You saved me once again ^^

Thanks mate =) works great now ^^