How to sensibly start IPtables ?

What you could have is a script which uses basename to get the name it was called by. Example: fn=$(basename "$0")

You then make two links in the same directories as the S10network link.

Example:
cd /etc/rc.d/rc3.d/
ls -s /etc/rc.d/init.d/my_iptable_rules S10before_net
ls -s /etc/rc.d/init.d/my_iptable_rules S10network_up

Now ls S* shows something like S10before_net S10network S10network_up, which indicates the order in which they will execute when the system boots.

Now my_iptable_rules could have a test like

if [ "$fn" = S10before_net ] ; then (load iptable with a restricted set of rules here) fi

if [ "$fn" = S10network_up ] ; then (load iptable with some more rules here) fi

Reply to
Bit Twister
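Bit Twister's two-link idea above, together with Erik's concern elsewhere in the thread that named's port 53 must be open before ntpd tries to resolve time-server names, worked through as one complete init script. This is an added example, not code from the thread: the link names S10before_net and S10network_up follow the post, while eth0/eth1 as outside/LAN interfaces, the services opened in phase 2, and the IPTABLES_DRYRUN switch (print each iptables call instead of running it) are assumptions made for the example.

```sh
#!/bin/sh
# /etc/rc.d/init.d/my_iptable_rules
#
# One script, linked twice into rc3.d so it runs once before S10network
# (as S10before_net) and once after it (as S10network_up). Which rule set
# is loaded is decided from the name the script was invoked through.
#
# Assumptions not taken from the thread: the two link names above, eth0 as
# the outside interface and eth1 as the LAN side, and IPTABLES_DRYRUN=1,
# which prints each iptables call instead of executing it so the script
# can be exercised without root or a kernel with netfilter.

IPTABLES=${IPTABLES:-/sbin/iptables}

# Execute one iptables invocation, or print it when IPTABLES_DRYRUN=1.
ipt() {
    if [ "${IPTABLES_DRYRUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Map the link name the script was called by to a phase name.
phase_for_name() {
    case "$1" in
        S10before_net) echo before_net ;;
        S10network_up) echo network_up ;;
        *)             echo unknown ;;
    esac
}

# Phase 1, before the interfaces come up: flush, default-deny on every
# chain, then loopback and already-established traffic only. Nothing that
# S10network brings up is reachable until phase 2 opens it, so the box
# fails closed if phase 2 never runs.
load_before_net() {
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Phase 2, after S10network: open only the services this box serves.
# DNS is listed first because later init scripts (ntpd resolving its
# server names) depend on it; outbound DNS from the box itself is already
# covered by the OUTPUT NEW rule from phase 1.
load_network_up() {
    ipt -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT    # named, LAN clients
    ipt -A INPUT -i eth1 -p tcp --dport 53 -j ACCEPT    # named, large answers
    ipt -A INPUT -i eth1 -p udp --dport 123 -j ACCEPT   # ntpd, LAN clients
    ipt -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT    # sshd, LAN only
    ipt -A FORWARD -i eth1 -o eth0 -j ACCEPT            # LAN -> outside
    ipt -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Load the rule set for a phase; an unknown name loads nothing and fails.
apply_phase() {
    case "$1" in
        before_net) load_before_net ;;
        network_up) load_network_up ;;
        *) echo "my_iptable_rules: unknown phase '$1', loading nothing" >&2
           return 1 ;;
    esac
}

# Dispatch on the link name. Under any other name (run by hand, or
# sourced to test the functions above) nothing is loaded.
case "$(basename "$0")" in
    S10before_net|S10network_up)
        apply_phase "$(phase_for_name "$(basename "$0")")" ;;
esac
```

The links are created with ln -s (the post's ls -s is corrected later in the thread). Running phase 1 first matters more than it looks: the policies go to DROP before any interface exists, so a service that S10network starts cannot be reached in the window before S10network_up, and a typo in phase 2 leaves the box closed rather than open. Check what each link would load with IPTABLES_DRYRUN=1 /etc/rc.d/rc3.d/S10network_up before rebooting.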

You are correct, should have been ln.

Frap, there goes all my gold stars for the week. :(

I had already disconnected fingers from brain while forming the next paragraph in my head.

Thank you for the correction.

Reply to
Bit Twister

I have an RH9 Linux system running as Router/FW, with IPTables 1.2.9 on it, running happily.

Would the following be a sound idea, as to maintainability of the IPTables rules and the effectiveness and security of the FW:

Immediately after the running of a script in /etc/rc3.d, a partial IPTables script must run to open up the FW for any necessary ports/protocols/etc. related to that /etc/rc3.d script.

Example and problem:

Just after running the /etc/rc.d/init.d/named script, the FW must be opened for protocol UDP/port 53. If it is not opened, the subsequent ntpd script would not work, for it opens the FW for a few timeservers given not by IP number but by FQN. And it would log a few packet refusals if not opened immediately.

The same goes for other servers that need specific ports open (or, more generally, need specific IPTables rules to be effective): samba, apache, sendmail...

For this, I would make a parallel directory for the partial IPTables scripts (e.g. /etc/rc.d/iptables/S08named), which would be controlled by a mechanism incorporated in the /etc/rc.d mechanism (S08named things).

Question is, how would I incorporate this parallel mechanism in the startup scripts, and where?

fr gr Erik

Reply to
Erik

ls = ln ?

thnx Erik

Reply to
Erik

details...

Wanted to make sure. Such is the cross we have to carry: colons and semicolons...

thnx for the suggestions. Worth a few stars to me :-)

Erik

Reply to
Erik

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.