From: Joel Newkirk <netfilter@newkirk.us>
To: Arnt Karlsen <arnt@c2i.net>, netfilter@lists.netfilter.org
Subject: Re: Help in IPTABLES
Date: Mon, 13 Jan 2003 15:30:14 -0500
Message-ID: <200301131530.14106.netfilter@newkirk.us>
In-Reply-To: <20030112090122.3e9a3bc8.arnt@c2i.net>

On Sunday 12 January 2003 03:01 am, Arnt Karlsen wrote:

> ..the wee point I was trying to make, is an iptables firewall is
> vulnerable while it is being set up, so echo "0" first to stop
> forwarding, set up the firewall, and echo "1" at the end of the
> script to start forwarding again, a wee nit into your helpful
> responses to him.

I do this myself in my script, but believe there is an additional 
solution, at least for some distros:

I'm running RedHat 7.3, and so everything runs off SysV-Init.  I was 
greatly bothered by the fact that the S07iptables startup link would get 
run quite a bit (well, a few seconds at least :^) before my firewall 
would.  Changing my firewall to a lower number in the sequence wouldn't 
work easily, since I'm on a Dynamic IP at the moment and had to start up 
ADSL to get the IP, since I use it 'statically' in SNAT.  It also would 
need (or at least want) syslog up and running.  Couldn't easily move 
ADSL up in the sequence, since it depended on networking in general.  
Everything is pretty much fixed in the sequence it already starts in.

Then it occurred to me:  Modify the /etc/init.d/iptables script to set 
DROP policies, instead of the horribly shortsighted ACCEPT default it 
uses.  As soon as this occurred to me I changed it, and I feel much more 
comfortable now, knowing that if the whole startup collapses right after 
iptables and network scripts, I'm still not wide open.

My sequence now is 
iptables->ip6tables->network->syslog->ADSL->firewall->ip6firewall->freenet
(freenet is the startup for the IPv6inIPv4 tunnel)

I modified the /etc/init.d/iptables script to set DROP policies in both 
the 'start' and 'stop' functions.

Despite being more comfortable with this, I'd like to hear if anyone sees 
a hole in my reasoning.

j
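The two practices discussed in this thread, disabling forwarding around the rebuild and making the init script's start/stop actions leave DROP policies rather than the distro's ACCEPT defaults, fit together in one script. The following is an added example written for this page, not Joel's or Red Hat's script. Everything beyond the ordering is an assumption: LAN on eth0, ADSL on ppp0, a constructed SNAT address in the 203.0.113.0/24 documentation range, a DRY_RUN switch (on by default) that prints the commands instead of executing them, and sysctl(8) in place of echoing into /proc.

```shell
#!/bin/sh
# Added example (not the script from the mailing-list message): a fail-closed
# iptables start/stop skeleton.  Assumptions not taken from the message: LAN on
# eth0, ADSL on ppp0, SNAT address 203.0.113.10 (constructed, documentation
# range), and a DRY_RUN switch that prints commands instead of running them
# (default on, so the ordering can be inspected without root).
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}
LAN_IF=${LAN_IF:-eth0}
WAN_IF=${WAN_IF:-ppp0}
WAN_IP=${WAN_IP:-203.0.113.10}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# The state the box must be in while the ruleset is being (re)built.  It is
# also what the init script's 'stop' action should leave behind: closed.
fail_closed() {
    # 1. Stop routing before touching a single rule, so nothing is forwarded
    #    through a half-built FORWARD chain.
    run sysctl -w net.ipv4.ip_forward=0
    # 2. Default-deny on the built-in chains *before* flushing.  Flushing
    #    first would leave the distro's ACCEPT policies with no rules in
    #    front of them for the duration of the rebuild.
    for chain in INPUT FORWARD OUTPUT; do
        run "$IPT" -P "$chain" DROP
    done
    # 3. Only now discard the old rules and user-defined chains.
    run "$IPT" -F
    run "$IPT" -X
    run "$IPT" -t nat -F
}

build_rules() {
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A INPUT -i "$LAN_IF" -j ACCEPT
    run "$IPT" -A OUTPUT -j ACCEPT
    run "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    # Static SNAT to the address the ADSL link came up with (constructed here).
    run "$IPT" -t nat -A POSTROUTING -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

firewall_start() {
    fail_closed
    build_rules
    # 4. Forwarding comes back only after the complete ruleset is loaded.
    run sysctl -w net.ipv4.ip_forward=1
}

firewall_stop() {
    fail_closed
}

case "${1:-}" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
esac
```

Run it as root with `DRY_RUN=0 ./fw.sh start`; without DRY_RUN=0 it only prints the command sequence, which is the easy way to check that the `-P ... DROP` lines precede the `-F` and that `ip_forward=1` is the final command. One caveat: because INPUT and OUTPUT are set to DROP and flushed before the ESTABLISHED rule is re-added, an SSH session into the box stalls for the duration of the rebuild, so run this from the console or with a scheduled fallback when administering remotely.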



Thread overview:
2003-01-11  5:46 Help in IPTABLES Mohammad Shakir
2003-01-11  6:41 ` hare ram
2003-01-11  7:57 ` Arnt Karlsen
2003-01-12  2:32   ` Joel Newkirk
2003-01-12  8:01     ` Arnt Karlsen
2003-01-13 20:30       ` Joel Newkirk [this message]
2003-01-14  4:33         ` Andrew Smith
2003-01-11  8:31 ` Joel Newkirk
