* rc.local
       [not found] <42e5502e.57dde3f4.2ba3.ffff9d47SMTPIN_ADDED@mx.gmail.com>
@ 2005-07-26  9:51 ` Visham Ramsurrun
  2005-07-26 10:41   ` rc.local /dev/rob0
  0 siblings, 1 reply; 14+ messages in thread
From: Visham Ramsurrun @ 2005-07-26  9:51 UTC (permalink / raw)
  To: netfilter

Hi to all,

Can anyone tell me about the additional configurations that have to be
done after I paste the contents of my iptables script into
rc.local. What things do I have to do for it to take the iptables
rules in it? I did an iptables -L but no rules were present.

Thanks in advance.

Warm regards,
Visham



* Re: rc.local
  2005-07-26  9:51 ` rc.local Visham Ramsurrun
@ 2005-07-26 10:41   ` /dev/rob0
  0 siblings, 0 replies; 14+ messages in thread
From: /dev/rob0 @ 2005-07-26 10:41 UTC (permalink / raw)
  To: Visham Ramsurrun, netfilter

Visham Ramsurrun wrote:
> Can anyone tell me about the additional configurations that have to 
> be done after I paste the contents of my iptables script into

Distro questions belong in a distro forum. I can guarantee that what 
you're doing is the wrong way to set up a firewall at boot time, in any 
distro with which I am familiar. Check your distro's documentation about 
"firewall" or "iptables" and find out the right way to do it.

> rc.local. What things do I have to do for it to take the iptables
> rules in it? I did an iptables -L but no rules were present.

rc.local, like other startup scripts, is a shell script. Do learn what 
that means; I cannot help you unless you know what can/should be in a 
script. Perhaps your time would be best spent at this point in finding 
some basic bash and shell tutorials.

I will throw in a WAG, however: your "script" might have been a set of 
rules for iptables-restore(8).
-- 
     mail to this address is discarded unless "/dev/rob0"
     or "not-spam" is in Subject: header



* Re: rc.local
       [not found] <42e607e9.6446401e.6174.46a7SMTPIN_ADDED@mx.gmail.com>
@ 2005-07-26 11:30 ` Visham Ramsurrun
  2005-07-26 15:38   ` rc.local curby .
  2005-07-26 11:57 ` executing a firewall script!! Visham Ramsurrun
  1 sibling, 1 reply; 14+ messages in thread
From: Visham Ramsurrun @ 2005-07-26 11:30 UTC (permalink / raw)
  To: netfilter

Here is my rc.local file:

#!/bin/bash
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local

IPT="/sbin/iptables"

# Flush all rules and zero the counters before adding ours
$IPT -F
$IPT -Z

# The file "x" (relative to whatever directory rc.local is run from)
# remembers which rule set the previous run installed.
if [ ! -r x ]; then
  # No value from previous run - initialize x
  x=1
else
  x=$(cat x)
  echo "Value of x from previous run = $x"
fi

if [ "$x" -eq 1 ]; then
  # FW1 IP: 192.168.10.2
  $IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24 \
    -p icmp --icmp-type echo-request -j ACCEPT
  $IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24 \
    -p icmp --icmp-type echo-reply -j ACCEPT
  x=0
else
  # FW2 IP: 192.168.10.3
  $IPT -A FORWARD -i eth0 -o eth1 -s 192.168.10.0/24 -d 192.168.10.0/24 \
    -p icmp --icmp-type echo-request -j ACCEPT
  $IPT -A FORWARD -i eth0 -o eth1 -s 192.168.10.0/24 -d 192.168.10.0/24 \
    -p icmp --icmp-type echo-reply -j ACCEPT
  x=1
fi

# Save variable to file for the next run
echo "$x" > x



* executing a firewall script!!
       [not found] <42e607e9.6446401e.6174.46a7SMTPIN_ADDED@mx.gmail.com>
  2005-07-26 11:30 ` rc.local Visham Ramsurrun
@ 2005-07-26 11:57 ` Visham Ramsurrun
  2005-07-26 12:23   ` Carl Holtje ;021;vcsg6;
  1 sibling, 1 reply; 14+ messages in thread
From: Visham Ramsurrun @ 2005-07-26 11:57 UTC (permalink / raw)
  To: netfilter

Hi to all,

I would like to know how to execute a firewall script that contains an
if-else statement on a per-packet basis. The if and else parts each
contain iptables rules that need to be executed on a per-packet basis.
How can I do that?

Any input will be most appreciated.

Warm regards,
Visham



* Re: executing a firewall script!!
  2005-07-26 11:57 ` executing a firewall script!! Visham Ramsurrun
@ 2005-07-26 12:23   ` Carl Holtje ;021;vcsg6;
       [not found]     ` <9927912d0507260546168ad046@mail.gmail.com>
  0 siblings, 1 reply; 14+ messages in thread
From: Carl Holtje ;021;vcsg6; @ 2005-07-26 12:23 UTC (permalink / raw)
  To: Visham Ramsurrun; +Cc: netfilter

On Tue, 26 Jul 2005, Visham Ramsurrun wrote:

> Hi to all,
>
> I would like to know how to execute a firewall script that contains an
> if-else statement on a per-packet basis. The if and else parts each
> contain iptables rules that need to be executed on a per-packet basis.
> How can I do that?
>
> Any input will be most appreciated.

First guess is with two chains... it's clear you have a test for the
'if (test) then X' sequence, so write a rule to check that test. Instead
of REJECTing or ACCEPTing the packet immediately, send it over to a
different chain for additional testing, and ACCEPT or REJECT it there.

Does that make sense?

Perhaps a more detailed explanation of what you're trying to do would be
helpful...

HTH...

- --

"There are 10 types of people in the world: Those who understand binary
and those that don't."



* Re: executing a firewall script!!
       [not found]     ` <9927912d0507260546168ad046@mail.gmail.com>
@ 2005-07-26 13:09       ` Carl Holtje ;021;vcsg6;
  0 siblings, 0 replies; 14+ messages in thread
From: Carl Holtje ;021;vcsg6; @ 2005-07-26 13:09 UTC (permalink / raw)
  To: Visham Ramsurrun; +Cc: netfilter

On Tue, 26 Jul 2005, Visham Ramsurrun wrote:

> Dear Carl,
>
> Many thanks for the reply... I too thought about that, but I don't know how
> to do it. Here is my firewall script.
>
> #!/bin/bash
>
> IPT="/sbin/iptables"
>
> $IPT -F
> $IPT -Z
>
> if [ ! -r x ]; then
>
> # No value from previous run - initialize x
>  x=1
> else
>  x=$((`cat x`))
>  echo "Value of x from previous run = $x"
> fi
>
> if [ $x -eq 1 ]; then
>  #FW1 IP: 192.168.10.2
>  $IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24 \
>    -p icmp --icmp-type echo-request -j ACCEPT
>  $IPT -A FORWARD -i eth0 -o eth0 -s 192.168.10.0/24 -d 192.168.10.0/24 \
>    -p icmp --icmp-type echo-reply -j ACCEPT
>  x=0
> else
>  #FW2 IP: 192.168.10.3
>  $IPT -A FORWARD -i eth0 -o eth1 -s 192.168.10.0/24 -d 192.168.10.0/24 \
>    -p icmp --icmp-type echo-request -j ACCEPT
>  $IPT -A FORWARD -i eth0 -o eth1 -s 192.168.10.0/24 -d 192.168.10.0/24 \
>    -p icmp --icmp-type echo-reply -j ACCEPT
>  x=1;
> fi

So you want FW1 to reply to allow every other ping, and FW2 to allow those
that FW1 ignores?

I'm sure there's a way, but I'm certainly not the authority on load
balancing. Others here I'm sure are more adept at fielding this sort of
question.

HTH.

Carl

- --

"There are 10 types of people in the world: Those who understand binary
and those that don't."



* Re: rc.local
  2005-07-26 11:30 ` rc.local Visham Ramsurrun
@ 2005-07-26 15:38   ` curby .
       [not found]     ` <9927912d050726221615fe208f@mail.gmail.com>
  0 siblings, 1 reply; 14+ messages in thread
From: curby . @ 2005-07-26 15:38 UTC (permalink / raw)
  To: Visham Ramsurrun; +Cc: netfilter

On 7/26/05, Visham Ramsurrun <vishamr2000@gmail.com> wrote:
> Here is my rc.local file:
[snip]

I think this is a shell scripting problem, not an iptables problem. 
You seem to be forwarding pings to different interfaces per script
invocation (usually during boot time)?  What are you trying to
accomplish?  If you state your goal, the list might be able to come up
with a solution using iptables.

Other things:

Usually if you accept pings in one direction (say -i eth0 -o eth1) you
want pongs to go in the other direction (-i eth1 -o eth0).

I'm not exactly sure why you are forwarding from an interface to
itself, though I don't have much experience with this kind of thing.



* Re: rc.local
       [not found]     ` <9927912d050726221615fe208f@mail.gmail.com>
@ 2005-07-27 16:42       ` curby .
  2005-07-28  5:31         ` rc.local Visham Ramsurrun
  2005-07-28  7:34         ` rc.local Visham Ramsurrun
  0 siblings, 2 replies; 14+ messages in thread
From: curby . @ 2005-07-27 16:42 UTC (permalink / raw)
  To: Visham Ramsurrun; +Cc: Netfilter User Mailing List

On 7/26/05, Visham Ramsurrun <vishamr2000@gmail.com> wrote:
> You are right... I'm having a scripting problem. I don't know how to
> make a script execute every time a packet is sent by my PC. How can I
> do that?

You don't want to execute a script for each packet... you could be
easily DoSed. Try:

http://netfilter.org/patch-o-matic/pom-base.html#pom-base-nth

Please reply to the list, so everyone can help and learn. =)


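Putting Carl's two-chain layout together with the every-other-packet match curby points at, as an added example that is not code from the thread: each branch of the original if/else becomes a user chain, and the kernel's statistic match (the in-tree successor of the patch-o-matic nth match) does the per-packet test that the script tried to do with the x file, so no process is started per packet. It assumes the interfaces and 192.168.10.0/24 network from the original rc.local; IPT=echo previews the rules without root.

```shell
#!/bin/sh
# Added example, not from the thread: alternate ICMP forwarding between two
# rule sets per packet, without running a script per packet.
# The script's x=1 branch becomes chain FW1, its else branch chain FW2.
# The statistic match (successor of the patch-o-matic nth match) sends
# packet 0 of every 2 to FW1; the rest fall through to the FW2 rule.
#
#   IPT=echo sh fwalt.sh apply   # preview the rules, no root needed
#   sh fwalt.sh apply            # as root: install them
IPT="${IPT:-/sbin/iptables}"
LAN="192.168.10.0/24"   # LAN from the original rc.local (assumed unchanged)

build_rules() {
    # Start clean: flush FORWARD, create (or flush) the two user chains.
    "$IPT" -F FORWARD
    for chain in FW1 FW2; do
        "$IPT" -N "$chain" 2>/dev/null || "$IPT" -F "$chain"
    done

    # FW1 holds what the x=1 branch added, FW2 what the else branch added.
    for icmp_type in echo-request echo-reply; do
        "$IPT" -A FW1 -o eth0 -p icmp --icmp-type "$icmp_type" -j ACCEPT
        "$IPT" -A FW2 -o eth1 -p icmp --icmp-type "$icmp_type" -j ACCEPT
    done
    # A user chain returns to FORWARD when nothing matched, which would let
    # the FW2 rule see FW1's packets; a terminal DROP keeps the branches
    # exclusive (Carl's "ACCEPT or REJECT it there").
    "$IPT" -A FW1 -j DROP
    "$IPT" -A FW2 -j DROP

    # The "test": every second LAN-to-LAN ICMP packet jumps to FW1, the
    # others continue to the next rule and jump to FW2. The counter lives
    # in the kernel, so there is no state file and no per-packet process.
    "$IPT" -A FORWARD -i eth0 -s "$LAN" -d "$LAN" -p icmp \
        -m statistic --mode nth --every 2 --packet 0 -j FW1
    "$IPT" -A FORWARD -i eth0 -s "$LAN" -d "$LAN" -p icmp -j FW2
}

if [ "${1:-}" = "apply" ]; then
    build_rules
fi
```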

* Re: rc.local
  2005-07-27 16:42       ` rc.local curby .
@ 2005-07-28  5:31         ` Visham Ramsurrun
  2005-07-28  6:34           ` rc.local Jan Engelhardt
  2005-07-28  7:34         ` rc.local Visham Ramsurrun
  1 sibling, 1 reply; 14+ messages in thread
From: Visham Ramsurrun @ 2005-07-28  5:31 UTC (permalink / raw)
  To: curby .; +Cc: Netfilter User Mailing List

On 7/27/05, curby . <curby.public@gmail.com> wrote:
> On 7/26/05, Visham Ramsurrun <vishamr2000@gmail.com> wrote:
> > You are right... I'm having a scripting problem. I don't know how to
> > make a script execute every time a packet is sent by my PC. How can I
> > do that?
> 
> You don't want to execute a script for each packet... you could be
> easily DoSed. Try:
> 
> http://netfilter.org/patch-o-matic/pom-base.html#pom-base-nth
> 
> Please reply to the list, so everyone can help and learn. =)
> 

No, I only want to execute a script for all packets that are going to
be sent out of the NIC (after the packets have been accepted as valid
by a firewall). I don't know how to do that. Do you know what the last
function in the iptables code, or the first function in the NIC driver,
is that a packet accepted by the firewall passes through before it is
sent on the wire? I would then write some code so that when a call is
made to that function, a signal is raised that causes a shell script to
execute.
I don't know about the DoSed command. Do you have any example?

If there is an easier way, please let me know...

Many thanks for the reply.

Warm regards,
Visham



* Re: rc.local
  2005-07-28  5:31         ` rc.local Visham Ramsurrun
@ 2005-07-28  6:34           ` Jan Engelhardt
  2005-07-28  6:54             ` rc.local Visham Ramsurrun
  0 siblings, 1 reply; 14+ messages in thread
From: Jan Engelhardt @ 2005-07-28  6:34 UTC (permalink / raw)
  To: Visham Ramsurrun; +Cc: Netfilter User Mailing List

>> > You are right... I'm having a scripting problem. I don't know how to
>> > make a script execute every time a packet is sent by my PC. How can I
>> > do that?
>> 
>> You don't want to execute a script for each packet... you could be
>> easily DoSed. Try:
>> 
>> http://netfilter.org/patch-o-matic/pom-base.html#pom-base-nth
>> Please reply to the list, so everyone can help and learn. =)
>
>No I only want to execute a script for all packets that are packets
>that are going to be sent out of the NIC (after the packets have been

That's still a DoS. If I pingflood you, your machine will most likely respond 
with "pongflood".

I have iptraf running for like 4 or 5 days now and it shows almost 11 GB 
which approximates to ~ 34 KB/sec (inet radio ;). Let's assume that every 
packet was 1500 bytes long - then this would mean that I would be starting 23 
processes per second, which really is inefficient.

And, you're looking for -j QUEUE.

>accepted as valid by a firewall). I don't know how to do that. Do you
>know what is the last function in the iptables code or the first
>function in the NIC driver, that a packet that has been accepted by
>the firewall passes before it is sent on the wire? I would then write
>some code so that when a call is made to that function, a signal is
>raised and it will cause a shell script to execute.
>I don't know about the DoSed command. Do you have any example?
>
>If there is an easier way, please let me know...
>
>Many thanks for the reply.
>
>Warm regards,
>Visham
>
>

Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/



* Re: rc.local
  2005-07-28  6:34           ` rc.local Jan Engelhardt
@ 2005-07-28  6:54             ` Visham Ramsurrun
  0 siblings, 0 replies; 14+ messages in thread
From: Visham Ramsurrun @ 2005-07-28  6:54 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Netfilter User Mailing List

I am running the same script for all the packets. After it finishes
execution, it waits for the next signal (i.e. the next packet to pass).

Regards,
Visham 

On 7/28/05, Jan Engelhardt <jengelh@linux01.gwdg.de> wrote:
> >> > You are right... I'm having a scripting problem. I don't know how to
> >> > make a script execute every time a packet is sent by my PC. How can I
> >> > do that?
> >>
> >> You don't want to execute a script for each packet... you could be
> >> easily DoSed. Try:
> >>
> >> http://netfilter.org/patch-o-matic/pom-base.html#pom-base-nth
> >> Please reply to the list, so everyone can help and learn. =)
> >
> >No I only want to execute a script for all packets that are packets
> >that are going to be sent out of the NIC (after the packets have been
> 
> That's still a DoS. If I pingflood you, your machine will most likely respond
> with "pongflood".
> 
> I have iptraf running for like 4 or 5 days now and it shows almost 11 GB
> which approximates to ~ 34 KB/sec (inet radio ;). Let's assume that every
> packet was 1500 bytes long - then this would mean that I would be starting 23
> processes per second, which really is inefficient.
> 
> And, you're looking for -j QUEUE.
> 
> >accepted as valid by a firewall). I don't know how to do that. Do you
> >know what is the last function in the iptables code or the first
> >function in the NIC driver, that a packet that has been accepted by
> >the firewall passes before it is sent on the wire? I would then write
> >some code so that when a call is made to that function, a signal is
> >raised and it will cause a shell script to execute.
> >I don't know about the DoSed command. Do you have any example?
> >
> >If there is an easier way, please let me know...
> >
> >Many thanks for the reply.
> >
> >Warm regards,
> >Visham
> >
> >
> 
> Jan Engelhardt
> --
> | Alphagate Systems, http://alphagate.hopto.org/
>



* Re: rc.local
  2005-07-27 16:42       ` rc.local curby .
  2005-07-28  5:31         ` rc.local Visham Ramsurrun
@ 2005-07-28  7:34         ` Visham Ramsurrun
       [not found]           ` <3075.217.166.67.34.1122545502.squirrel@217.166.67.34>
  2005-07-29  7:55           ` rc.local Jan Engelhardt
  1 sibling, 2 replies; 14+ messages in thread
From: Visham Ramsurrun @ 2005-07-28  7:34 UTC (permalink / raw)
  To: curby .; +Cc: Netfilter User Mailing List

Sorry, I got confused between DoSed and the sed shell command. I want to
execute the same script for each packet. After execution, it waits for
the next signal (i.e. another valid packet that is passing by before
going on the wire) to execute again.

Please help me.

Regards,
Visham



* Re: rc.local
       [not found]               ` <3255.217.166.67.34.1122550077.squirrel@217.166.67.34>
@ 2005-07-28 12:03                 ` Visham Ramsurrun
  0 siblings, 0 replies; 14+ messages in thread
From: Visham Ramsurrun @ 2005-07-28 12:03 UTC (permalink / raw)
  To: Rob Sterenborg; +Cc: netfilter

Hi Rob,

I took note of the different propositions for iptables. I actually
don't have these facilities in ebtables. I want to find the iptables
function that will be analogous to the one in ebtables. The script is
very small. I think I can afford the overhead.

Regards,
Visham



* Re: rc.local
  2005-07-28  7:34         ` rc.local Visham Ramsurrun
       [not found]           ` <3075.217.166.67.34.1122545502.squirrel@217.166.67.34>
@ 2005-07-29  7:55           ` Jan Engelhardt
  1 sibling, 0 replies; 14+ messages in thread
From: Jan Engelhardt @ 2005-07-29  7:55 UTC (permalink / raw)
  To: Visham Ramsurrun; +Cc: Netfilter User Mailing List

>Sorry, I got confused between DoSed and the sed shell command. I want to
>execute the same script for each packet.
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You mean to have the same shell _process_ analyze each packet..
Check the QUEUE target.



Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/


