Placement of Iptable Scripts

Placement of Iptable Scripts

[Mark_Vuong]

I'm relatively new to iptables and have the following question.

where is the best place to place my iptable bash script so that it loads my
iptable chains and rules when my server reboots?

Thanks!

Mark

Re: Placement of Iptable Scripts

[Jack Bowling]

** Reply to message from Mark_Vuong@Dell.com on Thu, 04 Jul 2002 21:57:16 -0500


> I'm relatively new to iptables and have the following question.
> 
> where is the best place to place my iptable bash script so that it loads my
> iptable chains and rules when my server reboots?

If I'm not mistaken, one of the distinguishing features of iptables viz. ipchains is that iptables is able to define rules for various interfaces (except for ppp?) before those interfaces are brought up on the network. So for maximum security, the best place to put your script is somewhere before the network interfaces are initialized. Some would say that since the time between bringing up the network and loading of the iptables rules (dead last would be if you put your script in rc.local) is small anyway, this issue about loading the iptables rules before the network interfaces comes up is a moot point. However, I bring my ruleset up first and it functions well. I guess I'm just paranoid.

jb

Re: Placement of Iptable Scripts

[Patrick Schaaf]

On Thu, Jul 04, 2002 at 09:57:16PM -0500, Mark_Vuong@Dell.com wrote:
> I'm relatively new to iptables and have the following question.
> 
> where is the best place to place my iptable bash script so that it loads my
> iptable chains and rules when my server reboots?

The best place depends on the distribution you use. Look for a directory
/etc/init.d/ (or /sbin/init.d for old SuSE systems), and for a README
file, there.

If you are still lost, please consult general new user Linux mailing
lists or newsgroups. This is a system integration question, completely
independant of iptables itself; it's the same for any piece of software.

best regards
  Patrick

Re: Placement of Iptable Scripts

[Bob Hillegas]

The best place I have found to place such script is immediately after bringing 
up the interface. Especially on interfaces that get their ip address changes by 
the ISP.

Redhat looks for (in /etc/sysconfig/network-scripts/ifup) and executes if found, 
/sbin/ifup-local. Define it and put into it a reference to the script that 
builds your rules. If you face the dhcp problem, pass the interface name to the 
script as an argument and parse the ip address from an invocation of 
/sbin/inconfig.

If your interface ip is non-changing, run the script, execute 
/etc/rc.d/init.d/iptables save

You will get those same rules back every time your system does an 
/etc/rc.d/init.d/iptables start

One note: an iptables start only invokes the actual iptables rules. Other 
commands commonly embedded in such "define scripts", such as, echo 1 > 
/proc/../../etc/etc, don't get issued.

-- 
----------------------------------
Bob Hillegas
bobhillegas@houston.rr.com

On Thu, 4 Jul 2002 Mark_Vuong@Dell.com wrote:

  > 
  > From: Mark_Vuong@Dell.com
  > To: netfilter@lists.samba.org
  > Subject: Placement of Iptable Scripts
  > Date: Thu, 4 Jul 2002 21:57:16 -0500
  > 
  > I'm relatively new to iptables and have the following question.
  > 
  > where is the best place to place my iptable bash script so that it loads my
  > iptable chains and rules when my server reboots?
  > 
  > Thanks!
  > 
  > Mark