thanks for the hint. i'll think about that approach. yet there has to be a file somewhere where the yast firewall settings are stored. i figured there is a file /etc/sysconfig/SuSEfirewall2 but it does not look like iptables entries to me. ain't there a file where the configuration is saved, except in a start script?

gtx
stephan


Verner Kjærsgaard wrote:
On Wednesday 30 May 2007 17:42, Stephan Schöffel wrote:
hi there,

in 10.2 i switched off the firewall using yast. when i run iptables -L
now it shows the following (as i wanted):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

if i make changes manually now it will work but only until i reboot the
computer. how can i save the configuration and make suse use it
automatically?  i tried iptables-save > /etc/sysconfig/iptables but it
won't work either.

any hints?

gtx
stephan

Hi

I suggest that you use a standard template, put it into /etc/init.d/ and link to it from /etc/init.d/rc3.d and /etc/init.d/rc5.d

I once made a thing like that, it allowed me to "start/stop/status" it...

Here goes:

#!/bin/sh
#
# Shell functions sourced from /etc/rc.status:
#      rc_check         check and set local and overall rc status
#      rc_status        check and set local and overall rc status
#      rc_status -v     be verbose in local rc status and clear it afterwards
#      rc_status -v -r  ditto and clear both the local and overall rc status
#      rc_status -s     display "skipped" and exit with status 3
#      rc_status -u     display "unused" and exit with status 3
#      rc_failed        set local and overall rc status to failed
#      rc_failed <num>  set local and overall rc status to <num>
#      rc_reset         clear both the local and overall rc status
#      rc_exit          exit appropriate to overall rc status
#      rc_active        checks whether a service is activated by symlinks
. /etc/rc.status

# Reset status of this service
rc_reset


### General variables
EXT_IF=eth1
EXT_IP=10.11.12.106
INT_IF=
INT_IP=


case "$1" in
    start|restart|reload)
        echo -n "Starting Firewall "
        ### Kernel settings: SYN cookies, ignore broadcast pings and bogus
        ### ICMP errors, refuse ICMP redirects
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
        for f in /proc/sys/net/ipv4/conf/*/accept_redirects
        do
            echo 0 > "$f"
        done
        #Block source routed packets
        for f in /proc/sys/net/ipv4/conf/*/accept_source_route
        do
            echo 0 > "$f"
        done

        ### default policy (set before flushing, so nothing slips through
        ### while the rules below are being loaded)
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        iptables -P FORWARD DROP

        ### flush existing rules
        iptables -F
        iptables -t nat -F
        iptables -X

        ### Allow to and from loopback
        iptables -A OUTPUT -o lo -j ACCEPT
        iptables -A INPUT  -i lo -j ACCEPT

        ### Drop all invalid packets
        ### INPUT chain first
        iptables -A INPUT -m state --state INVALID -j DROP
        ### OUTPUT chain next
        iptables -A OUTPUT -m state --state INVALID -j DROP

        ### INPUT chain
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        ### OUTPUT chain
        iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        ### SSH input, state checking
        iptables -A INPUT -i $EXT_IF -p TCP --dport 22 -m state --state NEW -j ACCEPT

        ### SSH output, state checking
        iptables -A OUTPUT -p TCP -o $EXT_IF --dport 22 -m state --state NEW -j ACCEPT

        ### Allow PING IN/OUT
        iptables -A INPUT -p ICMP -i $EXT_IF -j ACCEPT
        iptables -A OUTPUT -p ICMP -o $EXT_IF -j ACCEPT

        ### Allow query to DNS
        iptables -A OUTPUT -p UDP -o $EXT_IF --dport 53 -j ACCEPT
        iptables -A INPUT  -p UDP -i $EXT_IF --sport 53 -j ACCEPT

        ### Allow SSH to me (superseded by the stateful rules above)
        #iptables -A INPUT -p TCP -i $EXT_IF --dport 22 -j ACCEPT
        #iptables -A OUTPUT -p TCP -o $EXT_IF --sport 22 -j ACCEPT

        ### Allow outgoing SSH (superseded by the stateful rules above)
        #iptables -A INPUT -p TCP -i $EXT_IF ! --syn --sport 22 -j ACCEPT
        #iptables -A OUTPUT -p TCP -o $EXT_IF --dport 22 -j ACCEPT

        ### Allow browsing the web
        iptables -A INPUT -p TCP -i $EXT_IF ! --syn --sport 80 -j ACCEPT
        iptables -A OUTPUT -p TCP -o $EXT_IF --dport 80 -j ACCEPT

        ### Do some logging of dropped packets (everything that reaches
        ### this point has not matched an ACCEPT above)
        iptables -A INPUT -j LOG --log-prefix "VK INPUT-DROP "
        ### Reject TCP packets instead of dropping; everything else
        ### falls through to the DROP policy
        iptables -A INPUT -p TCP -j REJECT --reject-with tcp-reset

        ### Allow TCP packets to go out from our computer
        iptables -A OUTPUT -p TCP -o $EXT_IF --tcp-flags ALL ACK,RST -j ACCEPT

        # Remember status and be verbose
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down Firewall "
        iptables -F
        iptables -t nat -F
        iptables -X
        iptables -P INPUT   ACCEPT
        iptables -P OUTPUT  ACCEPT
        iptables -P FORWARD ACCEPT

        # Remember status and be verbose
        rc_status -v
        ;;
    status)
        echo "Current Firewall Rules "
        echo "---------------------- "
        iptables -v -L -n
        echo ""
        echo "Current iptables rules in NAT table"
        echo "-----------------------------------"
        iptables -v -n -t nat -L
        echo ""
        rc_status -v
        ;;
    *)
        echo "Usage: $0 {start|restart|reload|stop|status}"
        exit 1
        ;;
esac
rc_exit




--


Dipl.-Inf. (FH) Stephan Schöffel

c/o Fachhochschule Bingen / University of applied sciences Bingen
Fachbereich 2 - Technik, Informatik und Wirtschaft

Berlinstraße 109
55411 Bingen

Tel: +49 (0) 6721 / 409-250
Fax: +49 (0) 6721 / 409-158
email: [EMAIL PROTECTED]
Internet: www.fh-bingen.de
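The thread raises two things: Stephan's question of where a saved ruleset should live so it survives a reboot, and Verner's answer of loading rules from an rc-style start script. The script below is an added example, not code from either poster: it keeps the same start/save/validate shape but persists the live ruleset with iptables-save and reapplies it with iptables-restore, and it refuses to load a saved file that is obviously truncated or would lock the machine out. The rules file path is a placeholder chosen here, the sample iptables-save output is constructed for the example, and IPTABLES_SAVE / IPTABLES_RESTORE are assumed overridable so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): persist the live iptables ruleset
# with iptables-save and reapply it at boot with iptables-restore, in the
# same start/stop style as the init script quoted above.
# Assumptions: RULES_FILE is a placeholder path chosen for this example;
# IPTABLES_SAVE / IPTABLES_RESTORE default to the real binaries but can be
# overridden (e.g. with shell functions) to exercise the logic without root.

RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables.rules.example}
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}

# Constructed sample of iptables-save output, in the spirit of the quoted
# script: default DROP, loopback and ESTABLISHED,RELATED allowed, SSH in.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "VK INPUT-DROP "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Refuse to restore a file that iptables-restore would reject or that would
# obviously lock us out: it must be readable, declare a *filter table, end
# with COMMIT (a truncated save has none), and, if the INPUT policy is DROP,
# still accept loopback traffic so local services keep working.
validate_rules() {
    file=$1
    [ -r "$file" ] || { echo "rules file '$file' not readable" >&2; return 1; }
    grep -q '^\*filter' "$file" || { echo "no *filter table in $file" >&2; return 1; }
    grep -q '^COMMIT' "$file" || { echo "no COMMIT in $file (truncated save?)" >&2; return 1; }
    if grep -q '^:INPUT DROP' "$file" && ! grep -q '^-A INPUT -i lo -j ACCEPT' "$file"; then
        echo "INPUT policy is DROP but loopback is not accepted" >&2
        return 1
    fi
    return 0
}

# Write to a temp file and rename, so a crash mid-save never leaves a
# half-written ruleset for the next boot to load.
save_rules() {
    "$IPTABLES_SAVE" > "$RULES_FILE.tmp" && mv "$RULES_FILE.tmp" "$RULES_FILE"
}

# iptables-restore replaces the whole ruleset in one step, so there is no
# window with the DROP policies set but the ACCEPT rules not yet loaded
# (the rule-by-rule script above has such a window while it starts).
restore_rules() {
    validate_rules "$RULES_FILE" && "$IPTABLES_RESTORE" < "$RULES_FILE"
}

dispatch() {
    case "$1" in
        save)          save_rules ;;
        start|restore) restore_rules ;;
        validate)      validate_rules "${2:-$RULES_FILE}" ;;
        *)             echo "Usage: $0 {save|start|restore|validate [file]}" >&2; return 1 ;;
    esac
}

# Only dispatch when run with an argument, so the file can also be sourced.
if [ -n "${1:-}" ]; then
    dispatch "$@"
fi
```

Run `save` once the live ruleset looks right, then call `start` from the boot script instead of re-issuing every iptables command; `validate` can be pointed at any candidate file before it is put into place.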

