Re: init.d script for iptables ruleset
On Wed, Sep 21, 2005 at 06:33:47AM +0200, Klaus Ethgen wrote:
> Hello Samuel,
>
> On Wed, 21 Sep 2005 at 3:12, Samuel Jean wrote:
>> Here it goes. I wondered about a clever way to load my iptables ruleset via init.d's script. Surprisingly, I didn't find any with Debian. I didn't search that much though.
>
> Well, there was one some time ago. Now it was moved to /usr/share/doc/iptables/examples/oldinitdscript.gz
> I do not know why it was removed by Laurence J. Lane on 7 Dec 2002. But I think that is what you search for.

If I recall correctly, it was removed because it was decided that iptables rules should be configured through ifconfig's /etc/network/interfaces and /etc/network/if-*{up,down}.d mechanisms, and pppd's /etc/ppp/ip*-{up,down}.d mechanism.

Otherwise, you can't load only the relevant parts of the ruleset to match the interfaces currently enabled, and you have to reload the entire ruleset if you bring up interfaces later than /etc/init.d/iptables time.

And it keeps network configuration nicely together, in the one file, the same way resolv-conf keeps static DNS configuration nicely centralised in /etc/network/interfaces.

-- 
Paul TBBle Hampson, MCSE
8th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

No survivors? Then where do the stories come from I wonder?
-- Capt. Jack Sparrow, Pirates of the Caribbean

License: http://creativecommons.org/licenses/by/2.1/au/
Re: init.d script for iptables ruleset
On Wed, Sep 21, 2005 at 04:04:29PM +1000, Paul TBBle Hampson wrote:
>> On Wed, 21 Sep 2005 at 3:12, Samuel Jean wrote:
>>> Here it goes. I wondered about a clever way to load my iptables ruleset via init.d's script. Surprisingly, I didn't find any with Debian. I didn't search that much though.
>>
>> Well, there was one some time ago. Now it was moved to /usr/share/doc/iptables/examples/oldinitdscript.gz
>> I do not know why it was removed by Laurence J. Lane on 7 Dec 2002. But I think that is what you search for.
>
> If I recall correctly, it was removed because it was decided that iptables rules should be configured through ifconfig's /etc/network/interfaces and /etc/network/if-*{up,down}.d mechanisms, and pppd's /etc/ppp/ip*-{up,down}.d mechanism.

I don't remember any such rationale ever being given; IIRC, ljlane changed it in response to pressure from users, who may have objected for any number of reasons. The presence of an optional startup script for iptables doesn't preclude having per-interface rules, anyway; and one may have a need for both per-interface rules *and* static rules that should always be loaded...

Anyway, this is still in the pre-proposal stage and needs plenty more work, but since the topic has come up: http://wiki.debian.org/FirewallByDefault. Feel free to add comments. :)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
Re: init.d script for iptables ruleset
On 21/09/2005 02:25, Matthew Palmer wrote:
> On Wed, Sep 21, 2005 at 01:12:38AM -, Samuel Jean wrote:
>> Here it goes. I wondered about a clever way to load my iptables ruleset via init.d's script. Surprisingly, I didn't find any with Debian. I didn't search that much though.
>
> Have a look at Shorewall -- it does similar things to what you're proposing, and is already written. There's probably also a lot of other firewall maintenance systems with similar methods.
>
> - Matt

I, personally, use FireHOL and I'm more satisfied with it (=simpler) than I was with Shorewall. YMMV.

-- 
HTH,
Massa
Re: init.d script for iptables ruleset
On Wed, Sep 21, 2005 at 04:34:49AM -0700, Steve Langasek wrote:
> I don't remember any such rationale ever being given; IIRC, ljlane changed it in response to pressure from users, who may have objected for any number of reasons. The presence of an optional startup script for iptables doesn't

That's not what happened IMHO. ljlane removed them because he didn't want to have any built-in firewall functionality in iptables. He wanted the package to provide just the software itself. You might want to consider checking out the maintainer response to #212692.

> preclude having per-interface rules, anyway; and one may have a need for both per-interface rules *and* static rules that should always be loaded...

IIRC the startup scripts were removed because the maintainer believed them to be a kludge and actively encouraged users to use firewall packages instead of the built-in functionality initially added in the iptables package. Notice that iptables' current README.Debian file has changed since I filed bug #307934. Now the maintainer does not mention firewall packages at all there.

> Anyway, this is still in the pre-proposal stage and needs plenty more work, but since the topic has come up: http://wiki.debian.org/FirewallByDefault. Feel free to add comments. :)

How about pointing to the "Adding firewall capabilities" section of the Securing Manual? Available at http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup

Also fixing #324593 might be relevant here as some network security features are configured at the kernel level. I tried to describe this in the "Securing network access" section of the Securing Manual: http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s-network-secure

Regards

Javier
init.d script for iptables ruleset
Hello --

I guess this is the right place to dump an idea, right?

Here it goes. I wondered about a clever way to load my iptables ruleset via init.d's script. Surprisingly, I didn't find any with Debian. I didn't search that much though.

I just wrote one that pleases me and will dump it here so that it might please others too.

Basically, /etc/init.d/iptables parses the ruleset defined in /etc/network/ruleset. Into that ruleset, you can define variables, configure some sysctl values, load kernel modules, and, obviously, declare some filtering rules using defined variables. Not tested with other shells than bash.

Script and sample ruleset file are attached.

Hope this can be useful.

Cheers,
Samuel

[attachment: iptables] [attachment: ruleset]
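The attachments did not survive the archive, so here is an added illustration of the idea in the post (not Samuel's script): a small POSIX sh loader for a ruleset file with an assumed four-directive format (var, sysctl, module, rule), which validates variable names and values instead of passing config text to eval, and which can be dry-run so the resulting commands are reviewed before an init or if-up hook applies them. The /etc/network/ruleset path, the directive names and the sample rules are assumptions.

```shell
#!/bin/sh
# Added example, not the script attached to the original post. Assumed line
# format (one directive per line, '#' comments allowed):
#   var NAME=value   sysctl key=value   module name   rule IPTABLES_ARGS
# ${NAME} in later lines is replaced by the validated value recorded for NAME.
# DRY_RUN=1 prints the commands instead of executing them.
set -u
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Substitute ${NAME} for every NAME=value pair in $VARS (space-separated).
expand() {
    text=$1
    for pair in $VARS; do
        name=${pair%%=*}; value=${pair#*=}
        text=$(printf '%s' "$text" | sed "s|\\\${$name}|$value|g")
    done
    printf '%s' "$text"
}

load_ruleset() {
    VARS=""
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        kw=${line%% *}; arg=${line#* }
        case $kw in
            var) name=${arg%%=*}; value=${arg#*=}
                 case $name in ''|*[!A-Za-z0-9_]*) echo "bad name: $name" >&2; return 1 ;; esac
                 case $value in ''|*[!A-Za-z0-9_./:-]*) echo "bad value: $value" >&2; return 1 ;; esac
                 VARS="$VARS $name=$value" ;;
            sysctl) run sysctl -w "$(expand "$arg")" ;;
            module) run modprobe "$(expand "$arg")" ;;
            rule)   run iptables $(expand "$arg") ;;   # unquoted on purpose: split into arguments
            *)      echo "unknown directive: $kw" >&2; return 1 ;;
        esac
    done < "$1"
}

# Dry-run a constructed sample ruleset: default-deny INPUT, SSH only from the LAN.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
var LAN=192.168.1.0/24
var WAN_IF=eth0
sysctl net.ipv4.conf.all.rp_filter=1
module nf_conntrack
rule -P INPUT DROP
rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
rule -A INPUT -i ${WAN_IF} -s ${LAN} -p tcp --dport 22 -j ACCEPT
EOF
    DRY_RUN=1 load_ruleset "$tmp"; rc=$?; rm -f "$tmp"; return $rc
}
```

Sourcing the file and calling `demo` prints the five commands the sample would run; calling `load_ruleset /etc/network/ruleset` without DRY_RUN is what the init script or if-pre-up.d hook would do as root.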
Re: init.d script for iptables ruleset
Hello Samuel,

On Wed, 21 Sep 2005 at 3:12, Samuel Jean wrote:
> Here it goes. I wondered about a clever way to load my iptables ruleset via init.d's script. Surprisingly, I didn't find any with Debian. I didn't search that much though.

Well, there was one some time ago. Now it was moved to /usr/share/doc/iptables/examples/oldinitdscript.gz

I do not know why it was removed by Laurence J. Lane on 7 Dec 2002. But I think that is what you search for.

Not to make your solution bad, but the old initscript is more flexible and more complete, as it uses the provided tools iptables-save and iptables-load to save all available rules.

Cheers
Klaus

-- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen [EMAIL PROTECTED]
Fingerprint: D7 67 71 C4 99 A6 D4 FE EA 40 30 57 3C 88 26 2B
Re: init.d script for iptables ruleset
On Wed, Sep 21, 2005 at 01:12:38AM -, Samuel Jean wrote:
> Here it goes. I wondered about a clever way to load my iptables ruleset via init.d's script. Surprisingly, I didn't find any with Debian. I didn't search that much though.

Have a look at Shorewall -- it does similar things to what you're proposing, and is already written. There's probably also a lot of other firewall maintenance systems with similar methods.

- Matt