Re: Iptables at boot, was fail2ban for apache2

2019-12-02 Thread Gene Heskett
On Monday 02 December 2019 07:46:22 Alessandro Vesely wrote:

> On Mon 02/Dec/2019 10:35:26 +0100 Andrei POPESCU wrote:
> > You might want to install iptables-persistent, otherwise you'll have
> > to roll-out your own solution.
>
> I'm not using iptables-persistent, but just looked at it out of
> curiosity.
>
> Its LSB:
>
> ### BEGIN INIT INFO
> # Provides:  netfilter-persistent
> # Required-Start:mountkernfs $remote_fs
> # Required-Stop: $remote_fs
> # Default-Start: S
> # Default-Stop:  0 1 6
> # Short-Description: Load boot-time netfilter configuration
> # Description:   Loads boot-time netfilter configuration
> ### END INIT INFO
>
> S also starts in single-user mode, i.e. without network?
>
> $remote_fs requires ip links to be already set up?
>
> Stop, for good measure, does nothing.  The comment in the script is
> crisply nice:
>
> stop)
> # Why? because if stop is used, the firewall gets flushed for a variable
> # amount of time during package upgrades, leaving the machine vulnerable
> # It's also not always desirable to flush during purge
> echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
> ;;
>
> > In the particular case of iptables instead of writing a script you
> > should probably just reuse your existing rules file and load that
> > with an 'iptables-restore' from the .service unit.
>
> That's somewhat questionable in some cases.  I'd recommend to write a
> script with iptables commands rather than interactively issue iptables
> command until you are satisfied with the current setup.  That's
> natural, since iptables doesn't give a visual feedback, so reasoning
> is your best friend.  IOW, a commented script is more readable than an
> interactive setup.
>
> Then, since you have a script, why not run it directly, rather than
> saving/restoring its results?

Since I had spent a week battling the bots, and doing a new save for 
every addition, I find the iptables-restore both starts it and restores 
it. Good enough till I get a new machine built, by the weekend I hope.

> > We are quite far from the original topic so I would suggest you
> > start a new thread in case you need assistance with this.
>
> I try, but don't reset References:/In-Reply-To: header fields.

And kmail doesn't make that easy.

>
> Best
> Ale
Thanks Alessandro.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page 



Re: Iptables at boot, was fail2ban for apache2

2019-12-02 Thread Greg Wooledge
On Mon, Dec 02, 2019 at 01:46:22PM +0100, Alessandro Vesely wrote:
> ### BEGIN INIT INFO
> # Provides:  netfilter-persistent
> # Required-Start:mountkernfs $remote_fs
> # Required-Stop: $remote_fs
> # Default-Start: S
> # Default-Stop:  0 1 6
> # Short-Description: Load boot-time netfilter configuration
> # Description:   Loads boot-time netfilter configuration
> ### END INIT INFO
> 
> S also starts in single-user mode, i.e. without network?

I believe single-user mode starts the network.  It may not start all
of the network services, of course.



Re: Iptables at boot, was fail2ban for apache2

2019-12-02 Thread Reco
On Mon, Dec 02, 2019 at 01:46:22PM +0100, Alessandro Vesely wrote:
> On Mon 02/Dec/2019 10:35:26 +0100 Andrei POPESCU wrote:
> > 
> > You might want to install iptables-persistent, otherwise you'll have to 
> > roll-out your own solution.
> 
> I'm not using iptables-persistent, but just looked at it out of curiosity.
> 
> Its LSB:
> 
> ### BEGIN INIT INFO
> # Provides:  netfilter-persistent
> # Required-Start:mountkernfs $remote_fs
> # Required-Stop: $remote_fs
> # Default-Start: S
> # Default-Stop:  0 1 6
> # Short-Description: Load boot-time netfilter configuration
> # Description:   Loads boot-time netfilter configuration
> ### END INIT INFO
> 
> S also starts in single-user mode, i.e. without network?

And the Default-Stop value prevents it from running in single-user.
Besides, unless one does something really stupid (like using hostnames
in netfilter rules) - what's wrong with netfilter rules loaded at
runlevel 1?
You can load a rule that processes packets on a non-existent interface, for
instance.


> $remote_fs requires ip links to be already set up?

mountkernfs is more problematic here. Presumably it's for NFS-root
configuration.


> > In the particular case of iptables instead of writing a script you 
> > should probably just reuse your existing rules file and load that with 
> > an 'iptables-restore' from the .service unit.
> 
> 
> That's somewhat questionable in some cases.  I'd recommend to write a script
> with iptables commands rather than interactively issue iptables command until
> you are satisfied with the current setup.  That's natural, since iptables
> doesn't give a visual feedback, so reasoning is your best friend.  IOW, a
> commented script is more readable than an interactive setup.

"-m comment" anyone?


Personally I see little value in this package. There are cases that
require modifying netfilter rules ad-hoc, saving those at system reboot
can lead to undesirable side-effects. My solution to those is the (ab)use
of /etc/network/interfaces:

auto lo
iface lo inet loopback
up /sbin/iptables-restore < /etc/network/iptables.rules
up /sbin/ip6tables-restore < /etc/network/ip6tables.rules

Because I have no problem in running "iptables-save >
/etc/network/iptables.rules" when the need arises.

Reco



Iptables at boot, was fail2ban for apache2

2019-12-02 Thread Alessandro Vesely
On Mon 02/Dec/2019 10:35:26 +0100 Andrei POPESCU wrote:
> 
> You might want to install iptables-persistent, otherwise you'll have to 
> roll-out your own solution.


I'm not using iptables-persistent, but just looked at it out of curiosity.

Its LSB:

### BEGIN INIT INFO
# Provides:  netfilter-persistent
# Required-Start:mountkernfs $remote_fs
# Required-Stop: $remote_fs
# Default-Start: S
# Default-Stop:  0 1 6
# Short-Description: Load boot-time netfilter configuration
# Description:   Loads boot-time netfilter configuration
### END INIT INFO

S also starts in single-user mode, i.e. without network?

$remote_fs requires ip links to be already set up?

Stop, for good measure, does nothing.  The comment in the script is crisply 
nice:

stop)
# Why? because if stop is used, the firewall gets flushed for a variable
# amount of time during package upgrades, leaving the machine vulnerable
# It's also not always desirable to flush during purge
echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
;;


> In the particular case of iptables instead of writing a script you 
> should probably just reuse your existing rules file and load that with 
> an 'iptables-restore' from the .service unit.


That's somewhat questionable in some cases.  I'd recommend to write a script
with iptables commands rather than interactively issue iptables command until
you are satisfied with the current setup.  That's natural, since iptables
doesn't give a visual feedback, so reasoning is your best friend.  IOW, a
commented script is more readable than an interactive setup.

Then, since you have a script, why not run it directly, rather than
saving/restoring its results?


> We are quite far from the original topic so I would suggest you start a 
> new thread in case you need assistance with this.


I try, but don't reset References:/In-Reply-To: header fields.


Best
Ale




signature.asc
Description: OpenPGP digital signature


Re: iptables rules at boot

2019-05-15 Thread P. J.
apt install iptables-persistent

On 14/05/2019, Vitor Hugo wrote:
> To make sure that only the development machine can reach the Postgres
> server, I created an sh script with the following iptables rules. How do
> I get these rules activated on every boot of the Debian system?
>
> PostgreSQL server IP: 192.168.0.27
>
> pgAdmin client IP: 192.168.0.66
>
> applein@debian:~$ cat iptables_postgreql.sh
> #!/bin/sh
> iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 192.168.0.27
> --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s 192.168.0.27 --sport 5432 -d 0/0 --dport
> 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp -s 192.168.0.66 --sport 1024:65535 -d
> 192.168.0.27 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s 192.168.0.27 --sport 5432 -d 192.168.0.66
> --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s 192.168.0.27 --sport 1024:65535 -d 0/0
> --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp -s 0/0 --sport 5432 -d 192.168.0.27 --dport
> 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> applein@debian:~$
>
>


-- 
|  .''`.   Faith gives no answers. It only prevents questions.
| : :'  :
| `. `'`
|   `-   I see everything



Re: iptables rules at boot

2019-05-14 Thread Alcione Ferreira
Good afternoon!

I usually put them in /etc/rc.local

Regards,

On 14/05/2019 12:36, Vitor Hugo wrote:
> To make sure that only the development machine can reach the Postgres
> server, I created an sh script with the following iptables rules. How do
> I get these rules activated on every boot of the Debian system?
>
> PostgreSQL server IP: 192.168.0.27
>
> pgAdmin client IP: 192.168.0.66
>
> applein@debian:~$ cat iptables_postgreql.sh
> #!/bin/sh
> iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 192.168.0.27 
> --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s 192.168.0.27 --sport 5432 -d 0/0 --dport 
> 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp -s 192.168.0.66 --sport 1024:65535 -d 
> 192.168.0.27 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s 192.168.0.27 --sport 5432 -d 192.168.0.66 
> --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p tcp -s 192.168.0.27 --sport 1024:65535 -d 0/0 
> --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp -s 0/0 --sport 5432 -d 192.168.0.27 --dport 
> 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> applein@debian:~$
>
-- 
Peace and Good!
Alcione Ferreira
Sombra®
101080
[http://www.alcionesytes.net/]
---
Freedom and knowledge within everyone's reach.

Office suite - http://www.openoffice.org.br/
Firefox browser - http://www.mozilla.org.br/
Thunderbird e-mail - http://www.mozilla.org.br/
---
Linux user number 432030 of http://counter.li.org/
---
ICQ: 377035698
Jabber: ksomb...@jabber.org
MSN: sombra_mes...@hotmail.com
---
Curriculum: http://lattes.cnpq.br/0545256741852110
"In peace I lie down and soon fall asleep, for you alone, GOD, make me 
live untroubled." Psalm 4:9






iptables rules at boot

2019-05-14 Thread Vitor Hugo
To make sure that only the development machine can reach the Postgres 
server, I created an sh script with the following iptables rules. How do 
I get these rules activated on every boot of the Debian system?

PostgreSQL server IP: 192.168.0.27

pgAdmin client IP: 192.168.0.66

applein@debian:~$ cat iptables_postgreql.sh
#!/bin/sh
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 192.168.0.27 
--dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.27 --sport 5432 -d 0/0 --dport 
1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 192.168.0.66 --sport 1024:65535 -d 
192.168.0.27 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.27 --sport 5432 -d 192.168.0.66 
--dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.0.27 --sport 1024:65535 -d 0/0 
--dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 5432 -d 192.168.0.27 --dport 
1024:65535 -m state --state ESTABLISHED -j ACCEPT
applein@debian:~$
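
As posted, the script only appends ACCEPT rules to chains whose policy is still ACCEPT, and its very first rule accepts new connections to port 5432 from 0/0, so every host can still reach Postgres; nothing is restricted. The block below is an added example of mine, not code from the thread: the same two addresses in a rules.v4 file for iptables-persistent (the package P. J. suggests; it loads /etc/iptables/rules.v4 at boot), written so that only 192.168.0.66 can open a connection to 5432, plus a small lint that catches the mistakes raised elsewhere on this page (a hostname in a rule, a table without COMMIT, an ACCEPT policy with nothing that drops) and runs iptables-restore --test before anything is committed. It assumes SSH on port 22 must stay reachable and that the conntrack match is available; both are assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example, not from the thread. A rules file for iptables-persistent
# (/etc/iptables/rules.v4) that really limits PostgreSQL on 192.168.0.27 to the
# pgAdmin host 192.168.0.66, and a lint + load helper that catches the mistakes
# discussed on this page before iptables-restore commits anything.
# Assumptions not in the original post: SSH listens on 22 and must stay open;
# the kernel has the conntrack match (any modern Debian kernel does).

# The ruleset, in iptables-save format. Lines starting with '#' are ignored by
# iptables-restore. The IPs are the ones from the post.
rules_v4() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections we already track
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# management access (assumed: SSH on 22) so a typo in the rules cannot lock us out
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# only the pgAdmin host may open connections to PostgreSQL
-A INPUT -p tcp -s 192.168.0.66 -d 192.168.0.27 --dport 5432 -m conntrack --ctstate NEW -j ACCEPT
# anyone else trying 5432 is logged (rate limited) and refused with a reset;
# every other packet falls through to the DROP policy
-A INPUT -p tcp --dport 5432 -m limit --limit 5/min -j LOG --log-prefix "pgsql-denied: "
-A INPUT -p tcp --dport 5432 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Lint a ruleset read from stdin. Findings are printed; returns 0 when clean.
# Checks: hostnames in -s/-d (DNS is not up when rules load at boot, the
# "really stupid" case from the thread), a table without COMMIT (iptables-restore
# then applies nothing), and an ACCEPT INPUT policy with no DROP/REJECT rule,
# which is exactly why the script in the post restricts nothing.
lint_rules() {
    rules=$(grep -v '^#')
    rc=0
    if printf '%s\n' "$rules" | grep -qE -- '(^| )-[sd] +[^0-9! ]'; then
        echo "lint: hostname in -s/-d; name resolution is not available at boot"
        rc=1
    fi
    tables=$(printf '%s\n' "$rules" | grep -c '^\*')
    commits=$(printf '%s\n' "$rules" | grep -c '^COMMIT$')
    if [ "$tables" -ne "$commits" ]; then
        echo "lint: $tables table(s) but $commits COMMIT line(s)"
        rc=1
    fi
    if printf '%s\n' "$rules" | grep -q '^:INPUT ACCEPT' &&
       ! printf '%s\n' "$rules" | grep -qE -- '-j (DROP|REJECT)'; then
        echo "lint: INPUT policy ACCEPT and no DROP/REJECT rule: every host is allowed"
        rc=1
    fi
    return "$rc"
}

# Lint, parse without committing (--test), then load the whole file atomically.
load_rules() {
    file=${1:-/etc/iptables/rules.v4}
    lint_rules <"$file" || return 1
    iptables-restore --test <"$file" || return 1
    iptables-restore <"$file"
}

# Usage (as root): sh firewall.sh write   # writes /etc/iptables/rules.v4
#                  sh firewall.sh load    # lints, tests and applies it
case "${1:-}" in
    write) rules_v4 >/etc/iptables/rules.v4 ;;
    load)  load_rules /etc/iptables/rules.v4 ;;
esac
```

Run `sh firewall.sh write` once as root to create the file and `sh firewall.sh load` to validate and apply it; from then on iptables-persistent reloads the same file at boot. The lint is deliberately strict about hostnames because at boot, when netfilter-persistent or a systemd unit loads the file, there is usually no resolver yet, and a rule that fails to parse takes the whole restore down with it.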



Re: Iptables at boot

2018-02-14 Thread Bob Weber

On 2/14/18 4:51 PM, Rodary Jacques wrote:

I was just going to give up, and I even installed shorewall, when my last 
attempt with my very old iptables config (from redhat 7.2) did work. I of 
course still have to get rid of the stupid systemd config, but I don't really care since 
my server is always up! Thank you anyway for your hints.
Jacques

If this server is connected directly to the internet, make sure the older config 
is really working: run Steve Gibson's ShieldsUP (https://www.grc.com/shieldsup) 
and scan at least the lower 1024 ports.  They should all be green unless you are 
serving up data like a web page (port 80 and/or 443).


--


*...Bob*


Re: Iptables at boot

2018-02-14 Thread Rodary Jacques
I was just going to give up, and I even installed shorewall, when my last 
attempt with my very old iptables config (from redhat 7.2) did work. I of 
course still have to get rid of the stupid systemd config, but I don't really care since 
my server is always up! Thank you anyway for your hints.
Jacques



Re: Re: Iptables at boot

2018-02-07 Thread rodaryj
Thank you.As soon as I can I will try it



Re: Iptables at boot

2018-01-31 Thread Bob Weber

On 1/31/18 12:28 PM, Jacques Rodary wrote:


Hi

Many things happened since my first message: I first had to get rid of connman 
(connection manager), which insisted to preset iptables rules without any 
notice. My Debian box is used as a DNS chrooted server (also I had to modify 
bind9.service behaviour), and I use iptables to do NAT, since I have one 
routable address for several clients. With Jessie I managed to have all this 
working. When upgrading to stretch, because of a stupid error with grub on my 
RAID system, and of an insufficient backup, I lost most of my config. Thanks 
for your help. When everything is OK, I will surely have use for your 
answers.


Jacques

Have you looked at shorewall?  I use it on all my debian linux installs.  
Basically it's a front end to the kernel iptables network filters.  It sets up 
the iptables entries and then goes away so that there is no additional program 
running after it does its job.   It starts up on boot after you have set up the 
rules the way you want.  You have to set a parameter in the 
/etc/default/shorewall file to have it start since you don't want to lose 
connection to your machine if you are logging in through a network port.  That 
way you can test it before you actually use it.  It is driven by several text 
config files in /etc/shorewall. For instance NAT is set up easily by this 
command in the  snat file (my internet connection is on eth1 and local 172 net 
is on eth0):


MASQUERADE  172.16.0.1/16   eth1

I redirect all the dns and time requests to my router machine even if the client 
has requested these services from an outside address.  I use opendns for its 
malware filters so bind is set to forward all non local DNS queries to opendns 
servers.  I also use dnscrypt-proxy to get a secure connection to opendns so 
that I can be assured that the data coming back from opendns hasn't been 
tampered with.  These 2 lines in the rules file accomplish the redirection:


REDIRECT    Loc 53   tcp,udp   53 -
REDIRECT    Loc 123 tcp,udp  123    -

There is plenty of documentation and examples for simple setups available on the 
shorewall web site.


--


*...Bob*


Re: Re: Iptables at boot

2018-01-31 Thread Jacques Rodary
Hi
Many things happened since my  first message: I first had 
to get rid of connman (connection manager), which insisted to preset 
iptables rules without any notice. My Debian box is used as a DNS 
chrooted server (also I had to modify bind9.service behaviour), and I 
use iptables to do NAT, since I have one routable address for several 
clients. With Jessie I managed to have all this working. When 
upgrading to stretch, because of a stupid error with grub on my RAID 
system, and of an insufficient backup, I lost most of my config. Thanks 
for your help. When everything is OK, I will surely have use 
for your answers.
Jacques 


Re: Iptables at boot

2018-01-25 Thread Alessandro Vesely
On Sun 21/Jan/2018 20:53:43 +0100 Ben Caradoc-Davies wrote:
> On 21/01/18 16:05, Mark Fletcher wrote:
>> To get you started [addressing the OP], here is the service file I use:
> 
> Mine is slightly different and has the commands inline:
> 
> 
> $ cat /etc/iptables/iptables.service
> [Unit]
> Description=iptables rules
> After=network.target

Shouldn't that be /network-pre.target/?  I'm not familiar with systemd (I use
sysvinit) but I read "Its primary purpose is for usage with firewall services
that want to establish a firewall before any network interface is up" in:
https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

Best
Ale



Re: Iptables at boot

2018-01-22 Thread Karol Augustin
On 2018-01-21 1:02, Dejan Jocic wrote:
> On 20-01-18, Jacques Rodary wrote:
>> Hi
>> How can I start iptables at boot. I don't find  an equivalent to  " service
>> iptables start" with systemd and don't know how to create a new
>> iptables.service. The manpages aren't quite clear for me. Thanks for any
>> help.
>>   Jacques
>>
> 
> There are two options. One would be to learn to write systemd service
> units. There are many tutorials on net for how to write those with
> examples. Other would be to install iptables-persistent package. You can
> find more about using iptables-persistent package if you google it, you
> will surely run into a few quick howtos.


If you don't want to learn systemd at this stage you can put your
iptables lines in /etc/rc.local (before the exit 0 line). It will be run
during boot and add your iptables config. I know it's not an elegant
solution by any means but it works if you don't want to play with
services at this stage.


-- 
Karol Augustin
ka...@augustin.pl
http://karolaugustin.pl/
+353 85 775 5312



Re: Iptables at boot

2018-01-21 Thread Ben Caradoc-Davies

On 21/01/18 16:05, Mark Fletcher wrote:

To get you started [addressing the OP], here is the service file I use:


Mine is slightly different and has the commands inline:


$ cat /etc/iptables/iptables.service
[Unit]
Description=iptables rules
After=network.target

[Service]
Type=oneshot
ExecStart=/bin/bash -c "/sbin/iptables-restore < 
/etc/iptables/iptables.rules"
ExecStart=/bin/bash -c "/sbin/ip6tables-restore < 
/etc/iptables/ip6tables.rules"

RemainAfterExit=yes
ExecStop=/sbin/iptables -F
ExecStop=/sbin/ip6tables -F

[Install]
WantedBy=multi-user.target


You can make your initial rules file with iptables-save.

Kind regards,

--
Ben Caradoc-Davies 
Director
Transient Software Limited 
New Zealand



Re: Iptables at boot

2018-01-21 Thread Dejan Jocic
On 21-01-18, Mark Fletcher wrote:
> On Sun, Jan 21, 2018 at 02:02:07AM +0100, Dejan Jocic wrote:
> > On 20-01-18, Jacques Rodary wrote:
> > > Hi
> > > How can I start iptables at boot. I don't find  an equivalent to  " 
> > > service
> > > iptables start" with systemd and don't know how to create a new
> > > iptables.service. The manpages aren't quite clear for me. Thanks for any
> > > help.
> > >   Jacques
> > > 
> > 
> > There are two options. One would be to learn to write systemd service
> > units. There are many tutorials on net for how to write those with
> > examples. Other would be to install iptables-persistent package. You can
> > find more about using iptables-persistent package if you google it, you
> > will surely run into a few quick howtos.
> > 
> > 
> 
> To get you started [addressing the OP], here is the service file I use:
> 
> [Unit]
> Description=Load Iptables Rules
> ConditionFileIsExecutable=/etc/systemd/scripts/iptables
> After=network.target
> 
> [Service]
> Type=forking
> ExecStart=/etc/systemd/scripts/iptables
> TimeoutSec=0
> RemainAfterExit=yes
> 
> [Install]
> WantedBy=multi-user.target
> 
> This goes in /lib/systemd/system/iptables.service and assumes your 
> iptables commands are in a script which is called iptables, is 
> executable, and is located in /etc/systemd/scripts
> 
> I must point out there may be Debian policies of which I am not aware 
> about where the files should ideally go; I lifted this configuration 
> from a non-Debian box. There is nothing about it that will _not work_ on 
> Debian, but there may be a preferred Debian location for such files, 
> which hopefully my contribution will encourage someone knowledgeable to 
> add.
> 
> then to run it once, as root:
> systemctl start iptables
> 
> and to set it up so it runs at boot, as root:
> systemctl enable iptables
> 
> HTH
> 
> Mark
> 

Location for local custom unit files should be /etc/systemd/system but
it can be on several more places, if you desire so. It is just that
those in /etc/systemd/system take precedence over others.





Re: Iptables at boot

2018-01-20 Thread Mark Fletcher
On Sun, Jan 21, 2018 at 02:02:07AM +0100, Dejan Jocic wrote:
> On 20-01-18, Jacques Rodary wrote:
> > Hi
> > How can I start iptables at boot. I don't find  an equivalent to  " service
> > iptables start" with systemd and don't know how to create a new
> > iptables.service. The manpages aren't quite clear for me. Thanks for any
> > help.
> >   Jacques
> > 
> 
> There are two options. One would be to learn to write systemd service
> units. There are many tutorials on net for how to write those with
> examples. Other would be to install iptables-persistent package. You can
> find more about using iptables-persistent package if you google it, you
> > will surely run into a few quick howtos.
> 
> 

To get you started [addressing the OP], here is the service file I use:

[Unit]
Description=Load Iptables Rules
ConditionFileIsExecutable=/etc/systemd/scripts/iptables
After=network.target

[Service]
Type=forking
ExecStart=/etc/systemd/scripts/iptables
TimeoutSec=0
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

This goes in /lib/systemd/system/iptables.service and assumes your 
iptables commands are in a script which is called iptables, is 
executable, and is located in /etc/systemd/scripts

I must point out there may be Debian policies of which I am not aware 
about where the files should ideally go; I lifted this configuration 
from a non-Debian box. There is nothing about it that will _not work_ on 
Debian, but there may be a preferred Debian location for such files, 
which hopefully my contribution will encourage someone knowledgeable to 
add.

then to run it once, as root:
systemctl start iptables

and to set it up so it runs at boot, as root:
systemctl enable iptables

HTH

Mark
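
Two units are posted in this thread: Mark's, which runs a script (Type=forking, After=network.target), and Ben's, which calls iptables-restore and flushes everything in ExecStop. Alessandro, in his reply further up this page, points out that systemd's documentation reserves network-pre.target for firewall services that must be in place before any interface comes up. The unit below is an added example of mine, not one of the posted units, combining those points. It assumes the rules are kept in iptables-save format at /etc/iptables/rules.v4 and /etc/iptables/rules.v6 (the paths iptables-persistent uses; both paths are assumptions here) and goes in /etc/systemd/system, the location Dejan gives for local units.

```ini
# /etc/systemd/system/iptables.service  (added example; not from the thread)
#
# Changes from the units posted in this thread, and why:
#  - ordered Before=network-pre.target with DefaultDependencies=no, so the rules
#    exist before any interface is configured; After=network.target leaves a
#    window at every boot in which interfaces are up and unfiltered
#  - Type=oneshot: iptables-restore runs to completion, it does not daemonize
#  - ExecStartPre runs iptables-restore --test, which parses the file without
#    committing it, so a syntax error fails the unit instead of half-loading
#  - no ExecStop that flushes: a stopped unit (package upgrades stop and start
#    units) must not leave the host open; netfilter-persistent's init script
#    refuses to flush on "stop" for the same reason. Flush by hand when you mean it.
# Assumptions: rules files in iptables-save format at the paths below.

[Unit]
Description=Load netfilter rules before any network interface is up
Documentation=man:iptables-restore(8)
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target shutdown.target
After=local-fs.target systemd-modules-load.service
Conflicts=shutdown.target
ConditionPathExists=/etc/iptables/rules.v4

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStartPre=/bin/sh -c '/sbin/iptables-restore --test < /etc/iptables/rules.v4'
ExecStartPre=/bin/sh -c '/sbin/ip6tables-restore --test < /etc/iptables/rules.v6'
ExecStart=/bin/sh -c '/sbin/iptables-restore < /etc/iptables/rules.v4'
ExecStart=/bin/sh -c '/sbin/ip6tables-restore < /etc/iptables/rules.v6'

[Install]
WantedBy=multi-user.target
```

Install it with `systemctl daemon-reload && systemctl enable --now iptables.service`. `systemctl stop iptables.service` then leaves the rules in the kernel, which is the intended behaviour; to really empty the tables run `iptables -F` and `ip6tables -F` yourself, after setting the policies to ACCEPT, and only when you know the host is not reachable from untrusted networks.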



Re: Iptables at boot

2018-01-20 Thread Dejan Jocic
On 20-01-18, Jacques Rodary wrote:
> Hi
> How can I start iptables at boot. I don't find  an equivalent to  " service
> iptables start" with systemd and don't know how to create a new
> iptables.service. The manpages aren't quite clear for me. Thanks for any
> help.
>   Jacques
> 

There are two options. One would be to learn to write systemd service
units. There are many tutorials on net for how to write those with
examples. Other would be to install iptables-persistent package. You can
find more about using iptables-persistent package if you google it, you
will surely run into a few quick howtos.




Iptables at boot

2018-01-20 Thread Jacques Rodary

Hi
How can I start iptables at boot. I don't find  an equivalent to  " 
service iptables start" with systemd and don't know how to create a 
new iptables.service. The manpages aren't quite clear for me. Thanks for 
any help.

  Jacques



Loading IPTABLES rules at boot

2009-07-07 Thread João Henrique Viana

Folks,

Back on Etch I used the script below to load my iptables rules directly
at boot; now on Lenny, when I use this script the rules are loaded but
browsing is not possible.
I have already uncommented the IPv4 forwarding line in /etc/sysctl.conf,
but on every reboot I have to call the firewall rules script
(/etc/firewall/fire1) again to allow browsing.
If anyone can help me or point out a better way to load these rules at
boot, I would be grateful.

Regards,

João Henrique

/etc/init.d# cat init.d/firewall
#!/bin/bash
### BEGIN INIT INFO
# Provides:          firewall
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load the iptables firewall rules
# Description:       Starts by calling the /etc/firewall/fire1 script and
#                    stops by flushing all the tables and setting their
#                    default policies to ACCEPT.
### END INIT INFO
#
# firewall  This shell script takes care of starting and stopping your firewall.
#
# "chkconfig:" headers are Red Hat only; Debian reads the LSB header above and
# the rc?.d symlinks are created with "update-rc.d firewall defaults".
# /etc/init.d/functions is also a Red Hat file that does not exist on Debian;
# the LSB equivalent is /lib/lsb/init-functions (nothing below depends on it).
[ -r /lib/lsb/init-functions ] && . /lib/lsb/init-functions

# fire1 is executed directly below, so it must be executable, not just present
[ -x /etc/firewall/fire1 ] || exit 0
[ -x /sbin/iptables ] || exit 0

IPTABLES="/sbin/iptables"

start() {
    /etc/firewall/fire1
    return $?
}
stop() {
    # default policies back to ACCEPT: the host is fully open until start runs again
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    # the commands below delete all rules in the filter and nat tables
    $IPTABLES -F
    $IPTABLES -t nat -F
    # delete all user-specified chains
    $IPTABLES -X
    $IPTABLES -t nat -X
    return $?
}
restart() {
    stop
    start
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload)
        start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload}"
        exit 1
esac

exit $?






-- 
To UNSUBSCRIBE, email to debian-user-portuguese-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Re: Loading IPTABLES rules at boot

2009-07-07 Thread Sinval Júnior
João, to help you we will need to see the contents of the file
/etc/firewall/fire1, since that file is where the actual rules are.

2009/7/7 João Henrique Viana j...@engepel.com.br

  Folks,

 Back on Etch I used the script below to load my iptables rules directly at
 boot; now on Lenny, when I use this script the rules are loaded but browsing
 is not possible.
 I have already uncommented the IPv4 forwarding line in /etc/sysctl.conf, but
 on every reboot I have to call the firewall rules script
 (/etc/firewall/fire1) again to allow browsing.
 If anyone can help me or point out a better way to load these rules at boot,
 I would be grateful.

 Regards,

 João Henrique

 /etc/init.d# cat init.d/firewall
 #!/bin/bash
 #
 # firewall  This shell script takes care of starting and stopping
 #   your firewall
 #
 # chkconfig: 3 56 11
 # description: This service starts/stops your firewall. Starts by calling \
 # the /etc/rc.d/fire1 scritp and stops by flushing all the tables and
 setting \
 # their default policies to ACCEPT.
 # Source function library.

 . /etc/init.d/functions

 [ -f /etc/firewall/fire1 ] || exit 0
 [ -f /sbin/iptables ] || exit 0

 IPTABLES=/sbin/iptables

 start() {
 /etc/firewall/fire1
 return $?
 }
 stop() {
 $IPTABLES -P INPUT ACCEPT
 $IPTABLES -P OUTPUT ACCEPT
 $IPTABLES -P FORWARD ACCEPT
 # the commands below delete all rules in the filter and nat tables
 $IPTABLES -F
 $IPTABLES -t nat -F
 # Delete all User-specified chains
 $IPTABLES -X
 $IPTABLES -t nat -X
 return $?
 }
 restart() {
 stop
 start
 }

 # See how we were called.
 case "$1" in
 start)
 start
 ;;
 stop)
 stop
 ;;
 restart)
 restart
 ;;
 reload)
 start
 ;;
 *)
 echo "Usage: $0 {start|stop|restart|reload}"
 exit 1
 esac

 exit $?





-- 
+=+
#!/usr/bin/env python
print Sinval Júnior
print sinva...@gmail.com
+==+
Learn what Free Software is!
See http://www.gnu.org/philosophy/free-sw.pt-br.html
+==+


Re: Loading IPTABLES rules at boot

2009-07-07 Thread henry

 Folks,

  Back on Etch I used the script below to load my iptables rules directly at
 boot; now on Lenny, when I use this script the rules are loaded but browsing
 is not possible. I have already uncommented the IPv4 forwarding line in
 /etc/sysctl.conf, but on every reboot I have to call the firewall rules
 script (/etc/firewall/fire1) again to allow browsing. If anyone can help me
 or point out a better way to load these rules at boot, I would be grateful.

  Regards,

  João Henrique

  /etc/init.d# cat init.d/firewall
  #!/bin/bash

Hello!
Wouldn't it be a matter of putting the firewall file in /etc/init.d instead 
of /etc/init.d/init.d? (cp firewall .. ; chmod +x ../firewall) 

Regards, Henry








NFS + iptables: (re)boot sequence

2006-07-27 Thread Joseph Le-Phan
Hello,
   
I'm trying to implement some iptables rules for my
system. Unfortunately, (on etch) it appears that the boot sequence
doesn't allow for nfs mounts to be located (as nfs+portmap appear to
get started _before_ I've established an internet connection with my
network interface which relies on dhcp.)

Is there a way to specify the boot-order so that nfs-mounts are only
possible once the network is up and running?

Also, related somewhat to reboot sequence, I have an 'inactive' ruleset
for iptables that pretty much denies all internet access when I go for a
shutdown. Unfortunately, it appears that nfs mounts aren't unmounted
before then, and so portmap complains when it's time for it to unmount
the nfs shares (as there's no more internet connection) and stalls the
shutdown process indefinitely.

Is it possible to prevent this from happening?

Thank you.
-- 
Joseph Le-Phan five0.oss at gmail.com [GPG key: 292E09A0]





Re: NFS + iptables: (re)boot sequence

2006-07-27 Thread Roberto C. Sanchez
On Fri, Jul 28, 2006 at 03:08:33AM +1000, Joseph Le-Phan wrote:
 Hello,

 I'm trying to implement some iptables rules for my
 system. Unfortunately, (on etch) it appears that the boot sequence
 doesn't allow for nfs mounts to be located (as nfs+portmap appear to
 get started _before_ I've established an internet connection with my
 network interface which relies on dhcp.)
 
 Is there a way to specify the boot-order so that nfs-mounts are only
 possible once the network is up and running?
 
You can change the order in which things are started at boot by
rearranging the symlinks in /etc/rc2.d/ (assuming you boot run level 2
by default).

 Also, related somewhat to reboot sequence, I have an 'inactive' ruleset
 for iptables that pretty much denies all internet access when I go for a
 shutdown. Unfortunately, it appears that nfs mounts aren't unmounted
 before then, and so portmap complains when it's time for it to unmount
 the nfs shares (as there's no more internet connection) and stalls the
 shutdown process indefinitely.
 
 Is it possible to prevent this from happening?
 
Not sure.

-Roberto
-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto




Re: NFS + iptables: (re)boot sequence

2006-07-27 Thread Brad Brock
Try to use the old way. In /etc directory you'll find
subdirectories rcx.d where x is number between 0 to 6.
These directories (rcx.d) contain symlinks to related
startup scripts in /etc/init.d. If you use window
manager, please pay attention to rc5.d. In rc5.d,
you'll see something like S22sshd or K22sshd (just an
example, may be you see different thing in your
system). Analyze these symlink files, you'll notice
that the number is a sequence number and the first
letter is used to determine which one to execute when
start (S) or kill (K). You can re-arrange the sequence
by renaming these symlinks, changing the number and
notice the first letter.

I hope it'll help. May be somebody can give a better
idea. I work with X rarely, that's why I suggest this
way. 

--- Joseph Le-Phan [EMAIL PROTECTED] wrote:

 Hello,

 I'm trying to implement some iptables rules for my
 system. Unfortunately, (on etch) it appears that the
 boot sequence
 doesn't allow for nfs mounts to be located (as
 nfs+portmap appear to
 get started _before_ I've established an internet
 connection with my
 network interface which relies on dhcp.)
 
 Is there a way to specify the boot-order so that
 nfs-mounts are only
 possible once the network is up and running?
 
 Also, related somewhat to reboot sequence, I have an
 'inactive' ruleset
 for iptables that pretty much denies all internet
 access when I go for a
 shutdown. Unfortunately, it appears that nfs mounts
 aren't unmounted
 before then, and so portmap complains when it's
 time for it to unmount
 the nfs shares (as there's no more internet
 connection) and stalls the
 shutdown process indefinitely.
 
 Is it possible to prevent this from happening?
 
 Thank you.
 -- 
 Joseph Le-Phan five0.oss at gmail.com [GPG key:
 292E09A0]
 
 
 -- 
 To UNSUBSCRIBE, email to
 [EMAIL PROTECTED] 
 with a subject of unsubscribe. Trouble? Contact
 [EMAIL PROTECTED]
 
 

Regards,


Brad Brock.






Re: iptables at boot

2006-04-02 Thread Matthijs
On Sun, 02 Apr 2006 03:30:15 +0200, BTP [EMAIL PROTECTED] wrote:

 I was wondering if someone would be able to give me the correct way of
 disabling all network activity (iptables commands/script) during the
 boot process so that my network is inoperable during bootup until I
 activate it manually.
 
 I'm unsure in which startup script I would place this on debian.

I'm not sure either (so someone with knowledge please comment!), but
I've placed it in /etc/network/interfaces:

---
# The loopback interface
auto lo
iface lo inet loopback

# The first network card
auto eth0
iface eth0 inet static
pre-up /etc/iptables.scr
address 192.168.1.3
netmask 255.255.255.0
gateway 192.168.1.1
broadcast 192.168.1.255
---

This way, I expect the iptables script to be run just before the
network is activated.

-- 
Matthijs
[EMAIL PROTECTED]


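The pre-up hook in the post above runs a script just before ifupdown brings the interface up. The script below is an added example written for this page; it is not code posted by anyone in the thread and not Debian's own iptables init script. It is meant to be called as `pre-up /etc/iptables.scr start`, and instead of a series of `iptables -A` calls it writes the whole ruleset in iptables-restore(8) format and loads it in one step: iptables-restore replaces the table atomically, so reloading on a running box never leaves a half-built chain, and a syntax error rejects the entire file rather than leaving whatever rules happened to precede it. It also covers two other points raised on this page: an optional NAT table of the kind asked for in the 2002 thread further down (masquerading on ppp0), and an "inactive" ruleset for shutdown that still lets already-established sessions finish, so an NFS unmount at shutdown, as described in the thread at the top of this section, is not stalled by a flat deny-all. The interface names, LAN range and SSH port are assumptions; `-m conntrack --ctstate` is the current spelling of the older `-m state --state` match, and `iptables-restore --test` needs an iptables release that has that option.

```shell
#!/bin/sh
# /etc/iptables.scr -- added example for this thread, not a script posted by
# any participant and not Debian's own init script. Builds the whole ruleset
# in iptables-restore(8) format and loads it in one step. Interface names,
# the LAN range and the admin port below are assumptions; adjust them.
set -eu

IFACE="${IFACE:-eth0}"        # ifupdown exports IFACE to pre-up hooks
LAN="${LAN:-192.168.1.0/24}"  # assumed local network allowed to reach SSH
SSH_PORT="${SSH_PORT:-22}"    # assumed admin port
WAN="${WAN:-}"                # set to e.g. ppp0 to masquerade LAN traffic

# Active ruleset. Default DROP on every chain; loopback and already
# established traffic allowed; the only new inbound connection accepted is
# SSH from the LAN; everything else is logged and then dropped by policy.
# An optional first argument names the WAN interface for NAT.
gen_ruleset() {
    wan="${1:-$WAN}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IFACE -s $LAN -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "iptables-drop: " --log-level 4
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ -n "$wan" ]; then
        # Router case: the LAN may go out, only replies come back in.
        echo "-A FORWARD -i $IFACE -o $wan -s $LAN -j ACCEPT"
        echo "-A FORWARD -i $wan -o $IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    fi
    echo "COMMIT"
    if [ -n "$wan" ]; then
        # Same effect as: iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
        cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
EOF
    fi
}

# "Inactive" ruleset for shutdown: no new connections in either direction,
# but sessions that already exist (an NFS mount being unmounted, an admin
# SSH session) may finish, unlike a flat deny-all that stalls them.
gen_inactive_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Open everything: explicit verb, never the default, so a package upgrade
# calling "stop" cannot leave the host unfiltered.
flush() {
    for chain in INPUT FORWARD OUTPUT; do iptables -P "$chain" ACCEPT; done
    iptables -F; iptables -X
    iptables -t nat -F; iptables -t nat -X
}

main() {
    case "$1" in
        # iptables-restore swaps the table in one operation; a syntax error
        # rejects the whole file instead of leaving a half-built chain.
        start)    gen_ruleset | iptables-restore ;;
        inactive) gen_inactive_ruleset | iptables-restore ;;
        flush)    flush ;;
        # --test parses without touching the live tables (needs an iptables
        # release that has the option).
        check)    gen_ruleset | iptables-restore --test && echo "ruleset parses" ;;
        show)     gen_ruleset ;;
        *) echo "usage: $0 {start|inactive|flush|check|show}" >&2; return 1 ;;
    esac
}

# Dispatch only when called with a verb, e.g. "pre-up /etc/iptables.scr start".
[ $# -eq 0 ] || main "$@"
```

Because ifupdown sets IFACE for its hooks, one copy of the script serves several interface stanzas. `sh /etc/iptables.scr show` prints the ruleset for review, `check` parses it without loading, and `inactive` is what a shutdown hook should load, ideally after remote filesystems have been unmounted; even if the ordering is imperfect, the ESTABLISHED,RELATED rules let an in-flight unmount complete.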



Re: iptables at boot

2006-04-02 Thread Gabriele Pongelli

From: Matthijs [EMAIL PROTECTED]
To: debian-user@lists.debian.org
Subject: Re: iptables at boot
Date: Sun, 02 Apr 2006 11:28:16 +0200

On Sun, 02 Apr 2006 03:30:15 +0200, BTP [EMAIL PROTECTED] wrote:

 I was wondering if someone would be able to give me the correct way of
 disabling all network activity (iptables commands/script) during the
 boot process so that my network is inoperable during bootup until I
 activate it manually.

 I'm unsure in which startup script I would place this on debian.

I'm not sure either (so someone with knowledge please comment!), but
I've placed it in /etc/network/interfaces:

---
# The loopback interface
auto lo
iface lo inet loopback

# The first network card
auto eth0
iface eth0 inet static
pre-up /etc/iptables.scr
address 192.168.1.3
netmask 255.255.255.0
gateway 192.168.1.1
broadcast 192.168.1.255
---

This way, I expect the iptables script to be run just before the
network is activated.


to disable the network during boot you've to comment out the auto eth0 so 
your interface doesn't have any ip address until you do ifup eth0 with 
root privilege (once logged in to your machine)









iptables at boot

2006-04-01 Thread BTP
Hi,

I was wondering if someone would be able to give me the correct way of
disabling all network activity (iptables commands/script) during the
boot process so that my network is inoperable during bootup until I
activate it manually.

I'm unsure in which startup script I would place this on debian.

Thanks

Bart



Re: iptables at boot

2006-04-01 Thread Luis R Finotti

BTP wrote:

Hi,

I was wondering if someone would be able to give me the correct way of
disabling all network activity (iptables commands/script) during the
boot process so that my network is inoperable during bootup until I
activate it manually.

I'm unsure in which startup script I would place this on debian.

Thanks

Bart



I'm not sure this will help, but couldn't you simply disable the 
interface, e.g., comment out auto eth0 from /etc/network/interfaces? 
Then when you want to connect you can use ifup.  (You run the iptables 
script with pre-up.)


HTH,

Luis






Applying iptables rules at boot?

2003-04-29 Thread KorHeve
Hello everyone,

I use a small script to initialise a firewall with iptables rules; 
it works perfectly and I would now like these rules to be 
applied as soon as my PC starts.
To do that I tried to use iptables save_active with the method 
proposed here: http://www.debian-fr.org/article/articleview/15/1/11
but nothing doing: at boot, when I run iptables -L, I end up with 
rules that are wrong and my machine becomes a real sieve!!

Does anyone have a solution to suggest?

Thanks



Re: Applying iptables rules at boot?

2003-04-29 Thread jean-michel OLTRA
On Tuesday 29 April 2003, KorHeve wrote...
hello,


 To do that I tried to use iptables save_active with the method 
 proposed here: http://www.debian-fr.org/article/articleview/15/1/11
 but nothing doing: at boot, when I run iptables -L, I end up 
 with rules that are wrong and my machine becomes a real 
 sieve!!

Write your iptables rules and run them.
Optionally write 'inactive' rules as well.
Then: 
/etc/init.d/iptables save active
on the firewall rules,
and replace active with inactive to save your rules for the disabled
firewall.

Check that at the runlevel you boot the machine into there is indeed an
SXX link to /etc/init.d/iptables. If not, create it. (man update-rc.d)

-- 
Jean-Michel

Don't forget the FAQ: http://savannah.nongnu.org/download/debfr-faq/html



Re: Applying iptables rules at boot?

2003-04-29 Thread Mimile
On Tue, 29 Apr 2003 12:56:15 +0200
KorHeve [EMAIL PROTECTED] wrote:

 Hello everyone,
Hello,

 I use a small script to initialise a firewall with
 iptables rules; it works perfectly and I would now like
 these rules to be applied as soon as my PC starts. To do that
 I tried to use iptables save_active with the method proposed
 here: http://www.debian-fr.org/article/articleview/15/1/11 but nothing
 doing: at boot, when I run iptables -L, I end up with
 rules that are wrong and my machine becomes a real
 sieve!!
 
 Does anyone have a solution to suggest?
 
 Thanks
 
Put the script in /etc/init.d/ and play with update-rc.d?? 


mil
-- 
Read the FAQ!
http://savannah.nongnu.org/download/debfr-faq/html/



Re: Applying iptables rules at boot?

2003-04-29 Thread Olivier Blin
On Tue, 29 Apr 2003 12:56:15 +0200
KorHeve [EMAIL PROTECTED] wrote:

 Hello everyone,

Hello,
 
 I use a small script to initialise a firewall with
 iptables rules; it works perfectly and I would now like
 these rules to be applied as soon as my PC starts. To do that
 I tried to use iptables save_active with the method proposed
 here: http://www.debian-fr.org/article/articleview/15/1/11

As I remember it, it was rather "iptables save active"... you can
try it that way.

 Does anyone have a solution to suggest?

Second possibility: write a startup script yourself (put it in
/etc/init.d, then create the symlinks into the rcX.d directories
with the command update-rc.d script_name options). I do it that
way (with a firewall-up script and a firewall-down one, the first
being run at startup) and it works very well!


-olivier
--
http://anagrama.dyndns.org/blog
np : Super Furry Animals - Phantom Power - Sex War And Robots



Re: Applying iptables rules at boot?

2003-04-29 Thread Edhiltir
On Tue, Apr 29, 2003 at 12:56:15PM +0200, KorHeve wrote :
 Hello everyone,
 
Hello,

 I use a small script to initialise a firewall with iptables 
 rules; it works perfectly and I would now like these rules to be 
 applied as soon as my PC starts.
 To do that I tried to use iptables save_active with the method 
 proposed here: http://www.debian-fr.org/article/articleview/15/1/11
 but nothing doing: at boot, when I run iptables -L, I end up 
 with rules that are wrong and my machine becomes a real 
 sieve!!
 
 Does anyone have a solution to suggest?

I also update my iptables rules with a script, then I
save them with /etc/init.d/iptables save active

To configure automatic startup of iptables:

dpkg-reconfigure iptables

and answer Yes to the question: Enable the iptables init.d script?

That creates a link to /etc/init.d/iptables in /etc/rcS.d/

Info found in Alexis De Lattre's documentation:
http://www.via.ecp.fr/~alexis/formation-linux/

 
 Thanks
 

You're welcome
 
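The original poster's problem in this thread was not writing the rules but finding out, after a reboot, that the kernel was running a different ruleset from the one saved. The script below is an added example for this page, not code from any of the posters: it audits a ruleset in iptables-save(8) format, which is both what "/etc/init.d/iptables save active" stored and what the live kernel reports through `iptables-save`, and says whether default-deny is actually in effect. The two sample rulesets are constructed for the example (the second is exactly what an untouched filter table looks like when the init script never ran); the "accepts from any source" heuristic is an assumption of this script, not anything from the thread.

```shell
#!/bin/sh
# fwcheck.sh -- added example for this thread, not code posted by any of the
# participants. Audits a ruleset in iptables-save(8) format and reports
# whether the host is really closed. Run it right after boot against the
# live kernel with:   sh fwcheck.sh live
set -eu

# Reads a ruleset on stdin. Exit 0 = default-deny in effect, 1 = open,
# 2 = no filter table at all (the init script never ran or failed early).
audit_ruleset() {
    awk '
    /^\*/                               { table = substr($0, 2); next }
    table == "filter" && /^:INPUT /     { in_pol = $2 }
    table == "filter" && /^:FORWARD /   { fw_pol = $2 }
    table == "filter" && /^-A INPUT /   { in_rules++ }
    # Heuristic (an assumption of this script): an INPUT ACCEPT with no
    # source, not on loopback and not limited to established traffic lets
    # anyone open a new connection. Reported, not counted as a failure.
    table == "filter" && /^-A INPUT .*-j ACCEPT/ && !/-s / && !/-i lo/ && !/ESTABLISHED/ { wide++ }
    END {
        status = 0
        if (in_pol == "")     { print "FAIL: no filter table loaded"; exit 2 }
        if (in_pol != "DROP") { print "FAIL: INPUT policy is " in_pol; status = 1 }
        if (fw_pol != "DROP") { print "FAIL: FORWARD policy is " fw_pol; status = 1 }
        if (in_rules == 0)    { print "WARN: INPUT chain has no rules" }
        if (wide > 0)         { print "WARN: " wide " INPUT rule(s) accept new connections from any source" }
        if (status == 0)      { print "OK: default-deny in effect" }
        exit status
    }'
}

# Constructed sample: what iptables-save prints after the firewall script ran.
sample_closed() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [12:960]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [40:3200]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: an untouched kernel, i.e. the "sieve" the original
# poster found after rebooting.
sample_open() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

case "${1:-}" in
    live) iptables-save | audit_ruleset ;;      # audit the running kernel
    file) audit_ruleset < "$2" ;;               # audit a saved ruleset file
    demo) echo "== closed =="; sample_closed | audit_ruleset || true
          echo "== open ==";   sample_open   | audit_ruleset || true ;;
    "")   ;;                                    # no verb: define functions only
    *)    echo "usage: $0 {live|file <path>|demo}" >&2; exit 1 ;;
esac
```

Putting `sh fwcheck.sh live` in a boot-time hook that mails or logs a non-zero exit turns the "real sieve" surprise into a report you see before an attacker does; `file /var/lib/iptables/active` (or wherever your saved ruleset lives) checks the file you intend to load, and `live` checks what the kernel actually has, which is the comparison this thread is about.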
 



iptables at boot

2002-06-12 Thread Robin

good evening,

on a Debian woody / unstable I can't see where to add the iptables line
to enable NAT at startup:

iptables --verbose -A POSTROUTING -t nat -o ppp0 -j MASQUERADE

more generally, is there an equivalent of the rc.local found on 
RedHat and derived distributions?

thanks.





Re: iptables at boot

2002-06-12 Thread Jean-Michel Besnard
very simple:

type your iptables command once,
then save it with /etc/init.d/iptables save active
and there you go

JM


Quoting Robin [EMAIL PROTECTED]:

 
 good evening,
 
 on a Debian woody / unstable I can't see where to add the iptables line
 to enable NAT at startup:
 
 iptables --verbose -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
 
 more generally, is there an equivalent of the rc.local found on
 
 RedHat and derived distributions?
 
 thanks.
 
 
 
 


-- 
Q: What is the difference between open-source and commercial software? 
A: If you have a problem with commercial software you can call a phone 
   number and they will tell you it might be solved in a future version. 
   For open-source software there isn't a phone number to call, but you 
   get the solution within a day. 






Re: iptables at boot

2002-06-12 Thread Arthur
On Wed, Jun 12, 2002 at 10:14:34PM +0200, Robin wrote:
 
 good evening,

Good evening,
 
 on a Debian woody / unstable I can't see where to add the iptables line
 to enable NAT at startup:
 
 iptables --verbose -A POSTROUTING -t nat -o ppp0 -j MASQUERADE

If it's for masquerading, there is a package that enables it at
startup. I think it's called ipmasq; apt-cache search ipmasq
should be able to tell you.
 
 more generally, is there an equivalent of the rc.local found on 
 RedHat and derived distributions?
 
 thanks.

You're welcome
 
 
 





Re: iptables at boot

2002-06-12 Thread Robin
it works :)
thanks!
I'll look more closely at the scripts in future :)

On Wednesday 12 June 2002 22:18, you typed:
 very simple:

 type your iptables command once,
 then save it with /etc/init.d/iptables save active
 and there you go

 JM

 Quoting Robin [EMAIL PROTECTED]:
  good evening,
 
  on a Debian woody / unstable I can't see where to add the iptables
  line to enable NAT at startup:
 
  iptables --verbose -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
 
  more generally, is there an equivalent of the rc.local found
  on
 
  RedHat and derived distributions?
 
  thanks.
 
 





Re: iptables at boot

2002-06-12 Thread Christian Marillat
 a == arthur  [EMAIL PROTECTED] writes:


[...]

 If it's for masquerading, there is a package that enables it at
 startup. I think it's called ipmasq; apt-cache search ipmasq
 should be able to tell you.

No, iptables already has its script in /etc/init.d/

Christian





Re: iptables at boot

2002-06-12 Thread Fabrice Renault
  If it's for masquerading, there is a package that enables it at
  startup. I think it's called ipmasq; apt-cache search ipmasq
  should be able to tell you.
 
 No, iptables already has its script in /etc/init.d/

one doesn't rule out the other

an excerpt from /etc/defaults/iptables

#   Create your own custom
#init.d script -- no need to even name it iptables.  Use ferm,
#ipmasq, ipmenu, guarddog, firestarter, or one of the many other
#firewall configuration tools available. Do not use the init.d
#script.



-- 
 fab

