Re: [gentoo-user] Re: iptables wiki page questions

2020-08-14 Thread tastytea
On 2020-08-15 00:22- Grant Edwards wrote:

> On 2020-08-14, tastytea  wrote:
> 
> > rc-service runs the same service scripts that are in /etc/init.d/,
> > so it's the same. However the manpage of rc-service(8) mentions that
> > “Service scripts could be in different places on different
> > systems”, so the most compatible way would be to use rc-service.  
> 
> Oddly, the two usages are both within one example.  It appears that
> the author uses "/etc/init.d/iptables" for the "save" command and
> "rc-service iptables" for the "start" command.

In some places “rc-service iptables save”¹ is used, in some places
“/etc/init.d/iptables save”². I think it was 2 or more authors with
different preferences.

> Also interesting: the openrc wiki page doesn't mention rc-service at
> all and the examples all use "/etc/init.d/ ".
> [That's what I tend to use because it allows tab-completion.]

Gentoo installs completions for rc-service for both Zsh and Bash.

¹ 
² 



[gentoo-user] Re: iptables wiki page questions

2020-08-14 Thread Grant Edwards
On 2020-08-14, tastytea  wrote:

> rc-service runs the same service scripts that are in /etc/init.d/, so
> it's the same. However the manpage of rc-service(8) mentions that
> “Service scripts could be in different places on different systems”, so
> the most compatible way would be to use rc-service.

Oddly, the two usages are both within one example.  It appears that
the author uses "/etc/init.d/iptables" for the "save" command and
"rc-service iptables" for the "start" command.

Also interesting: the openrc wiki page doesn't mention rc-service at
all and the examples all use "/etc/init.d/ ".
[That's what I tend to use because it allows tab-completion.]

--
Grant



Re: [gentoo-user] Re: iptables wiki

2006-07-10 Thread Dale
Neil Bothwick wrote:
> On Wed, 05 Jul 2006 20:59:09 -0500, Dale wrote:
>
> > > Have you tried kmyfirewall ?
> >
> > I didn't know it existed actually.  It would be so nice if there was
> > somewhere we could go to find out about all this stuff.  There is no
> > telling how many programs are out there that we have no clue exists.
>
> http://packages.gentoo.org/packages/?category=net-firewall
>
> or
>
> eix -C firewall
>
> > It may be a while.  I'm getting married tomorrow
> > and I'll be gone for a while, honeymoon ya know.  ;-)
>
> Congratulations!


OK.  I'm back.  I have a new piece of jewelry now.  ;-)

I never could figure out that eix command.  Man page may as well be
Greek.  I'm starting to get a !little! used to equery though.  Guess
they'll pull it next.  O_O

Dale
:-)  :-)
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: iptables wiki

2006-07-06 Thread Neil Bothwick
On Wed, 05 Jul 2006 20:59:09 -0500, Dale wrote:

> > Have you tried kmyfirewall ?
>
> I didn't know it existed actually.  It would be so nice if there was
> somewhere we could go to find out about all this stuff.  There is no
> telling how many programs are out there that we have no clue exists.

http://packages.gentoo.org/packages/?category=net-firewall

or

eix -C firewall

> It may be a while.  I'm getting married tomorrow
> and I'll be gone for a while, honeymoon ya know.  ;-)

Congratulations!


-- 
Neil Bothwick

Why marry a virgin? If she wasn't good enough for the rest of them,
she isn't good enough for you.




[gentoo-user] Re: iptables wiki

2006-07-05 Thread James
Daniel danny at ilievnet.com writes:

> > When I go to /etc/init to write my rules into firewall.sh
> > as specified in the aforementioned wiki I automatically get
> > this shoved into the script:
> >
> > #!/sbin/runscript
> > # Copyright 1999-2006 Gentoo Foundation
> > # Distributed under the terms of the GNU General Public License v2
> > # $Header: $
> > depend() {
> > }
> > start() {
> > }
> > stop() {
> > }
> > restart() {
> > }
> >
> > curiously none of the examples talk about this.
> >
> > Is this the correct place to put my script(/etc/init.d/,
> > which is somewhat similar to the one suggested in the
> > wiki?
> >
> > None of the examples I found googling discuss the details of where to put
> > the script, how to launch it and other such details. Any suggestions
> > are welcome. I have found lots of example scripts similar to my 3 nic
> > net/lan/dmz setup though.
> >
> > Any suggestions are very welcome.
> >
> > James
>
> Actually IMHO gentoo has an internal mechanism for dealing with iptables rules.
>
> After you are ready and sure the rules work OK, you do:
>
> 1) /etc/init.d/iptables save

agreed, but only if I load the rules manually; i.e.
entering the rules via the command line such as
in D. Robbins doc:
http://gentoo-wiki.com/HOWTO_Iptables_and_stateful_firewalls#Should_I_take_this_tutorial

> This would record your rules in /var/lib/iptables/rules-save as if you
> issued the command iptables-save > /var/lib/iptables/rules-save

This will work if one loads the rules manually at the command line.
Where do I put a script of iptables commands, so it is read, the
rule sets generated and then saved into /var/lib/iptables/rules-save?

> Then you put iptables in the init sequence so the rules are restored at
> every system start:

Details on where to put the script and how best to load it into the boot
sequence via my script are what is elusive.

[A]  The best I can figure is
I put a script in /etc/, run it manually at the command line. The
ruleset will then be generated and saved into
/var/lib/iptables/rules-save. Upon reboot, the /etc/init.d/iptables
script reads the /var/lib/iptables/rules-save file.

After that if I want to modify the rules, I edit my script, run
my script manually, then issue:
iptables-save > /var/lib/iptables/rules-save
and my modifications are in the file that gentoo checks natively.

If I want to then test the rules, without rebooting, I issue:

/etc/init.d/iptables stop
/etc/init.d/iptables start

> 2) rc-update add iptables default
>
> This would do iptables-restore < /var/lib/iptables/rules-save at
> every boot.

yes, understood.

> 3) Additionally you can set some parameters in /etc/conf.d/iptables

understood.

What I'm looking for is the series of steps to
1. Where best to locate my script?
2. Insert (new) commands into the script.
3. convert new scripted commands into rulesets
4. Load rulesets into the /var/lib/iptables/rules-save
5. Restart the iptables/netfilter firewall
6. Test the (new) ruleset
7. Go to step 2 and repeat until a wonderful firewall results.

If what I wrote above [A] is correct then I just need some suggestions
as to where the script should be located under /etc/, for
consistency with gentoo mindsets.

If what I have written is incorrect, please correct with some detail?

PS: I'm not trying to be a pain, I just need to fully understand the
process on Gentoo.


James






-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: iptables wiki

2006-07-05 Thread Richard Fish

On 7/5/06, James [EMAIL PROTECTED] wrote:

> > 1) /etc/init.d/iptables save
>
> This will work if one loads the rules manually at the command line.
> Where do I put a script of iptables commands, so it is read, the
> rule sets generated and then saved into /var/lib/iptables/rules-save?

Anywhere you like.  All that matters is that you run it so your
iptables are setup like you want, then run /etc/init.d/iptables save
followed by rc-update -a iptables default.

> After that if I want to modify the rules, I edit my script, run
> my script manually, then issue:
> iptables-save > /var/lib/iptables/rules-save

No, /etc/init.d/iptables save is the better choice.  The file might
move, or the format change, or something similar.

> If I want to then test the rules, without rebooting, I issue:
>
> /etc/init.d/iptables stop
> /etc/init.d/iptables start

Not necessary.  After running your script, the tables will be setup
according to the script, and you can test away.  You probably want
your script to have the following at the top:

iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

This flushes all rules, and resets the default policies, so that only
the rules that you specify later take effect.  Very useful for
clearing out old artifacts of stuff...

> What I'm looking for is the series of steps to
> 1. Where best to locate my script?

Mine is in ~/bin/.

> 2. Insert (new) commands into the script.

$EDITOR

> 3. convert new scripted commands into rulesets
> 4. Load rulesets into the /var/lib/iptables/rules-save

Don't do this. Run your script, and let /etc/init.d/iptables save do
the work for you.

> 5. Restart the iptables/netfilter firewall

If you flush/reset like I describe above, this is not necessary, just
run your script.

> If what I wrote above [A] is correct then I just need some suggestions
> as to where the script should be located under /etc/, for
> consistency with gentoo mindsets.

You can put it anywhere you like.  I prefer ~/bin/ since there I know
it is *not* something that Gentoo created.

-Richard
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: iptables wiki

2006-07-05 Thread Dale
James wrote:

> What I'm looking for is the series of steps to
> 1. Where best to locate my script?
> 2. Insert (new) commands into the script.
> 3. convert new scripted commands into rulesets
> 4. Load rulesets into the /var/lib/iptables/rules-save
> 5. Restart the iptables/netfilter firewall
> 6. Test the (new) ruleset
> 7. Go to step 2 and repeat until a wonderful firewall results.
>
> If what I wrote above [A] is correct then I just need some suggestions
> as to where the script should be located under /etc/, for
> consistency with gentoo mindsets.
>
> If what I have written is incorrect, please correct with some detail?
>
> PS: I'm not trying to be a pain, I just need to fully understand the
> process on Gentoo.
>
> James

You can search around for a script to run.  I found one here:

http://openchemist.net/linux/howto/files/theWall

You can find others though that are more to your liking of course.  What
I did a long time ago is this.  I found a script that did what I needed
and downloaded it.  I then put it in /sbin and made it executable.  I
ran the command to make sure it would work.  After that I did a
/etc/init.d/iptables save and from then on it has worked.  I did have to
change a setting when I started using samba then save it again but it is
not too hard.

Now figuring out the iptables command is another matter.  It never has
really made much sense to me.  I just searched for a good script and ran it.

Dale

:-)  :-)
-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Re: iptables wiki

2006-07-05 Thread James
Dale teendale at vista-express.com writes:

> Now figuring out the iptables command is another matter.  It never has
> really made much sense to me.  I just searched for a good script and ran it.

Well that I can help with.

Get the book LINUX FIREWALLS
Third Edition
by Steve Suehring and Robert L. Ziegler

http://www.braingia.org/books/linuxfirewalls/ has some modern scripts

Thanks for the information!

James


-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: iptables wiki

2006-07-05 Thread Dale
James wrote:
> Dale teendale at vista-express.com writes:
>
> > Now figuring out the iptables command is another matter.  It never has
> > really made much sense to me.  I just searched for a good script and ran it.
>
> Well that I can help with.
>
> Get the book LINUX FIREWALLS
> Third Edition
> by Steve Suehring and Robert L. Ziegler
>
> http://www.braingia.org/books/linuxfirewalls/ has some modern scripts
>
> Thanks for the information!
>
> James

Yea, but I'm disabled and plus the bookstores around here don't carry
anything Linux.  So between me not having the money and nothing
available locally, I have to depend on the net for stuff.  I don't like
to buy books online because I like to thumb through them first.

Besides, I prefer finding someone's handy work and checking it out.  One
day, my light bulb will go off.

Dale
:-)  :-)
-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: iptables wiki

2006-07-05 Thread Steve Wilson
Have you tried kmyfirewall ?
Steve
On Wednesday 05 July 2006 12:27, Dale wrote:
> James wrote:
> > Dale teendale at vista-express.com writes:
> > > Now figuring out the iptables command is another matter.  It never has
> > > really made much sense to me.  I just searched for a good script and ran
> > > it.
> >
> > Well that I can help with.
> >
> > Get the book LINUX FIREWALLS
> > Third Edition
> > by Steve Suehring and Robert L. Ziegler
> >
> > http://www.braingia.org/books/linuxfirewalls/ has some modern scripts
> >
> > Thanks for the information!
> >
> > James
>
> Yea, but I'm disabled and plus the bookstores around here don't carry
> anything Linux.  So between me not having the money and nothing
> available locally, I have to depend on the net for stuff.  I don't like
> to buy books online because I like to thumb through them first.
>
> Besides, I prefer finding someone's handy work and checking it out.  One
> day, my light bulb will go off.
>
> Dale
>
> :-)  :-)

-- 
Steve Wilson
HOBI International, Inc.
7601 Ambassador Row, suite 101
Dallas, TX 75247
ph 214.951.0143
fx 214.951.0144

-- 
gentoo-user@gentoo.org mailing list



[gentoo-user] Re: iptables wiki

2006-07-05 Thread James
Richard Fish bigfish at asmallpond.org writes:

> > Where do I put a script of iptables commands, so it is read, the
> > rule sets generated and then saved into /var/lib/iptables/rules-save?
>
> Anywhere you like.  All that matters is that you run it so your
> iptables are setup like you want, then run /etc/init.d/iptables save
> followed by rc-update -a iptables default.
>
> > After that if I want to modify the rules, I edit my script, run
> > my script manually, then issue:
> > iptables-save > /var/lib/iptables/rules-save
>
> No, /etc/init.d/iptables save is the better choice.  The file might
> move, or the format change, or something similar.
>
> You probably want
> your script to have the following at the top:
>
> iptables -F
> iptables -P INPUT ACCEPT
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD DROP

Yes I've seen these.

Should I start the script with the typical shebang?
#! /bin/sh

or I've seen this:
#!/sbin/runscript

???

> This flushes all rules, and resets the default policies, so that only
> the rules that you specify later take effect.  Very useful for
> clearing out old artifacts of stuff...
>
> > What I'm looking for is the series of steps to
> > 1. Where best to locate my script?
>
> Mine is in ~/bin/.

not /bin/ ?
interesting choice, under a user's dir.
/usr/local/bin/ might be appropriate too?

> > 2. Insert (new) commands into the script.
> $EDITOR
>
> > 3. convert new scripted commands into rulesets
> > 4. Load rulesets into the /var/lib/iptables/rules-save
>
> Don't do this. Run your script, and let /etc/init.d/iptables save do
> the work for you.

So my (edited) script issues new iptables commands
and the gentoo script converts these commands
into rulesets and stores them in /var/lib/iptables/rules-save?

> > 5. Restart the iptables/netfilter firewall
>
> If you flush/reset like I describe above, this is not necessary, just
> run your script.

Yes those (4) lines go into my script, at the beginning.

Modified series of steps to use my own script
1. Put the my-firewall.sh script in /usr/local/bin/ with '700' permissions.
2. rc-update -a iptables default (issue once)
3. Insert (new) commands into the script then run my-firewall.sh.
4. run /etc/init.d/iptables save to convert (new) script based
   commands into rulesets and load.
5. Test the (new) script {rulesets}.
6. Go to step 3 and repeat until a wonderful firewall results.

Note, step 4 can be added to the end of my-firewall.sh to
combine steps 3 and 4?


correct me if I'm missing anything?


thanks,

James




-- 
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Re: iptables wiki

2006-07-05 Thread Richard Fish

On 7/5/06, James [EMAIL PROTECTED] wrote:

> or I've seen this:
> #!/sbin/runscript

This is only for init scripts in /etc/init.d/.  So no, don't use
this...use #!/bin/bash instead.

> /usr/local/bin/ might be appropriate too?

Yeah, that would work also...

> So my (edited) script issues new iptables commands
> and the gentoo script converts these commands
> into rulesets and stores them in /var/lib/iptables/rules-save?

Yep.

> 4. run /etc/init.d/iptables save to convert (new) script based
>    commands into rulesets and load.
> 5. Test the (new) script {rulesets}.
> 6. Go to step 3 and repeat until a wonderful firewall results.
>
> Note, step 4 can be added to the end of my-firewall.sh to
> combine steps 3 and 4?

If you like.  But in fact step 4 can be moved to step 7 (er, step 6
once you renumber stuff), since you don't really need to save anything
until you are happy with the results.

-Richard
--
gentoo-user@gentoo.org mailing list
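As an added example (not from the thread, the wiki or Gentoo itself), this is a my-firewall.sh of the kind James's step list and Richard's replies describe: the flush/reset header at the top, a stateful ruleset for the 3-NIC net/lan/dmz layout James mentions, and a dry-run mode so the rules can be reviewed before they are applied and, once they prove out, saved with /etc/init.d/iptables save. The interface names, the DMZ web server address and the choice of INPUT DROP (rather than the INPUT ACCEPT in Richard's header) are assumptions.

```shell
#!/bin/bash
# my-firewall.sh: hypothetical rule script of the kind the thread discusses
# (added example, not from the wiki or the list).
# Usage: my-firewall.sh apply      run the iptables commands (as root)
#        my-firewall.sh dry-run    print the commands instead of running them
WAN_IF="${WAN_IF:-eth0}"            # assumed: interface facing the internet
LAN_IF="${LAN_IF:-eth1}"            # assumed: trusted LAN
DMZ_IF="${DMZ_IF:-eth2}"            # assumed: DMZ with public services
DMZ_WEB="${DMZ_WEB:-192.0.2.10}"    # constructed address of the DMZ web server

# Dry-run backend; IPT=dryrun swaps it in, the default runs the real binary.
dryrun() { printf 'iptables %s\n' "$*"; }
IPT="${IPT:-iptables}"

flush_and_reset() {
    # Richard's header, with INPUT defaulting to DROP instead of ACCEPT so the
    # firewall host itself only answers what load_rules allows.  Apply with
    # console access at hand: between -F and the ESTABLISHED rule below, even
    # the admin's own SSH session is briefly subject to the DROP policy.
    "$IPT" -F
    "$IPT" -X
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P FORWARD DROP
}

load_rules() {
    # Stateful baseline: loopback, and replies to connections already allowed.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Management: new SSH sessions to the firewall only from the LAN side.
    "$IPT" -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    # LAN may open connections to the internet and the DMZ; DMZ to the internet.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$DMZ_IF" -j ACCEPT
    "$IPT" -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -j ACCEPT
    # Internet may reach only the DMZ web server, and only on HTTP/HTTPS.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$DMZ_WEB" -p tcp \
        -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    # DMZ hosts never get to open connections into the LAN: the FORWARD policy
    # already drops them, but rate-limited logging makes a compromised DMZ
    # host that starts probing inward visible in the kernel log.
    "$IPT" -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -m state --state NEW \
        -m limit --limit 5/min -j LOG --log-prefix "dmz-to-lan: "
}

case "${1:-}" in
    apply)   flush_and_reset && load_rules ;;
    dry-run) IPT=dryrun; flush_and_reset && load_rules ;;
    *)       : ;;   # no mode given (e.g. sourced): only define the functions
esac
```

Once a dry run reads correctly, run it with apply, test the result, and only then run /etc/init.d/iptables save, the ordering Richard suggests for step 4.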



Re: [gentoo-user] Re: iptables wiki

2006-07-05 Thread Dale
Steve Wilson wrote:
> Have you tried kmyfirewall ?
> Steve
> On Wednesday 05 July 2006 12:27, Dale wrote:

I didn't know it existed actually.  It would be so nice if there was
somewhere we could go to find out about all this stuff.  There is no
telling how many programs are out there that we have no clue exists.

That said, I use iptables and as long as it works . . . . . . .  I'll
check into it though.  It may be a while.  I'm getting married tomorrow
and I'll be gone for a while, honeymoon ya know.  ;-)

Thanks

Dale
:-)  :-)

-- 
gentoo-user@gentoo.org mailing list