Start firewall script at boot or iptables

[Decibels]

I see a lot of questions on firewall scripts and starting them at boot.

I am trying to figure if I am missing something here.

1) If you have iptables configured and some firewall rules written in the
tables and added it to /etc/init.d for starting at bootup. Then that should
be loading any firewall rules you have written when you bootup.

2) If #1 is true then there is no need to install another firewall program
and add it to default runlevel too. Cause the rules are being loaded
and implimented at bootup.

3) You would only need another firewall program installed if you didn't
want to or couldn't write your own rules. Then still, after it is ran once,
it should have the rules written to iptables and as long as iptables is
default runlevel, the firewall program you installed doesn't need to
run at boot cause it has done it's job.

4) Then you should only need to run the firewall program again if you
wanted to changed some rules.

Are these assumptions correct or am I missing something? Cause I have iptables setup with some rules. Recently read Daniel Robbins Stateful IPTables tutorial at Intel and really like what he had to say on them. I took his script and modified it to meet several needs (I don't need forwarding, but a friend does).
I was going to put the script in /etc/init.d and set it to run at boot. But realized that I already have the rules in place now and unless I want to change it or stop the firewall. I don't need to run the script again cause iptables starts at boot.

[xpunkrockryanx]

when iptables loads, it doesnt automatically load the rules that you had set in place previously, it relies on you running the script to add the rules. for example, you have your firewall set up currently, but if you rebooted, it would no longer be in place. you should set the script you have there to run on each boot. to answer your individual questions specifically:

1.) only if what added to /etc/init.d to run on boot was actually the rules themselves, not just the iptables module.

2.) correct, if #1 was correct.

3.) some confusion here as to what you refer when you say "another firewall program." if by "firewall program" you mean shell script to add iptables rules, then no, in fact the "program" would need to be run on boot each time. i guess it would need to be run on boot each time regardless. to be clear, everything that was entered into iptables is lost on reboot.

4.) correct, unless you reboot, in which case you'd need to run the firewall program again.

-ryan

[Decibels]

Hence the confusion. See, they are saved if you want them saved.
Iptables userspace when emerged doesn't make the directory /var/lib/iptables or the file /var/lib/iptables/rules-save.
But, /etc/conf.d/iptables states:

[Decibels]

I must take part of the back. In essence you do load the firewall rules up upon each reboot from the /var/lib/rules-save. But it isn't I guess what you would really call a script, it is just the rules that you already wrote saved.

[Printhead]

Instead of running iptables from init.d and having the rules as they stand saved on shutdown, you can just add your script to /etc/conf.d/local.start and the ruleset will load from there on each boot.

That way, the script stays just as you set it up with comments and layout retained, which makes things easier to tweak and understand in my inexperienced opinion.

[Decibels]

Oh, I don't want to be misunderstood. You can do it either way!!!

It just seems that some people think you need to run iptables from init.d and also install a firewall program like fwbuilder or guarddog,... and also start it from init.d (unless I am wrong, and could be).

All I am trying to say is that you can write your own rules or use a program like fwbuilder to help you write one. But you don't have to 'also' have both programs start from init.d. Just starting iptables is good enough. If you made the folder /var/lib/iptables and touched the file /var/lib/iptables/rules-save, then the iptables rules ARE SAVED and will be reloaded upon reboot.


So as long as you didn't just type the rules in at the prompt in a terminal, but wrote a small script to do it for you like I did. Then you still have
(to quote): "the script stays just as you set it up with comments and layout retained"

For example I wrote a script to encompass two setups: I don't have forwarding enabled or a LAN that I want to masquerade for ICS, my Dad does. So the script looks for the forwarding enabled in /etc/conf.d/iptables, if set then inserts the ip_forwarding and masquerade rules. The script is also setup with start (write the rules and save them) and stop (flush the rules). SO you could run start, stop, change the rules, add comments,... BUT, the script doesn't have to be restarted at boot each time, iptables rules are already saved and loaded upon next reboot.

Most of this is copied from 'Daniel Robbins': Stateful IPTables tutorial at Intel.com. Then changed to work with the tutorial I wrote to Masquerade on a LAN with Two Computers, or a standalone with no LAN. BUT, it only has to be ran once to implement the rules, unless you want to change them.

[doug-x07]

I have another approach that you may find easier to manage. Firslty modify you /etc/init.d/firwall script as described in the Gentoo security guide to automatically check on start up if you have a given firewall rules file or load default rules.

You can then create a second shell script to handle the on the fly changes and firewall configuration as in the stateful IP Tables tutorial. No need to run it from start up as it doesn't handle the actual daemon directly. This allows you to call the start, stop and reset functions of /etc/init.d/firewall as needed whilst maintaining the service dependcies and sanity checks of Gentoo init.

The example in the security guide only allows me to call the start stop and reset functions. I looked in the runscript.sh source and that is apparently all it accepts as arguments (??). So I then stuck a panic, save (to the same file as referenced in /etc/init.d/firewall that way you save a rule set for next startup) and showstatus functions in my shell script and defined other dynamic rules that I occasionally require. Now you have two firewall scripts, the basic init.d one for service start ups and a general shell script that you run on top of it as needed for managing the dynamic rule configuration, adding or saving configurations.

Drobbins tutorial can be a bit misleading for use with geentoo as it appears to be deliberately aimed for compatibility with all the different start up mechanisms that you can find in Linux. Great tutorial though and check out the dynfw ebuild in portage if you don't want to hack your own scripts.

Just my 2 cents on the subject.
_________________
#! /usr/bin/perl
if( @first != $succeed ) {
post { $question->forum && eval '$answers' };
try { $again } catch { $problem && $resolve };
bless $posters; }

[tomaw]

[ventricle]

I don't know how to explain this, but when I run your script (changing CABLEE to PPPE because I have a modem) it starts OK, but I am unable to 'ping www.google.com'.
In fact, even if I run stop on your script, it doesn't fix it. I actually have to /etc/init.d/iptables stop in order to let me ping google again!
_________________
[LRU]