[vox-tech] re: iptables questions

Jan W jcwynholds at yahoo.com
Tue May 16 10:10:54 PDT 2006



--- Cylar Z <cylarz at yahoo.com> wrote:

> I wrote a bash script as you suggested, one that
> inserts the rows into iptables. However, I still have
> to re-run that script every time the system reboots.
> 
> To get around the problem and make the rules
> permanent, I followed this advice:
> 
> "Use iptables-save and iptables-restore. You need to
> redirect the input/output, e.g. 'iptables-save >
> /root/iptables.conf', and put 'iptables-restore <
> /root/iptables.conf' in your rc.local."
> 
> Unfortunately, when I inserted the line
> "iptables-restore" in the rc.local file, the system
> hung during startup, and wouldn't start properly on
> its next reboot. I finally figured out that restoring
> rc.local to its original state would fix the problem,
> but now I'm back to square one. Ideas?
> 
> Also, is there any reason to think inserting that line
> would cause the system to mysteriously reboot on its
> own without my intervention? Because that is exactly
> what happened a few minutes after I edited rc.local.

There could be a few reasons why your machine hangs when you add these
lines to your /etc/rc.d/rc.local.  One reason is that maybe on bootup,
there is only a minimal environment, so there might be things missing
like things from $PATH or some other environment variables.

Did you try editing the /etc/sysconfig/iptables-config?

My suggestion is to try the /etc/sysconfig/iptables-config route
instead of putting scripts into /etc/rc.d/rc.local.

There are a couple of lines worth looking at:

IPTABLES_SAVE_ON_STOP="no"
IPTABLES_SAVE_ON_RESTART="no"

Change these values to "yes", and things should be saved when you stop
iptables, or when you reboot (respectively).

And I always read IP addresses/network numbers from text files like
such:

#!/bin/bash

# Start from a clean slate: flush the filter and nat tables.
iptables -F
iptables -t nat -F

# One ACCEPT rule per address/network listed in the file.
for i in $(cat /root/allow_inbound); do
    iptables -A INPUT -s "$i" -j ACCEPT
done

for i in $(cat /root/allow_forward); do
    iptables -A FORWARD -s "$i" -j ACCEPT
done

# <etc>

Where /root/allow_inbound (and allow_forward) is a whitespace-separated
list of IP addresses or networks.

Hope this helps out.  Post back if you need more help :)

--cheers

jan



<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
I believe that unarmed truth and unconditional love will have the final word in reality. That is why right, temporarily defeated, is stronger than evil triumphant.
    Martin Luther King Jr., Accepting Nobel Peace Prize, Dec. 10, 1964
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
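The allow-list script above, as an added example that is not Jan's code: a POSIX sh loader meant to be called from rc.local or a similar boot hook, which sets PATH itself (the post's point about the minimal boot environment), redirects stdin from /dev/null so a command that reads stdin when given no file, as iptables-restore does, cannot sit waiting during boot, and validates each entry as an IPv4 address or CIDR before it is passed to iptables. The file names, the IPTABLES override variable and the "apply" argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Loads per-chain allow lists
# at boot: PATH set explicitly, iptables by absolute path, stdin from /dev/null,
# every entry validated first. File names and IPTABLES override are assumptions.
PATH=/sbin:/usr/sbin:/bin:/usr/bin; export PATH
IPTABLES=${IPTABLES:-/sbin/iptables}   # point at a logging stub for a dry run

# valid_ipv4_cidr ADDR: succeed only for a.b.c.d or a.b.c.d/NN (octets 0-255, NN 0-32)
valid_ipv4_cidr() {
    v_ip=${1%/*}
    if [ "$v_ip" != "$1" ]; then               # a /prefix part is present
        v_bits=${1#*/}
        case $v_bits in ''|*[!0-9]*) return 1 ;; esac
        [ "$v_bits" -le 32 ] || return 1
    fi
    v_n=0; v_rest=$v_ip.
    while [ -n "$v_rest" ]; do                  # peel off one octet at a time
        v_o=${v_rest%%.*}; v_rest=${v_rest#*.}
        case $v_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$v_o" -le 255 ] || return 1
        v_n=$((v_n + 1))
    done
    [ "$v_n" -eq 4 ]
}

# load_rules CHAIN FILE: one ACCEPT per valid whitespace-separated entry
# ('#' starts a comment); bad entries are reported and skipped; prints the count.
load_rules() {
    l_chain=$1; l_file=$2; l_count=0
    [ -r "$l_file" ] || { echo "load_rules: cannot read $l_file" >&2; return 1; }
    for l_entry in $(sed 's/#.*//' "$l_file"); do
        if valid_ipv4_cidr "$l_entry"; then
            "$IPTABLES" -A "$l_chain" -s "$l_entry" -j ACCEPT </dev/null && l_count=$((l_count + 1))
        else
            echo "load_rules: skipping bad entry '$l_entry' in $l_file" >&2
        fi
    done
    echo "$l_count"
}

# Only touch the live rule set when invoked as "apply" (e.g. from rc.local).
if [ "${1:-}" = "apply" ]; then
    "$IPTABLES" -F </dev/null
    "$IPTABLES" -t nat -F </dev/null
    echo "INPUT: $(load_rules INPUT /root/allow_inbound) rules loaded"
    echo "FORWARD: $(load_rules FORWARD /root/allow_forward) rules loaded"
fi
```

Run it as `sh loader.sh apply` from the boot hook; without the argument it only defines the functions, so it can be sourced and exercised against a stub before it ever touches the live rule set.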
