Recipe 2.20 Loading a Firewall Configuration

2.20.1 Problem

You want to load your firewall rules, e.g., at boot time.

2.20.2 Solution

Use ipchains-restore or iptables-restore. Assuming you've saved your firewall configuration in /etc/sysconfig [Recipe 2.19]:

For iptables:

    #!/bin/sh
    echo 1 > /proc/sys/net/ipv4/ip_forward       # optional: only if this host forwards packets
    iptables-restore < /etc/sysconfig/iptables

For ipchains:

    #!/bin/sh
    echo 1 > /proc/sys/net/ipv4/ip_forward       # optional: only if this host forwards packets
    ipchains-restore < /etc/sysconfig/ipchains

To tell Red Hat Linux that firewall rules should be loaded at boot time:

    # chkconfig iptables on
    # chkconfig ipchains on

2.20.3 Discussion

Place the load commands in one of your system rc files. Red Hat Linux already has rc files "iptables" and "ipchains" in /etc/init.d that you can simply enable using chkconfig. SuSE Linux, in contrast, has a script /sbin/SuSEpersonal-firewall that invokes iptables or ipchains rules, and it's optionally started by /etc/init.d/personal-firewall.initial and /etc/init.d/personal-firewall.final at boot time.

To roll your own solution, you can write a script like the following and invoke it from an rc file of your choice:

    #!/bin/sh
    # Uncomment either iptables or ipchains
    PROGRAM=/usr/sbin/iptables
    #PROGRAM=/sbin/ipchains

    FIREWALL=`/bin/basename $PROGRAM`
    RULES_FILE=/etc/sysconfig/${FIREWALL}
    LOADER=${PROGRAM}-restore
    FORWARD_BIT=/proc/sys/net/ipv4/ip_forward

    if [ ! -f ${RULES_FILE} ]
    then
            echo "$0: Cannot find ${RULES_FILE}" 1>&2
            exit 1
    fi

    case "$1" in
            start)
                    echo 1 > ${FORWARD_BIT}
                    ${LOADER} < ${RULES_FILE} || exit 1
                    ;;
            stop)
                    ${PROGRAM} -F                   # Flush all rules
                    ${PROGRAM} -X                   # Delete user-defined chains
                    echo 0 > ${FORWARD_BIT}
                    ;;
            *)
                    echo "Usage: $0 start|stop" 1>&2
                    exit 1
                    ;;
    esac
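A boot-time loader is only as good as the file it feeds to iptables-restore; a truncated or hand-edited rules file can leave the host with a partial ruleset. The following script, an added example that is not the book's or any distribution's code, checks the saved file's structure first and then asks iptables-restore to parse it without committing; the paths and the --test pass (present in newer iptables releases) are assumptions.

```sh
#!/bin/sh
# Added example (not the book's script): sanity-check a rules file written by
# iptables-save before iptables-restore loads it at boot, so a truncated or
# hand-edited file fails loudly instead of leaving a partial ruleset behind.
# RULES_FILE and LOADER follow Recipe 2.19's /etc/sysconfig layout (assumption).
RULES_FILE=${RULES_FILE:-/etc/sysconfig/iptables}
LOADER=${LOADER:-/usr/sbin/iptables-restore}

# check_rules_file FILE: status 0 only if every "*table" block is closed by
# COMMIT and the filter table declares a policy for all three built-in chains;
# the first problem found is reported on stderr.
check_rules_file() {
    awk '
        BEGIN { bad = 0 }
        /^#/ || /^$/ { next }                         # comments and blank lines
        /^\*/ {                                       # "*filter", "*nat", ...
            if (table != "") { print "missing COMMIT before " $0; bad = 1 }
            table = $0; next
        }
        /^COMMIT$/ {
            if (table == "") { print "COMMIT outside any table"; bad = 1 }
            table = ""; next
        }
        /^:/ { if (table == "*filter") policy[$1] = $2; next }
        END {
            if (table != "") { print "file ends inside " table " (no COMMIT)"; bad = 1 }
            n = split("INPUT FORWARD OUTPUT", chain)
            for (i = 1; i <= n; i++) {
                key = ":" chain[i]
                if (!(key in policy)) { print "filter table: no policy for " chain[i]; bad = 1 }
            }
            exit bad
        }' "$1" 1>&2
}

# load_rules: validate the file, let iptables-restore parse it without
# committing (--test, available in newer iptables releases), then load it.
load_rules() {
    check_rules_file "$RULES_FILE" || return 1
    "$LOADER" --test < "$RULES_FILE" || return 1
    "$LOADER" < "$RULES_FILE"
}

# Only act when invoked as "script start"; sourcing it just defines the functions.
if [ "${1:-}" = start ]; then
    load_rules || exit 1
fi
```

Invoke it as `script start` from the rc file of your choice; a non-zero exit means the saved file never reached the kernel.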

Make sure you load your firewall rules for all appropriate runlevels where networking is enabled. On most systems this includes runlevels 2 (multiuser without NFS), 3 (full multiuser), and 5 (X11). Check /etc/inittab to confirm this, and use chkconfig to list the status of the networking service at each runlevel:

    $ chkconfig --list network
    network         0:off   1:off   2:on    3:on    4:on    5:on    6:off

2.20.4 See Also

iptables-load(8), ipchains-load(8), iptables(8), ipchains(8).

Linux Security Cookbook
ISBN: 0596003919
Year: 2006
Pages: 247