Storing iptables Information

Rules created with the iptables command are stored in RAM only: if you restart the system after setting up iptables rules, they are lost. For netfilter rules to persist across a reboot, save them to the /etc/sysconfig/iptables file.

To do this, type the /sbin/service iptables save command as the root user. This causes the iptables init script to run the /sbin/iptables-save program and write the current iptables configuration to the /etc/sysconfig/iptables file. Because iptables-save writes whatever is loaded in the kernel at that moment, including any temporary rules added while testing, review the running ruleset (for example with /sbin/iptables -L -n) before saving it. This file should be readable by root only (mode 0600), so that your packet filtering rules are not viewable by average users. The next time the system boots, the iptables init script reapplies the rules saved in /etc/sysconfig/iptables using the /sbin/iptables-restore command.

While it is always a good idea to test a new iptables rule before committing it to the /etc/sysconfig/iptables file, it is possible to copy iptables rules into this file from another system’s version of this file. This allows you to quickly distribute sets of iptables rules to many different machines.

Note

If you distribute the /etc/sysconfig/iptables file to other machines, you must type /sbin/service iptables restart for the new rules to take effect. Restarting flushes the running rules and reloads them from the file, so a mistake in the copied file can leave a remote host unreachable; keep a console or out-of-band connection open while doing this.
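The following is an added example, not code from the Red Hat manual, covering the save and distribute steps above: it parses a file in the format that iptables-save writes (the format of /etc/sysconfig/iptables), flags jumps to chains the file never defines, which is the usual breakage when a ruleset copied from one host referenced a chain that host had defined separately, and checks that the file is root-owned and mode 0600. The sample ruleset, the misspelled WEB chain and the BUILTIN_TARGETS list are constructed for this example; extension targets not in that list would need adding.

```python
"""Added example (not from the manual): lint an iptables-save format file
before copying it to other hosts. Assumed layout, as iptables-save writes it:
'*table', ':CHAIN POLICY [pkts:bytes]' lines, '-A' rules, then 'COMMIT'."""
import os
import shlex
import stat
import sys

# Targets valid in -j/-g without being a user-defined chain (constructed
# list for the example; add any other extension targets you use).
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "QUEUE",
                   "MASQUERADE", "SNAT", "DNAT", "REDIRECT", "MARK"}

# Constructed sample. The jump to WEB is a deliberate error: that chain was
# defined on the source host but is missing from the copied file.
SAMPLE_RULES = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH-LIMIT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j SSH-LIMIT
-A INPUT -p tcp --dport 80 -j WEB
-A SSH-LIMIT -m limit --limit 3/min -j ACCEPT
-A SSH-LIMIT -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {"chains": {name: policy}, "rules": [argv, ...]}}.
    Raises ValueError on structure iptables-restore would reject too."""
    tables, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if current is not None:
                raise ValueError(f"line {lineno}: table {current} has no COMMIT")
            current = line[1:]
            tables[current] = {"chains": {}, "rules": []}
        elif line == "COMMIT":
            if current is None:
                raise ValueError(f"line {lineno}: COMMIT outside a table")
            current = None
        elif current is None:
            raise ValueError(f"line {lineno}: {line!r} outside a table")
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]   # user chains carry policy '-'
            tables[current]["chains"][name] = policy
        elif line.startswith("-A "):
            tables[current]["rules"].append(shlex.split(line))
        else:
            raise ValueError(f"line {lineno}: unrecognised line {line!r}")
    if current is not None:
        raise ValueError(f"table {current} has no COMMIT")
    return tables


def lint_rules(tables):
    """List rules that append to, or jump to, a chain the table never defines."""
    problems = []
    for table, body in tables.items():
        chains = set(body["chains"])
        for argv in body["rules"]:
            if argv[1] not in chains:                    # -A <chain>
                problems.append(f"{table}: -A to undefined chain {argv[1]!r}")
            for flag in ("-j", "-g"):
                if flag in argv:
                    i = argv.index(flag)
                    target = argv[i + 1] if i + 1 < len(argv) else ""
                    if target not in chains and target not in BUILTIN_TARGETS:
                        problems.append(f"{table}: jump to undefined chain {target!r}")
    return problems


def permission_problems(st_mode, st_uid, path):
    """The saved file should be root-owned and 0600, so that ordinary users
    cannot read which hosts and ports are filtered."""
    problems = []
    if st_uid != 0:
        problems.append(f"{path}: owned by uid {st_uid}, expected root")
    if st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {stat.filemode(st_mode)} readable by "
                        "group/other, want 0600")
    return problems


def audit_rules_file(path):
    """All checks on one file; returns a list of problem strings (empty = clean)."""
    st = os.stat(path)
    problems = permission_problems(st.st_mode, st.st_uid, path)
    with open(path, encoding="ascii") as fh:
        text = fh.read()
    try:
        problems += lint_rules(parse_iptables_save(text))
    except ValueError as exc:
        problems.append(f"{path}: {exc}")
    return problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/sysconfig/iptables"
    for problem in audit_rules_file(target) or ["no problems found"]:
        print(problem)
```

Run it against the file you intend to distribute (python3 lint_rules.py /path/to/iptables); on the constructed sample it reports the jump to the undefined WEB chain, which iptables-restore on the receiving host would otherwise reject after the rules had already been flushed by the restart.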



Additional Resources

See the sources below for additional information on packet filtering with iptables.

Installed Documentation

The iptables man page contains a comprehensive description of various commands, parameters, and other options.

Useful Websites

  • http://netfilter.samba.org — Contains assorted information about iptables, including a FAQ addressing specific problems you may experience and various helpful guides by Rusty Russell, the Linux IP firewall maintainer. The HOWTO documents here cover subjects such as basic networking concepts, 2.4 kernel packet filtering, and NAT configurations.

  • http://www.linuxnewbie.org/nhf/Security/IPtables_Basics.html — A basic and general look at the way packets move through the Linux kernel, plus an introduction to constructing simple iptables commands.

  • http://www.redhat.com/support/resources/networking/firewall.html — This Web page contains up-to-date links to a variety of packet filter resources.

Related Book:

  • Red Hat Linux Firewalls by Bill McCarty (Red Hat Press/Wiley, 2003)



Chapter 23: Kerberos

Kerberos is a network authentication protocol created by the Massachusetts Institute of Technology. It uses secret-key cryptography, so a user’s password never has to be sent over the network, and an unauthorized user who intercepts network traffic cannot recover passwords from it.

Advantages of Kerberos

Most conventional network systems use password-based authentication schemes. A user who authenticates to a network server must supply a user name and password for each service requiring authentication. This information is sent over the network, and the server verifies the user’s identity using it. However, many services transmit this authentication information in plaintext. An attacker with access to the network and a packet analyzer, also known as a packet sniffer, can intercept any passwords sent in this manner. The primary design goal of Kerberos is to ensure that the user’s password is never transmitted across the network: the client proves knowledge of the password by decrypting material the Kerberos server encrypted under a key derived from it. Used properly, Kerberos eliminates the threat that packet sniffers pose to authentication credentials. Note that it protects the login itself; application data remains visible to a sniffer unless the service goes on to encrypt its traffic with the Kerberos session key.
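To make the design goal concrete, here is an added example, not code from the manual or from MIT Kerberos: a simplified Kerberos 5 AS (authentication service) exchange run with a sniffer recording every message, to show that the password never crosses the network. Only the protocol’s structure is kept. The cipher is a toy stand-in for the Kerberos AES encryption types (an HMAC-SHA256 keystream plus an HMAC tag; real Kerberos uses AES-CTS with HMAC), and the realm, principal, password and the demo() helper are constructed for this example.

```python
"""Added example (not from the manual): simplified Kerberos AS exchange with a
passive sniffer. Toy cipher and constructed realm/principals; see lead-in."""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"   # constructed realm for the example


def string_to_key(password, salt):
    # Kerberos AES enctypes derive the long-term key from the password with
    # PBKDF2 (RFC 3962); the iteration count here is for illustration.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def toy_encrypt(key, plaintext):
    """Toy authenticated encryption standing in for a Kerberos enctype."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def toy_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Key Distribution Center: holds every principal's long-term key."""

    def __init__(self, realm):
        self.realm = realm
        self.keys = {}
        self.tgs_key = os.urandom(32)   # key of krbtgt/REALM; never leaves the KDC

    def add_principal(self, name, password):
        # Kerberos salts the password with realm plus principal name.
        self.keys[name] = string_to_key(password, self.realm + name)

    def as_exchange(self, as_req):
        """AS-REQ -> AS-REP. The request names the client; it carries no password."""
        client = as_req["cname"]
        session_key = os.urandom(32)
        ticket = toy_encrypt(self.tgs_key, json.dumps(        # TGT, opaque to client
            {"cname": client, "key": session_key.hex(),
             "endtime": time.time() + 10 * 3600}).encode())
        enc_part = toy_encrypt(self.keys[client], json.dumps(  # readable only with the password-derived key
            {"key": session_key.hex(), "sname": "krbtgt/" + self.realm}).encode())
        return {"cname": client, "ticket": ticket.hex(), "enc_part": enc_part.hex()}

    def open_ticket(self, ticket):
        return json.loads(toy_decrypt(self.tgs_key, ticket))


def client_login(kdc, name, password, wire):
    """Client side of the AS exchange. `wire` records what a sniffer sees."""
    as_req = {"cname": name, "realm": kdc.realm, "sname": "krbtgt/" + kdc.realm}
    wire.append(json.dumps(as_req).encode())
    as_rep = kdc.as_exchange(as_req)
    wire.append(json.dumps(as_rep).encode())
    # The password is used only locally, to derive the key that opens enc_part.
    key = string_to_key(password, kdc.realm + name)
    enc = json.loads(toy_decrypt(key, bytes.fromhex(as_rep["enc_part"])))
    return bytes.fromhex(enc["key"]), bytes.fromhex(as_rep["ticket"])


def demo(password="correct horse battery", attempt=None):
    """One login (optionally with a wrong password attempt); reports what the
    sniffer did and did not obtain. Raises ValueError if the attempt is wrong."""
    kdc = KDC(REALM)
    kdc.add_principal("alice", password)
    wire = []
    session_key, ticket = client_login(kdc, "alice", attempt or password, wire)
    captured = b"".join(wire)
    tgt = kdc.open_ticket(ticket)
    return {
        "password_on_wire": password.encode() in captured,
        "session_key_on_wire": session_key.hex().encode() in captured,
        "ticket_names_client": tgt["cname"] == "alice",
        "client_got_same_key": tgt["key"] == session_key.hex(),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats the exchange makes visible. First, enc_part is encrypted under a key derived from the password, so an attacker who captures an AS-REP can try candidate passwords offline against it; Kerberos 5 pre-authentication (proving the password before the KDC issues the reply) and strong passwords are what limit this. Second, the sniffer still sees every later application message in the clear unless the service encrypts it with the session key it shares with the client.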