How to sensibly start IPtables?

Erik
Archived from groups: comp.security.firewalls (More info?)

I have an RH9 Linux system running as Router/FW.
IPTables 1.2.9 on it and running happily.

Would the following be a sound idea, as to maintainability of the
IPTables rules and the effectiveness and security of the FW:


Immediately after the running of a script in /etc/rc3.d a partial
IPTables script must run, to open up the FW for any necessary
ports/protocols/etc. related to that /etc/rc3.d script.

example and problem:

just after running the /etc/rc.d/init.d/named script, the FW must be
opened for protocol UDP/port 53.
If it is not opened, the subsequent ntpd script would not work, for it
opens the FW for a few timeservers, not given by IP number, but by
FQN. And it would log a few packet refusals, if not opened
immediately.

same goes for other servers, that need specific ports open. (Or, more
general, need specific IPTables rules effective): samba, apache,
sendmail...

For this, I would make a parallel directory for the partial IPTables
scripts (e.g. /etc/rc.d/iptables/S08named), which would be controlled
by a mechanism incorporated in the /etc/rc.d mechanism (S08named
things).


Question is, how would I incorporate this parallel mechanism in the
startup scripts, and where?

fr gr
Erik
 
Guest

On Sun, 25 Jul 2004 14:52:35 +0200, Erik wrote:
> I have an RH9 Linux system running as Router/FW.
> IPTables 1.2.9 on it and running happily.
>
> Would the following be a sound idea, as to maintainability of the
> IPTables rules and the effectiveness and security of the FW:
>
>
> Immediately after the running of a script in /etc/rc3.d a partial
> IPTables script must run, to open up the FW for any necessary
> ports/protocols/etc. related to that /etc/rc3.d script.


What you could have is a script which uses basename to get the name
it was called by. Example: fn=$(basename $0)

You then make two links in the same directories as the
S10network link.

Example:
cd /etc/rc.d/rc3.d/
ls -s /etc/rc.d/init.d/my_iptable_rules S10before_net
ls -s /etc/rc.d/init.d/my_iptable_rules S10network_up

Now with ls S* we see something like
S10before_net
S10network
S10network_up
which indicates the order in which they will execute when the system boots.

Now my_iptable_rules could have a test like

if [ "$fn" = S10before_net ] ; then
    (load iptables with a restricted set of rules here)
fi

if [ "$fn" = S10network_up ] ; then
    (load iptables with some more rules here)
fi
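The basename-dispatch idea above written out as a complete init script, as an added example that is not part of the original post. It keeps the post's link names (S10before_net, S10network_up); the rule lines themselves are assumed and only illustrate the two phases (a default-deny set before the network is up, then UDP/53 for named as the original question describes).

```shell
#!/bin/sh
# Added example, not the poster's script: one init script installed under two
# rc3.d link names, loading a different iptables rule set depending on the
# name it was called by. The rule bodies are illustrative and assumed.

# Map the invoked link name to a rule-set phase; prints the phase, fails if unknown.
phase_for_name() {
    case "$1" in
        S10before_net) echo restricted ;;
        S10network_up) echo extended ;;
        *) return 1 ;;
    esac
}

# Print the iptables commands for a phase, one per line. Printing rather than
# running them lets the selection logic be checked without root.
rules_for_phase() {
    case "$1" in
        restricted)
            # Before the network comes up: default-deny, loopback and replies only.
            printf '%s\n' \
                'iptables -P INPUT DROP' \
                'iptables -P FORWARD DROP' \
                'iptables -A INPUT -i lo -j ACCEPT' \
                'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
            ;;
        extended)
            # After named has started: accept DNS on UDP/53, as in the question.
            printf '%s\n' \
                'iptables -A INPUT -p udp --dport 53 -j ACCEPT'
            ;;
        *) return 1 ;;
    esac
}

# Dispatch on the name this script was invoked as (the post's fn=$(basename $0)).
# When run under any other name nothing is applied.
fn=$(basename "$0")
if phase=$(phase_for_name "$fn"); then
    rules_for_phase "$phase" | sh -e
fi
```

Install it once as /etc/rc.d/init.d/my_iptable_rules and link it twice with ln -s, as the answer describes; the rc mechanism then runs the restricted set before S10network and the extended set after it.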
 

Erik

>ls -s /etc/rc.d/init.d/my_iptable_rules S10before_net
>ls -s /etc/rc.d/init.d/my_iptable_rules S10network_up
>

ls = ln ?

thnx
Erik
 
Guest

On Sun, 25 Jul 2004 15:56:06 +0200, Erik wrote:
>
>>ls -s /etc/rc.d/init.d/my_iptable_rules S10before_net
>>ls -s /etc/rc.d/init.d/my_iptable_rules S10network_up
>>
>
> ls = ln ?

You are correct, should have been ln.

Frap, there goes all my gold stars for the week. :(

I had already disconnected fingers from brain while forming the next
paragraph in head.

Thank you for the correction.
 

Erik

On Sun, 25 Jul 2004 14:23:03 GMT, the right honourable Bit Twister
<BitTwister@localhost.localdomain> wrote:

>On Sun, 25 Jul 2004 15:56:06 +0200, Erik wrote:
>>
>>>ls -s /etc/rc.d/init.d/my_iptable_rules S10before_net
>>>ls -s /etc/rc.d/init.d/my_iptable_rules S10network_up
>>>
>>
>> ls = ln ?
>
>You are correct, should have been ln.
>
>Frap, there goes all my gold stars for the week. :(
>
>I had already disconnected fingers from brain while forming the next
>paragraph in head.
>
>Thank you for the correction.

details...

wanted to make sure.
Such is the cross we have to carry: colons and semicolons...

thnx for the suggestions. worth a few stars to me :)

Erik