JavaRanch » Java Forums » Engineering » Linux / UNIX

iptables firewall

Adam Hardy
Ranch Hand

Joined: Oct 09, 2001
Posts: 565
Hi All,
I need a couple of pointers now that I've gone through a whole bunch of tutorials and how-tos on netfilter & iptables, and played with the iptables command.
I have a sample script from linuxguruz rc.DHCP.firewall.txt and I'd like to get it to run on boot automatically. How can I do this?
I'm also not sure of which order the different things should be started, and whether that's actually important or even how to do it for boot-time.
I assume the network configuration gets done first, but which should come next, iptables or pppoe?
TIA!
Adam


ca buki
Greenhorn

Joined: Oct 10, 2002
Posts: 12
Originally posted by Adam Hardy:
Hi All,
I have a sample script from linuxguruz rc.DHCP.firewall.txt and I'd like to get it to run on boot automatically. How can I do this?


You just need to add a line to the startup script. I use Slackware and the main startup script is /etc/rc.d/rc.local. If you add a line (probably at the end) calling the script you got from linuxguruz, it should start every time you boot up.


I'm also not sure of which order the different things should be started, and whether that's actually important or even how to do it for boot-time.
I assume the network configuration gets done first, but which should come next, iptables or pppoe?
TIA!
Adam

I don't think order is too important, but I don't use PPPOE, so I'm not much help there. I think it's best to start the firewall after you have done the network config and then start everything else.
Jon
Adam Hardy
Ranch Hand

Joined: Oct 09, 2001
Posts: 565
Hi,
through experimentation, I can confirm that the order is not important. [edited later: this is crap! The order is important. 1) iptables 2) network 3) pppoe ]
Now I've got another problem. In the script, I've got a conditional expression:

and it's giving me this error:
./rc.DHCP.firewall: [: No: integer expression required
I'm using the console in KDE - am I not in the right kind of shell or something?
PLUS another question : logging - it looks like linux does something akin to log4j and that iptables is using it - the script I'm using has lines like this:

I've sussed that it uses /etc/syslog.conf and that there are several facilities keywords, but which facility keyword is iptables going to use?
Also if I'm going to change syslog, do I just edit the syslog.conf and restart the daemon, or is there another interface?
Thanks, if anyone can help!
Adam
[ October 17, 2002: Message edited by: Adam Hardy ]
Guy Allard
Ranch Hand

Joined: Nov 24, 2000
Posts: 776
Hi Adam -
I believe your script has a bug. The if statement S/B:
if [ "$DHCP" == "yes" ]; then
== is used for string comparisons.
-eq is used for numeric comparisons.
G.
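The two kinds of comparison that `[ ]` offers, as an added example that is not the linuxguruz script or anything posted in this thread. The variable name `DHCP` and the value `yes` are taken from the error message above; the `port_is_privileged` helper is an assumption added to show a case where the integer form is the right one.

```shell
#!/bin/sh
# Added example (not from the linuxguruz script or the thread): the two kinds of
# comparison that [ ] offers, and why one of them produces the error above.
#   [ "$a" = "$b" ]    string comparison (POSIX; bash also accepts ==)
#   [ "$a" -eq "$b" ]  integer comparison; both sides must be integers, otherwise
#                      [ complains ("integer expression required" or similar on
#                      stderr) and returns status 2 instead of 0 or 1
# Quoting "$1" keeps the test well-formed when the variable is empty or unset.

# True (status 0) when the DHCP switch reads "yes".
dhcp_enabled() {
    [ "$1" = "yes" ]
}

# The same switch tested as if it were a number: "yes" is not an integer, so the
# result is neither true nor false but an error status (stderr silenced here).
dhcp_enabled_numeric() {
    [ "$1" -eq 1 ] 2>/dev/null
}

# Integer comparison is right for a genuinely numeric setting such as a port
# (hypothetical helper, not from the thread).
port_is_privileged() {
    [ "$1" -ge 0 ] && [ "$1" -lt 1024 ]
}

DHCP=${DHCP:-yes}
if dhcp_enabled "$DHCP"; then
    echo "DHCP=$DHCP: the DHCP client rules would be loaded"
else
    echo "DHCP=$DHCP: skipping the DHCP client rules"
fi
```

The shell in use (KDE's console runs whatever login shell is configured) does not matter here: `[` behaves the same way in bash, dash and ksh, and the error comes from feeding a word to the integer operator.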
Guy Allard
Ranch Hand

Joined: Nov 24, 2000
Posts: 776
And also, about logging:
Without doing anything to syslog.conf, iptables will use the default facility.
Log messages go (on a RH system) to:
/var/log/messages
iptables is (under the covers) invoking 'logger'. This is a command you can use from the console or from scripts to send your own messages to the/a log. Do a:
man logger
for more information.
Also will mention that many (not all) of the .conf files have their own man pages, e.g.
man lilo.conf
Regards, Guy
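Where the LOG target's output lands and how to get a summary out of it, as an added example that is not part of the thread. It assumes the rule was written with `--log-prefix "FW-DROP: "` and that syslog files kernel messages in /var/log/messages; the log lines embedded in it are constructed samples using RFC 5737 documentation addresses, not real traffic.

```shell
#!/bin/sh
# Added example (not from the thread): where netfilter LOG output ends up and how
# to pull a summary out of it. Assumptions: the rule used --log-prefix "FW-DROP: "
# and syslog writes kernel messages to /var/log/messages.
# LOG messages are generated by the kernel, so syslog files them under facility
# "kern" at the priority given by --log-level (default "warning"). To divert them,
# add to /etc/syslog.conf a line such as
#     kern.warning    -/var/log/iptables.log
# and make syslogd re-read it with: kill -HUP $(cat /var/run/syslogd.pid)

# Constructed sample of /var/log/messages (RFC 5737 documentation addresses).
SAMPLE='Oct 20 14:02:11 fw kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=32451 DF PROTO=TCP SPT=4321 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 20 14:02:15 fw kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=32452 DF PROTO=TCP SPT=4322 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Oct 20 14:03:40 fw kernel: FW-DROP: IN=ppp0 OUT= MAC= SRC=198.51.100.99 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=53 DPT=1026 LEN=40
Oct 20 14:03:41 fw sshd[812]: Accepted publickey for adam from 10.0.0.5 port 40122 ssh2'

# Lines from the firewall rule only; other kernel and daemon lines are ignored.
# Optional $1 overrides the prefix to look for.
fw_lines() {
    grep "kernel: ${1:-FW-DROP:}"
}

# Number of logged drops on stdin (prints 0, not nothing, when there are none).
count_drops() {
    fw_lines "$1" | grep -c . || :
}

# One line per distinct source/protocol/port, busiest first: "count SRC PROTO DPT".
drop_summary() {
    fw_lines "$1" | awk '{
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "SRC") src = v
            else if (k == "PROTO") proto = v
            else if (k == "DPT") dpt = v
        }
        if (src != "") hits[src " " proto " " dpt]++
    }
    END { for (key in hits) print hits[key], key }' | sort -rn
}

# Source address with the most logged drops.
top_source() {
    fw_lines "$1" | sed -n 's/.* SRC=\([^ ]*\) .*/\1/p' | sort | uniq -c | sort -rn |
        awk 'NR == 1 { print $2 }'
}

printf '%s\n' "$SAMPLE" | drop_summary
```

Against a real file the functions read from stdin, e.g. `drop_summary < /var/log/messages`. Keep the prefix short and distinctive (the LOG target caps it at 29 characters), since it is the only thing that separates firewall lines from the rest of the kernel's output.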
Guy Allard
Ranch Hand

Joined: Nov 24, 2000
Posts: 776
And after some further thought - starting these services in any order is probably possible, but ...
In general firewall start should occur before network start, for obvious reasons.
Regards, Guy
Adam Hardy
Ranch Hand

Joined: Oct 09, 2001
Posts: 565
Hi there again,
got another problem setting up my firewall:
I've got two network cards, defined as eth0 and eth1. eth0 is for my own LAN, and eth1 is for the DSL connection. I defined my eth0 with an IP address of 10.0.0.1 and I defined eth1 without an IP address, since the pppoe gets the IP address from the ISP's DHCP, or at least I think so, since I definitely don't have a fixed IP address from my ISP.
Is that the correct approach? I get the following message at boot:
Determining IP information for eth1: operation failed
Any idea what I'm doing wrong?
TIA
Adam
George Brown
Ranch Hand

Joined: Sep 26, 2000
Posts: 919
Adam, try swapping the cables round. Your linux box might have allocated eth1 to what you think is eth0.
Adam Hardy
Ranch Hand

Joined: Oct 09, 2001
Posts: 565
I am certain that eth0 and eth1 have the right cables attached. I had to stipulate which one pppoe should use to connect to the net, and that works.
I've sorted out what the problem was. I'm using the GUI network configuration dialog in KDE and it's got an option to activate the device when computer starts, and then under protocols, it's got an option to obtain IP address from DHCP.
This last option caused the boot error because it was looking for a DHCP server before the pppoe connection was up.
Just spent the last couple of hours configuring the startup scripts to load iptables first, then the network devices and then the pppoe.
Now my problem is getting the startup script to work. How do I get iptables to save its rules to the /etc/sysconfig/iptables file?
This is the steepest learning curve ever.
[ October 17, 2002: Message edited by: Adam Hardy ]
Adam Hardy
Ranch Hand

Joined: Oct 09, 2001
Posts: 565
Sussed it. I ran all my iptables rules via a script file in my home directory, but to save them to /etc/sysconfig/iptables so that they get loaded at boot, I used iptables-save
There's some config stuff in /proc/net/ip_tables_names - I can't change anything in there and the system seems to be updating the file timestamps. What on earth is it?
Guy Allard
Ranch Hand

Joined: Nov 24, 2000
Posts: 776
Hi Adam - All that file contains is a list of the table names currently known to iptables.
The modification timestamp is constantly updated as the system runs, this is normal.
You should not have to directly manipulate this data.
Regards, Guy
Adam Hardy
Ranch Hand

Joined: Oct 09, 2001
Posts: 565
Hello again,
after spending two days stumbling in the dark I need some more help on this again.
I am not able to configure iptables, networking and pppoe to start at boot.
Once it's booted, I have to stop pppoe (on eth1), use ifconfig to down the LAN eth0 interface, and then restart pppoe. Then it works.
Why does my LAN eth0 running, which I set linux to bring up at boot, prevent my pppoe interface from working?
I suspect I need to work on the iptables rules I have to do some 'routing' - the rules I have at the moment use 'drop' and 'log' on the INPUT and OUTPUT chains, but I hardly know what to do with the FORWARD chain. I got the rules I'm using from an example.
Do I need to write rules to route packets between the inet and the lan and the localhost?
At the moment I am only able to browse from the linux box with the firewall, not from my lan.

Thanks,
Adam
[ October 20, 2002: Message edited by: Adam Hardy ]
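A minimal two-interface masquerading rule set for the layout described in the posts above, as an added example that is not the linuxguruz script and was not posted in the thread. It assumes eth0 is the LAN (10.0.0.0/24, firewall at 10.0.0.1), that the PPPoE session comes up as ppp0 (the usual name for the first PPP link; adjust if yours differs), and that the kernel has netfilter NAT and connection tracking. The `run` wrapper and the `DRY_RUN` switch are additions so the rule set can be printed and reviewed on a box without iptables.

```shell
#!/bin/sh
# Added example, not the linuxguruz script from the thread: a minimal two-interface
# masquerading firewall. Assumptions: eth0 is the LAN (10.0.0.0/24), the PPPoE
# session comes up as ppp0, and the kernel has NAT and conntrack support.
# Run "apply" as root, "save" to persist, or "dry-run" to print the commands.
# Rules that name ppp0 load fine before the link exists, so this can run before
# networking and PPPoE, which is the order the thread settled on.

LAN_IF=eth0
LAN_NET=10.0.0.0/24
EXT_IF=ppp0
DRY_RUN=${DRY_RUN:-}

# Echo instead of executing when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

fw_rules() {
    # Clean slate, default DROP everywhere.
    for t in filter nat; do
        run iptables -t $t -F
        run iptables -t $t -X
    done
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP

    # Loopback, and replies to connections already tracked
    # (on old kernels without the conntrack match use: -m state --state).
    run iptables -A INPUT  -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    run iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: nothing from the outside may claim a LAN source address.
    run iptables -A INPUT   -i $EXT_IF -s $LAN_NET -j DROP
    run iptables -A FORWARD -i $EXT_IF -s $LAN_NET -j DROP

    # The firewall box may talk to anything; the LAN may talk to the box.
    run iptables -A OUTPUT -j ACCEPT
    run iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT

    # Forward LAN -> internet only; replies come back via ESTABLISHED above.
    run iptables -A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT

    # Rewrite LAN addresses to whatever dynamic address ppp0 currently has.
    run iptables -t nat -A POSTROUTING -o $EXT_IF -j MASQUERADE

    # Log what falls through to the DROP policy, rate-limited so a port scan
    # cannot flood syslog. Messages arrive under facility kern.
    for chain in INPUT FORWARD; do
        run iptables -A $chain -m limit --limit 5/min --limit-burst 10 \
            -j LOG --log-prefix "FW-$chain-DROP: " --log-level warning
    done

    # Nothing is forwarded until the kernel is told to route.
    run sysctl -w net.ipv4.ip_forward=1
}

# Persist the running rules where the RH-style init script loads them at boot.
fw_save() {
    run sh -c 'iptables-save > /etc/sysconfig/iptables'
}

case "${1:-}" in
    apply)   fw_rules ;;
    save)    fw_save ;;
    dry-run) DRY_RUN=1; fw_rules ;;
    *)       echo "usage: $0 apply|save|dry-run" >&2 ;;
esac
```

Two points worth checking on a live box: `iptables -L -v -n` and `iptables -t nat -L -v -n` show packet counters per rule, so a LAN host that still cannot browse will show up as zero hits on the FORWARD ACCEPT rule (routing or subnet mask problem) or on the MASQUERADE rule (ip_forward still 0). OUTPUT is left open here for the firewall box itself; tighten it once the forwarding path works.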
Adam Hardy
Ranch Hand

Joined: Oct 09, 2001
Posts: 565
I sorted out the first problem after chasing a fair few red herrings. I had configured the wrong subnet mask for my internal lan. Doh!
Adam Hardy
Ranch Hand

Joined: Oct 09, 2001
Posts: 565
Well, I got the whole firewall working to allow the firewall Linux box and the other PCs on the LAN to browse, so all is hunky-dory.
For anyone interested, these are the best docs on the net which helped me most:
IP Masquerading
IP address subnetting tutorial
(didn't know what I was doing with subnets til I read that)
www.iptables.org (www.netfilter.org)
plus searching the forum archives at www.linuxnewbie.org and doing searches at www.linuxguruz.org.
Thanks for the help, Jon Guy & George.
Adam
[ October 22, 2002: Message edited by: Adam Hardy ]