Re: /etc/init.d/iptables

To: debian-firewall@lists.debian.org
Subject: Re: /etc/init.d/iptables
From: Ivan Shmakov <oneingray@gmail.com>
Date: Tue, 11 Aug 2009 12:28:22 +0700
Message-id: <87bpmm6hs9.fsf@violet.siamics.int>
References: <87ocqn6a95.fsf@violet.siamics.int> <87fxbz56b7.fsf@violet.siamics.int> <d1b732a70908102133x2ee99743j3a9dece7a200ad18@mail.gmail.com>

>>>>> Jonathan Yu <jonathan.i.yu@gmail.com> writes:
>>>>> Ivan Shmakov <oneingray@gmail.com> wrote:

 >> FWIW, I've ended up using the init.d/ script below. The script is
 >> expected to run prior to ifupdown, so assuming the symbolic link to
 >> the latter is at /etc/rcS.d/S39ifupdown, this one needs to be
 >> symlinked at, say, /etc/rcS.d/S38iptables-is.sh

	I wonder, does it make sense filing a wishlist Bug against
	iptables, asking for this script to be included?

 > I apparently used /etc/network/if-pre-up.d (I can't remember the
 > reasoning why, but I guess it's useful to make sure you load the
 > rules prior to bringing the interfaces up, which means the rules will
 > be there once network connectivity is brought up)

	Yes.  However, doesn't if-pre-up.d/ get activated every time an
	interface is brought up?

	Please consider:

 >> The script is designed to be run from within the rcS.d sequence,
 >> and before ifupdown, so that it won't be:

[...]

 >> * run several times at some (possibly random; consider, e. g.,
 >>   hotplug devices) points of time, ruining the current firewall
 >>   state along the way -- as it happens when one puts the script
 >>   into /etc/network/if-up.d/ or /etc/network/if-pre-up.d/.

[...]

 > A long time ago I wrote a blog article on the subject

 > http://www.debian-administration.org/article/Restoring_iptables_Automatically_On_Boot

	Thanks for the pointer!

 > Perhaps more interesting than that article is the discussion that
 > happened in the comments.

 > Hope this helps :-)

 jawnsy> Sure, if you save it as root then the file will be owned by
 jawnsy> root. But if you accidentally (or someone intentionally)
 jawnsy> modifies the permissions of it, or changes the ownership,
 jawnsy> iptables-restore will simply load the rules blindly.

 jawnsy> It's safer to actually check ownership and permissions before
 jawnsy> loading those; otherwise if you accidentally leave the file as
 jawnsy> 666 or 777 or otherwise writable by others, then it becomes
 jawnsy> vulnerable.

	I disagree.  If a user has enough power to chown () a file in
	/etc/ at will, then it could simply chown () the restoring
	script instead, and do anything with it (say, disable the
	checks, or the loading of the rules.)

 190.55.xx.xx> With restore you are replacing any already loaded rule
 190.55.xx.xx> (consider interaction with fail2ban, for example) and the
 190.55.xx.xx> iptables-save format is quite unreadable.  So I would
 190.55.xx.xx> prefer using other options, like ferm or creating a
 190.55.xx.xx> iptables script per board.

	I don't know much about fail2ban, but if it adds rules to
	iptables, they're going to be lost each time an interface is
	brought up, if one's using if-pre-up.d/.

	OTOH, a script in rcS.d/ will be run precisely once, quite early
	in the startup sequence.  In certain cases, this will save one
	from a conflict with an iptables autostuffer.

[...]

-- 
FSF associate member #7257

Reply to:

Follow-Ups:
- Re: /etc/init.d/iptables
  - From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>

References:
- /etc/init.d/iptables
  - From: Ivan Shmakov <oneingray@gmail.com>
- Re: /etc/init.d/iptables
  - From: Ivan Shmakov <oneingray@gmail.com>
- Re: /etc/init.d/iptables
  - From: Jonathan Yu <jonathan.i.yu@gmail.com>

Prev by Date: Re: /etc/init.d/iptables
Next by Date: Re: /etc/init.d/iptables
Previous by thread: Re: /etc/init.d/iptables
Next by thread: Re: /etc/init.d/iptables
Index(es):
- Date
- Thread