
Re: how to adapt this iptables setup?



On 25 Aug 2003, Bret Comstock Waldow wrote:

> His system comes in two/three parts.  There's an iptables_pre script
> which fits simply into the Debian init system - put it in /etc/init.d
> and use update-rc.d defaults to plug in the symlinks so it runs before
> the network is up.  It locks everything closed and optionally has
> support for alternatives to dhclient if that's not what I use.
>
> The second/third parts run after the network is up.  He writes:
>
> "Now that the iptables_pre script will protect the system while the
> network interfaces are being brought up, it is time to arrange for the
> main script, rc.fwsoho ... to be invoked on bootup.  While we could
> invoke it the same way we invoked iptables_pre, instead we will use a
> real rc.d-style script to invoke it.  This rc.d-style script is based on
> Red Hat 7.3 iptables startup script but has been modified to generate a
> message and error exit if IP Tables is not available."

I am not trying to be smarter than Bob (I read his book too), but...

Why would one burden the system with stuff that's only needed when a
network interface is up? Why not just use the pre-up and post-down
directives for the chosen interface? To me that seems to be a more
natural place to put this stuff.

I am not sure if it will be useful for what you're trying to accomplish,
but I have described what I think is a good way to initialize the
firewall at

http://huizen.dto.tudelft.nl/devries/security/iptables_example.html

Of course There's More Than One Way To Do It, so if it is not applicable
to your situation just ignore my blathering }:-)

> He instructs me to copy rc.fwsoho into /etc/rc.d, i

I am afraid there is no /etc/rc.d in Debian GNU/Linux.

> then put iptables
> (script) into init.d and symlink it in (the update-rc.d step in
> Debian).  iptables is hard coded to call /etc/rc.d/rc.fwsoho on the
> appropriate "start".

??? Does that mean your version of iptables has been compiled with such
an instruction? Otherwise it is just a shell script with a series
of instructions, this should include the usual "start|stop|restart"
commands and the policy/ruleset to apply.

> Ok.  There is no /etc/rc.d in my Debian system.  /etc/rcX.d has some
> meaning beyond just being another place to gather files - it corresponds
> to runlevel X, and gets swept automatically as the system passes through
> that runlevel.  What is the meaning and equivalent of /etc/rc.d?  The
> other directories referenced appear to exist.

You should use /etc/init.d to place this type of thing in. After that
you can make a symlink in the appropriate run-level directory /etc/rcX.d
from where it will be called. Take a look in those directories and
you'll see that's how all the other scripts in there are initialized. One
thing though: under Debian GNU/Linux the differences between the
run-levels are not as strictly defined as in RedHat.

> To those who want to tell me why I shouldn't use his approach, I welcome
> the comments, I'll learn from them.  But please also tell me the answers
> to the questions above, so I can get a context to put it all in.

I hope that's what I did `;-)

Grx HdV
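Added example, not part of the original message and not Bob's rc.fwsoho or iptables_pre scripts: a minimal Debian-style firewall script that supports the usual start|stop|restart commands, refuses to run when iptables is not installed, and can be driven either from /etc/init.d via update-rc.d or from the pre-up/post-down lines of an /etc/network/interfaces stanza as suggested above. The script path /etc/network/firewall, the interface name eth0 and the IPT/WAN variables are assumptions for illustration; setting IPT=echo dry-runs the script and prints the rules instead of loading them.

```bash
#!/bin/sh
# Added example (not from the original thread or from Bob's book).
#
# Hooking it to the interface instead of a run-level, as the reply above
# suggests (assumed path and interface name):
#
#   auto eth0
#   iface eth0 inet dhcp
#       pre-up    /etc/network/firewall start
#       post-down /etc/network/firewall stop
#
# Or install it as /etc/init.d/firewall and run "update-rc.d firewall defaults".

IPT="${IPT:-iptables}"   # set IPT=echo to dry-run and print the rules instead
WAN="${WAN:-eth0}"       # assumed external interface name

# Refuse to do anything if iptables is not available; this mirrors the
# "message and error exit if IP Tables is not available" behaviour quoted above.
fw_check() {
    if ! command -v "$IPT" >/dev/null 2>&1; then
        echo "firewall: $IPT not available, refusing to start" >&2
        return 1
    fi
}

# Default-deny first, then flush, then add the few ACCEPT rules. Setting the
# policies before flushing means there is no window where the host is open.
fw_start() {
    fw_check || return 1
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -X
    # loopback is always allowed
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # replies to connections the host initiated, and anything the host sends
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # DHCP offers arrive before the interface has an address, so they need an
    # explicit rule; this is the pre-up case the quoted iptables_pre script handles
    $IPT -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT
}

# "stop" flushes the rules but keeps the host closed (DROP policies) rather than
# opening it up the way the Red Hat style "stop" does.
fw_stop() {
    fw_check || return 1
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -X
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
}

# Dispatcher; does nothing when called without an argument so the file can
# also be sourced to reuse the functions.
case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop && fw_start ;;
    status)  $IPT -L -n -v ;;
    "")      : ;;
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Note that with pre-up the rules are loaded before the interface gets its address, which is why the DHCP rule matches on the interface and ports rather than on addresses; if you use a different DHCP client or a static address, drop or adjust that line.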
