Re: how to adapt this iptables setup?
On 25 Aug 2003, Bret Comstock Waldow wrote:
> His system comes in two/three parts. There's an iptables_pre script
> which fits simply into the Debian init system - put it in /etc/init.d
> and use update-rc.d defaults to plug in the symlinks so it runs before
> the network is up. It locks everything closed and optionally has
> support for alternatives to dhclient if that's not what I use.
>
> The second/third parts run after the network is up. He writes:
>
> "Now that the iptables_pre script will protect the system while the
> network interfaces are being brought up, it is time to arrange for the
> main script, rc.fwsoho ... to be invoked on bootup. While we could
> invoke it the same way we invoked iptables_pre, instead we will use a
> real rc.d-style script to invoke it. This rc.d-style script is based on
> Red Hat 7.3 iptables startup script but has been modified to generate a
> message and error exit if IP Tables is not available."
I am not trying to be smarter than Bob (I read his book too), but...
Why would one burden the system with stuff that's only needed when a
network interface is up? Why not just use the pre-up and post-down
directives for the chosen interface? To me that seems to be a more
natural place to put this stuff.
I am not sure if it will be useful for what you're trying to accomplish,
but I have described what I think is a good way to initialize the
firewall at
http://huizen.dto.tudelft.nl/devries/security/iptables_example.html
Of course There's More Than One Way To Do It, so if it is not applicable
to your situation just ignore my blathering }:-)
> He instructs me to copy rc.fwsoho into /etc/rc.d, i
I am afraid there is no /etc/rc.d in Debian GNU/Linux.
> then put iptables
> (script) into init.d and symlink it in (the update-rc.d step in
> Debian). iptables is hard coded to call /etc/rc.d/rc.fwsoho on the
> appropriate "start".
??? Does that mean your version of iptables has been compiled with such
an instruction? Otherwise it is just a shell script with a series
of instructions, this should include the usual "start|stop|restart"
commands and the policy/ruleset to apply.
> Ok. There is no /etc/rc.d in my Debian system. /etc/rcX.d has some
> meaning beyond just being another place to gather files - it corresponds
> to runlevel X, and gets swept automatically as the system passes through
> that runlevel. What is the meaning and equivalent of /etc/rc.d? The
> other directories referenced appear to exist.
You should use /etc/init.d to place this type of thing in. After that
you can make a symlink in the appropriate run-level directory /etc/rcX.d
from where it will be called. Take a look in those directories and
you'll see that's how all the other scripts in there are initialized. One
thing though: under Debian GNU/Linux the differences between the
run-levels are not as strictly defined as in Red Hat.
> To those who want to tell me why I shouldn't use his approach, I welcome
> the comments, I'll learn from them. But please also tell me the answers
> to the questions above, so I can get a context to put it all in.
I hope that's what I did `;-)
Grx HdV
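As an added illustration of the two approaches discussed in this thread (it is not Bob's rc.fwsoho, nor code from the reply above), the script below is a Debian-style /etc/init.d firewall script: it refuses to run without iptables, locks every chain to DROP before applying a small ruleset, and can be invoked either from /etc/rcX.d symlinks made with update-rc.d or from an interface stanza in /etc/network/interfaces with "pre-up /etc/init.d/firewall start" and "post-down /etc/init.d/firewall stop". The interface name eth0, the admitted TCP port 22 and the FW_DRYRUN switch are assumptions made for the example.

```shell
#!/bin/sh
# Added example init.d-style firewall script (not the rc.fwsoho from the
# book and not the list poster's code). Runs from /etc/rcX.d symlinks or
# from pre-up / post-down lines in /etc/network/interfaces.
#
# Assumptions for the example: the outside interface is eth0 and the only
# service admitted from outside is TCP port 22.
IFACE="${IFACE:-eth0}"
ADMIN_TCP_PORT="${ADMIN_TCP_PORT:-22}"

# With FW_DRYRUN=1 the iptables commands are printed instead of executed,
# so the ruleset can be reviewed without root and without touching a live
# firewall.
ipt() {
    if [ "${FW_DRYRUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Error exit if IP Tables is not available, rather than silently leaving
# the host unfiltered (the Red Hat script's behaviour mentioned above).
check_iptables() {
    [ "${FW_DRYRUN:-0}" = 1 ] && return 0
    if ! command -v iptables >/dev/null 2>&1; then
        echo "$0: iptables not found; not starting firewall" >&2
        return 1
    fi
}

# Lock everything closed: default DROP on every chain, then flush old
# rules and user chains. Safe to run before the interface is up.
fw_lockdown() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -F
    ipt -X
}

# Minimal ruleset for one interface. Interface-matching rules can be
# installed before the interface exists, so pre-up is fine.
fw_rules() {
    iface="$1"
    # loopback stays unfiltered
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # drop packets claiming a loopback source on the real interface
    ipt -A INPUT -i "$iface" -s 127.0.0.0/8 -j DROP
    # replies to connections we opened ourselves (-m state as in 2003-era
    # iptables; current kernels accept it via the conntrack module)
    ipt -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -o "$iface" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # DHCP server replies, so dhclient keeps working behind the lockdown
    ipt -A INPUT -i "$iface" -p udp --sport 67 --dport 68 -j ACCEPT
    # the one administrative service admitted from outside (assumed: ssh)
    ipt -A INPUT -i "$iface" -p tcp --dport "$ADMIN_TCP_PORT" -m state --state NEW -j ACCEPT
    # rate-limited log of whatever is about to hit the DROP policy
    ipt -A INPUT -i "$iface" -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

fw_start() { check_iptables && fw_lockdown && fw_rules "$IFACE"; }
# "stop" leaves the host closed, not open: post-down should never unfilter it.
fw_stop()  { check_iptables && fw_lockdown; }

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop && fw_start ;;
    "")      ;;   # sourced or run without an action: do nothing
    *)       echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```

Install it as /etc/init.d/firewall and either run "update-rc.d firewall defaults" or reference it from the interface stanza; "FW_DRYRUN=1 sh firewall start" prints the thirteen iptables commands it would issue so the policy can be checked before it is applied.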