
Re: Iptables at boot, was fail2ban for apache2



On Monday 02 December 2019 07:46:22 Alessandro Vesely wrote:

> On Mon 02/Dec/2019 10:35:26 +0100 Andrei POPESCU wrote:
> > You might want to install iptables-persistent, otherwise you'll have
> > to roll-out your own solution.
>
> I'm not using iptables-persistent, but just looked at it out of
> curiosity.
>
> Its LSB:
>
> ### BEGIN INIT INFO
> # Provides:          netfilter-persistent
> # Required-Start:    mountkernfs $remote_fs
> # Required-Stop:     $remote_fs
> # Default-Start:     S
> # Default-Stop:      0 1 6
> # Short-Description: Load boot-time netfilter configuration
> # Description:       Loads boot-time netfilter configuration
> ### END INIT INFO
>
> S also starts in single-user mode, i.e. without network?
>
> $remote_fs requires ip links to be already set up?
>
> Stop, for good measure, does nothing.  The comment in the script is
> crisply nice:
>
> stop)
>     # Why? because if stop is used, the firewall gets flushed for a variable
>     # amount of time during package upgrades, leaving the machine vulnerable
>     # It's also not always desirable to flush during purge
>     echo "Automatic flushing disabled, use \"flush\" instead of \"stop\"" ;;
>
> > In the particular case of iptables instead of writing a script you
> > should probably just reuse your existing rules file and load that
> > with an 'iptables-restore' from the .service unit.
>
> That's somewhat questionable in some cases.  I'd recommend to write a
> script with iptables commands rather than interactively issue iptables
> command until you are satisfied with the current setup.  That's
> natural, since iptables doesn't give a visual feedback, so reasoning
> is your best friend.  IOW, a commented script is more readable than an
> interactive setup.
>
> Then, since you have a script, why not run it directly, rather than
> saving/restoring its results?

Since I had spent a week battling the bots, and doing a new save for
every addition, I find the iptables-restore both starts it and restores
it. Good enough till I get a new machine built, by the weekend I hope.

> > We are quite far from the original topic so I would suggest you
> > start a new thread in case you need assistance with this.
>
> I try, but don't reset References:/In-Reply-To: header fields.

And kmail doesn't make that easy.

>
> Best
> Ale
Thanks Alessandro.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
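For Andrei's suggestion of loading an existing rules file from a .service unit, here is an added example unit; it is not from the thread or from iptables-persistent. It assumes a systemd-based Debian system and rules saved with iptables-save to /etc/iptables/rules.v4 (the iptables-persistent path); the unit name is hypothetical.

```ini
# /etc/systemd/system/iptables-restore.service (hypothetical unit name)
[Unit]
Description=Load IPv4 firewall rules with iptables-restore before networking
# No default dependencies: this must run before networking, like an
# init script started in runlevel S
DefaultDependencies=no
# The rules file sits on the root filesystem, so wait for local mounts only
# (the LSB header's $remote_fs would needlessly wait for network mounts)
After=local-fs.target
# Order before any interface is configured so there is no unfiltered window
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
# Stay "active" after the one-shot load so other units can order on it
RemainAfterExit=yes
# Parse the whole file first; a syntax error fails the unit loudly instead
# of leaving a partially applied ruleset
ExecStartPre=/bin/sh -c '/sbin/iptables-restore --test < /etc/iptables/rules.v4'
ExecStart=/bin/sh -c '/sbin/iptables-restore < /etc/iptables/rules.v4'
# Deliberately no ExecStop: stopping the unit (e.g. during a package upgrade)
# must not flush the firewall, for the same reason the quoted init script
# refuses to flush on "stop"

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and `systemctl enable iptables-restore.service`, `systemd-analyze critical-chain network-pre.target` should show the unit ordered ahead of network setup.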

