From LedHed's Wiki
Latest revision as of 08:30, 29 December 2007

Reference: http://ubuntuforums.org/showthread.php?t=57111


By default Ubuntu & Debian don't come with an IPTables init script (Bitch Moan ....). Rules you add with the iptables command live only in kernel memory, so they are gone after a reboot unless something reloads them.

There are many ways to load your IPTables rulesets at boot.
This is one approach.

Overview

Add rules to your iptables via the command line.
Save the ruleset to a file so that it survives a reboot.
Launch an init script that loads the saved ruleset at the given run-levels.


Adding Rules

For more information on adding iptables rules, see IPTable Basics.


Saving the Rulesets

iptables-save -c > /etc/default/iptables-rules
chmod 600 /etc/default/iptables-rules

This takes the rules currently loaded in the kernel and exports them, in iptables-save format, to the file the init script reads at boot. The -c flag includes the packet and byte counters and matches the options the script below passes to both iptables-save and iptables-restore; once the script is installed, /etc/init.d/iptables save writes the same file. The file is fed to iptables-restore as root during boot, so nobody but root may be able to write it, hence the chmod. Before relying on it, confirm that it still parses: iptables-restore --test < /etc/default/iptables-rules reads the file and builds the ruleset without committing it to the kernel.
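As an added example, not part of the original page: a POSIX sh checker for a saved rules file, to run before the init script is trusted to load it. If the restore fails in runlevel S the interfaces come up with no filtering at all, and the LSB status line scrolls past unread, so it pays to check the file offline. The validator makes sure every *table section is closed by COMMIT, that only chain, rule and comment lines occur, that a filter table is present with a DROP policy on INPUT (the default-deny posture a persistent ruleset like this usually exists to enforce; relax that test if your design differs), and that the file is not world-writable. The two rule files embedded below are constructed for the demo, and the function names are mine.

```sh
#!/bin/sh
# check_rules_file FILE: sanity-check a file in iptables-save(8) format before
# the init script is trusted to load it at boot. Returns 0 if it passes,
# 1 otherwise; each problem is reported on stderr.
check_rules_file() {
	file=$1 rc=0 table= open=0 filter_seen=0 input_drop=0 lineno=0
	[ -f "$file" ] || { echo "$file: no such file" >&2; return 1; }

	# The file is consumed by iptables-restore as root; if anyone else can
	# write it, they can rewrite the firewall that comes up at boot.
	[ -z "$(find "$file" -perm -002)" ] || { echo "$file: world-writable" >&2; rc=1; }

	while IFS= read -r line || [ -n "$line" ]; do
		lineno=$((lineno + 1))
		case $line in
			''|'#'*) ;;				# blank or "# Generated by ..." comment
			'*'*)					# "*filter": start of a table section
				[ "$open" -eq 0 ] || { echo "$file:$lineno: $table not closed by COMMIT" >&2; rc=1; }
				table=${line#\*} open=1
				[ "$table" != filter ] || filter_seen=1
				;;
			':'*)					# ":CHAIN POLICY [pkts:bytes]"
				set -- $line
				if [ "$table" = filter ] && [ "${1#:}" = INPUT ] && [ "$2" = DROP ]; then
					input_drop=1
				fi
				;;
			COMMIT)
				[ "$open" -eq 1 ] || { echo "$file:$lineno: COMMIT outside a table" >&2; rc=1; }
				open=0
				;;
			'-A '*|'['*'] -A '*) ;;			# a rule, with or without -c counters
			*)
				echo "$file:$lineno: unexpected line: $line" >&2; rc=1
				;;
		esac
	done < "$file"

	[ "$open" -eq 0 ]        || { echo "$file: $table not closed by COMMIT" >&2; rc=1; }
	[ "$filter_seen" -eq 1 ] || { echo "$file: no filter table" >&2; rc=1; }
	[ "$input_drop" -eq 1 ]  || { echo "$file: filter INPUT policy is not DROP" >&2; rc=1; }
	return $rc
}

# Constructed sample: a minimal default-deny ruleset as "iptables-save -c" writes it.
GOOD_RULES='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed sample: a truncated dump (no COMMIT) with an accept-everything INPUT policy.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Write both samples to a scratch directory and run the checker over them.
demo() {
	dir=$(mktemp -d) || return 1
	printf '%s\n' "$GOOD_RULES" > "$dir/good.rules"
	printf '%s\n' "$BAD_RULES" > "$dir/bad.rules"
	chmod 600 "$dir/good.rules" "$dir/bad.rules"
	for f in "$dir/good.rules" "$dir/bad.rules"; do
		if check_rules_file "$f"; then echo "$f: OK"; else echo "$f: REJECTED"; fi
	done
	rm -rf "$dir"
}

case ${1:-} in
	'')	;;						# no argument: only define the functions
	demo)	demo ;;						# run against the built-in samples
	*)	check_rules_file "$1" && echo "$1: OK" ;;	# e.g. /etc/default/iptables-rules
esac
```

Run it as sh check-rules.sh demo to see both samples judged, or point it at the real file before you reboot; the exit status is what an automated pre-boot check would act on.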


The Script

Paste the following code into /etc/init.d/iptables. It is written for plain POSIX sh, because /bin/sh on Ubuntu is dash rather than bash. Be clear about what stop does: it flushes every chain and sets every built-in policy to ACCEPT, which leaves the host completely unfiltered. To pick up a changed rules file use restart, which flushes and then restores the saved file in one step.

#! /bin/sh

#This is an Ubuntu adapted iptables script from gentoo
#(http://www.gentoo.org) which was originally distributed
#under the terms of the GNU General Public License v2
#and was Copyrighted 1999-2004 by the Gentoo Foundation
#
#This adapted version was intended for an ad-hoc personal
#situation and as such no warranty is provided.
#
#Written for POSIX sh: on Ubuntu /bin/sh is dash, which does
#not accept bash-only syntax such as "==" inside [ ].

. /lib/lsb/init-functions


IPTABLES_SAVE="/etc/default/iptables-rules"
# -c saves and restores the per-rule packet and byte counters as well.
SAVE_RESTORE_OPTIONS="-c"


checkrules() {
	if [ ! -f "${IPTABLES_SAVE}" ]
	then
		echo "Not starting iptables. First create some rules then run"
		echo "\"/etc/init.d/iptables save\""
		return 1
	fi
}

save() {
	# The file is fed to iptables-restore as root at boot, so it must not be
	# writable by anyone else: umask 077 covers a new file, chmod an existing one.
	( umask 077 && /sbin/iptables-save ${SAVE_RESTORE_OPTIONS} > "${IPTABLES_SAVE}" ) &&
		chmod 600 "${IPTABLES_SAVE}"
}

start() {
	checkrules || return 1
	/sbin/iptables-restore ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE}"
}

# Flush and delete every chain in every table the kernel currently has loaded.
flush() {
	for a in $(cat /proc/net/ip_tables_names); do
		/sbin/iptables -t "$a" -F
		/sbin/iptables -t "$a" -X
	done
}


case "$1" in
	save)
		log_begin_msg "Saving iptables state..."
		save
		log_end_msg $?
	;;

	start)
		log_begin_msg "Loading iptables state and starting firewall..."
		start
		log_end_msg $?
	;;

	stop)
		# WARNING: this leaves the host unfiltered. Every chain is emptied and
		# every built-in chain's policy is set to ACCEPT. Use "restart" to
		# reload a changed ruleset without opening the firewall.
		log_begin_msg "Stopping firewall..."
		flush
		# A case statement replaces the original "[ $a == nat ]" tests: dash
		# rejects "==" with "unexpected operator", so under Ubuntu's /bin/sh
		# those branches never ran and the policies were never reset.
		for a in $(cat /proc/net/ip_tables_names); do
			case "$a" in
				nat)	chains="PREROUTING POSTROUTING OUTPUT" ;;
				mangle)	chains="PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
				raw)	chains="PREROUTING OUTPUT" ;;
				filter)	chains="INPUT FORWARD OUTPUT" ;;
				*)	chains="" ;;
			esac
			for c in $chains; do
				/sbin/iptables -t "$a" -P "$c" ACCEPT
			done
		done
		log_end_msg 0
	;;

	restart)
		log_begin_msg "Restarting firewall..."
		flush
		start
		log_end_msg $?
	;;

	*)
		echo "Usage: /etc/init.d/iptables {start|stop|restart|save}" >&2
		exit 1
	;;
esac

exit 0

Make the script executable:

chmod +x /etc/init.d/iptables


Add Script to Run-Levels

update-rc.d iptables start 37 S . start 37 0 . start 37 6 .

This installs start links only: S37iptables in rcS.d, so the saved rules are loaded early in the boot sequence, before networking configures the interfaces (networking's own rcS.d link is typically S40 on Debian and Ubuntu releases of this era), and again in runlevels 0 and 6. No stop link is installed anywhere, so the shutdown sequence never runs the stop action and the firewall stays up until the interfaces go down.
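As an added example, not part of the original page: a POSIX sh check of the rc links that command creates. The point of starting at S37 is that the rules are in place before networking brings the interfaces up, and a later re-run of update-rc.d, or a hand-edited priority, can quietly undo that. The check confirms that the iptables S-link sorts before networking's in rcS.d and that no K-link for iptables exists in rc0.d or rc6.d, since the stop action would flush the rules and open every policy while the box is still on the network. The function names and the fake rc tree the demo builds are mine; the demo assumes networking sits at S40networking, and uses plain files in place of the real symlinks because only the names matter for ordering.

```sh
#!/bin/sh
# check_rc_links [ROOT]: verify the rc links for the firewall script under
# ROOT (default /etc). Two properties matter: in rcS.d the iptables S-link
# must sort before networking's, so the rules are loaded before any interface
# comes up, and rc0.d/rc6.d must not hold a K-link for iptables, because the
# stop action flushes the rules and sets every policy to ACCEPT.

# seq_of DIR LETTER NAME: print the two-digit sequence of DIR/<LETTER>NNNAME
# (e.g. "37" for rcS.d/S37iptables); return 1 if there is no such link.
seq_of() {
	for link in "$1"/"$2"[0-9][0-9]"$3"; do
		[ -e "$link" ] || [ -L "$link" ] || continue
		base=${link##*/}
		base=${base#?}				# drop the leading S or K
		printf '%s\n' "${base%"$3"}"
		return 0
	done
	return 1
}

check_rc_links() {
	root=${1:-/etc} rc=0
	fw=$(seq_of "$root/rcS.d" S iptables)    || { echo "rcS.d: no S-link for iptables" >&2; return 1; }
	net=$(seq_of "$root/rcS.d" S networking) || { echo "rcS.d: no S-link for networking" >&2; return 1; }
	# Links with equal sequence run in name order, and "iptables" sorts before
	# "networking", so only a strictly larger sequence is a problem.
	if [ "$fw" -gt "$net" ]; then
		echo "rcS.d: S${fw}iptables runs after S${net}networking: interfaces come up unfiltered" >&2
		rc=1
	fi
	for lvl in 0 6; do
		if k=$(seq_of "$root/rc$lvl.d" K iptables); then
			echo "rc$lvl.d: K${k}iptables would open the firewall during shutdown" >&2
			rc=1
		fi
	done
	return $rc
}

# Demo on a constructed rc tree (plain files stand in for the symlinks; only
# the names matter). The first layout is what the update-rc.d line above
# produces on a system whose networking link is S40networking (assumed).
demo() {
	root=$(mktemp -d) || return 1
	mkdir -p "$root/rcS.d" "$root/rc0.d" "$root/rc6.d"
	touch "$root/rcS.d/S37iptables" "$root/rcS.d/S40networking" \
	      "$root/rc0.d/S37iptables" "$root/rc6.d/S37iptables"
	check_rc_links "$root" && echo "as installed: OK"
	# Now break it: firewall after networking, plus a stop link at halt.
	mv "$root/rcS.d/S37iptables" "$root/rcS.d/S45iptables"
	touch "$root/rc0.d/K20iptables"
	check_rc_links "$root" || echo "broken layout: REJECTED"
	rm -rf "$root"
}

case ${1:-} in
	'')	;;						# no argument: only define the functions
	demo)	demo ;;						# run against the constructed tree
	*)	check_rc_links "$1" && echo "$1: OK" ;;		# e.g. sh check-rc-links.sh /etc
esac
```

sh check-rc-links.sh demo shows both verdicts; sh check-rc-links.sh /etc checks the live tree after running update-rc.d.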


More to Come