Re: iptables config resets after restarting system

2018-08-12 Thread Pascal Hambourg

On 10/08/2018 at 22:29, Hubert Hauser wrote:

> echo " * allowing ping responses"
> ${IPTABLES} -A INPUT -p ICMP -j ACCEPT
> 
> ${IP6TABLES} -A INPUT -p ICMPv6 -j ACCEPT


Replies to unicast echo requests have the ESTABLISHED state. So you 
don't need an extra rule to accept them, unless you are sending echo 
requests to broadcast or anycast addresses.


Besides, these rules accept not only echo-reply but also ANY ICMP or 
ICMPv6 type, including echo-request.



> echo -e " * SAVING RULES\n"
> 
> iptables-save > /etc/iptables/rules.v4
> iptables-apply /etc/iptables/rules.v4
> 
> ip6tables-save > /etc/iptables/rules.v6
> ip6tables-apply /etc/iptables/rules.v6
> 
> echo -e "\n * DONE!\n"
> 
> Here's my iptables config before restarting system:
> 
> (...)
> 
> And after restarting system:
> 
> (a few differences)
> 
> Running command fwall-rules after restarting system works. What am I
> doing wrong?


How do you restore the ruleset at startup?
Are you using the same file?
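The narrower ICMP rules Pascal is pointing at, as an added example that is not part of the thread. The functions print rules in iptables-save syntax so they can go straight into /etc/iptables/rules.v4 and rules.v6; they assume the ESTABLISHED,RELATED rule from the posted script sits earlier in INPUT (it does). The rate limits, the hop-limit check and the exact ICMPv6 type list are my choices, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Replacement for the two
# "allowing ping responses" rules in the posted fwall-rules script.
# Output is in iptables-save syntax (filter table) and assumes the script's
# '-m state --state ESTABLISHED,RELATED -j ACCEPT' rule comes earlier in INPUT.

# What the script installs today: '-p icmp -j ACCEPT' matches every ICMP
# type, so it lets in echo-request, timestamp request, redirect, ... and not
# only the echo-reply the comment talks about. Replies to our own pings are
# ESTABLISHED already and need no rule at all.
broad_icmp_rules() {
    printf '%s\n' \
        '-A INPUT -p icmp -j ACCEPT' \
        '-A INPUT -p ipv6-icmp -j ACCEPT'
}

# IPv4: only inbound echo-request, rate limited so the host stays pingable
# without being a cheap flood target. ICMP errors that belong to a tracked
# flow (unreachable, TTL exceeded, fragmentation needed) arrive as RELATED.
icmp_rules_v4() {
    printf '%s\n' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT'
}

# IPv6 cannot be reduced to echo only. Neighbour discovery (133-136) is never
# ESTABLISHED, and Packet Too Big (2) must get through for PMTU discovery, so
# these are accepted by type. ND messages are link-local and only valid with
# hop limit 255, which the hl match enforces. Redirect (137) and the MLD
# types (130-132, 143) are deliberately not opened here (my choice); add them
# if the network relies on them.
icmp_rules_v6() {
    for t in 1 2 3 4; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    for t in 133 134 135 136; do
        printf '%s\n' "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    printf '%s\n' \
        '-A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 5/second --limit-burst 10 -j ACCEPT'
}

# Audit an iptables-save / ip6tables-save dump (file in $1) for ACCEPT rules
# that match a whole ICMP protocol without --icmp-type/--icmpv6-type, i.e.
# the pattern the posted script produces. Returns 1 if any are found.
audit_icmp_file() {
    if grep -Ei -- '-p (icmp|ipv6-icmp|icmpv6)( |$)' "$1" \
        | grep -- '-j ACCEPT' \
        | grep -Eiqv -- '--icmp(v6)?-type'; then
        echo "$1: ICMP accepted without a type restriction" >&2
        return 1
    fi
    return 0
}
```

To use it, replace the two ICMP lines in rules.v4 and rules.v6 with the output of icmp_rules_v4 and icmp_rules_v6, and keep audit_icmp_file as a check on the dumps you save: it exits non-zero on what the original script writes and zero on the replacement.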



Re: iptables config resets after restarting system

2018-08-11 Thread likcoras
On 08/11/2018 05:29 AM, Hubert Hauser wrote:
> Good afternoon!
> 
> I've a problem with iptables resetting after restarting the system. Here's my
> /usr/local/bin/fwall-rules file:
> 
> Running command fwall-rules after restarting system works. What am I
> doing wrong?
> 
> --
> Best regards,
> Hubert Hauser.
> 

It seems the firewalls before and after are what you want, according to
your script? There are a few minor differences, but those are the rules
that you specify in the script.

If you're talking about the iptables rules disappearing on reboot,
that's just how iptables works. You need to restore the iptables rules
on every reboot.

There are a few ways to do this. The easiest way would be to install the
iptables-persistent package, which will handle restoring
(ip(6)tables-restore /etc/iptables/rules.v{4,6}) at boot time, or you
could follow the instructions here.

Also, a few notes about your script:

iptables-save dumps out the current iptables rules into a file.
iptables-apply applies the dump, but in your script, since the rules
have already been set in iptables, there is no need to run
iptables-{apply,restore}.

You probably don't need to maintain a separate script. I'd just maintain
/etc/iptables/rules.v{4,6} and have it be restored by iptables-restore.
That way, I can avoid having to maintain a separate script every time I
want to change my firewall rules.

iptables-apply is used to apply some rules file, then wait for user
confirmation. This makes sure that if your rules block you out of your
ssh session or similar, you don't accidentally make the machine
unreachable by you. In your case, since the rules have already been
applied (you added them in the script), iptables-apply will "undo" the
apply to the previous state, which is already problematic. So there is
no point to using iptables-apply here, since the rules are already
inside iptables.
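A way to do what likcoras describes, maintaining rules.v4 by hand and restoring it at boot, as an added example rather than anything from the thread or from the iptables-persistent package. The rules content, the lint and the unit file are my own; the policy and ports are the ones from the posted script. The point worth keeping in mind: at boot nothing is loaded yet, so if iptables-restore rejects the file the host comes up with empty tables and the ACCEPT default policy. A common way to break a hand-edited dump is to remove the ':f2b-*' chain declarations that fail2ban left in it (see the "before" dump further down the thread) while leaving its '-A INPUT -p tcp -j f2b-sshd' jump behind; the lint below catches exactly that before the file is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps the firewall in an iptables-save
# format file that iptables-restore loads at boot, which is what likcoras
# suggests instead of re-running fwall-rules. iptables-persistent does this
# for you on Debian; this is the hand-rolled equivalent plus a static check.

# A small static ruleset in iptables-save syntax. Policies and ports follow the
# posted script (ssh 16960, http, https); the mail and ICMP rules are left out
# for brevity. There is no flush/delete-chain step: iptables-restore replaces
# the content of every table listed in the file.
sample_rules_v4() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:log-reject - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 16960 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j log-reject
-A log-reject -m limit --limit 10/minute -j LOG --log-prefix "iptables-reject "
-A log-reject -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Static check of a rules file before it is installed. iptables-restore
# rejects a file whose table lacks COMMIT, or that appends to / jumps to a
# chain not declared with ':name' in that table. At boot nothing is loaded
# yet, so a rejected file means empty tables with the ACCEPT default policy:
# a restore failure fails open. All-uppercase targets (ACCEPT, DROP, LOG,
# REJECT, ...) are assumed to be builtin targets and are not checked.
lint_rules_file() {
    awk '
    function fail(msg) { printf("%s:%d: %s\n", FILENAME, NR, msg) > "/dev/stderr"; bad = 1 }
    BEGIN        { bad = 0 }
    /^#/ || /^$/ { next }
    /^\*/        { if (table != "" && !committed) fail("table " table " has no COMMIT")
                   table = substr($0, 2); committed = 0
                   for (k in chains) delete chains[k]; next }
    /^:/         { chains[substr($1, 2)] = 1; next }
    /^COMMIT$/   { committed = 1; next }
    /^-[AI] /    { if (!($2 in chains)) fail("chain " $2 " not declared in table " table)
                   for (i = 3; i <= NF; i++)
                       if ($i == "-j" && $(i + 1) !~ /^[A-Z]+$/ && !($(i + 1) in chains))
                           fail("jump to undeclared chain " $(i + 1)) }
    END          { if (table != "" && !committed) fail("table " table " has no COMMIT")
                   exit bad }
    ' "$1"
}

# Write the rules file and a oneshot unit that loads it before the network
# comes up. $1 is an install prefix: "" for the real system (as root), or a
# scratch directory to try it out. The file is linted before the unit is written.
install_boot_restore() {
    prefix=$1
    rules="$prefix/etc/iptables/rules.v4"
    mkdir -p "$prefix/etc/iptables" "$prefix/etc/systemd/system"
    sample_rules_v4 > "$rules"
    lint_rules_file "$rules" || return 1
    cat > "$prefix/etc/systemd/system/iptables-restore.service" <<'EOF'
[Unit]
Description=Load iptables ruleset from /etc/iptables/rules.v4
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4

[Install]
WantedBy=multi-user.target
EOF
}
```

On a real host run install_boot_restore "" as root and then systemctl enable iptables-restore.service; add a second ExecStart line with ip6tables-restore and rules.v6 for IPv6. Before installing an edited file, iptables-restore --test rules.v4 (run as root) parses it without loading it, which is the right place for the confirmation step that iptables-apply was being misused for in the script. Do not call iptables-apply from a script or a unit: with nobody there to confirm, it rolls the rules back after its timeout.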



iptables config resets after restarting system

2018-08-10 Thread Hubert Hauser
Good afternoon!

I've a problem with iptables resetting after restarting the system. Here's my
/usr/local/bin/fwall-rules file:

#!/bin/bash

IPTABLES=/sbin/iptables
IP6TABLES=/sbin/ip6tables

echo -e "\n ** clean rules ** \n"

echo " * flushing old rules"
${IPTABLES} --flush
${IPTABLES} --delete-chain
${IPTABLES} --table nat --flush
${IPTABLES} --table nat --delete-chain

${IP6TABLES} --flush
${IP6TABLES} --delete-chain
${IP6TABLES} --table nat --flush
${IP6TABLES} --table nat --delete-chain

echo " * setting default policies"
${IPTABLES} -P INPUT DROP
${IPTABLES} -P FORWARD DROP
${IPTABLES} -P OUTPUT ACCEPT

${IP6TABLES} -P INPUT DROP
${IP6TABLES} -P FORWARD DROP
${IP6TABLES} -P OUTPUT ACCEPT

echo -e "\n ** input chain rules ** \n"

echo " * allowing loopback devices"
${IPTABLES} -A INPUT -i lo -j ACCEPT
${IPTABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
${IPTABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

${IP6TABLES} -A INPUT -i lo -j ACCEPT
${IP6TABLES} -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
${IP6TABLES} -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## BLOCK ABUSING IPs HERE ##
#echo " * BLACKLIST"
#${IPTABLES} -A INPUT -s _ABUSIVE_IP_ -j DROP
#${IPTABLES} -A INPUT -s _ABUSIVE_IP2_ -j DROP

echo " * allowing ssh on port 16960"
${IPTABLES} -A INPUT -p tcp --dport 16960  -m state --state NEW -j ACCEPT

${IP6TABLES} -A INPUT -p tcp --dport 16960  -m state --state NEW -j ACCEPT

#echo " * allowing ftp on port 21"
#${IPTABLES} -A INPUT -p tcp --dport 21  -m state --state NEW -j ACCEPT

echo " * allowing dns on port 53 udp"
${IPTABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT

${IP6TABLES} -A INPUT -p udp -m udp --dport 53 -j ACCEPT

echo " * allowing dns on port 53 tcp"
${IPTABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

${IP6TABLES} -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT

echo " * allowing http on port 80"
${IPTABLES} -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

${IP6TABLES} -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT

echo " * allowing https on port 443"
${IPTABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

${IP6TABLES} -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

echo " * allowing smtp on port 25"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

${IP6TABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

echo " * allowing smtps on port 465"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT

${IP6TABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT

echo " * allowing submission on port 587"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT

${IP6TABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT

echo " * allowing imaps on port 993"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT

${IP6TABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT

echo " * allowing pop3s on port 995"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT

${IP6TABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT

echo " * allowing imap on port 143"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT

${IP6TABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT

echo " * allowing pop3 on port 110"
${IPTABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

${IP6TABLES} -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

echo " * allowing ping responses"
${IPTABLES} -A INPUT -p ICMP -j ACCEPT

${IP6TABLES} -A INPUT -p ICMPv6 -j ACCEPT

# Log everything else and REJECT it
${IPTABLES} -A INPUT -j LOG --log-prefix "iptables-reject "
${IPTABLES} -A INPUT -j REJECT --reject-with icmp-host-prohibited

${IP6TABLES} -A INPUT -j LOG --log-prefix "ip6tables-reject "
${IP6TABLES} -A INPUT -j REJECT --reject-with icmp6-adm-prohibited

#
# Save settings
#
echo -e " * SAVING RULES\n"

iptables-save > /etc/iptables/rules.v4
iptables-apply /etc/iptables/rules.v4

ip6tables-save > /etc/iptables/rules.v6
ip6tables-apply /etc/iptables/rules.v6

echo -e "\n * DONE!\n"

Here's my iptables config before restarting system:

# iptables-save
# Generated by iptables-save v1.6.0 on Fri Aug 10 22:24:06 2018
*nat
:PREROUTING ACCEPT [893:55496]
:INPUT ACCEPT [31:1408]
:OUTPUT ACCEPT [118:7908]
:POSTROUTING ACCEPT [118:7908]
COMMIT
# Completed on Fri Aug 10 22:24:06 2018
# Generated by iptables-save v1.6.0 on Fri Aug 10 22:24:06 2018
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [7920:1029798]
:f2b-nginx-botsearch - [0:0]
:f2b-nginx-http-auth - [0:0]
:f2b-nginx-limit-req - [0:0]
:f2b-php-url-fopen - [0:0]
:f2b-sshd - [0:0]
:f2b-sshd-ddos - [0:0]
-A INPUT -p tcp -j f2b-php-url-fopen
-A INPUT -p tcp -j f2b-nginx-botsearch
-A INPUT -p tcp -j f2b-nginx-limit-req
-A INPUT -p tcp -j f2b-nginx-http-auth
-A INPUT -p