The officially official Devuan Forum!

You are not logged in.

#1 2017-11-10 21:34:07

Monti
Member
Registered: 2017-09-25
Posts: 27

Iptables with Devuan

Hi guys

After installing Devuan I was eager to find out how to configure Iptables so I could get an ok simple desktop configuration.

I have used FreeBSD for a while now and are starting pf in /etc/rc.conf, but if I am understanding correctly now Iptables is a way of handling rules for telling netfilter, which is running all the time no matter what, in the kernel on how to handle network traffic. So no need for any entry in a rc.-file. Is this correct?

As a first timer I used this guide: https://wiki.debian.org/iptables

When it comes to loading rules I have understood it as such that one have  to make a shell script that executes on every reboot, where this script tells which file is the custom iptables rules file. Otherwise there will be no loading of rules. Is this correct?

The Iptables rules file can be named what ever and be located where ever as long as the path in shell script points to it. Is this also correct?

I used the commands:

iptables-restore < /etc/network/iptables.up.rules
iptables-save > /etc/network/iptables.up.rules

I tried to make a script 'iptables' which I placed in /etc/network/if-pre-up.d/

Content of the script was:

#!/bin/sh
/sbin/iptables-restore < /etc/network/iptables.up.rules

To make the script executable I used:

chmod +x /etc/network/if-pre-up.d/iptables

My experience is that the computer hanged during boot when using this script. Note: I just noticed that there is no space betwen #! and /bin/sh. Maybe this has something to do with it.

Since this is new to me I am wondering if there is an optimal or preferable way of doing it with Devuan? Also, is there any difference between a systemd system and Devuan when it comes to configuring Iptables?


Thanks

Last edited by Monti (2017-11-10 21:36:21)

Offline

#2 2017-11-10 22:26:58

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 119

Re: Iptables with Devuan

Hmm, by attaching the loading of table rules to the event(s) of bringing up an interface, you probably make life a little bit difficult for yourself. It's not "wrong" per se, and probably the only major complication is that in a typical set up, the network interfaces are brought up by udev in the pre-pivot boot up stage.

If that is your case, you will need to ensure that the rules files are included in your initrd, as well as the iptables-restore program and its dependencies (libraries). (I believe the if-pre-up.d script gets pulled in to the initrd automagically when remaking initrd).

Or alternatively, make that not be your case by not letting udev start networking. I.e., remove all "allow-hotplug" phrases from /etc/nework/interfaces. Possibly use "auto <if>" phrases instead, which tells the post-pivot networking init script that "these are yours, mate", or if then you also have a separate network manager, you'll need to leave all song and dance to it.

EDIT: I see from your other post that you're using wicd, so my thought about udev is probably not applicable here. Maybe it's enough to make your script exit more promptly when lo is brought up; or even tie it explicitly to $IFACE=wlan0.

Online

#3 2017-11-18 23:59:46

Monti
Member
Registered: 2017-09-25
Posts: 27

Re: Iptables with Devuan

Thank you very much for your lengthy reply @ralph.ronnquist and sorry for my late follow up. I have been occupied with Wicd and Wi-Fi and thought I would try to come to a conclusion there first.

Regarding what you told me about attaching to the event of bringing up an interface, I was clearly not aware of what I was doing.

So I can focus on how to setup rules, could you please come up with a suggestion on how to do loading of rules the best way with Devuan? Just to have something running I have temporary installed gufw/ufw.

Regarding Iptables How-To's that are out there, are there any differences between a systemd system and Devuan that I need to be aware of?

Offline

#4 2017-11-19 01:27:40

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 119

Re: Iptables with Devuan

So I can focus on how to setup rules, could you please come up with a suggestion on how to do loading of rules the best way with Devuan? Just to have something running I have temporary installed gufw/ufw.

There are "wheels" of many colours for this smile ufw isn't too bad although it does introduce a (confusion?) layer between the ufw rules and the actual iptables rules. But I'm sure you'll easily find proponents talking more warmly about ufw.

I'm happy with raw iptables, so I install and use the iptables-persistent package.

Regarding Iptables How-To's that are out there, are there any differences between a systemd system and Devuan that I need to be aware of?

Not really. Of course, for those kiddies, the "word" iptables has got the extra meaning of being the name of a service in addition to being the program for manipulating the kernel tables.

Online

#5 2017-11-19 22:27:23

Monti
Member
Registered: 2017-09-25
Posts: 27

Re: Iptables with Devuan

Thanks a lot for your prompt reply and support ralph.ronnquist

Appreciate the iptables-persistent package. Having a service taking care of it make sense to me. Great.


although it does introduce a (confusion?) layer between the ufw rules and the actual iptables rules.

Yes, agree. To see if I could understand how ufw is working I ended up with confusion big_smile


Cheers

Last edited by Monti (2017-11-19 22:28:09)

Offline

#6 2017-11-19 22:37:23

Monti
Member
Registered: 2017-09-25
Posts: 27

Re: Iptables with Devuan

Forgot to ask about "master" file.

Over at Debian Wiki https://wiki.debian.org/iptables it says:

"...save the new rules to the master iptables file"

A bit confusing, so I have to ask; Is this some specific temporary master file read by netfilter?

Offline

#7 2017-11-19 22:53:36

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 119

Re: Iptables with Devuan

The direct answer is "No". The notion of "master file" only concerns that example, and refers to the "salient path name" encoded into the automatic setup script. (As you know, that example is not ideal in my view, with the automatic setup attached to and repeated with any and all interface(s) coming up.)

iptables-persistent instead enshrines the path names /etc/iptables/rules.v4 and /etc/iptables/rules.v6 as being its "master files".

Online

#8 2017-11-19 23:13:23

Monti
Member
Registered: 2017-09-25
Posts: 27

Re: Iptables with Devuan

ralph.ronnquist wrote:

...
iptables-persistent instead enshrines the path names /etc/iptables/rules.v4 and /etc/iptables/rules.v6 as being its "master files".

Thanks. Good to know smile


Regarding the "microHOWTO" iptables-persistent guide and just for the record, the service itself is now named 'netfilter-persistent'. Package name is still 'iptables-persistent'.

Last edited by Monti (2017-11-20 00:03:19)

Offline

Board footer