Hi guys
After installing Devuan I was eager to find out how to configure Iptables so I could get an ok simple desktop configuration.
I have used FreeBSD for a while now and am starting pf in /etc/rc.conf, but if I am understanding correctly now, Iptables is a way of handling rules for telling netfilter, which is running all the time no matter what in the kernel, how to handle network traffic. So no need for any entry in an rc file. Is this correct?
As a first timer I used this guide: https://wiki.debian.org/iptables
When it comes to loading rules I have understood it as such that one has to make a shell script that executes on every reboot, where this script tells which file is the custom iptables rules file. Otherwise there will be no loading of rules. Is this correct?
The Iptables rules file can be named whatever and be located wherever as long as the path in the shell script points to it. Is this also correct?
I used the commands:
iptables-restore < /etc/network/iptables.up.rules
iptables-save > /etc/network/iptables.up.rules
I tried to make a script 'iptables' which I placed in /etc/network/if-pre-up.d/
Content of the script was:
#!/bin/sh
/sbin/iptables-restore < /etc/network/iptables.up.rules
To make the script executable I used:
chmod +x /etc/network/if-pre-up.d/iptables
My experience is that the computer hung during boot when using this script. Note: I just noticed that there is no space between #! and /bin/sh. Maybe this has something to do with it.
Since this is new to me I am wondering if there is an optimal or preferable way of doing it with Devuan? Also, is there any difference between a systemd system and Devuan when it comes to configuring Iptables?
Thanks
Last edited by Monti (2017-11-10 21:36:21)
Hmm, by attaching the loading of table rules to the event(s) of bringing up an interface, you probably make life a little bit difficult for yourself. It's not "wrong" per se, and probably the only major complication is that in a typical set up, the network interfaces are brought up by udev in the pre-pivot boot up stage.
If that is your case, you will need to ensure that the rules files are included in your initrd, as well as the iptables-restore program and its dependencies (libraries). (I believe the if-pre-up.d script gets pulled in to the initrd automagically when remaking initrd).
Or alternatively, make that not be your case by not letting udev start networking. I.e., remove all "allow-hotplug" phrases from /etc/network/interfaces. Possibly use "auto <if>" phrases instead, which tells the post-pivot networking init script that "these are yours, mate", or if then you also have a separate network manager, you'll need to leave all song and dance to it.
EDIT: I see from your other post that you're using wicd, so my thought about udev is probably not applicable here. Maybe it's enough to make your script exit more promptly when lo is brought up; or even tie it explicitly to $IFACE=wlan0.
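As an added example (not from this thread, and not Devuan's or ifupdown's own code), here is how the poster's /etc/network/if-pre-up.d/iptables hook could be narrowed the way the reply above suggests: it exits at once for lo and every other interface, and only loads the rules when the wanted interface is being brought up. ifupdown exports IFACE (interface name) and MODE ("start" or "stop") to its hook scripts. The interface name wlan0 and the rules path are placeholders; iptables-restore's --test option parses the file without committing it, so a broken rules file is rejected before the running ruleset is touched.

```shell
#!/bin/sh
# Added example, not code from the thread: an if-pre-up.d hook that acts
# only for one interface. ifupdown exports IFACE and MODE to hooks.
# Assumptions (placeholders): WANTED_IFACE=wlan0, rules file path below.

RULES_FILE="${RULES_FILE:-/etc/network/iptables.up.rules}"
WANTED_IFACE="${WANTED_IFACE:-wlan0}"

# Return 0 (true) only when this hook invocation should load the rules:
# the interface is the one we care about and it is being brought up.
# $1 = IFACE, $2 = MODE
hook_wanted() {
    [ "$1" = "$WANTED_IFACE" ] && [ "$2" = "start" ]
}

# Load the rules from file $1. Parse-only check first (--test), so a
# broken file leaves the active ruleset untouched instead of half-applied.
# Returns iptables-restore's exit status.
load_rules() {
    /sbin/iptables-restore --test < "$1" || return $?
    /sbin/iptables-restore < "$1"
}

# Hook body: when run by ifupdown (IFACE is set), exit quietly for any
# interface or mode we do not care about, otherwise load the rules.
if [ -n "$IFACE" ]; then
    hook_wanted "$IFACE" "$MODE" || exit 0
    load_rules "$RULES_FILE"
fi
```

Because the hook is keyed on the interface, bringing up lo during early boot no longer runs iptables-restore at all, which is the stall the reply is describing; the rules still get loaded once the real interface comes up.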
Thank you very much for your lengthy reply @ralph.ronnquist and sorry for my late follow up. I have been occupied with Wicd and Wi-Fi and thought I would try to come to a conclusion there first.
Regarding what you told me about attaching to the event of bringing up an interface, I was clearly not aware of what I was doing.
So I can focus on how to set up rules, could you please come up with a suggestion on how to do loading of rules the best way with Devuan? Just to have something running I have temporarily installed gufw/ufw.
Regarding Iptables How-To's that are out there, are there any differences between a systemd system and Devuan that I need to be aware of?
So I can focus on how to set up rules, could you please come up with a suggestion on how to do loading of rules the best way with Devuan? Just to have something running I have temporarily installed gufw/ufw.
There are "wheels" of many colours for this; ufw isn't too bad, although it does introduce a (confusion?) layer between the ufw rules and the actual iptables rules. But I'm sure you'll easily find proponents talking more warmly about ufw.
I'm happy with raw iptables, so I install and use the iptables-persistent package.
Regarding Iptables How-To's that are out there, are there any differences between a systemd system and Devuan that I need to be aware of?
Not really. Of course, for those kiddies, the "word" iptables has got the extra meaning of being the name of a service in addition to being the program for manipulating the kernel tables.
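To make the iptables-persistent approach concrete, here is an added example (my own, not the package's code and not from the thread) of what a minimal desktop rules file in iptables-save format looks like, together with a small sanity check to run over it before handing it to iptables-restore. The file path is a placeholder; the policy shown (drop inbound by default, allow loopback, established/related and ping) is one plausible desktop baseline, not anything the thread prescribes.

```shell
#!/bin/sh
# Added example, not from the thread: write a minimal desktop ruleset in
# the iptables-save format that iptables-persistent reads from
# /etc/iptables/rules.v4, and sanity-check the file before applying it.
# Assumption: the path passed in is a placeholder chosen by the caller.

# Write a baseline desktop ruleset to file $1.
# Default INPUT/FORWARD policy DROP, OUTPUT ACCEPT; the three -A lines
# allow loopback, replies to our own connections, and ping.
write_desktop_rules() {
cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Structural check of a rules file $1 before it is loaded:
# one filter table, terminated by COMMIT, default-deny inbound,
# loopback allowed, and the conntrack rule present so that
# outbound connections keep working. Returns 0 when all hold.
check_rules_file() {
    f="$1"
    [ "$(head -n 1 "$f")" = "*filter" ] || return 1
    [ "$(tail -n 1 "$f")" = "COMMIT" ] || return 1
    grep -q '^:INPUT DROP ' "$f" || return 1
    grep -q -- '^-A INPUT -i lo -j ACCEPT$' "$f" || return 1
    grep -q -- '--ctstate ESTABLISHED,RELATED' "$f" || return 1
}

# Print the number of append (-A) rules in file $1.
count_rules() {
    grep -c -- '^-A ' "$1"
}

# Stand-alone usage: write to a temp file, check it, report rule count.
# As root, the real steps would then be: iptables-restore --test < FILE,
# copy FILE to /etc/iptables/rules.v4, and reload via the
# netfilter-persistent service.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_desktop_rules "$tmp"
    check_rules_file "$tmp" && echo "ok: $(count_rules "$tmp") rules"
    rm -f "$tmp"
fi
```

The check is deliberately textual so it can run without root; iptables-restore --test is the authoritative parse, but a grep over the file catches the common editing slips (a missing COMMIT, an INPUT policy accidentally left at ACCEPT, a dropped loopback rule) before the service ever reads it.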
Thanks a lot for your prompt reply and support ralph.ronnquist
Appreciate the iptables-persistent package. Having a service taking care of it makes sense to me. Great.
although it does introduce a (confusion?) layer between the ufw rules and the actual iptables rules.
Yes, agree. To see if I could understand how ufw is working, I ended up with confusion.
Cheers
Last edited by Monti (2017-11-19 22:28:09)
Forgot to ask about "master" file.
Over at Debian Wiki https://wiki.debian.org/iptables it says:
"...save the new rules to the master iptables file"
A bit confusing, so I have to ask: Is this some specific temporary master file read by netfilter?
The direct answer is "No". The notion of "master file" only concerns that example, and refers to the "salient path name" encoded into the automatic setup script. (As you know, that example is not ideal in my view, with the automatic setup attached to and repeated with any and all interface(s) coming up.)
iptables-persistent instead enshrines the path names /etc/iptables/rules.v4 and /etc/iptables/rules.v6 as being its "master files".
...
iptables-persistent instead enshrines the path names /etc/iptables/rules.v4 and /etc/iptables/rules.v6 as being its "master files".
Thanks. Good to know.
Regarding the "microHOWTO" iptables-persistent guide and just for the record, the service itself is now named 'netfilter-persistent'. Package name is still 'iptables-persistent'.
Last edited by Monti (2017-11-20 00:03:19)