2.20. Loading a Firewall Configuration
Problem
You want to load your firewall rules, e.g., at boot time.
Solution
Use ipchains-restore or iptables-restore. Assuming you’ve saved your firewall configuration in /etc/sysconfig: [Recipe 2.19]
For iptables
:
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward (optional)
iptables-restore < /etc/sysconfig/iptables
For ipchains
:
#!/bin/sh
echo 1 > /proc/sys/net/ipv4/ip_forward (optional)
ipchains-restore < /etc/sysconfig/ipchains
To tell Red Hat Linux that firewall rules should be loaded at boot time:
# chkconfig iptables on # chkconfig ipchains on
Discussion
Place the load commands in one of your system rc files. Red Hat Linux already has rc files “iptables” and “ipchains” in /etc/init.d that you can simply enable using chkconfig . SuSE Linux, in contrast, has a script /sbin/SuSEpersonal-firewall that invokes iptables or ipchains rules, and it’s optionally started by /etc/init.d/personal-firewall.initial and /etc/init.d/personal-firewall.final at boot time.
To roll your own solution, you can write a script like the following and invoke it from an rc file of your choice:
#!/bin/sh # Uncomment either iptables or ipchains PROGRAM=/usr/sbin/iptables #PROGRAM=/sbin/ipchains FIREWALL=`/bin/basename $PROGRAM` RULES_FILE=/etc/sysconfig/${FIREWALL} LOADER=${PROGRAM}-restore FORWARD_BIT=/proc/sys/net/ipv4/ip_forward if [ ! -f ${RULES_FILE} ] then echo "$0: Cannot find ${RULES_FILE}" 1>&2 exit 1 fi case "$1" in start) echo 1 > ${FORWARD_BIT} ${LOADER} < ${RULES_FILE} ...
Get Linux Security Cookbook now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.