iptables script won't start on boot

[jkcunningham]

I installed arno's iptables script sometime ago: http://rocky.molphys.leidenuniv.nl/iptables-firewall/arno-iptables-firewall.tgz
It is configured and operates as expected, once it is started. I can start it by

[SilveRo]

Did you make it executable (with chmod)? Do an 'ls -l rc.iptables' to check....

I got my firewall (a custum script, /etc/filter) to start at boot and to stop at shutdown adding to /etc/conf.d/local.start :

./etc/filter start

and to /etc/conf.d/local.stop :

./etc/filter stop
_________________
Think Gray
(things aren't all black or all white)

[boroshan]

Its still worth getting /etc/init.d/iptables to work since you can get them loaded at boot. If you load them from local, there's a window of vulnerability between the network coming up and the firewall kicking in.

Probably not long enough to matter, but if you're going to do a job...
_________________
Don't let THEM immanentize the Eschaton!

[jkcunningham]

Thanks for the responses. Yes, its executable. And I can execute it manually.

It is very strange. 'rc-update --show' lists it under 'default', so it thinks it's ready to go. It just doesn't work on boot.

So, basically, every time there's a power failure I have a wide open firewall.

:evil:

[boroshan]

just to be sure - you did load a ruleset to be restored on boot up, didn't you? The idea is you establish the set using a script and then use

[jkcunningham]

Ahhh - no. I missed that part.
I have now
Thank you.

It still bothers me that the script won't autostart.

[bin-doph]

well I dont know arno's script but maybe the handbook-ref will help u get ur script a bit more gentoo-like and finally to start up

http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=5#doc_chap4

to prevent ur firewall from being open after a system-reboot u should consider puting your script-call into /etc/conf.d/local.start

if it is a shell-script put set -x in it and redirect the output somewhere for debugging. maybe you'll catch it that way

hth
-fe
_________________
perl -e '$_=q;4a75737420616e6f74686572205065726c204861636b65720as;;for(s;s;s;s;s;s;s;s;s;s;s;s){s;(..)s?;qq qprint chr 0x$1 and \161 ssq;excess;}'

[spudicus]

[boroshan]

That may well be the case. I use speedtouch to connect, and that happens after the firewall gets loaded.

I wonder if it's worth raising a bug obout this. If you connect on boot up, you should have your loaded first. On the other hand if you don't connect automatically, it makes sense to load the scripts in isolation... so maybe not.

Is there any reason why one shouldn't add iptables to the boot runlevel? That would solve the problem once and for all...
_________________
Don't let THEM immanentize the Eschaton!

[spudicus]

[jkcunningham]

Thank you, gentlemen - your discussion has proven provocative. I just realized that what I should have been doing was letting arno's script generate the iptables script, and starting iptables the usual way: 'rc-update add iptables boot'. There's no need to regenerate the script each time. It confused me because the script also starts iptables.

I am trying it at the boot level - I think in this case it will work, and if so, there's no security hole, however short. But if it doesn't, I'll put it back at the default level.

It turns out that the symptom I posted at the top here:

/var/lib/init.d/depcache: line 5: server: command not found
/var/lib/init.d/depcache: line 8: server: command not found

is unrelated. It shows up everytime rc-update is run, even when I've taken out arno's script. I've done some googling around on it, and I think there's a missing dependency for something called 'server'. This is a minimal system firewall box. It doesn't have X or anything beyond what it takes to be a firewall and dhcp server. On one of my desktops, 'server -h' comes up with stuff that looks like this:

> server
Usage: server -n rsa_nickname -p port [-3RFrf] [-w password]
[-c ciphers] [-d dbdir]
-3 means disable SSL v3
-r means request certificate on first handshake.
-f means require certificate on first handshake.
-R means request certificate on all handshakes.
-F means require certificate on all handshakes.
-c ciphers Letter(s) chosen from the following list
A SSL2 RC4 128 WITH MD5
B SSL2 RC4 128 EXPORT40 WITH MD5
C SSL2 RC2 128 CBC WITH MD5
D SSL2 RC2 128 CBC EXPORT40 WITH MD5
E SSL2 DES 64 CBC WITH MD5
F SSL2 DES 192 EDE3 CBC WITH MD5

a SSL3 FORTEZZA DMS WITH FORTEZZA CBC SHA
b SSL3 FORTEZZA DMS WITH RC4 128 SHA
c SSL3 RSA WITH RC4 128 MD5
d SSL3 RSA WITH 3DES EDE CBC SHA
<snip more lines of similar nature>

When I run 'qpkg -f server' it shows up in mozilla !?. I don't know what to make of it. Something I've installed is confusing depcache?
I'll probably start a different thread on it.

-Jeff